Cloudflare’s DDoS protection is more than just a firewall; it’s a distributed network that absorbs and mitigates malicious traffic before it ever reaches your origin servers.

Let’s see it in action. Imagine a sudden surge of UDP packets targeting your game server on port 25565.

# Example traffic hitting your origin server
# (Illustrative only; real attack traffic would be far higher in volume and spread across many sources)
# Netfilter log showing UDP packets to port 25565
[ 1234.567890] IN=eth0 OUT= MAC=... SRC=192.168.1.100 DST=192.168.1.200 LEN=64 ... PROTO=UDP DPORT=25565
[ 1234.567990] IN=eth0 OUT= MAC=... SRC=192.168.1.101 DST=192.168.1.200 LEN=64 ... PROTO=UDP DPORT=25565

Cloudflare’s edge network, distributed globally, inspects this incoming traffic. For Layer 3 (network layer) and Layer 4 (transport layer) attacks, it looks at IP addresses, packet counts, and connection states. For Layer 7 (application layer) attacks, it analyzes HTTP request patterns, user agents, and request rates.

Your Cloudflare dashboard is the control panel.

DDoS Protection Settings:

  • Network Layer (Layer 3/4) Protection:

    • Attack Strength: Set to "Aggressive" for maximum mitigation. This tunes the sensitivity of the network-level filters.
    • Packet Filtering: Enabled. This allows Cloudflare to drop malformed or suspicious packets at the edge.
    • Rate Limiting: Configured at the edge for specific protocols (e.g., UDP on port 25565) to limit the number of packets per second from a single source. Example: UDP 25565 limit 1000 packets/sec.
  • Application Layer (Layer 7) Protection:

    • Web Application Firewall (WAF): Enabled. This is crucial for Layer 7 attacks.
    • Managed Rulesets: Enable "Cloudflare Managed Ruleset" and "OWASP ModSecurity Core Rule Set". These pre-configured rulesets detect common web exploits and attack patterns.
    • Rate Limiting: Configure specific URL paths or API endpoints with granular limits. Example: /api/v1/login limit 100 requests/minute.
    • Bot Management: Set to "Managed Challenge" or "Block" for known malicious bots. This uses sophisticated techniques to distinguish bots from humans.
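
The per-source packet-rate check behind the UDP 25565 limit above can be illustrated on the netfilter log format shown earlier. This is an added example, not Cloudflare's code: it parses lines like those in the excerpt, counts packets per source per second, and reports sources exceeding 1000 packets/sec; the sample log it runs on is constructed, and the fixed one-second buckets are an assumption that stands in for the sliding windows an edge rate limiter really uses.

```python
import re
from collections import defaultdict

# Matches the netfilter LOG format quoted above. Real iptables/nftables LOG output
# writes the destination port as DPT=; the excerpt above writes DPORT=, so both
# spellings are accepted.
LOG_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\].*?SRC=(?P<src>[0-9a-fA-F.:]+)"
    r".*?PROTO=(?P<proto>\w+).*?D(?:PORT|PT)=(?P<dport>\d+)"
)

def parse_line(line):
    """Return (timestamp, source IP, protocol, destination port), or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return float(m["ts"]), m["src"], m["proto"], int(m["dport"])

def flag_sources(lines, proto="UDP", dport=25565, limit_pps=1000):
    """Count packets per (source, whole second) for one protocol/port and return
    {source: peak packets in one second} for every source that exceeds limit_pps.
    Fixed one-second buckets are an assumed simplification of a real edge limiter's
    sliding window; the per-source accounting is the same idea."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, p, port = rec
        if p != proto or port != dport:
            continue
        counts[(src, int(ts))] += 1
    flagged = {}
    for (src, _sec), n in counts.items():
        if n > limit_pps:
            flagged[src] = max(flagged.get(src, 0), n)
    return flagged

def make_sample_log():
    """Constructed sample, not captured traffic: 192.168.1.100 sends 1200 UDP packets
    to port 25565 within kernel-second 1234, 192.168.1.101 sends 5, and two
    non-matching lines (TCP to the same port, ICMP) must be ignored."""
    tmpl = ("[ {ts:.6f}] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            "SRC={src} DST=192.168.1.200 LEN=64 TTL=64 PROTO={proto} SPT=40000 DPORT=25565")
    lines = [tmpl.format(ts=1234 + i / 1200, src="192.168.1.100", proto="UDP") for i in range(1200)]
    lines += [tmpl.format(ts=1234 + i / 5, src="192.168.1.101", proto="UDP") for i in range(5)]
    lines.append(tmpl.format(ts=1234.5, src="192.168.1.102", proto="TCP"))
    lines.append("[ 1235.000000] IN=eth0 OUT= MAC=... SRC=192.168.1.103 DST=192.168.1.200 LEN=84 PROTO=ICMP TYPE=8 CODE=0")
    return lines

if __name__ == "__main__":
    for src, peak in flag_sources(make_sample_log()).items():
        print(f"{src}: peak {peak} pkt/s on UDP/25565, over the 1000 pkt/s limit")
```

Running it reports only 192.168.1.100; lowering limit_pps shows how the threshold trades false positives against mitigation strength, which is the same trade-off the "Aggressive" setting makes.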

The magic happens because Cloudflare has massive bandwidth and distributed points of presence (PoPs). When an attack hits, it’s distributed across thousands of servers worldwide, meaning your origin server only sees legitimate traffic (or traffic that has been successfully challenged).

The core problem Cloudflare DDoS protection solves is attackers overwhelming your infrastructure with unwanted traffic. This can take several forms:

  • Network Layer: Flooding your network interfaces with packets (e.g., UDP floods, ICMP floods).
  • Transport Layer: Exhausting connection tables on your servers or firewalls (e.g., SYN floods).
  • Application Layer: Making so many HTTP requests that your web server or application logic grinds to a halt (e.g., HTTP floods, Slowloris).

The "Managed Challenge" for bots is a powerful lever. Instead of a simple CAPTCHA, it uses a series of JavaScript challenges, browser integrity checks, and threat scores to verify if a visitor is a human. This is more effective against sophisticated botnets that can solve basic CAPTCHAs.

When you enable "Aggressive" attack strength for network layer protection, Cloudflare employs more stringent filtering rules and may drop a higher percentage of traffic that exhibits even minor deviations from expected patterns, prioritizing availability over maximum reachability for potentially suspicious sources.

The next problem you’ll likely encounter is optimizing WAF rules to avoid false positives while still blocking sophisticated application-layer attacks.
