Learn how Cloudflare DDoS alerts provide real-time attack intelligence.
Overview
Cloudflare’s distributed denial of service (DDoS) alerts provide real-time (within ~1m) notification of attacks that target your Internet property.
Alert types
Cloudflare issues two kinds of DDoS alert: HTTP DDoS alerts and L3/L4 (network/transport layer) DDoS alerts.
Cloudflare issues DDoS alerts for
- HTTP attacks for a duration over 2 minutes that generate more than 2,000 requests per second
- L3/L4 attacks for a duration over 2 minutes that generate more than 20,000 packets per second
Availability is based on Cloudflare service:
| Cloudflare service | ||||
|---|---|---|---|---|
| Alert type | WAF/CDN | Spectrum | Spectrum BYOIP | Magic Transit |
| HTTP DDoS alerts | ✅ | ❌ | ❌ | ❌ |
| L3/L4 DDoS alerts | ❌ | ✅ (Enterprise plans only) |
✅ | ✅ |
Alert content
Each alert includes a short description, the time the attack was detected and mitigated, the attack type, its maximum rate of attack, and the target, as illustrated in this example:
The View Dashboard button links to the Cloudflare dashboard so that you can immediately investigate ongoing attacks.
Delivery method
Cloudflare issues alerts via email, webhook, and PagerDuty. Availability is based on Cloudflare plan:
| Cloudflare plan | ||||
|---|---|---|---|---|
| Delivery method | Free | Pro | Business | Enterprise |
| ✅ | ✅ | ✅ | ✅ | |
| Webhook | ❌* | ✅ | ✅ | ✅ |
| PagerDuty | ❌* | ❌* | ✅ | ✅ |
* The availability of additional delivery methods in Free or Pro zones depends on the highest zone plan in your Cloudflare account:
- Webhooks are available in zones on a Free plan if your Cloudflare account has at least one zone in a Pro plan (or higher).
- PagerDuty is available in zones on a Free/Pro plan if your Cloudflare account has at least one zone in a Business plan (or higher).
Setting up DDoS alerts
Before you can receive Cloudflare DDoS attack alerts, you must create an alert notification policy. To use PagerDuty as a delivery method in your policy, first connect PagerDuty to Cloudflare.
To create an alert notification policy, follow these steps:
1. Log in to your Cloudflare account and select the Notifications tab. The Notifications page displays:
2. In the Notifications card, click Create. The Create Notification page displays:
3. Use the Event Type drop-down list to choose the type of alert you want to receive: HTTP DDoS Attack Alert or L3/L4 DDoS Attack.
4. Click Next. Use the additional controls that display to give your notification a name and a description, as in this example:
5. [Optional] If you have a Cloudflare Business or Enterprise plan and have connected PagerDuty to Cloudflare, you can use the Connected Notification Services checkboxes to configure the services that should receive attack alerts. For instructions, see Connecting PagerDuty to Cloudflare.
6. To add a list of email addresses, click Add email recipient and enter an email address. Repeat this step until your list is complete:
7. Click Create. The Notifications card displays, and your new notification policy is listed:
DDoS reports
Cloudflare automatically sends weekly reports summarizing L3/L4 DDoS alerts to Magic Transit and Spectrum BYOIP customers. For more information, see Understanding Cloudflare DDoS reports.