Learn how Cloudflare DDoS alerts provide real-time attack intelligence.
Overview
Cloudflare’s distributed denial of service (DDoS) alerts provide real-time (within ~1m) notification of attacks that target your Internet property.
Alert types
Cloudflare issues two kinds of DDoS alert: HTTP DDoS alerts and L3/L4 (network/transport layer) DDoS alerts.
Cloudflare issues DDoS alerts for
- HTTP attacks for a duration over 2 minutes that generate more than 2,000 requests per second
- L3/L4 attacks for a duration over 2 minutes that generate more than 20,000 packets per second
Availability is based on Cloudflare service:
| Cloudflare service | ||||
|---|---|---|---|---|
| Alert type | WAF/CDN | Spectrum | Spectrum BYOIP | Magic Transit |
| HTTP DDoS alerts | ✅ | ❌ | ❌ | ❌ |
| L3/L4 DDoS alerts | ❌ | ✅ (Enterprise plans only) |
✅ | ✅ |
Alert content
Each alert includes a short description, the time the attack was detected and mitigated, the attack type, its maximum rate of attack, and the target. HTTP DDoS alerts delivered through webhook or PagerDuty will also include the target hostname.
The following image shows an example alert delivered via email:
The View Dashboard button links to the Cloudflare dashboard so that you can immediately investigate ongoing attacks.
Delivery method
Cloudflare issues alerts via email, webhook, and PagerDuty. Availability is based on Cloudflare plan:
| Cloudflare plan | ||||
|---|---|---|---|---|
| Delivery method | Free | Pro | Business | Enterprise |
| ✅ | ✅ | ✅ | ✅ | |
| Webhook | ❌* | ✅ | ✅ | ✅ |
| PagerDuty | ❌* | ❌* | ✅ | ✅ |
* The availability of additional delivery methods in Free or Pro zones depends on the highest zone plan in your Cloudflare account:
- Webhooks are available in zones on a Free plan if your Cloudflare account has at least one zone in a Pro plan (or higher).
- PagerDuty is available in zones on a Free/Pro plan if your Cloudflare account has at least one zone in a Business plan (or higher).
Setting up DDoS alerts
Before you can receive Cloudflare DDoS attack alerts, you must create an alert notification policy. To use PagerDuty as a delivery method in your policy, first connect PagerDuty to Cloudflare.
To create an alert notification policy:
1. Log in to the Cloudflare dashboard, and select your account.
2. Navigate to Account Home > Notifications.
3. In the Notifications card, click Create.
4. In the Event Type drop-down list, choose the type of alert you want to receive: HTTP DDoS Attack Alert or L3/L4 DDoS Attack. Click Next.
5. Use the additional controls that display to give your notification a name and a description, as in the following example:
6. (Optional) If you have a Cloudflare Business or Enterprise plan and have connected PagerDuty to Cloudflare, you can use the Connected Notification Services checkboxes to configure the services that should receive attack alerts. For instructions, refer to Connecting PagerDuty to Cloudflare.
7. To add a list of email addresses, click Add email recipient and enter an email address. Repeat this step until your list of email addresses is complete.
8. Click Create.
DDoS reports
Cloudflare automatically sends weekly reports summarizing L3/L4 DDoS alerts to Magic Transit and Spectrum BYOIP customers. For more information, see Understanding Cloudflare DDoS reports.