IronSights

Cloudflare DDoS protection. Stay online under attack.

Absorb volumetric floods, protocol attacks, and application-layer DDoS at the edge, before they knock your application offline.

Cloudflare's DDoS protection is always on, unmetered, and responds within seconds of attack onset. No manual activation. No capacity limits. No per-attack charges regardless of volume.

Unmetered mitigation
Sub-3-second detection and response
Always-on, no manual activation required

How it works

Absorb the flood. Forward the real traffic.

All traffic passes through Cloudflare's anycast network first. Attack traffic is absorbed at the edge; clean traffic reaches your origin without disruption.

With over 296 Tbps of mitigation capacity across 120 countries, Cloudflare can absorb attacks that would overwhelm any single hosting provider.

Traffic arrives

All traffic destined for your application passes through Cloudflare's global anycast network before reaching your origin server.

Continuous analysis

Cloudflare's systems analyse traffic in real time against known attack signatures and your application's baseline traffic profile.

Attack identified

Anomalies consistent with volumetric floods, protocol attacks, or application-layer attacks are identified and classified within seconds of onset.

Mitigation applied

Attack traffic is absorbed and dropped at Cloudflare's edge. Clean traffic continues to your origin without interruption or added latency.

What's mitigated

Every attack type, handled at the edge.

Volumetric, protocol, and application-layer attacks across all eight categories are mitigated automatically, without capacity limits or manual intervention.

Volumetric floods

High-bandwidth UDP and ICMP floods designed to saturate your network connection are absorbed at Cloudflare's edge before they reach your infrastructure.

SYN floods

TCP SYN flood attacks that exhaust server connection tables are mitigated at the network layer, protecting your server's ability to handle legitimate connections.

UDP amplification

Reflection and amplification attacks using DNS, NTP, and similar protocols are absorbed without exposing your origin server's bandwidth or IP address.

DNS amplification

Amplification attacks targeting your DNS infrastructure are mitigated at Cloudflare's anycast DNS layer, before affecting your authoritative name servers.

Application-layer attacks

Layer 7 attacks that mimic legitimate HTTP traffic to exhaust server resources are identified through traffic analysis and mitigated with challenge pages.

Protocol attacks

Malformed packet floods and protocol abuse targeting firewalls and load balancers are dropped at the network edge before reaching your infrastructure.

Burst attacks

Short-duration burst attacks designed to cause disruption before mitigation kicks in are caught by always-on detection that responds in under three seconds.

Attack reporting

Every DDoS event is logged with duration, volume, attack type, and source distribution. Reports are available in the dashboard and are included in monthly summaries.

Origin server protection

When traffic routes through Cloudflare, your server's real IP address is hidden. Attackers can target Cloudflare's network, which is built for it. They cannot reach your origin directly.

  • Origin IP hidden behind Cloudflare's anycast network
  • Direct-to-origin attacks become impossible without your real IP
  • Traffic is scrubbed before forwarding: clean requests only
  • Firewall rules block any traffic that bypasses Cloudflare
  • Full visibility into attack volume and source distribution

Unmetered and predictable

Many hosting providers charge for excess bandwidth during DDoS events. Cloudflare's unmetered protection means the cost of an attack is absorbed by Cloudflare, not passed to you.

  • No charges for attack traffic volume, regardless of size
  • No plan upgrades required when attacks exceed a threshold
  • Protection cost is fixed regardless of attack frequency
  • Included on all Cloudflare plans; advanced controls on paid tiers
  • Attack reports available post-event for insurance or incident review

What you gain

Online when it counts. Regardless of what hits you.

Four outcomes that matter when an attack lands, available from day one of Cloudflare deployment.

Availability maintained

Your website and applications stay online under attacks that would otherwise take down unprotected infrastructure within minutes.

Origin server protected

Your server's real IP address is hidden behind Cloudflare's network, and firewall rules block any traffic that bypasses Cloudflare, so attackers cannot target your origin directly, even if they discover its address.

No per-attack billing

Cloudflare's unmetered DDoS mitigation means attack traffic does not generate overage charges. Protection costs remain predictable regardless of attack volume.

Always-on detection

No manual activation or threshold configuration required. Mitigation begins automatically, typically within three seconds of attack onset.

Common questions

DDoS protection questions answered.

  1. What is the mitigation capacity?

    Cloudflare's network has over 296 Tbps of DDoS mitigation capacity as of 2024, distributed across data centres in more than 120 countries. For context, the largest publicly disclosed DDoS attacks have peaked at around 5 Tbps. The network is sized well beyond anything that would target a typical Australian business.

  2. Does it protect against Layer 7 attacks?

    Yes. Application-layer (Layer 7) attacks that send large volumes of seemingly legitimate HTTP requests to exhaust server resources are handled through a combination of traffic analysis, rate limiting, and challenge pages. These attacks are harder to mitigate than volumetric floods because the traffic looks like real users, but Cloudflare's systems identify anomalous patterns and respond accordingly.

  3. Is DDoS protection always on, or do I have to enable it manually?

    Always on. Cloudflare analyses every request passing through its network continuously. There is no threshold to configure or button to press when an attack starts. Mitigation begins automatically within seconds of detection.

  4. Will legitimate users experience any disruption during an attack?

    In most cases, no. Clean traffic continues to your origin without interruption. During very large or sophisticated attacks, some users may hit a challenge page for a few seconds while their traffic is verified. That's a better outcome than an unavailable application.

  5. Do I need a Cloudflare paid plan for DDoS protection?

    Unmetered DDoS mitigation is included on all Cloudflare plans, including the free tier. More advanced controls (rate limiting rules, custom mitigation rules, and detailed analytics) are available on paid plans. We can advise on the right tier for your requirements.

Always-on. Unmetered. No surprises.

Stay online regardless of what hits you.

Cloudflare DDoS protection is one of the fastest controls to put in place for any public-facing application. We can have it live and tested the same day.