Override examples
The following scenarios detail how you can make use of override rules as a solution to common HTTP DDoS Protection issues.
The traffic from your mobile application may have appeared suspicious, causing a DDoS Managed Rule to block it.
You should identify the Managed Rule blocking the traffic and change the sensitivity level to Medium. If traffic continues to be blocked by the managed rule, set the sensitivity level to Low or Essentially off.
If you have access to filter expressions, you can create an override to target the specific affected traffic.
If you recognize that the traffic flagged by an adaptive rule may be considered an attack, you can create an override rule to enable the adaptive rule in mitigation mode to challenge (if it is browser traffic) or block (for other suspicious traffic).
If you observe that one of your end users is experiencing a false positive, you can create an override for the rule that caused the false positive and use the filter expressions to apply it only to the hostname.
A false negative is a lack of identification. In the case of DDoS protection, there is a false negative when attack traffic is mistakenly classified as legitimate traffic and is not mitigated. This can occur when the attack traffic is not sufficiently high to trigger mitigation actions or if there are no rules matching the attack.
To address a false negative:
- If you are a WAF/CDN customer, follow the steps in the Respond to DDoS attacks page, which guides you on enabling the Under Attack mode and creating rate limiting rules and WAF custom rules as needed.
- If you are a Magic Transit customer, use Magic Firewall rules to help mitigate the attack.
An incomplete mitigation is a case when the DDoS protection systems have applied mitigation, but not all the attack was mitigated. This can happen when Cloudflare's systems apply a mitigation action that is less strict than what the attack requires.
The system chooses the mitigation action based on the logic and the DDoS protection system's confidence that the traffic is indeed part of an attack:
- For high-confidence rules, the system will apply a strict mitigation action such as the Block action.
- For low-confidence rules, the system will apply a less strict mitigation action such as Challenge or Force Connection Close.
If you are experiencing a DDoS attack detected by Cloudflare and the applied mitigation action is not sufficiently strict, change the rule action to Block:
- Log in to the Cloudflare dashboard and select your account.
- Go to the analytics dashboard and apply filters to the displayed data.
For WAF/CDN customers
- Select the zone that is experiencing an incomplete mitigation of a DDoS attack.
- Go to Security > Events.
- Select Add filter and filter by Service equals HTTP DDoS.
For Magic Transit and Spectrum customers
- Go to Account Home > Analytics & Logs > Network Analytics.
- Identify the DDoS attack that is having incomplete mitigations. Use the Attack ID number included in the DDoS alert (if you received one), or apply dashboard filters such as destination IP address and port.
- Scroll down to Top events by source > HTTP DDoS rules.
- Copy the rule name.
- Go to your zone > Security > DDoS and select Deploy a DDoS override. If you cannot deploy any additional overrides, edit an existing override to adjust rule configuration.
- Select Browse rules and paste the rule name in the search field.
- Change the rule’s Action to Block.
- Select Next and then select Save.
Once saved, the rule takes effect within one or two minutes. The rule adjustment should provide immediate remedy, which you can view in the analytics dashboard.
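The override scenarios on this page (lowering a rule's sensitivity, or raising its action to Block), expressed as a request body for the `ddos_l7` phase entry point of the Rulesets API. This is an added example, not part of the original page; `build_override` is a hypothetical helper, the IDs are placeholders, and the API value names in the two tables are assumptions to confirm against the API reference before use.

```python
import json

# Dashboard sensitivity labels -> API values (assumed Rulesets API names).
SENSITIVITY = {"High": "default", "Medium": "medium",
               "Low": "low", "Essentially off": "eoff"}
# Actions this helper lets an override set (assumed API names).
ALLOWED_ACTIONS = {"block", "managed_challenge"}


def build_override(managed_ruleset_id, rule_id, action=None,
                   sensitivity=None, expression="true"):
    """Build the JSON body that overrides one HTTP DDoS managed rule.

    expression="true" applies the override to all traffic in the zone;
    a narrower filter expression limits it, for example to one hostname.
    """
    rule_override = {"id": rule_id}
    if action is not None:
        if action not in ALLOWED_ACTIONS:
            raise ValueError(f"unsupported action: {action!r}")
        rule_override["action"] = action
    if sensitivity is not None:
        if sensitivity not in SENSITIVITY:
            raise ValueError(f"unknown sensitivity label: {sensitivity!r}")
        rule_override["sensitivity_level"] = SENSITIVITY[sensitivity]
    if len(rule_override) == 1:
        # An override with only an id would silently change nothing.
        raise ValueError("set an action, a sensitivity level, or both")
    return {
        "description": "HTTP DDoS override",
        "rules": [{
            "action": "execute",
            "expression": expression,
            "action_parameters": {
                "id": managed_ruleset_id,
                "overrides": {"rules": [rule_override]},
            },
        }],
    }


if __name__ == "__main__":
    # Incomplete mitigation: force the rule copied from the dashboard to Block.
    print(json.dumps(build_override("<MANAGED_RULESET_ID>", "<RULE_ID>",
                                    action="block"), indent=2))
    # False positive on one hostname (constructed hostname): relax that rule only there.
    print(json.dumps(build_override("<MANAGED_RULESET_ID>", "<RULE_ID>",
                                    sensitivity="Low",
                                    expression='http.host eq "app.example.com"'),
                     indent=2))
```

Keeping the false-positive override scoped with an expression leaves the rule at its default sensitivity for every other hostname in the zone.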
If you cannot stop an attack from overloading your origin web server using the above steps, contact Cloudflare Support for assistance, providing the following details:
- Time period of the attack (UTC timestamp)
- Domain/path being targeted (zone name/ID)
- Attack frequency
- Steps to reproduce the issue, with actual results versus expected results
- Any relevant additional information such as site URLs, error messages, screenshots, or relevant logs from your origin web server