sFlow DDoS attack rule
Magic Network Monitoring customers that send sFlow data to Cloudflare can receive alerts when a specific type of distributed denial-of-service (DDoS) attack is detected within their network traffic. Magic Network Monitoring uses the same DDoS attack detection rules that protect Cloudflare's global network to generate these alerts for customers.
Only customers that send sFlow data to Cloudflare can configure an sFlow DDoS attack rule.
An sFlow DDoS attack rule can only be configured via Cloudflare's API. Today, customers are unable to configure an sFlow DDoS attack rule in the Cloudflare dashboard.
Customers can export sFlow data of their network traffic to Cloudflare via Magic Network Monitoring. There are specific brands and models of routers that are capable of generating sFlow data. Make sure to check the router specifications to ensure that it is able to export sFlow data. Customers can follow this sFlow configuration guide to configure sFlow exports to Magic Network Monitoring.
| Field | Description | 
|---|---|
| Rule name | Must be unique and cannot contain spaces. Supports characters A-Z,a-z,0-9, underscore (_), dash (-), period (.), and tilde (~). Maximum of 256 characters. | 
| Rule type | advanced_ddos | 
| Prefix Match | The field prefix_match determines how IP matches are handled. |
| Auto-advertisement | If you are a Magic Transit On Demand customer, you can enable this feature to automatically enable Magic Transit if the rule's dynamic threshold is triggered. To learn more and see an example, view the Auto-Advertisement section. | 
| Rule IP prefix | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as 160.168.0.1/24. The maximum is 5,000 unique CIDR entries. To learn more and see an example, view the Rule IP prefixes section. | 
You can visit developers.cloudflare.com/api/, navigate to Magic Network Monitoring, and expand the Rules section to see an example API configuration call using cURL and the expected output for a successful response.
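A pre-flight check for the constraints in the field table, run before a rule is submitted to the API. This is an added example, not Cloudflare's code: the dictionary keys `name`, `type` and `prefixes`, the requirement of a non-empty name and at least one prefix, and counting uniqueness by normalized network are assumptions made here.

```python
import ipaddress
import re

# Constraints taken from the field table above.
NAME_RE = re.compile(r"[A-Za-z0-9_.~-]{1,256}")  # non-empty is an assumption
RULE_TYPE = "advanced_ddos"
MAX_PREFIXES = 5000


def validate_rule(rule):
    """Return a list of problems found in a rule dict; empty means it passed.

    The keys "name", "type" and "prefixes" are assumptions made for this
    example; check them against the API reference before use.
    """
    errors = []
    name = rule.get("name")
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        errors.append("name: 1-256 chars from A-Z a-z 0-9 _ - . ~, no spaces")
    if rule.get("type") != RULE_TYPE:
        errors.append(f"type: must be {RULE_TYPE!r}")

    prefixes = rule.get("prefixes")
    if not isinstance(prefixes, list) or not prefixes:
        # Requiring at least one prefix is an assumption of this example.
        errors.append("prefixes: at least one CIDR range is required")
        return errors

    networks = set()
    for entry in prefixes:
        # A bare address would silently parse as a /32, so require the slash.
        if not isinstance(entry, str) or "/" not in entry:
            errors.append(f"prefixes: {entry!r} is not in CIDR notation")
            continue
        try:
            # strict=False accepts host bits, as in the table's own example.
            networks.add(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            errors.append(f"prefixes: {entry!r} is not a valid CIDR range")
    if len(networks) > MAX_PREFIXES:
        errors.append(f"prefixes: {len(networks)} unique, max {MAX_PREFIXES}")
    return errors


# Constructed sample rules, not real customer data.
GOOD = {"name": "edge-sflow_ddos.v1", "type": RULE_TYPE,
        "prefixes": ["160.168.0.1/24"]}
BAD = {"name": "edge rule", "type": "example_type",
       "prefixes": ["160.168.0.1", "10.0.0.0/33"]}
```

`validate_rule(GOOD)` returns an empty list, while `validate_rule(BAD)` reports the space in the name, the wrong rule type, the address without a prefix length and the out-of-range prefix length.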
Customers can tune the thresholds of their sFlow DDoS alerts in the dashboard and via the Cloudflare API by following the Network-layer DDoS Attack Protection managed ruleset guide.