3.8 KiB
DDoS Gotchas
Common Errors
"False positives blocking legitimate traffic"
Cause: Sensitivity too high, wrong action, or missing exceptions
Solution:
- Lower sensitivity for specific rule/category
- Use
logaction first to validate (Enterprise Advanced) - Add exception with custom expression (e.g., allowlist IPs)
- Query flagged requests via GraphQL Analytics API to identify patterns
"Attacks getting through"
Cause: Sensitivity too low or wrong action
Solution: Increase to default sensitivity and use block action:
const config = {
rules: [{
expression: "true",
action: "execute",
action_parameters: { id: managedRulesetId, overrides: { sensitivity_level: "default", action: "block" } },
}],
};
"Adaptive rules not working"
Cause: Insufficient traffic history (needs 7 days)
Solution: Wait for baseline to establish, check dashboard for adaptive rule status
"Zone override ignored"
Cause: Account overrides conflict with zone overrides
Solution: Configure at zone level OR remove zone overrides to use account-level
"Log action not available"
Cause: Not on Enterprise Advanced DDoS plan
Solution: Use managed_challenge with low sensitivity for testing
"Rule limit exceeded"
Cause: Too many override rules (Free/Pro/Business: 1, Enterprise Advanced: 10)
Solution: Combine conditions in single expression using and/or
"Cannot override rule"
Cause: Rule is read-only
Solution: Check API response for read-only indicator, use different rule
"Cannot disable DDoS protection"
Cause: DDoS managed rulesets cannot be fully disabled (always-on protection)
Solution: Set sensitivity_level: "eoff" for minimal mitigation
"Expression not allowed"
Cause: Custom expressions require Enterprise Advanced plan
Solution: Use expression: "true" for all traffic, or upgrade plan
"Managed ruleset not found"
Cause: Zone/account doesn't have DDoS managed ruleset, or incorrect phase
Solution: Verify ruleset exists via client.rulesets.list(), check phase name (ddos_l7 or ddos_l4)
API Error Codes
| Error Code | Message | Cause | Solution |
|---|---|---|---|
| 10000 | Authentication error | Invalid/missing API token | Check token has DDoS permissions |
| 81000 | Ruleset validation failed | Invalid rule structure | Verify action_parameters.id is managed ruleset ID |
| 81020 | Expression not allowed | Custom expressions on wrong plan | Use "true" or upgrade to Enterprise Advanced |
| 81021 | Rule limit exceeded | Too many override rules | Reduce rules or upgrade (Enterprise Advanced: 10) |
| 81022 | Invalid sensitivity level | Wrong sensitivity value | Use: default, medium, low, eoff |
| 81023 | Invalid action | Wrong action for plan | Enterprise Advanced only: log action |
Limits
| Resource/Limit | Free/Pro/Business | Enterprise | Enterprise Advanced |
|---|---|---|---|
| Override rules per zone | 1 | 1 | 10 |
| Custom expressions | ✗ | ✗ | ✓ |
| Log action | ✗ | ✗ | ✓ |
| Adaptive DDoS | ✗ | ✓ | ✓ |
| Traffic history required | - | 7 days | 7 days |
Tuning Strategy
- Start with
logaction +mediumsensitivity - Monitor for 24-48 hours
- Identify false positives, add exceptions
- Gradually increase to
defaultsensitivity - Change action from
log→managed_challenge→block - Document all adjustments
Best Practices
- Test during low-traffic periods
- Use zone-level for per-site tuning
- Reference IP lists for easier management
- Set appropriate alert thresholds (avoid noise)
- Combine with WAF for layered defense
- Avoid over-tuning (keep config simple)
See patterns.md for progressive rollout examples.