Setup

In order to enable automatic mitigation of random prefix attacks:

1. Set up DNS Firewall.

2. Send a PATCH request to update your DNS Firewall cluster.

   Required API token permissions

   At least one of the following token permissions is required:

   • DNS Firewall Write

   Update DNS Firewall Cluster

   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dns_firewall/$DNS_FIREWALL_ID" \
     --request PATCH \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "attack_mitigation": {
           "enabled": true,
           "only_when_upstream_unhealthy": true
       }
     }'

Once you receive a 200 success response from the API, queries identified as being part of a random prefix attack will receive a REFUSED response.

Note

If you do not specify otherwise in your API call, Cloudflare automatically sets the "only_when_upstream_unhealthy" parameter to true, which means that Cloudflare will only mitigate attacks when we detect that the upstream is unresponsive (possibly as a result of an attack). This setting can also be changed via the API, using a request similar to the ones shown above.