DDoS protection for different plans

I found 2 difference answers:

On the support site: Understanding-Cloudflare-DDoS-protection

For all plan types, Cloudflare provides unmetered mitigation of DDoS attacks including DNS attacks, and network Layer 3, 4, and 7 attacks.

But the information for all plans is different: Compare-Features

  • Unmetered mitigation of volumetric DDoS
    Cloudflare’s unmetered mitigation of DDoS stops illegitimate volumetric traffic at the Cloudflare edge. All Cloudflare plans include unmetered mitigation without fear of being dropped.
  • Enterprise-grade mitigation of DDoS
    Cloudflare’s enterprise-grade mitigation of DDoS attacks against layers 3, 4, & 7 includes prioritized IP ranges and routing, ensuring maximum speed and availability.

Does anyone know the exact difference of DDoS protection of all plans? What is included, what not? Is Layer 3, 4 and 7 included in Free/Pro/Business or not? What kind of protection is included exactly in Free/Pro/Business and in Enterprise?

1 Like

Due to how CF works, they effectively protect against layer 3/4 attacks (network/transport volumetric attacks) if someone were to blindly try that on your website. The limitation is that CF will only pass through good traffic for your HTTP(S) services like websites.

But, actually providing protection for any non-HTTP services or protocols is not provided outside the Enterprise plan. This is generally only relevant for things like game servers, SSH, etc.


Is it really like that? Do you know or do you believe that? :slight_smile: Don’t get me wrong, but I want to know why they write “layers 3, 4 & 7” in the Enterprise-grade description and not in other plans. Where is the exact difference? There are so many types of DDoS attacks and there are no examples or a list of attacks which will be filtered for all plans. I miss that really.

Should have gone into more detail, but was on mobile.

The 3/4 protection is available for HTTP websites as a result of the immense infrastructure CF has built up. Attackers trying to send loads of traffic to your domain will instead hit Cloudflare’s servers, and CF can’t easily be taken down thanks to technology knows as anycast. This is provided on every plan since they all use the same infrastructure.

The enterprise plan doesn’t upgrade a website to provide protection on layer 3/4, it just allows non-HTTP services to be proxied through the CF network via a feature called Cloudflare Spectrum - it uses the same infrastructure but allows for CF to protect traffic that’s not HTTP/HTTPS.

You can read more on the following learning page, see “Common DDoS Attacks”:



Hello Judge,
I could be wrong but I was interested in knowing something, doesn’t the Enterprise HTTP protection get enhanced? I do not mean that business and lower receive worse protection, but that Enterprise is actually backed by an SLA.
Meaning if, somebody manages to take your site down, and what is causing the unavailability of your page is going through CloudFlare, they must mitigate the attack in order to comply with that SLA.

I can’t say for certain, the only thing we have for that is that the pricing page says rate limiting has custom pricing for Enterprise (likely discounted). I’m sure sales could clarify that.

As for the SLA, No; unless specifically negotiated in the contract, the SLA is only for CF’s services actually functioning and allowing configuration, I would doubt the regular SLA makes a guarantee about your own server fleet’s uptime.

If that’s the case then its a shame, I would expect enterprises to have an SLA even on the worst DDoS attack scenarios.
Of course if traffic is not going through their tunnel then its perfectly understandable, but if it is…

I would assume Enterprise contracts are something very custom tailored and very different than the standard plans.

Cloudflare, naturally, wont assume any responsibility for the uptime of the origin(s) but I guess their concern when it comes to attack mitigation will be a lot higher.


This topic was automatically closed after 30 days. New replies are no longer allowed.