Http ddos Connection Close

Hi Cloudflare community i configured DDoS L7 ruleset action Default and sensitivity high then I see a lot of traffic which looks normal that firewall blocked and action taken became “Connection Close” so my question is

Is that OK and traffic is DDos
is status code of “Connection Close” 200 that I see in the “analytics” dashboard

Yeah, for CF to take such aggressive measures such as close, you can be confident that the traffic was malicious. Obviously, mistakes can happen so if you feel like those were unfair bans, I’d suggest reporting it to Cloudflare.

2 Likes

If a high amount of traffic is being blocked you got 1 cause! Your sensitivity level is too high (and it might be blocking ligament traffic from reaching your website)! Your best bet is to try lowering the sensitivity to medium (so you have don’t block actual, ligament connections to your site, while still blocking dangerous connections)

Yes, Cloudflare will block any suspicious IP’S (like those sending repeated HTTPS requests that is, with rate-limiting enabled). Just know that it doesn’t just block connections because they are sending repeated HTTPS requests! That’s just 1 example!

No, status 200 indicates an “OK” response, not a “Connection Close” or “Connection Closed” response. However, this might be occurring if the client’s browser sends the request but never completes it (like they lose internet or close out the tab). If I may ask what percentage of traffic is giving a “Connection Close” or “Connection Closed” response with HTTP response code 200?

1 Like

I see 4.07M traffic in the analytics dashboard and 2.04 in the firewall dashboard(HTTP DDoS) now I changed sensitivity to medium and blocked traffic in decreasing

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.