TCP authentication under permanent protection
Permanent protection forces TCP authentication on every new connection. This means the very first packet in a new TCP session is reset, and the client must initiate a second handshake to complete the connection.This behaviour is by design and is not a sign of misconfiguration. Standard TCP clients retry automatically and the impact is typically sub-second.
Rate limiting during active attacks
The following traffic types are subject to rate limiting, but only while an attack of the same type is actively ongoing. Rate limits are not applied to clean traffic outside of attack windows.| Traffic type | Condition for rate limiting |
|---|---|
| TCP | Only during an active TCP attack |
| UDP | Only during an active UDP attack |
| ICMP | Rate limited or blocked under attack |
| DNS | Limited to common resolvers (see below) |
By default, all UDP ports not covered by a specific application or game filter are limited to a specific destination limit. If your UDP service uses a non-standard port, please contact Support to request a dedicated filter or further assistance.
DNS resolver restrictions
During a DNS attack, DNS traffic is restricted to requests sourced from the following well-known public resolvers:1.1.1.1and1.0.0.1— Cloudflare DNS8.8.8.8and8.8.4.4— Google Public DNS9.9.9.9— Quad9
If your application relies on a private or non-standard resolver, be aware that DNS resolution may fail for users behind those resolvers during an attack.