Skip to main content

TCP authentication under permanent protection

Permanent protection forces TCP authentication on every new connection. This means the very first packet in a new TCP session is reset, and the client must initiate a second handshake to complete the connection.
This behaviour is by design and is not a sign of misconfiguration. Standard TCP clients retry automatically and the impact is typically sub-second.
Cloudflare and other CDN providers typically do not retry after receiving a TCP reset.

If you route traffic through a CDN, mitigation will break that path. This is a known incompatibility.

Rate limiting during active attacks

The following traffic types are subject to rate limiting, but only while an attack of the same type is actively ongoing. Rate limits are not applied to clean traffic outside of attack windows.
Traffic typeCondition for rate limiting
TCPOnly during an active TCP attack
UDPOnly during an active UDP attack
ICMPRate limited or blocked under attack
DNSLimited to common resolvers (see below)
By default, all UDP ports not covered by a specific application or game filter are limited to a specific destination limit. If your UDP service uses a non-standard port, please contact Support to request a dedicated filter or further assistance.

DNS resolver restrictions

During a DNS attack, DNS traffic is restricted to requests sourced from the following well-known public resolvers:
  • 1.1.1.1 and 1.0.0.1 — Cloudflare DNS
  • 8.8.8.8 and 8.8.4.4 — Google Public DNS
  • 9.9.9.9 — Quad9
DNS queries from resolvers outside this list may be dropped while mitigation is active.
If your application relies on a private or non-standard resolver, be aware that DNS resolution may fail for users behind those resolvers during an attack.