
SynProtectionFilter

Source: src/Cloudflare/DdosProtection/SynProtectionFilter.ts

An Advanced TCP Protection SYN Protection filter (Magic Transit).

Filters gate which traffic the SYN Protection rules see, per mode: an enabled filter scopes mitigation, a monitoring filter scopes observe-only analysis, and a disabled filter excludes traffic. Both expression and mode are mutable in place.

Requires the Magic Transit / Advanced TCP Protection entitlement; on accounts without it every API call fails with the typed AdvancedTcpProtectionNotEntitled error.

Safety: filters carry no ownership markers. When there is no prior state, read scans for an existing filter with the same expression and reports it as Unowned, so the engine refuses to take it over unless --adopt (or adopt(true)) is set.
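The adoption check described above, modelled as stand-alone TypeScript. This is an added example, not the library's source: the names `RemoteFilter`, `PriorState`, `readFilter` and `planFilter` are hypothetical, and matching expressions by exact string equality is an assumption.

```typescript
// Stand-alone model of the adoption check; every name below is hypothetical.
type Mode = "enabled" | "monitoring" | "disabled";
interface RemoteFilter { id: string; expression: string; mode: Mode }
interface Desired { expression: string; mode: Mode }
interface PriorState { filterId: string }

type ReadResult =
  | { kind: "owned"; filter: RemoteFilter }
  | { kind: "unowned"; filter: RemoteFilter }
  | { kind: "missing" };

type Plan =
  | { action: "create" }
  | { action: "update" | "noop"; id: string }
  | { action: "refuse"; id: string; reason: string };

// With prior state the filter is looked up by its recorded id. Without it, the
// only available signal is an expression match (assumed exact here), which
// proves nothing about who created the filter, so it is reported as unowned.
function readFilter(prior: PriorState | null, remote: RemoteFilter[], want: Desired): ReadResult {
  if (prior !== null) {
    const mine = remote.find((f) => f.id === prior.filterId);
    return mine ? { kind: "owned", filter: mine } : { kind: "missing" };
  }
  const match = remote.find((f) => f.expression === want.expression);
  return match ? { kind: "unowned", filter: match } : { kind: "missing" };
}

function planFilter(prior: PriorState | null, remote: RemoteFilter[], want: Desired, adopt: boolean): Plan {
  const result = readFilter(prior, remote, want);
  if (result.kind === "missing") return { action: "create" };
  const { filter } = result;
  if (result.kind === "unowned" && !adopt) {
    // Refusing here keeps a deploy from silently flipping someone else's filter mode.
    return { action: "refuse", id: filter.id, reason: `filter ${filter.id} is not in state; set adopt to take it over` };
  }
  const changed = filter.expression !== want.expression || filter.mode !== want.mode;
  return changed ? { action: "update", id: filter.id } : { action: "noop", id: filter.id };
}

// Constructed sample: a filter created outside this deployment, currently disabled.
const sampleRemote: RemoteFilter[] = [
  { id: "f-1", expression: "tcp.dstport in {443}", mode: "disabled" },
];
const sampleWant: Desired = { expression: "tcp.dstport in {443}", mode: "enabled" };
```

With the constructed sample, a first deploy without adoption is refused instead of switching the existing filter from disabled to enabled; the same call with `adopt` set, or with prior state naming `f-1`, plans an in-place update.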

Scope SYN mitigation to HTTPS traffic

const filter = yield* Cloudflare.SynProtectionFilter("HttpsOnly", {
  expression: "tcp.dstport in {443}",
  mode: "enabled",
});

Monitor a port range without mitigating

yield* Cloudflare.SynProtectionFilter("WatchHighPorts", {
  expression: "tcp.dstport in {8000..8999}",
  mode: "monitoring",
});