Skip to content

SynProtectionRule

Source: src/Cloudflare/DdosProtection/SynProtectionRule.ts

An Advanced TCP Protection SYN flood rule (Magic Transit).

Rules tune how Cloudflare mitigates SYN floods on Magic Transit prefixes, per scope (global, a region, or a data center). The rule’s identity is its scope + name pair — only mode, sensitivities, and mitigationType are mutable in place.

Requires the Magic Transit / Advanced TCP Protection entitlement; on accounts without it every API call fails with the typed AdvancedTcpProtectionNotEntitled error.

Safety: rules carry no ownership markers. When there is no prior state, read scans for an existing rule with the same scope + name and reports it as Unowned, so the engine refuses to take it over unless --adopt (or adopt(true)) is set.

Creating a rule

Section titled “Creating a rule”

Global SYN protection in monitoring mode

const rule = yield* Cloudflare.SynProtectionRule("GlobalSyn", {
  scope: "global",
  mode: "monitoring",
  burstSensitivity: "medium",
  rateSensitivity: "medium",
});

Data-center scoped rule with retransmit mitigation

yield* Cloudflare.SynProtectionRule("SjcSyn", {
  scope: "datacenter",
  name: "SJC",
  mode: "enabled",
  burstSensitivity: "high",
  rateSensitivity: "high",
  mitigationType: "retransmit",
});