Investigates traffic anomalies, spikes, and degradation on Cloudflare-protected domains using cloudflare-mcp-cli for GraphQL analytics, JA4 fingerprints, bot/WAF scoring, and incident reports.
Install: `npx claudepluginhub delexw/claude-code-misc`

This skill is limited to using the following tools:
Raw arguments: $ARGUMENTS
Skill files:
- README.md
- references/cloudflare-api-cli.md
- references/failure-patterns.md
- references/incident-report-template.md
- references/security-scores.md
- steps/step-01-get-parameters.md
- steps/step-02-confirm-spike.md
- steps/step-03-minute-detail.md
- steps/step-04-identify-ja4.md
- steps/step-05-analyze-traffic.md
- steps/step-06-verify-legitimacy.md
- steps/step-06b-check-rules.md
- steps/step-07-extract-users.md
- steps/step-08-synthesize.md

Related skill: Configures Cloudflare DDoS protection with managed rulesets, rate limiting, WAF rules, Bot Management, and origin protection to mitigate volumetric, protocol, and application-layer attacks.
Infer from the arguments:
- … `date +"%Z"` on the calling machine). When provided, use this as the pinned timezone instead of detecting it via the system clock in Step 1.

If the domain or zone ID cannot be inferred, ask the user via AskUserQuestion. The time range is collected in Step 1 if neither TIME_RANGE nor SINCE/UNTIL is provided.
Investigate unusual traffic patterns on Cloudflare-protected domains that cause downstream service failures (e.g., service overload, database saturation, API rate limiting). This skill walks through a structured investigation from confirming the spike through to a full incident report.
Follow these steps in order. Each step file contains detailed instructions and example Cloudflare GraphQL queries.
All Cloudflare interactions go through the cloudflare-mcp-cli CLI tool:

- `cloudflare-mcp-cli search '<async fn>'` — Discover API endpoints by searching the OpenAPI spec
- `cloudflare-mcp-cli execute '<async fn>'` — Execute API calls via `cloudflare.request()` (GraphQL analytics via POST to `/graphql`, Radar via REST, zone operations via `/zones`)

See the Cloudflare API CLI Reference for query patterns and examples.
JA4 fingerprint format: `t13dNNNNNN_XXXXXXXXXXXX_YYYYYYYYYYYY`. Check the `CLOUDFLARE_JA4` environment variable before flagging a fingerprint as unknown.

Firewall events use adaptive sampling. Numbers are sampled counts, not actual totals. Use them for pattern identification and relative comparisons — top users in the sample likely represent top users overall. Always note this in reports.
Quickly identify root causes using these patterns:
| Pattern | Signal | Resolution |
|---|---|---|
| Circuit Breaker Cascade | 429 → timeout → breaker opens | Scale service or add rate limiting |
| Retry Storm | Error count exceeds initial traffic | Add exponential backoff, client-side circuit breaker |
| Single User Amplification | One user dominates request count | Contact user, fix frontend logic |
| Undersized Service | Normal distribution, fails at <10 req/sec | Scale service capacity urgently |
| Cascading Failure | Multiple services failing sequentially | Isolate fault, restart root service |
| Cache Stampede | Spike after cache expiration | Cache lock, stale-while-revalidate |
Detailed descriptions and resolution steps: Failure Patterns Reference
| Priority | Condition |
|---|---|
| P1 — Immediate | Service 429 errors / circuit breaker open, >10% error rate, cascading failures |
| P2 — High | Single user >500 req/hour on critical endpoint, sustained spike >50% above baseline, multiple dependencies affected |
| P3 — Monitor | Moderate increase <50% above baseline, isolated user anomalies |
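An added example (not part of the skill's own code) that applies the priority thresholds above, plus the Retry Storm and Single User Amplification rows of the failure-pattern table, to constructed per-minute counts; the pattern thresholds (errors exceeding baseline request volume, one user above half of all requests) are assumptions, and `breaker_open` is a hypothetical flag for the circuit-breaker condition.

```python
from dataclasses import dataclass, field

# Constructed sample data, not real Cloudflare output. Counts stand in for the
# sampled analytics/firewall numbers the skill pulls via cloudflare-mcp-cli.
BASELINE_RPM = [120, 118, 125, 122, 119, 121]        # quiet window, req/min
INCIDENT_RPM = [130, 240, 410, 520, 505, 498]        # suspected spike window
INCIDENT_ERR_PM = [2, 40, 150, 240, 230, 225]        # 4xx/5xx per minute
USER_REQS_PER_HOUR = {"user_a": 1800, "user_b": 90, "user_c": 45}

@dataclass
class Triage:
    priority: str
    reasons: list = field(default_factory=list)
    patterns: list = field(default_factory=list)

def spike_pct(baseline, window):
    """Peak of the window as a percentage above the baseline mean."""
    base = sum(baseline) / len(baseline)
    return (max(window) - base) / base * 100

def error_rate(errors, requests):
    """Window-wide error percentage."""
    return sum(errors) / sum(requests) * 100

def triage(baseline, window, errors, users, breaker_open=False):
    """Apply the P1/P2/P3 thresholds and flag matching failure patterns."""
    spike, err = spike_pct(baseline, window), error_rate(errors, window)
    top_user, top_n = max(users.items(), key=lambda kv: kv[1])
    p1, p2 = [], []
    if breaker_open:                      # hypothetical input flag
        p1.append("429s / circuit breaker open")
    if err > 10:
        p1.append(f"error rate {err:.1f}% > 10%")
    if top_n > 500:
        p2.append(f"{top_user} made {top_n} req/hour > 500")
    if spike > 50:
        p2.append(f"spike {spike:.0f}% above baseline > 50%")
    result = Triage("P1" if p1 else "P2" if p2 else "P3", p1 + p2)
    if not result.reasons:
        result.reasons.append(f"increase {spike:.0f}% above baseline < 50%")
    # Assumed pattern heuristics: errors exceeding baseline request volume
    # suggests a retry storm; one user above half of all requests suggests
    # single-user amplification.
    if sum(errors) > sum(baseline):
        result.patterns.append("Retry Storm")
    if top_n / sum(users.values()) > 0.5:
        result.patterns.append("Single User Amplification")
    return result

if __name__ == "__main__":
    t = triage(BASELINE_RPM, INCIDENT_RPM, INCIDENT_ERR_PM, USER_REQS_PER_HOUR)
    print(t.priority, t.reasons, t.patterns)
```

Because firewall counts are sampled, treat the per-user figures as relative rankings rather than exact totals when writing up the result.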
Document findings using the Incident Report Template covering metrics, timeline, security analysis, root cause, and recommendations.