DDoS Mitigation

DDoS protection at the network edge

Protect your digital infrastructure with Fastly's high-bandwidth, globally distributed network. Our real-time DDoS mitigation safeguards performance without compromising protection. Filter malicious requests at the network edge before they get near your origin.

Hero image
Benefits

The edge network built to stop DDoS attacks

In today's digital landscape, countering DDoS attacks is crucial. DDoS protection is built into our platform, automatically blocking highly disruptive Layer 3/4 DDoS attacks as well as inspecting and blocking more complex Layer 7 attacks. With over a trillion requests served daily through our global network, we have access to data at a massive scale and leverage it to make informed security decisions, ensuring stronger defenses for our customers.

Bandwidth that outstrips the largest attacks

Fastly's network boasts 291+ Tbps of capacity, standing up to even the most massive DDoS attacks. Our infrastructure acts as a DDoS scrubbing center, filtering malicious requests at the network edge before they can reach your origin, so you can focus on keeping your business running.

Visibility for better mitigation

HTTP(S) traffic can be hard to see at scale, especially when you are under attack. There can be a fine line between the thundering herd of a viral campaign, a DDoS attack, or abusive bot behavior. Fastly’s real-time, flexible logging and observability capabilities provide the insights you need to block attack traffic while letting legitimate users access your site.

Flexibility to keep up with evolving attacks

Many DDoS attacks evolve in real time to avoid blocking. Fastly helps you adapt to changing attack patterns without compromising performance. Stay one step ahead with the ability to update your security policies and push changes around the globe within seconds: our median deployment time is 13 seconds.

Features

How DDoS mitigation prevents attacks

Fastly DDOS Mitigation ensures availability and uptime by offering over 277+ Tbps to halt the largest Layer 3/4 attacks and inspecting the entirety of requests to identify and block Layer 7 attacks. Leverage its full configuration options to make intelligent rate-limiting and blocking decisions.

Network layer attacks

Fastly sees all bidirectional traffic (encrypted and unencrypted) between browsers and your web server. We automatically filter all non-HTTP / HTTPS traffic at our global nodes, blocking highly disruptive Layer 3 and Layer 4 attacks. We also protect against Ping floods, ICMP floods, reflection/amplification attacks, transaction floods, resource exhaustion, and UDP abuse.

Application layer attacks

Fastly's edge cache nodes enforce Varnish (VCL) rules to safeguard against Layer 7 attacks. We inspect the entire HTTP / HTTPS requests, and block or rate limit based on client and request criteria, or indicators like geolocation. Our Next-Gen WAF complements our CDN’s built-in protection through advanced rate limiting, thresholding, and SmartParse.

Full configurability

Our service is highly configurable: use our control panel or upload custom VCL to block a multitude of request types the moment a potential DDoS attack is identified. Our CDN also picks up responses from our Next-Gen WAF, enabling additional options for blocking or restricting clients as necessary.

Additional Features

Mitigation features you can count on

Protect against Denial of Service style attacks with flexible configurations that enable powerful protection

Origin Shielding

Fastly’s Origin Shield maximizes computing resources for continuous content requests by designating a specific POP to serve as a “shield” for your origin servers. A shield POP can also be used to configure more specific DDoS protections and improve service availability.

Fastly cache IP space

Fastly provides an API endpoint so you know which IP addresses our caches will use to send traffic from our CDN to your origin server. This enables you to update firewalls at the origin so only our cache traffic can access your resources.

Rate limiting

Fastly offers rate limiting on the edge and within the WAF. Edge rate limiting on the CDN is ideal for high-speed, high-volume attacks, while the Next-Gen WAF’s advanced rate limiting counters slow and low attacks. Together, they provide unmatched flexibility to effectively mitigate attacks of any level and complexity.

Custom DDoS filters

Upload custom VCL to block certain URLs, client types, geographies, or types of requests for immediate response to DDoS attacks.

Stop reflection and amplification (DRDoS)

Distributed Reflection Denial of Service (DRDoS) attacks take down a victim's network by overwhelming it with response requests sent from a different or spoofed origin.

Stop ping floods, ICMP floods, UDP abuse

Ping Floods (also known as ICMP floods) aim to overwhelm a network with ICMP echo requests, impacting both outgoing and incoming bandwidth.

Product Capabilities

DDoS Services

Core DDoS protection is included for all Fastly delivery customers. We also offer a curated set of services for those requiring greater capabilities and assistance around DDoS attacks and preparedness.

Minimize your risk with continuous protection on an annual basis. This service provides DDoS protection of HTTP (port 80) and HTTPS (port 443, TLS) services with unlimited overage protection. Features immediate onboarding, incident response planning, and emergency and ongoing attack mitigation support. Learn more

This full-service offering is for those who require comprehensive, 24/7 monitoring of their environments. It includes proactive monitoring and remediation, monthly and post-event reports and reviews, threat hunting, and readiness drills. Learn more

This service augments your team with priority, direct access to Fastly’s 24/7 CSOC and an industry-leading 15-minute response SLA. In the event of an incident, our team of experts is standing by to provide the fastest response. Learn more

DDoS Protection and Mitigation Service

Minimize your risk with continuous protection on an annual basis. This service provides DDoS protection of HTTP (port 80) and HTTPS (port 443, TLS) services with unlimited overage protection. Features immediate onboarding, incident response planning, and emergency and ongoing attack mitigation support. Learn more

Managed Security Service

This full-service offering is for those who require comprehensive, 24/7 monitoring of their environments. It includes proactive monitoring and remediation, monthly and post-event reports and reviews, threat hunting, and readiness drills. Learn more

Response Security Service

This service augments your team with priority, direct access to Fastly’s 24/7 CSOC and an industry-leading 15-minute response SLA. In the event of an incident, our team of experts is standing by to provide the fastest response. Learn more

Looking for more?

Powerful, Real-time DDoS Mitigation

Fastly’s DDoS mitigation is an always-on security solution. Our entire network acts as a scrubbing center for DDoS attacks, offering you the same level of DDoS mitigation for both encrypted and unencrypted traffic.

Read more

Fastly Edge Cloud Platform

Ensure your websites, applications, and services are able to scale to meet the demand of your users and are delivered securely and as fast as possible with Fastly.

Read more

Ready to get started?

Get in touch or create an account