Fastly’s high-bandwidth, globally distributed network is built to absorb DDoS attacks. Our entire network acts as a DDoS scrubbing center, so you don’t sacrifice performance for protection. We allow you to respond in real time, filtering malicious requests at the network edge before they get near your origin.
Fastly sees all bidirectional traffic (encrypted and unencrypted) between browsers and your web server and automatically filters all non-HTTP/HTTPS traffic at our global nodes, blocking highly disruptive Layer 3 and Layer 4 attacks. We protect against ping floods, ICMP floods, reflection/amplification attacks, transaction floods, resource exhaustion, and UDP abuse.
Fastly’s edge cache nodes act as enforcement points. Using VCL, we apply rules to protect your network from complex Layer 7 attacks. We inspect entire HTTP/HTTPS requests and block based on client and request criteria, like headers, cookies, request path, and client IP, or on indicators like geolocation.
Fastly’s edge cloud platform gives you the flexibility to keep up with rapidly changing attacker methods. Our real-time streaming logs help you monitor site performance and quickly identify anomalies like traffic spikes and instability. Our service is highly configurable; if you identify signs of a potential DDoS attack, you can use our configuration control panel or upload custom VCL to block certain URLs, client types, geographies, or types of requests. We also keep a history of previous configurations so you can quickly roll back changes if needed.
Sophisticated attackers use tools like Cloudpiercer to uncover the IP address of origin servers. This allows them to direct attack traffic at these exposed origin servers, bypassing a traditional CDN’s protection capabilities. Fastly’s Origin Cloaking prevents these kinds of attacks by hiding your origin from attackers. Using private network interconnections, we connect directly with your origin server, hiding the IP address from the public internet. This forces all attack traffic through our network where we apply DDoS mitigation rules.