DDOS mitigation and protection

Fastly’s high-bandwidth, globally distributed network is built to absorb DDoS attacks. Our entire network acts as a DDoS scrubbing center, so you don’t sacrifice performance for protection. We allow you to respond in real time, filtering malicious requests at the network edge before they get near your origin.

Start your free trial

Edge filtering

Fastly sees all bidirectional traffic (encrypted and unencrypted) between browsers and your web server and automatically filters all non-HTTP / HTTPS traffic at our global nodes, blocking highly disruptive Layer 3 and Layer 4 attacks. We protect against Ping floods, ICMP floods, reflection / amplification attacks, transaction floods, resource exhaustion, and UDP abuse.

Fastly’s edge cache nodes act as enforcement points. Using VCL, we apply rules to protect your network from complex Layer 7 attacks. We inspect the entire HTTP / HTTPS requests, and block based on client and request criteria, like headers, cookies, request path, and client IP, or indicators like geolocation.

Edge filtering

Rapid response

Fastly’s edge cloud platform gives you the flexibility to keep up with rapidly changing attacker methods. Our real-time streaming logs help you monitor site performance and quickly identify anomalies like traffic spikes and instability. Our service is highly configurable; if you identify signs of a potential DDoS attack, you can use our configuration control panel or upload custom VCL to block certain URLs, client types, geographies, or types of requests. We also keep a history of previous configurations so you can quickly roll back changes if needed.

Origin Cloaking

Sophisticated attackers use tools like Cloudpiercer to uncover the IP address of origin servers. This allows them to direct attack traffic at these exposed origin servers, bypassing a traditional CDN’s protection capabilities. Fastly’s Origin Cloaking prevents these kinds of attacks by hiding your origin from attackers. Using private network interconnections, we connect directly with your origin server, hiding the IP address from the public internet. This forces all attack traffic through our network where we apply DDoS mitigation rules.

Origin Cloaking

DDoS Protection and Mitigation Service

Fastly offers a 12-month DDoS Protection and Mitigation Service as an add-on to your Fastly edge cloud service.

This includes:

  • Layer 3, 4 and 7 DDoS mitigation and support of HTTP (port 80) and HTTPS (port 443, TLS)
  • Unlimited overage protection
  • Security support 24/7
DDOS Video

Learn how our DDoS Mitigation services can protect your business

DDoS Mitigation

Powerful, real-time DDoS mitigation


Answers to some of the most frequently asked questions about Fastly’s DDoS protection service.


What to Look for When Choosing a CDN for DDoS Protection

Ready to get started?

Get in touch or create an account.