
DDoS Mitigation


Edge filtering

As an in-line proxy, Fastly sees all bidirectional traffic (encrypted and unencrypted) between your customer’s browser and your web server. Our edge-based filtering technology automatically filters all non-HTTP / HTTPS traffic at our global nodes, making us resistant to large, highly disruptive Layer 3 and Layer 4 attacks such as ping floods, ICMP floods, reflection / amplification attacks, transaction, resource exhaustion, and UDP abuse. Edge cache nodes also act as enforcement points, and we can apply rules using VCL to protect your network from complex Layer 7 attacks. We inspect entire HTTP / HTTPS requests and block based on client and request criteria (headers, cookies, request path, client IP or AS, geolocation, etc.).

Origin Cloaking

Traditional CDNs protected your website or application, but today’s attackers use tools like Cloudpiercer to uncover the IP addresses of origin servers. This allows them to direct attack traffic at these exposed origin servers, bypassing a CDN’s protection capabilities. Fastly’s Origin Cloaking feature prevents these kinds of attacks by hiding your origin from attackers. Using private network interconnections, we connect directly with your origin server, hiding the IP address from the public internet. This forces all attack traffic to go through our network, where we apply DDoS mitigation rules.


Consistent, global mitigation

Our entire network acts as a scrubbing center for DDoS attacks. We offer the same level of DDoS mitigation for both encrypted and unencrypted traffic. We do not change traffic flow for specific threats, nor do we handle clear traffic any differently from encrypted traffic. Because all traffic takes the same path on our network, we can spot security anomalies among normal traffic and mitigate as needed.

Rapid response

Fastly gives you access to real-time logs and the ability to make configuration changes on the fly, allowing you to keep up with rapidly changing attacker methods. Our real-time streaming logs help you monitor site performance and quickly identify anomalies like traffic spikes and instability. Our service is highly configurable; if you identify signs of a potential DDoS attack, you can use our configuration control panel or upload custom VCL to block certain URLs, client types, geographies, or types of request. We also keep a history of previous configurations so you can quickly roll back if needed.

Custom DDoS rules

With VCL, you can craft custom DDoS rules, forcing a particular client to be served from cache during a DDoS attack. Because VCL has full access to the HTTP request, you can create rules based on any attribute of the request. Custom DDoS rules can filter out malicious requests before they hit your origin server, allowing you to block IP addresses from specific regions or clients exhibiting suspicious behavior.

Flexible service options

To take advantage of our powerful DDoS mitigation, you can choose one of our two options as an add-on to your CDN service. Both plans provide DDoS protection of HTTP (port 80) and HTTPS (port 443, TLS) with unlimited overage protection.

DDoS protection and mitigation service: This 12-month service allows you to minimize your risk with continuous protection on an annual basis. 

DDoS threat response service: This month-to-month service can be used in response to an immediate DDoS threat or for an ongoing DDoS attack.


