DDoS Mitigation

DDoS protection at the network edge

Schedule a demo

Protect your digital infrastructure with Fastly's high-bandwidth, globally distributed network. Filter malicious requests at the network edge before they get near your origin. Our real-time DDoS mitigation safeguards performance without compromising protection.

The edge network built to stop DDoS attacks

In today's digital landscape, safeguarding against DDoS attacks is crucial. DDoS protection is built into our platform by default, automatically blocking highly disruptive Layer 3/4 DDoS attacks as well as inspecting and blocking more complex Layer 7 attacks. With over a trillion requests served daily through our globally distributed network, we have access to data at a massive scale and leverage this data to make informed security decisions, ensuring stronger defenses for our customers.

Bandwidth that outstrips the largest attacks

Fastly's network boasts 277+ Tbps of capacity, standing up to even the most massive DDoS attacks. Our infrastructure acts as a DDoS scrubbing center, filtering malicious requests at the network edge before they can reach your origin, so you can focus on keeping your business running.

Visibility for better mitigation

HTTP(S) traffic can be hard to see at scale, especially when you are under attack. There can be a fine line between the thundering herd of a viral campaign, a DDoS attack, or abusive bot behavior. Fastly’s real-time, flexible logging and observability capabilities provide the insights you need to block attack traffic while letting legitimate users access your site.

Flexibility to keep up with evolving attacks

Many DDoS attacks evolve in real time to avoid blocking. Fastly helps you adapt to changing attack patterns without compromising performance. Stay one step ahead with the ability to update your security policies and push changes around the globe within seconds: our median deployment time is 13 seconds.

How it works

Network layer attacks

Fastly sees all bidirectional traffic (encrypted and unencrypted) between browsers and your web server. We automatically filter all non-HTTP / HTTPS traffic at our global nodes, blocking highly disruptive Layer 3 and Layer 4 attacks. We also protect against Ping floods, ICMP floods, reflection/amplification attacks, transaction floods, resource exhaustion, and UDP abuse.

Application layer attacks

Fastly’s edge cache nodes act as enforcement points. Using Varnish Configuration Language (VCL), we apply rules to protect your network from complex Layer 7 attacks. We inspect the entire HTTP / HTTPS requests, and block or rate limit based on client and request criteria, like headers, cookies, request path, and client IP, or indicators like geolocation. Our Next-Gen WAF complements our built-in protection provided by the CDN through advanced rate limiting, thresholding, and SmartParse.

Full configurability

Our service is highly configurable: if you identify signs of a potential DDoS attack, you can use our configuration control panel or upload custom VCL to block certain URLs, client types, geographies, or types of requests. We also keep a history of previous configurations so you can quickly roll back changes if needed. Additionally, our CDN can pick up responses from our Next-Gen WAF, enabling additional options for blocking or restricting clients as necessary.

ddos attack icon

DDoS Services

Core DDoS protection is included for all Fastly delivery customers. We also offer a curated set of services for those requiring greater capabilities and assistance around DDoS attacks and preparedness.

DDoS Protection and Mitigation Service

Minimize your risk with continuous protection on an annual basis. This service provides DDoS protection of HTTP (port 80) and HTTPS (port 443, TLS) services with unlimited overage protection. Features immediate onboarding, incident response planning, and emergency and ongoing attack mitigation support.

Learn more
Response Security Service

This service augments your team with priority, direct access to Fastly’s 24/7 CSOC and an industry-leading 15-minute response SLA. In the event of an incident, our team of experts is standing by to provide the fastest response.

Learn more
Managed Security Service

This full-service offering is for those who require comprehensive, 24/7 monitoring of their environments. It includes proactive monitoring and remediation, monthly and post-event reports and reviews, threat hunting, and readiness drills.

Learn more
  • “Fastly’s DDoS mitigation capabilities allow us to quickly scale while remaining protected from a wide range of security threats."
    Tom Hayman
    Head of Platform Engineering
  • "By enabling us to mitigate DDoS attacks and terminate TLS at the edge, Fastly empowers us to protect our users while providing consistent and fast experiences."
    Fred Hatfull
    Engineering Manager
  • "Overall great service and support. The technology works well. It's really helped us mitigate DDoS attacks and improve our overall site performance. "
    Media and publishing industry

DDoS mitigation and protection features

Access to Origin Shielding

Fastly’s Origin Shield maximizes computing resources for continuous content requests by designating a specific POP to serve as a “shield” for your origin servers. A shield POP can also be used to configure more specific DDoS protections and improve service availability.

Access to Fastly cache IP space

Fastly provides an API endpoint so you know which IP addresses our caches will use to send traffic from our CDN to your origin server. This enables you to update firewalls at the origin so only our cache traffic can access your resources.

Custom DDoS filter creation abilities

Upload custom VCL to block certain URLs, client types, geographies, or types of requests for immediate response to DDoS attacks.

Stop reflection and amplification (DRDoS)

Distributed Reflection Denial of Service (DRDoS) attacks take down a victim's network by overwhelming it with response requests sent from a different or spoofed origin.

Stop ping floods, ICMP floods, UDP abuse

Ping Floods (also known as ICMP floods) aim to overwhelm a network with ICMP echo requests, impacting both outgoing and incoming bandwidth.

Layer 3, 4 and 7 protection

Fastly's DDoS protection provides real-time response and malicious request mitigation at both the network layer (Layer 3 and 4) and application layer (Layer 7).

Looking for more?

Data sheet

DDoS Mitigation data sheet

Learn how we enable you to fortify your digital infrastructure and defend against disruptive DDoS threats.


How DDoS mitigation services can protect your business

Web page

Fastly Edge Cloud Platform

Ensure your websites, applications, and services are able to scale to meet the demand of your users and are delivered securely and as fast as possible with Fastly.

Data Sheet

Fastly Managed Security Service

Stay ahead of web application threats with Fastly’s most complete security coverage offering. Expert protection, 24/7 peace of mind.