Protect your origin from volumetric attacks with our globally distributed network that provides visibility at scale and insights into malicious traffic. Block bad traffic by updating security policies in seconds as you keep-up with changing attack patterns.
As DDoS attacks continue to grow in size, so too should your protection. With 233+ Tbps of globally distributed network capacity, Fastly is built to absorb even the largest DDoS attacks.
We filter malicious requests at the network edge, before they reach your origin, so you can focus on keeping your business running.
HTTP(S) traffic can be hard to see at scale, especially when you are under attack. There can be a fine line between the thundering herd of a viral campaign, a DDoS attack or abusive bot behavior. Fastly’s real-time and flexible logging capabilities provide the insights you need to block attack traffic while letting legitimate users access your site.
Many DDoS attacks evolve in real time to avoid blocking. Fastly’s edge cloud platform helps you stay ahead with the ability to update your security policies and push changes around the globe within seconds: our median deployment time is 13 seconds.
Fastly sees all bidirectional traffic (encrypted and unencrypted) between browsers and your web server. We automatically filter all non-HTTP / HTTPS traffic at our global nodes, blocking highly disruptive Layer 3 and Layer 4 attacks. We also protect against Ping floods, ICMP floods, reflection / amplification attacks, transaction floods, resource exhaustion, and UDP abuse.
Fastly’s edge cache nodes act as enforcement points. Using Varnish Configuration Language (VCL), we apply rules to protect your network from complex Layer 7 attacks. We inspect the entire HTTP / HTTPS requests, and block based on client and request criteria, like headers, cookies, request path, and client IP, or indicators like geolocation. Our next-gen WAF (formerly Signal Sciences) can provide additional Layer 7 protection that can be deployed at the app or API origin server complementing our built-in Layer 3 and 4 protection.
Our service is highly configurable: if you identify signs of a potential DDoS attack, you can use our configuration control panel or upload custom VCL to block certain URLs, client types, geographies, or types of requests. We also keep a history of previous configurations so you can quickly roll back changes if needed.
Basic DDoS Protection is included for all Fastly delivery customers. Fastly also offers a 12-month DDoS Protection and Mitigation Service as an add-on to your Fastly edge cloud service.
We’ll work together to immediately transition you to Fastly's CDN service if you're not already a customer.
Fastly partners with you to configure your service map and provide an initial filter policy to immediately block an attack.
Our team can create custom VCL filters to deal with changing attacks or new attacks, and isolate malicious traffic on your behalf.
Fastly provides a plan that identifies how communication and escalation will occur between you, your staff, and Fastly if an attack occurs. The plan will also describe mitigation and defense details such as any DDoS filters that we can insert into VCL prior to or during an attack.
“Fastly’s DDoS mitigation capabilities allow us to quickly scale while remaining protected from a wide range of security threats."
Fastly’s powerful Origin Shield feature maximizes computing resources for outdated content requests by designating a specific POP to serve as a “shield” for your origin servers.
Fastly provides an API endpoint so customers can know which IP addresses our caches will use to send traffic from our CDN to your origin server, enabling you to update firewalls at the origin so only our cache traffic can access your resources.
Fastly empowers customers to upload custom VCL to block certain URLs, client types, geographies, or types of request for immediate response to DDoS attacks.
Distributed Reflection Denial of Service (DRDoS) attacks take down a victim's network by overhwleming it with response requests sent from a different or spoofed origin.
Ping Floods (also known as ICMP floods) aim to overhwhelm a network with ICMP echo requests, impacting both outgoing and incoming bandwidth.
Fastly's DDoS protection provides real-time response and malicious request mitigation at both the network layer (Layer 3 and 4) and application layer (Layer 7).
Built for our next-gen WAF customers, enabling you to better prepare for and response quickly to suspected attacks