Fastly’s high-bandwidth, globally distributed network is built to absorb DDoS attacks. Our entire network acts as a DDoS scrubbing center, so you don’t sacrifice performance for protection. We allow you to respond in real time, filtering malicious requests at the network edge before they get near your origin.
The edge network built to stop DDoS attacks
Protect your origin from volumetric attacks with our globally distributed network that provides visibility at scale and insights into malicious traffic. Block bad traffic by updating security policies in seconds as you keep-up with changing attack patterns.
Bandwidth that outstrips the largest attacks
As DDoS attacks continue to grow in size, so too should your protection. With 252+ Tbps of globally distributed network capacity, Fastly is built to absorb even the largest DDoS attacks.
We filter malicious requests at the network edge, before they reach your origin, so you can focus on keeping your business running.
Visibility for better mitigation
HTTP(S) traffic can be hard to see at scale, especially when you are under attack. There can be a fine line between the thundering herd of a viral campaign, a DDoS attack or abusive bot behavior. Fastly’s real-time and flexible logging capabilities provide the insights you need to block attack traffic while letting legitimate users access your site.
Flexibility to keep up with evolving attacks
Many DDoS attacks evolve in real time to avoid blocking. Fastly’s edge cloud platform helps you stay ahead with the ability to update your security policies and push changes around the globe within seconds: our median deployment time is 13 seconds.
How it works
Network layer attacks
Fastly sees all bidirectional traffic (encrypted and unencrypted) between browsers and your web server. We automatically filter all non-HTTP / HTTPS traffic at our global nodes, blocking highly disruptive Layer 3 and Layer 4 attacks. We also protect against Ping floods, ICMP floods, reflection / amplification attacks, transaction floods, resource exhaustion, and UDP abuse.
Application layer attacks
Fastly’s edge cache nodes act as enforcement points. Using Varnish Configuration Language (VCL), we apply rules to protect your network from complex Layer 7 attacks. We inspect the entire HTTP / HTTPS requests, and block based on client and request criteria, like headers, cookies, request path, and client IP, or indicators like geolocation. Our next-gen WAF (formerly Signal Sciences) can provide additional Layer 7 protection that can be deployed at the app or API origin server complementing our built-in Layer 3 and 4 protection.
Full configurability
Our service is highly configurable: if you identify signs of a potential DDoS attack, you can use our configuration control panel or upload custom VCL to block certain URLs, client types, geographies, or types of requests. We also keep a history of previous configurations so you can quickly roll back changes if needed.
DDoS protection and mitigation service
Basic DDoS Protection is included for all Fastly delivery customers. Fastly also offers a 12-month DDoS Protection and Mitigation Service as an add-on to your Fastly edge cloud service.
Immediate onboarding
We’ll work together to immediately transition you to Fastly's CDN service if you're not already a customer.
Emergency configuration and deployment support
Fastly partners with you to configure your service map and provide an initial filter policy to immediately block an attack.
Ongoing attack mitigation support
Our team can create custom VCL filters to deal with changing attacks or new attacks, and isolate malicious traffic on your behalf.
Incident response plan
Fastly provides a plan that identifies how communication and escalation will occur between you, your staff, and Fastly if an attack occurs. The plan will also describe mitigation and defense details such as any DDoS filters that we can insert into VCL prior to or during an attack.
“Fastly’s DDoS mitigation capabilities allow us to quickly scale while remaining protected from a wide range of security threats."
DDoS mitigation and protection features
Configurability
Fastly’s powerful Origin Shield feature maximizes computing resources for outdated content requests by designating a specific POP to serve as a “shield” for your origin servers.
Fastly provides an API endpoint so customers can know which IP addresses our caches will use to send traffic from our CDN to your origin server, enabling you to update firewalls at the origin so only our cache traffic can access your resources.
Fastly empowers customers to upload custom VCL to block certain URLs, client types, geographies, or types of request for immediate response to DDoS attacks.
Protection
Distributed Reflection Denial of Service (DRDoS) attacks take down a victim's network by overhwleming it with response requests sent from a different or spoofed origin.
Ping Floods (also known as ICMP floods) aim to overhwhelm a network with ICMP echo requests, impacting both outgoing and incoming bandwidth.
Fastly's DDoS protection provides real-time response and malicious request mitigation at both the network layer (Layer 3 and 4) and application layer (Layer 7).
Looking for more?
Data sheet
DDoS Mitigation data sheet
Video
How DDoS mitigation services can protect your business
Data sheet
Answers to some of the most frequently-asked DDoS questions
Data Sheet
Fastly Response Security Service
Built for our next-gen WAF customers, enabling you to better prepare for and response quickly to suspected attacks