Fastly DDoS Mitigation
Fastly’s DDoS mitigation is an always-on security solution. Our entire network acts as a scrubbing center for DDoS attacks, offering you the same level of DDoS mitigation for both encrypted and unencrypted traffic.
The growing threat of DDoS attacks
In today's interconnected and digital landscape, the threat of distributed denial of service (DDoS) attacks looms larger than ever. These attacks are growing in size, frequency, and complexity, aiming to disrupt web services by overwhelming networks and web resources. According to a recent Gartner report, DDoS attacks are projected to become the most common type of cyberattack. To safeguard your web applications and infrastructure from potential damage, a robust and scalable solution is critical.
Fastly DDoS mitigation
Fastly offers a globally distributed network with multi-terabit-per-second capacity, capable of absorbing even the most massive DDoS attacks. Our real-time response capabilities, comprehensive protection against Layer 3/4 and Layer 7 attacks, and the ability to make on-the-fly configuration changes empower you to fortify your digital infrastructure and defend against disruptive DDoS threats. Additionally, we provide origin cloaking through various methods, allowing us to hide your origin IP or prevent direct access to it. This prevents your cloud-based DDoS protection from being easily circumvented.
Benefits
Safeguard your website: Reduce downtime and risk of brand damage with rapid response to DDoS threats and events.
Payment flexibility: Decide on the payment model that suits you best after an attack.
Overage protection: Unlimited overage protection always included.
Cost-effective: Single vendor for DDoS protection, web application and API security, and edge cloud services.
Resolving DDoS challenges
With DDoS attacks, a clear pattern emerges: larger-volume attacks tend to be simpler, while lower-volume attacks exhibit greater complexity and require deeper contextual analysis. As requests progress through the layers of the OSI model, computational intensity increases, underscoring the need for multi-layered defense mechanisms.
Fastly's expansive Content Delivery Network (CDN) effortlessly absorbs Layer 3 and Layer 4 DDoS attacks, while caching your content on our CDN provides an additional layer of protection against disruptions to your web services. For cache busting and Layer 7 attacks, Fastly offers specialized features.
Edge rate limiting, seamlessly integrated into our CDN, offers an ideal defense against high-speed, high-volume attacks. By intercepting these attacks at the edge, without the need for request inspection, we effectively halt them before they reach your origin.
Advanced rate limiting, a distinguishing feature of Fastly's Next-Gen WAF, scrutinizes the actual request to counter low and slow attacks. This approach grants you maximum control over complex traffic, ensuring only malicious traffic is blocked.
By combining the capabilities of Fastly Delivery and the Next-Gen WAF, we provide comprehensive protection against volumetric DDoS attacks and low and slow attacks, shielding your production infrastructure from harm.
Fastly offers layered protection against the different types of DDoS attacks.
Superior protection at all layers
Fastly’s edge-based filtering technology ensures broad DDoS protection by automatically blocking all types of highly disruptive Layer 3 and Layer 4 attacks at the edge before they hit your origin. To protect your network from complex Layer 7 attacks, our edge cache nodes act as enforcement points. Our security experts can apply rules using Varnish Configuration Language (VCL) to inspect the entire HTTP/HTTPS request, and block based on specific criteria (headers, cookies, request path, client IP, geolocation, etc.). We also give you the option to customize rules to fit your security needs.
For Layer 7 application layer attacks like cross-site scripting (XSS), SQL injection (SQLi), or other OWASP Top Ten attacks, the Fastly Next-Gen WAF stops these through our proprietary SmartParse technology, which requires no tuning and provides immediate protection out of the box. The Next-Gen WAF also provides customizable rules and virtual patches to protect against vulnerabilities.
“By enabling us to mitigate DDoS attacks and terminate TLS at the edge, Fastly empowers us to protect our users while providing consistent and fast experiences.”
Comprehensive DDoS protection
DNS flood
HTTP flood
UDP
ICMP (NTP, SSDP, etc.)
IGMP
Layer 7 DNS
Mixed flood (SYN + UDP or ICMP + UDP)
Ping of Death
Slowloris
Smurf
TCP SYN+ACK
TCP FIN
TCP Reset
TCP ACK
Real-time visibility and control
Fastly provides real-time access to data logs and historical statistics, allowing you to identify suspicious activity, including DDoS attack traffic spikes, for immediate troubleshooting. We empower you to make real-time configuration changes using Varnish Configuration Language (VCL). With our highly modified and improved Varnish, you can apply custom DDoS rules in under a second, enabling powerful and rapid mitigation. With full access to HTTP requests, VCL can be used to create rules based on any attribute of the request or response.
Economic flexibility
We give you flexibility and control in making an economic decision after an attack. If you are under attack we will help you, no questions asked. Afterward, you can choose to enroll in our DDoS Protection and Mitigation Service or pay for overages based on the actual billing, eliminating the need for upfront decisions and enabling a more cost-effective approach.
Flexible add-on service options
To take full advantage of our powerful DDoS mitigation capabilities, we offer the following services:
DDoS Protection and Mitigation Service: A 12-month service commitment for customers who want to minimize their risks with continuous protection on an annual basis. It provides DDoS protection of HTTP (port 80) and HTTPS (port 443, TLS) services with unlimited overage protection.
For customers looking for an augmented or fully-managed Next-Gen WAF and DDoS experience, we offer:
Response Security Service: This service augments your team with priority, direct access to Fastly’s 24/7 CSOC, regular configuration maintenance, and an industry-leading response SLA.
Managed Security Service: This full-service offering is for our customers who require comprehensive, 24/7 monitoring of their environments. It includes all features of the Response Security Service plus proactive monitoring and remediation, monthly and post-event reports and reviews, and expert collaboration with threat hunting and readiness drills.
Key capabilities
High-network capacity: Multi-terabit-per-second network capacity at the edge, ensuring resilience against massive DDoS attacks.
Broad DDoS protection: Secure your origin server from multi-layer attacks.
Real-time control: Craft custom DDoS rules with VCL to serve specific clients from cache during an attack.
Highly automated: The majority of configuration can be done via API, unlike most security systems that rely on CLI.
High-performance: Tight integration of security with our edge cloud network ensures optimal performance.
Dedicated security team: 24/7 cybersecurity expertise and support.
“Fastly’s DDoS mitigation capabilities allow us to quickly scale while remaining protected from a wide range of security threats”
Getting started
Join leading companies like Dunelm, The New York Times, and Yelp in fortifying your business against DDoS attacks. Contact us today to discover how our proven DDoS mitigation solutions can protect your digital infrastructure.
Related resources
Learn how Fastly speeds up and optimizes the delivery of your web and mobile traffic, allowing you to scale globally, improve performance, and save on costs.
Learn how our Next-Gen WAF automatically protects against web layer attacks and easily integrates with DevOps tools.
Stay ahead of web application threats with Fastly’s most complete security coverage offering. Expert protection, 24/7 peace of mind.
Learn about the five best practices you can implement to help prepare for DDoS attacks.
Meet a more powerful global network.
Our network is all about greater efficiency. With our strategically placed points of presence (POPs), you can scale on-demand and deliver seamlessly during major events and traffic spikes. Get the peace of mind that comes with truly reliable performance — wherever users may be browsing, watching, shopping, or doing business.
353 Tbps: Edge network capacity [1]
150 ms: Mean purge time [2]
>1.8 trillion: Daily requests served [4]
~90% of customers: Run Next-Gen WAF in blocking mode [3]
[1] As of March 31, 2024
[2] As of December 31, 2019
[3] As of March 31, 2021
[4] As of July 31, 2023