Application Layer (Layer 7) DDoS protection is one of the signature features of the StackPath WAF. Layer 7 attacks are often performed in bursts and are not always volumetric in nature. The StackPath WAF uses multiple techniques to detect and mitigate incoming attacks.
Please note the StackPath WAF DDoS Protection mode is enabled for sites that are using the WAF monitor mode.
DDoS Detection Mechanisms
The DDoS detection mechanisms can be configured per site, and custom thresholds can be configured based on a website's specific needs. The default configuration is aimed toward medium-sized websites (approximately 500k requests a month). In general, it is not recommended to change these settings, but in some cases, it is required. Reasons for changing these settings include:
- Having regular traffic to your site that is above 5000 requests per second
- Expecting large increases in traffic from events (e.g., marketing campaigns)
DDoS mode is activated if any one of the 3 conditions below is met:
1. Domain threshold
This mechanism has a minimum DDoS threshold of 1,500 requests per 10 seconds and a maximum threshold of 100,000 requests per 10 seconds. If the customizable threshold value is met AND if the current number of requests is at least 2X the previous 10-second window then the DDoS mode will be activated.
This mechanism is responsible for identifying DDoS attacks whose traffic pattern consists of a slow rise in traffic over a period of time.
2. Burst Threshold
This mechanism has a minimum DDoS threshold of 1,000 requests per 2 seconds and a maximum threshold of 80,000 requests per 2 seconds. If the customizable threshold value is met AND the number of requests is at least 5X the last 2-second interval, then the DDoS mode will be activated.
This mechanism is responsible for identifying sudden bursts in traffic.
3. Sub Second Threshold
This mechanism has a minimum DDoS threshold of 50 requests per 100 milliseconds and a maximum threshold of 20,000 requests per 100 milliseconds. When the customizable threshold is met, the DDoS mode will activate on the WAF server that the traffic went through - compared to the other mechanisms that will activate DDoS mode for the entire WAF Cluster.
This mechanism is responsible for protecting against attacks that start with a burst and provides an extra layer of protection before the first 2 mechanisms kick in.
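The three conditions above can be checked against your own per-window request counts before choosing thresholds. The following is an added example, not StackPath's code: the function names and sample counts are constructed, and it assumes "at least NX the previous window" means current >= N x previous.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mechanism:
    window_ms: int   # length of the counting window
    min_thr: int     # lowest configurable threshold (requests per window)
    max_thr: int     # highest configurable threshold
    growth: int      # required multiple of the previous window; 0 = not compared
    scope: str       # where DDoS mode is activated

# Limits and multipliers as listed on this page.
MECHANISMS = {
    "domain":     Mechanism(10_000, 1_500, 100_000, 2, "cluster"),
    "burst":      Mechanism(2_000,  1_000, 80_000,  5, "cluster"),
    "sub_second": Mechanism(100,    50,    20_000,  0, "server"),
}

def fires(name, threshold, previous, current):
    """True if one mechanism would activate DDoS mode for this pair of windows."""
    m = MECHANISMS[name]
    if not m.min_thr <= threshold <= m.max_thr:
        raise ValueError(f"{name}: threshold {threshold} outside {m.min_thr}..{m.max_thr}")
    if current < threshold:
        return False
    # Assumption: "at least NX the previous window" means current >= N * previous.
    return m.growth == 0 or current >= m.growth * previous

def evaluate(thresholds, counts):
    """thresholds: {name: value}; counts: {name: (previous, current)}.
    Returns [(mechanism, scope)] for each mechanism that fires; any one is enough."""
    return [(n, MECHANISMS[n].scope) for n in MECHANISMS
            if fires(n, thresholds[n], *counts[n])]

def steady(rps):
    """Constructed sample: flat traffic at `rps`, expressed as per-window counts."""
    return {n: (rps * m.window_ms // 1000,) * 2 for n, m in MECHANISMS.items()}

if __name__ == "__main__":
    lowest = {n: m.min_thr for n, m in MECHANISMS.items()}
    # Flat 5,000 requests per second, every threshold at its minimum.
    print(evaluate(lowest, steady(5000)))
    # Same traffic with the sub-second threshold raised to 1,000 per 100 ms.
    print(evaluate({**lowest, "sub_second": 1000}, steady(5000)))
    # Constructed spike: the 2-second count jumps from 300 to 2,000.
    spike = {"domain": (4000, 5000), "burst": (300, 2000), "sub_second": (10, 40)}
    print(evaluate(lowest, spike))
```

With every threshold at its minimum, flat traffic at 5,000 requests per second fires only the sub-second check, because that is the one condition with no comparison to the previous window.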
What happens when DDoS mode is activated?
Who Gets Blocked When DDoS Mode is Activated?
Any automated application layer traffic will be blocked during a DDoS attack. The only exception to this is large search engines like Google, Bing, etc., which will be allowed to access the site. All other tools will be blocked.
StackPath's bot-detection technology blocks bots with an extremely high degree of accuracy:
• Bots that share IP addresses with human users are blocked while allowing unrestricted access to legitimate users.
• StackPath's bot detection will also catch bots that frequently change their IP addresses; they are tracked down and blocked consistently.
How Long Does DDoS Mode Last?
When DDoS mode is activated, it will remain active for a minimum duration of 10 minutes and then for the duration of the rest of the attack.
DDoS statistics will be available on the WAF overview page.
Specific event details for DDoS (details about the blocked requests) are not yet available but are on the roadmap to be added in the future.
StackPath support is available 24/7 through live chat or email@example.com if you need help with WAF DDoS protection.