Overview
The StackPath WAF offers protection against Application Layer (Layer 7) DDoS. Layer 7 attacks are often performed in bursts and are not always volumetric in nature.
This protection is always active, even if the WAF is in Monitor mode.
The WAF uses multiple techniques to detect and mitigate incoming attacks. The DDoS mode will activate if any of the following 3 conditions are met:
| Condition type | Description |
| Global threshold |
This mechanism identifies a slow rise in traffic over a period of time. This mechanism is responsible for identifying DDoS attacks that their traffic pattern consists of a slow rise in traffic over a period of time. This mechanism has a minimum DDoS threshold of 250 requests per 10 seconds and a maximum threshold of 100,000 requests per 10 seconds. If the customizable threshold value is met AND if the current number of requests is at least two times (2X) the previous 10-second window, then the DDoS mode will be activated. |
| Burst threshold |
This mechanism identifies sudden bursts in traffic. This mechanism has a minimum DDoS threshold of 30 requests per 2 seconds and a maximum threshold of 80,000 requests per 2 seconds. If the customizable threshold value is met AND the number of requests is at least five times (5X) the last 2-second interval, then the DDoS mode will activate. |
| Sub second threshold | This threshold protects WAF servers against attacks from traffic bursts. By default, StackPath maintains this threshold. When this threshold is reached, the DDoS mode will activate on the affected WAF server (not the WAF cluster). |
When DDoS mode is activated:
- Every request will be challenged with a JavaScript validation.
- The JavaScript Challenge detects if a valid user is making the request, and not an automated tool. Once passed, the user will not have to pass the challenge on future requests.
- The mode will be active for a minimum duration of 10 minutes and then for the duration of the rest of the attack.
- Any automated layer traffic will be blocked.
- This action will not take place against large search engines (Google, Bing, etc.).
- StackPath's bot-detection technology will block bots that:
- Share IP addresses with human users
- Frequently change their IP addresses
View DDoS statistics
- In the StackPath Control Portal, in the left-side navigation, click Sites.
- Locate and select the desired site.
- This action will refresh the portal.
- In the left-side navigation, click Analytics.
- Click the WAF tab.
- In Web Application Firewall Events, select to display DDoS L7.
Update threshold values
You can use these instructions to update the threshold values for a specific site.
The default configuration is designed for medium-sized websites that receive approximately 500,000 request a month.
In general, StackPath recommends that you do not change these settings; however, based on your website's specific needs, you can customize these settings. For example, if your regular traffic is above 5000 requests per second or if you are expecting large increases in traffic from events, such as from marketing campaigns, then you can update the default values.
- In the StackPath Control Portal, in the left-side navigation, click Sites.
- Locate and select the desired site.
- This action will refresh the portal.
- In the left-side navigation, click WAF.
- Navigate to DDoS Configuration.
- For Global Threshold or Burst Threshold, click Edit, enter a value, and then click Save.