Application Layer (Layer 7) DDoS protection is one of the signature features of the StackPath WAF. Layer 7 attacks are often performed in bursts and are not always volumetric in nature. The StackPath WAF uses multiple techniques to detect and mitigate incoming attacks.
DDoS Detection Mechanisms
The DDoS detection mechanisms can be configured per site, and custom thresholds can be set based on a website's specific needs. The default configuration is aimed toward medium-sized websites (approximately 500k requests a month). In general, it is not recommended to change these settings, but in some cases it is required. Reasons for changing these settings include:
- Having regular traffic to your site that is above 5000 requests per second
- Expecting large increases in traffic from events (e.g., marketing campaigns)
DDoS mode will be activated if any one of the three conditions below is met:
1. Domain threshold
This mechanism has a DDoS threshold of 1500 requests per 10 seconds, AND the traffic must be at least 2X the last count. When the threshold is met, DDoS mode will be activated.
This mechanism is responsible for identifying DDoS attacks whose traffic pattern consists of a slow rise in traffic over a period of time.
2. Burst Threshold
This mechanism has a DDoS threshold of 1000 requests per 2 seconds, AND the traffic must be at least 5X the last count. When the threshold is met, DDoS mode will be activated.
This mechanism is responsible for identifying sudden bursts in traffic.
3. Sub Second Threshold
This mechanism has a DDoS threshold of 50 requests per 100 milliseconds. When the threshold is met, DDoS mode will activate only on the WAF server that the traffic went through, whereas the other mechanisms activate DDoS mode for the entire WAF cluster.
This mechanism is responsible for protecting against attacks that start with a burst and provides an extra layer of protection before the first 2 mechanisms kick in.
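The three conditions above can be replayed against request timestamps from your own access logs to see which one a given traffic pattern would trip and how soon. The Python below is an added example, not StackPath's implementation, and its function and variable names are illustrative. It assumes fixed windows aligned to t=0, that "the last count" is the previous window's count, and that the first observed window has no baseline.

```python
from collections import Counter

# Thresholds stated on this page: window (ms), request count, growth factor.
RULES = {
    "domain": (10_000, 1500, 2),       # whole cluster, slow rise
    "burst": (2_000, 1000, 5),         # whole cluster, sudden burst
    "sub_second": (100, 50, None),     # single WAF server, no growth condition
}

def spread(start_ms, end_ms, n):
    """Constructed sample data: n request timestamps spread evenly over [start, end)."""
    return [start_ms + i * (end_ms - start_ms) // n for i in range(n)]

def triggered(timestamps_ms):
    """Map each tripped rule to the end (ms) of the first window that trips it.

    Assumptions, not stated on the page: windows are fixed and aligned to t=0,
    "last count" is the count in the previous window, a threshold is met at >=,
    and the first observed window has no baseline so growth rules skip it.
    """
    hits = {}
    for name, (window_ms, limit, factor) in RULES.items():
        counts = Counter(t // window_ms for t in timestamps_ms)
        first = min(counts, default=0)
        for idx in sorted(counts):
            if factor is not None and idx == first:
                continue
            n, prev = counts[idx], counts.get(idx - 1, 0)
            if n >= limit and (factor is None or n >= factor * prev):
                hits[name] = (idx + 1) * window_ms
                break
    return hits

# Constructed traffic profiles (timestamps in ms, as seen by one WAF server).
steady = spread(0, 30_000, 6000)                          # flat 200 req/s
ramp = spread(0, 10_000, 600) + spread(10_000, 20_000, 1600)
burst = spread(0, 2_000, 100) + spread(2_000, 4_000, 1200)

if __name__ == "__main__":
    for label, traffic in [("steady", steady), ("ramp", ramp), ("burst", burst)]:
        print(label, triggered(traffic))
```

In the burst profile the sub-second rule can be decided 100 ms into the burst, well before the 2-second window closes, which is the extra early layer the third mechanism describes. The steady profile exceeds 1500 requests per 10 seconds but never doubles, so no rule trips.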
What happens when DDoS mode is activated?
Who Gets Blocked When DDoS Mode is Activated?
Any automated application layer traffic will be blocked during a DDoS attack. The only exception is large search engines like Google, Bing, etc., which will be allowed to access the site. All other tools will be blocked.
StackPath's bot-detection technology blocks bots with an extremely high degree of accuracy:
• Bots that share IP addresses with human users are blocked, while legitimate users keep unrestricted access.
• StackPath's bot detection also catches bots that frequently change their IP addresses; they are tracked down and blocked consistently.
How Long Does DDoS Mode Last?
When DDoS mode is activated, it will remain active for a minimum duration of 10 minutes and then for the duration of the rest of the attack.
DDoS statistics will be available on the WAF overview page.
Specific event details for DDoS (details about the blocked requests) are not yet available but are on the roadmap to be added in the future.
StackPath support is available 24/7 through live chat, if you have any questions.