Help Center

  1. StackPath Help
  2. WAF
  3. WAF Features

L7 DDoS Protection

Avatar
Permanently deleted user
Updated:

Overview

The StackPath WAF offers protection against Application Layer (Layer 7) DDoS. Layer 7 attacks are often performed in bursts and are not always volumetric in nature.

The WAF uses multiple techniques to detect and mitigate incoming attacks. This protection is always active, even if the WAF is in Monitor mode.

WAF Professional and WAF Enterprise customers may contact support to review and adjust these thresholds. The default thresholds cannot be adjusted for WAF Essentials customers.

DDoS Mode Explained

DDoS mode will activate if any of the following three conditions are met:

Condition type Description Values
Global threshold

This mechanism identifies a slow rise in traffic over a period of time.

This mechanism is responsible for identifying DDoS attacks whose traffic patterns consist of a slow rise in traffic over a set period of time.

If the customizable threshold value is met AND if the current number of requests is at least two times (2X) the previous 10-second window, then the DDoS mode will be activated.

Default

  • This mechanism has a default DDoS threshold of 5000 requests per 10 seconds.

Minimum

  • This mechanism has a minimum DDoS threshold of 250 requests per 10 seconds.

Maximum

  • This mechanism has a maximum threshold of 10,000 requests per 10 seconds.
Burst threshold

This mechanism identifies sudden bursts in traffic.

If the customizable threshold value is met AND the number of requests is at least five times (5X) the last 2-second interval, then the DDoS mode will activate.

Default

  • This mechanism has a default value of 500 request per 2 seconds.

Minimum

  • This mechanism has a minimum DDoS threshold of 30 requests per 2 seconds.

Maximum

  • This mechanism has a maximum threshold of 1,000 requests per 2 seconds.
Sub second threshold

This threshold protects WAF servers against attacks from traffic bursts.

When this threshold is reached, the DDoS mode will activate on the affected WAF server (not the WAF cluster).

Default

  • This mechanism has a default value of 50 seconds.
  • By default, StackPath maintains this threshold.

When DDoS mode is activated:

  • Every request will be challenged with a JavaScript validation.
    • The JavaScript Challenge detects if a valid user is making the request, and not an automated tool. Once passed, the user will not have to pass the challenge on future requests.
  • The mode will be active for a minimum duration of 10 minutes and then for the duration of the attack.
  • Any automated layer traffic will be blocked.
    • This action will not take place against large search engines (Google, Bing, etc.).
  • StackPath's bot-detection technology will block bots that:
    • Share IP addresses with human users
    • Frequently change their IP addresses

View DDoS Statistics

  1. In the StackPath Control Portal, in the left-side navigation, click Sites.
  2. Locate and select the desired site.
  3. In the left-side navigation, click Analytics.
  4. Click the WAF tab.
  5. Under Web Application Firewall Requests, mark DDoS L7 - Blocked to display DDoS data in the graph.
Was this article helpful?

Related articles

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Contact Us