Overview
The StackPath WAF offers protection against Application Layer (Layer 7) DDoS. Layer 7 attacks are often performed in bursts and are not always volumetric in nature.
The WAF uses multiple techniques to detect and mitigate incoming attacks. This protection is always active, even if the WAF is in Monitor mode.
WAF Professional and WAF Enterprise customers may contact support to review and adjust these thresholds. The default thresholds cannot be adjusted for WAF Essentials customers.
DDoS Mode Explained
DDoS mode will activate if any of the following three conditions are met:
Condition type | Description | Values |
Global threshold |
This mechanism identifies a slow rise in traffic over a period of time. This mechanism is responsible for identifying DDoS attacks whose traffic patterns consist of a slow rise in traffic over a set period of time. If the customizable threshold value is met AND if the current number of requests is at least two times (2X) the previous 10-second window, then the DDoS mode will be activated. |
Default
Minimum
Maximum
|
Burst threshold |
This mechanism identifies sudden bursts in traffic. If the customizable threshold value is met AND the number of requests is at least five times (5X) the last 2-second interval, then the DDoS mode will activate. |
Default
Minimum
Maximum
|
Sub second threshold |
This threshold protects WAF servers against attacks from traffic bursts. When this threshold is reached, the DDoS mode will activate on the affected WAF server (not the WAF cluster). |
Default
|
When DDoS mode is activated:
- Every request will be challenged with a JavaScript validation.
- The JavaScript Challenge detects if a valid user is making the request, and not an automated tool. Once passed, the user will not have to pass the challenge on future requests.
- The mode will be active for a minimum duration of 10 minutes and then for the duration of the attack.
- Any automated layer traffic will be blocked.
- This action will not take place against large search engines (Google, Bing, etc.).
- StackPath's bot-detection technology will block bots that:
- Share IP addresses with human users
- Frequently change their IP addresses
View DDoS Statistics
- In the StackPath Control Portal, in the left-side navigation, click Sites.
- Locate and select the desired site.
- In the left-side navigation, click Analytics.
- Click the WAF tab.
- Under Web Application Firewall Requests, mark DDoS L7 - Blocked to display DDoS data in the graph.