API
The Gcore Customer Portal is being updated. Screenshots may not show the current version.
WAAP
WAAP
About WAAPBilling
Configure WAAP for a domainWAAP modesManage domains protected with WAAP
Protocol validationWAF and OWASP top threatsIP reputationBehavioral WAFAnti-automation and bot protectionCMS protectionCommon automated servicesAdvanced API protection
Allow and block IP addresses in firewall
API discoveryConfigure API access with reserved tagsManually add endpoints to API base path
Advanced rate limiting rulesAdvanced rule objects and attributesSource field objects
Create and manage custom rules
Reserved tagsPredefined tags
Create custom response pagesManage custom response pages
How does WAAP JavaScript injection work?What cookies are used by WAAP?What storage variables does WAAP use?
Enable and troubleshoot bot protectionTroubleshoot blocked usersTroubleshoot 5xx errors
API
Chosen image
Home/WAAP/L7 DDoS protection

L7 DDoS protection

We offer protection for your web applications, websites, and APIs from DDoS attacks at the application layer (layer 7) in the OSI model. These attacks are often performed in bursts and aren’t always volumetric in nature.

DDoS protection is always enabled, even if WAAP is in monitor mode. Once a DDoS attack is identified, the system activates a DDoS mode.

The DDoS attack statistics and other related data are available on the DDoS attacks analytics page.

When DDoS mode is activated

DDoS mode is activated if any of the following conditions are met.

Condition Description Threshold values
Global threshold This mechanism identifies DDoS attacks whose traffic patterns consist of a slow rise in traffic over a set period of time.

DDoS mode is activated when the customizable threshold value is met, AND the current number of requests is at least two times (2X) the previous 10-second window.
    Default:
  • This mechanism has a default DDoS threshold of 5000 requests per 10 seconds.
    Minimum:
  • This mechanism has a minimum DDoS threshold of 250 requests per 10 seconds.
    Maximum:
  • This mechanism has a maximum threshold of 10,000 requests per 10 seconds.
Burst threshold This mechanism identifies sudden bursts in traffic.

DDoS mode is activated when the customizable threshold value is met, AND the number of requests is at least five times (5X) the last 2-second interval.
    Default:
  • This mechanism has a default value of 500 requests per 2 seconds.
    Minimum:
  • This mechanism has a minimum DDoS threshold of 30 requests per 2 seconds.
    Maximum:
  • This mechanism has a maximum threshold of 1,000 requests per 2 seconds.
Sub-second threshold This threshold protects the origin servers against attacks from traffic bursts.

When this threshold is reached, the DDoS mode will activate on the affected origin server (not the WAAP cluster).

This mechanism can mitigate bursts of requests without activating DDoS mode when other threshold conditions aren't met. Mitigated requests are counted as DDoS L7 - Blocked on the Web Application Firewall Requests analytics graph, and they won't appear on the DDoS attacks over time graph.
    Default:
  • This mechanism has a default value of 50 seconds.

If you’re using WAAP Pro or Enterprise plan, you can adjust the threshold values. Contact our support team for assistance.

What happens when DDoS mode is activated

  • Every request is challenged with JavaScript validation. This challenge detects if a valid user and not an automated tool is making the request. If a user passes the validation, they will not be challenged on future requests.

  • DDoS mode will be active for a minimum duration of 10 minutes and then for the duration of the attack.

  • Any automated layer traffic is blocked. This action won’t be applied to large search engines, such as Google or Bing.

  • WAAP’s bot-detection technology will block bots that share IP addresses with human users or frequently change their IP addresses.

  • WAAP DDoS protection uses an AI-driven IP filtering profiler that analyzes daily traffic patterns from known users. This helps the system distinguish normal traffic from traffic that might be part of a DDoS attack.

Was this article helpful?

Edit on GitHub