We offer protection for your web applications, websites, and APIs from DDoS attacks at the application layer (layer 7) in the OSI model. These attacks are often performed in bursts and aren’t always volumetric in nature.
DDoS protection is always enabled, even if WAAP is in monitor mode. Once a DDoS attack is identified, the system activates a DDoS mode.
The DDoS attack statistics and other related data are available on the DDoS attacks analytics page.
DDoS mode is activated if any of the following conditions are met.
Condition | Description | Threshold values |
---|---|---|
Global threshold | This mechanism identifies DDoS attacks whose traffic patterns consist of a slow rise in traffic over a set period of time. DDoS mode is activated when the customizable threshold value is met, AND the current number of requests is at least two times (2X) the previous 10-second window. |
|
Burst threshold | This mechanism identifies sudden bursts in traffic. DDoS mode is activated when the customizable threshold value is met, AND the number of requests is at least five times (5X) the last 2-second interval. |
|
Sub-second threshold | This threshold protects the origin servers against attacks from traffic bursts. When this threshold is reached, the DDoS mode will activate on the affected origin server (not the WAAP cluster). This mechanism can mitigate bursts of requests without activating DDoS mode when other threshold conditions aren't met. Mitigated requests are counted as DDoS L7 - Blocked on the Web Application Firewall Requests analytics graph, and they won't appear on the DDoS attacks over time graph. |
|
If you’re using WAAP Pro or Enterprise plan, you can adjust the threshold values. Contact our support team for assistance.
Every request is challenged with JavaScript validation. This challenge detects if a valid user and not an automated tool is making the request. If a user passes the validation, they will not be challenged on future requests.
DDoS mode will be active for a minimum duration of 10 minutes and then for the duration of the attack.
Any automated layer traffic is blocked. This action won’t be applied to large search engines, such as Google or Bing.
WAAP’s bot-detection technology will block bots that share IP addresses with human users or frequently change their IP addresses.
WAAP DDoS protection uses an AI-driven IP filtering profiler that analyzes daily traffic patterns from known users. This helps the system distinguish normal traffic from traffic that might be part of a DDoS attack.
Was this article helpful?