DDoS Mitigation

DDoS protection at the network edge

Fastly’s high-bandwidth, globally distributed network is built to absorb DDoS attacks. Our entire network acts as a DDoS scrubbing center, so you don’t sacrifice performance for protection. We allow you to respond in real time, filtering malicious requests at the network edge before they get near your origin.

The edge network built to stop DDoS attacks

Protect your origin from volumetric attacks with our globally distributed network, which provides visibility at scale and insights into malicious traffic. Block bad traffic by updating security policies in seconds as you keep up with changing attack patterns.

Bandwidth that outstrips the largest attacks

As DDoS attacks continue to grow in size, so too should your protection. With 167+ Tbps of globally distributed network capacity, Fastly is built to absorb even the largest DDoS attacks. 

We filter malicious requests at the network edge, before they reach your origin, so you can focus on keeping your business running.

Visibility for better mitigation

HTTP(S) traffic can be hard to see at scale, especially when you are under attack. There can be a fine line between the thundering herd of a viral campaign, a DDoS attack or abusive bot behavior. Fastly’s real-time and flexible logging capabilities provide the insights you need to block attack traffic while letting legitimate users access your site.

Flexibility to keep up with evolving attacks

Many DDoS attacks evolve in real time to avoid blocking. Fastly’s edge cloud platform helps you stay ahead with the ability to update your security policies and push changes around the globe within seconds: our median deployment time is 13 seconds.

How it works

Network layer attacks

Fastly sees all bidirectional traffic (encrypted and unencrypted) between browsers and your web server. We automatically filter all non-HTTP/HTTPS traffic at our global nodes, blocking highly disruptive Layer 3 and Layer 4 attacks. We also protect against ping floods, ICMP floods, reflection/amplification attacks, transaction floods, resource exhaustion, and UDP abuse.

Application layer attacks

Fastly’s edge cache nodes act as enforcement points. Using Varnish Configuration Language (VCL), we apply rules to protect your network from complex Layer 7 attacks. We inspect entire HTTP/HTTPS requests and block based on client and request criteria, like headers, cookies, request path, and client IP, or indicators like geolocation. Our next-gen WAF (formerly Signal Sciences) can provide additional Layer 7 protection that can be deployed at the app or API origin server, complementing our built-in Layer 3 and 4 protection.

Full configurability

Our service is highly configurable: if you identify signs of a potential DDoS attack, you can use our configuration control panel or upload custom VCL to block certain URLs, client types, geographies, or types of requests. We also keep a history of previous configurations so you can quickly roll back changes if needed.

DDoS protection and mitigation service

Basic DDoS Protection is included for all Fastly delivery customers. Fastly also offers a 12-month DDoS Protection and Mitigation Service as an add-on to your Fastly edge cloud service.

Immediate onboarding

We’ll work together to immediately transition you to Fastly's CDN service if you're not already a customer.

Emergency configuration and deployment support

Fastly partners with you to configure your service map and provide an initial filter policy to immediately block an attack.

Ongoing attack mitigation support

Our team can create custom VCL filters to deal with changing attacks or new attacks, and isolate malicious traffic on your behalf.

Incident response plan

Fastly provides a plan that identifies how communication and escalation will occur between you, your staff, and Fastly if an attack occurs. The plan will also describe mitigation and defense details such as any DDoS filters that we can insert into VCL prior to or during an attack.

“Fastly’s DDoS mitigation capabilities allow us to quickly scale while remaining protected from a wide range of security threats.”
Tom Hayman
Head of Platform Engineering

DDoS mitigation and protection features

Access to Origin Shielding
Access to Fastly cache IP space
Custom DDoS filter creation abilities
Stop reflection and amplification (DRDoS)
Stop ping floods, ICMP floods, UDP abuse
Layer 3, 4 and 7 protection
