DDoS Protection on VergeCloud

DDoS Mitigation

Overview

VergeCloud’s DDoS protection ensures that your website remains secure from malicious or abusive traffic while maintaining a seamless, interruption-free experience for legitimate users. Using multi-layer filtering, intelligent traffic verification, customizable challenge modes, and firewall automation,
VergeCloud provides comprehensive protection with minimal friction.

VergeCloud defends your infrastructure by:
  1. Filtering malicious traffic across Layer 3/4 (network) and Layer 7 (application)
  2. Offering configurable challenge modes (Cookie, JS Challenge, Captcha)
  3. Supporting TTL configuration for challenge validity
  4. Allowing exclusions for trusted IPs, URLs, or services
  5. Enabling traffic analysis to identify attack patterns
  6. Providing granular firewall rules to block or challenge abusive IPs, fingerprints, or user agents 

Protection Level

Layer 3/4 Protection

Protects your website from volumetric and network-level attacks (SYN floods, UDP floods, amplifiation attacks).
Does not stop sophisticated Layer 7 bot traffic.

Layer 7 Protection

Targets advanced bots and application-layer attacks. VergeCloud offers 3 challenge modes:
Ensures the browser can accept/return cookies.
Stops simple bots.
Lightweight and user-friendly.

JS Challenge

Browser runs a small JavaScript file to validate itself.
Stops bots that cannot execute JS.
Ideal for preventing automated scraping or credential stuffing.

Captcha Challenge

Displays a Captcha (image or puzzle).
Highest verification level.
Best for login pages, checkout flows, or sensitive user actions.

TTL (Time-To-Live)



TTL determines how long a validated challenge remains trusted.
  1. Long TTL → Fewer repeated challenges, better UX
  2. Short TTL → Stronger security but more prompts
Example: If TTL = 30 minutes, a user who passes a challenge won’t be prompted again for the next 30 minutes. 

How to Implement an Effective DDoS Strategy

You don’t want to challenge every user only suspicious traffic.
Follow this progressive strategy:

A. Limit Abusive IP Addresses 

VergeCloud maintains lists of known abusive IP ranges (e.g., abuseip90to100).
Steps:
  1. Go to Security → Firewall → New Rule
  2. Set Field = IP Source Address
  3. Set Operator = From IP List
Use values:
  1. abuseip90to100
  2. abuseip80to90
  3. abuseip70to80
Choose Challenge or Block at the bottom.

B. Limit or Block Most Visited IPs

 
  1. Go to Analytics & Logs → Visited IPs Statistics
  2. Identify IPs generating unusually high traffic
  3. Click the Add Firewall Rule button next to the IP
  4. Apply Challenge or Block action

C. Block Bots Using User Agents or Headers

 
  1. Check your logs for repeated suspicious user-agent strings
  2. Create a firewall rule to Challenge or Block those agents
  3. Useful for automated crawlers and bad scrapers

D. Rate-Limit the Most Visited URLs 

  1. Go to Firewall → New Rule
  2. Select Field = URL and Operator = Equals/Matches
  3. Target URLs under heavy attack
  4. Apply Rate Limit, Challenge, or Block

E. Use JA3 Fingerprinting to Identify Bots

 
  1. Enable JA3 fingerprinting:
    SSL/TLS → Edge Servers → Enable JA3
  2. Download malicious JA3 fingerprints from:
    https://sslbl.abuse.ch/ja3-fingerprints/
  3. Add firewall rules based on JA3 fingerprint
    Block/challenge fingerprints associated with bot frameworks

F. If Attacks Persist — Enable General DDoS Mitigation

Go to your CDN service → DDoS Protection and activate the global protection mode.
You may enable Captcha for all visitors during severe attacks.

Exclusions

Use exclusions to prevent unnecessary challenges:

Supported Exclusions:
  1. Specific URLs or paths (supports glob patterns)
  2. Subnets or IP ranges (CIDR)
  3. Internal services (health checks, monitoring endpoints.

 

 

Disabling DDoS Protection for a Specific URL

  1. Open DDoS → Custom Rules
  2. Click New Rule
  3. Enter the URL path
  4. Set action to No Challenge

JavaScript / Fetch / XHR Considerations

If example.com loads JS that requests sub.example.com, you may need credential-included requests when challenges are active.

Fetch
fetch("https://sub.example.com", { credentials: 'include' });

XHR
let xhttp = new XMLHttpRequest();
xhttp.open("GET", "https://sub.example.com", true);
xhttp.withCredentials = true;
xhttp.send();

Ajax
$.ajax("https: //sub.example.com", { xhrFields: { withCredentials: true }});

CORS / Preflight Notes
If the subdomain does not need to return a response:
fetch("https://sub.example.com", {
  mode: 'no-cors',
  credentials: 'include'
});

Summary

VergeCloud’s DDoS protection provides:
  1. Multi-layer filtering (L3/4 + L7)
  2. Configurable protection modes
  3. Firewall-based bot mitigation (IP, UA, JA3, rate limits)
  4. Flexible TTL and Captcha options
  5. URL and IP exclusions
  6. Developer-friendly support for cross-domain requests
  7. By combining traffic analytics, firewall rules, and adaptive challenges, you can build a layered defense strategy that stops attackers while keeping your user experience intact.

    • Related Articles

    • Understanding VergeCloud’s DDoS Challenge Modes

      VergeCloud’s DDoS protection uses multiple layers of mitigation to protect against both network-level (Layer 3 & 4) and application-level (Layer 7) attacks. Each challenge mode handles threats differently. This guide explains each type to observe ...

    • Getting Started

      Overview Once you’ve created your VergeCloud account and signed in, you can proceed to set up your domain for CDN and security services. If you haven’t created an account yet, please start here: Account Creation and Sign In Guide The following steps ...

    • DNS Cloud Option

      Overview After migrating your website to VergeCloud and completing the necessary DNS configurations, you can view and manage DNS Records for your domain and its subdomains directly from the DNS Records section within the VergeCloud dashboard. This ...

    • Custom Error Pages

      Overview The Custom Pages feature in VergeCloud CDN allows you to personalize the experience your users see whenever your website encounters service interruptions, maintenance periods, or protective security challenges. Instead of showing default ...

    • Log Forwarder Setup Guide

      Log Forwarder Setup Guide The Log Forwarder feature in VergeCloud allows users to stream different types of logs to external systems like Kafka, S3, and Syslog. It provides visibility into HTTP requests, security events, DNS activity, and internal ...