Guide to DDoS Mitigation with VergeCloud for Websites

VergeCloud DDoS Mitigation: A Practical How-To Guide

VergeCloud’s advanced DDoS mitigation ensures that your website remains secure from malicious or abusive traffic while maintaining a seamless, interruption-free experience for legitimate users. Using multi-layer filtering, intelligent traffic verification, customizable challenge modes, and firewall automation, VergeCloud delivers strong protection with minimal friction, even during high-volume or sophisticated attacks.

VergeCloud defends your infrastructure by:

  1. Filtering malicious traffic across Layer 3/4 (network) and Layer 7 (application)
  2. Offering configurable challenge modes (Cookie, JS Challenge, Captcha)
  3. Supporting TTL configuration for challenge validity
  4. Allowing exclusions for trusted IPs, URLs, or services
  5. Enabling traffic analysis to identify attack patterns
  6. Providing granular firewall rules to block or challenge abusive IPs, fingerprints, or user agents

How VergeCloud Protects Your Site at Every Layer

DDoS Protection

Layer 7 Protection

Targets advanced bots and application-layer attacks that attempt to mimic legitimate user behavior. VergeCloud offers three challenge modes:

  1. Ensures the browser can accept and return cookies
  2. Stops simple bots
  3. Lightweight and user-friendly

JS Challenge

  1. Requires the browser to execute a small JavaScript file for validation
  2. Stops bots that cannot execute JavaScript
  3. Ideal for preventing automated scraping or credential stuffing

Captcha Challenge

  1. Displays an image- or puzzle-based Captcha
  2. Provides the highest verification level
  3. Best suited for login pages, checkout flows, or sensitive user actions

How TTL Affects DDoS Challenge Validity

TTL

TTL (Time-To-Live) determines how long a successfully validated challenge remains trusted.

  • Long TTL results in fewer repeated challenges and a better user experience

  • Short TTL provides stronger security but may introduce more frequent prompts

For example, if TTL is set to 30 minutes, a user who passes a challenge will not be prompted again for the next 30 minutes.

How to Implement an Effective DDoS Strategy

You should avoid challenging every user and instead focus on suspicious or abusive traffic. A progressive strategy helps balance security and usability.

A. Limit Abusive IP Addresses 

VergeCloud maintains lists of known abusive IP ranges (e.g., abuseip90to100).
Steps:
  1. Go to Security → Firewall → New Rule
  2. Set Field = IP Source Address
  3. Set Operator = From IP List
Use values:
  1. abuseip90to100
  2. abuseip80to90
  3. abuseip70to80
Choose Challenge or Block at the bottom.

B. Limit or Block Most Visited IPs

 Visited IPs Statistics
  1. Go to Analytics & Logs → Visited IPs Statistics
  2. Identify IPs generating unusually high traffic
  3. Click the Add Firewall Rule button next to the IP
  4. Apply Challenge or Block action

C. Block Bots Using User Agents or Headers

How to add firewall rule 
  1. Review logs for repeated suspicious user-agent strings
  2. Create firewall rules to challenge or block those agents
  3. Particularly effective against automated crawlers and scrapers

D. Rate-Limit the Most Visited URLs 

  1. Go to Firewall → New Rule
  2. Select Field = URL and Operator = Equals/Matches
  3. Target URLs under heavy attack
  4. Apply Rate Limit, Challenge, or Block

E. Use JA3 Fingerprinting to Identify Bots

Activate JA3 Fingerprint 
  1. Enable JA3 fingerprinting:
    SSL/TLS → Edge Servers → Enable JA3
  2. Download malicious JA3 fingerprints from:
    https://sslbl.abuse.ch/ja3-fingerprints/
  3. Add firewall rules based on JA3 fingerprint
    Block/challenge fingerprints associated with bot frameworks

F. If Attacks Persist — Enable General DDoS Mitigation

Go to your CDN service → DDoS Protection and activate the global protection mode.
You may enable Captcha for all visitors during severe attacks.

Using Exclusions to Avoid Unnecessary Challenges

Use exclusions to prevent unnecessary challenges:

Supported Exclusions:
  1. Specific URLs or paths (supports glob patterns)
  2. Subnets or IP ranges (CIDR)
  3. Internal services (health checks, monitoring endpoints.

Bypass Ddos Protection
  

Disabling DDoS Protection for a Specific URL

  1. Open DDoS → Custom Rules
  2. Click New Rule
  3. Enter the URL path
  4. Set action to No Challenge

Best Practices for JS and XHR Under DDoS Mitigation

If example.com loads JavaScript that makes requests to sub.example.com, credential-included requests may be required when challenges are active.

Fetch example: fetch("https://sub.example.com", { credentials: 'include' });

XHR example: let xhttp = new XMLHttpRequest(); xhttp.open("GET", "https://sub.example.com", true); xhttp.withCredentials = true; xhttp.send();

Ajax example: $.ajax("https://sub.example.com", { xhrFields: { withCredentials: true }});

CORS and Preflight Notes

If the subdomain does not need to return a response:

fetch("https://sub.example.com", { mode: 'no-cors', credentials: 'include' });

Note on images: Any images included in this article should use clear, descriptive alt text to ensure accessibility and improve clarity for all users.

Summary

VergeCloud’s DDoS protection offers multi-layer filtering across L3/4 and L7, configurable challenge modes, firewall-based bot mitigation using IPs, user agents, JA3 fingerprints, and rate limits, along with flexible TTL controls and exclusion rules. Built into a secure CDN, this approach allows you to stop attackers effectively while preserving a smooth experience for legitimate users. By combining traffic analytics, adaptive challenges, and precise firewall controls, you can maintain availability even under sustained attack conditions.

    • Related Articles

    • VergeCloud Page Rules: A Practical Guide to Fine-Tuning Your Site

      VergeCloud Page Rules allow you to customize and fine-tune how your domain behaves within the VergeCloud secure CDN ecosystem. They give you granular control over performance, security, caching, redirects, and request handling at the edge. Instead of ...

    • VergeCloud Firewall: A Step-by-Step Configuration Guide

      The VergeCloud Firewall provides granular control over the HTTP(S) traffic flowing to your website or application. Serving as an intelligent security layer at the edge, it allows you to filter requests, protect critical endpoints, block malicious ...

    • Log Forwarder Setup Guide

      The Log Forwarder feature in VergeCloud allows users to stream different types of logs to external systems like Kafka, S3, and Syslog. It provides visibility into HTTP requests, security events, DNS activity, and internal platform operations. Use ...

    • Known Crawler Whitelisting in VergeCloud

      Overview Automated bots often referred to as crawlers or spiders are programs that systematically browse the web. Search engines, analytics platforms, AI services, and other online tools rely on these bots to index content, collect website ...

    • Essential Steps Before Changing Nameservers to VergeCloud

      Overview When you add a new domain to the VergeCloud User Panel, one of the first and most important tasks is confirming that your DNS settings are correct. Proper DNS management determines whether your website loads, whether email services function, ...