Understanding VergeCloud’s DDoS Challenge Modes
Understanding VergeCloud’s DDoS Challenge Modes
VergeCloud’s DDoS protection uses multiple layers of mitigation to protect against both network-level (Layer 3 & 4) and application-level (Layer 7) attacks. Each challenge mode handles threats differently. This guide explains each type to observe their behavior.
No Challenge Mode (L3/L4 Protection Only)
What It Is:
This mode protects your applications against network-layer attacks such as:
TCP SYN floods
UDP floods
ICMP/volumetric attacks
IP spoofing
Protection is applied at the edge without introducing any delays or browser-level checks.
How VergeCloud Does It Using Anycast:
When you enable No Challenge Mode, your domain is pointed to a VergeCloud Anycast IP address. This IP is globally advertised by multiple edge locations in our network.
Anycast ensures that all traffic — including attack traffic — is routed to the nearest VergeCloud edge.
Here’s what happens next:
The VergeCloud edge node receives and inspects traffic before forwarding it to your origin server.
If the system detects Layer 3 or Layer 4 anomalies (e.g., floods, spoofed IPs, malformed packets), it:
Drops the packets immediately at the edge.
Optionally rate-limits the traffic source.
Logs the event for your visibility.
Clean traffic is passed through without requiring cookies, JavaScript, or CAPTCHA challenges — making this mode fully transparent to human users and API clients.
This Anycast-based architecture distributes traffic globally, preventing attackers from overwhelming a single point in your infrastructure.
Cookie Challenge
What it is:
Blocks bots by setting and validating a cookie on the client.
Legitimate browsers pass; headless tools or bots without cookie support are blocked.
Screenshot
JavaScript Challenge
What it is:
Sends a JS-based challenge that the browser must solve (often a dynamic math or timing check).
Defeats bots that don’t execute JavaScript.
Screenshot
Captcha Challenge
What it is:
Forces users to solve a CAPTCHA (e.g., Google reCAPTCHA or VergeCloud native) to proceed.
Blocks even advanced bots and requires human interaction.
Screenshot
Conclusion
By understanding how each mode works, you can ensure that VergeCloud is not only active but also effectively protecting your infrastructure in real time.
Choose the right challenge level for your use case, and combine it with monitoring and analytics to stay one step ahead of DDoS threats.
Related Articles
DDoS
DDoS Protection on VergeCloud VergeCloud’s DDoS protection ensures that your website remains secure from malicious traffic while maintaining a seamless experience for legitimate users. With advanced filtering at multiple layers, customizable options, ...How to Whitelist VergeCloud’s IP Addresses in Your Firewall
Why You Need Whitelist VergeCloud’s IP Addresses in Your Firewall To ensure smooth and uninterrupted communication between VergeCloud’s edge servers and your main host server, it's crucial to whitelist VergeCloud’s IP addresses in your firewall ...VergeCloud HTTP Headers
Headers Sent by CDN to User and Origin Server When a website utilizes VergeCloud CDN, visitor requests are directed to VergeCloud CDN servers rather than the original server that hosts the site. In reply to these requests, the CDN edge server ...Steps to Activate Cloud Icon for VergeCloud
Checks Before Activating Cloud Icon For Domain Once you've transferred your website to VergeCloud and updated your DNS settings, there are a few steps to complete before activating the Cloud icon for the records in the VergeCloud user panel. These ...Essential Steps Before Changing Nameservers to VergeCloud
Considerations Verify A Records and Their IP Addresses: After registering your domain in the VergeCloud User Panel, the first action is to confirm that the A records have been transferred correctly and that the associated IP address is accurate. ...