Understanding VergeCloud’s DDoS Challenge Modes


VergeCloud’s DDoS protection uses multiple layers of mitigation to protect against both network-level (Layer 3 & 4) and application-level (Layer 7) attacks. Each challenge mode handles threats differently. This guide describes each mode and the behavior you can expect to observe from it.



No Challenge Mode (L3/L4 Protection Only)

What It Is:  

This mode protects your applications against network-layer attacks such as:

  • TCP SYN floods

  • UDP floods

  • ICMP/volumetric attacks

  • IP spoofing

Protection is applied at the edge without introducing any delays or browser-level checks.

How VergeCloud Does It Using Anycast:  

When you enable No Challenge Mode, your domain is pointed to a VergeCloud Anycast IP address. This IP is globally advertised by multiple edge locations in our network.

Anycast ensures that all traffic — including attack traffic — is routed to the nearest VergeCloud edge.

Here’s what happens next:

  1. The VergeCloud edge node receives and inspects traffic before forwarding it to your origin server.

  2. If the system detects Layer 3 or Layer 4 anomalies (e.g., floods, spoofed IPs, malformed packets), it:

    • Drops the packets immediately at the edge.

    • Optionally rate-limits the traffic source.

    • Logs the event for your visibility.

  3. Clean traffic is passed through without requiring cookies, JavaScript, or CAPTCHA challenges — making this mode fully transparent to human users and API clients.

This Anycast-based architecture distributes traffic globally, preventing attackers from overwhelming a single point in your infrastructure.

Cookie Challenge

What it is:  

  • Blocks bots by setting and validating a cookie on the client.

  • Legitimate browsers pass; headless tools or bots without cookie support are blocked.
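A minimal sketch of how an edge can set and validate a challenge cookie without keeping per-client state, added here as an illustration; it is not VergeCloud's implementation. The cookie name, secret, lifetime, and the binding to client IP and User-Agent are all assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: per-deployment edge secret
COOKIE_NAME = "edge_chal"          # hypothetical cookie name
TTL = 300                          # assumption: token lifetime in seconds


def _mac(expiry: int, client_ip: str, user_agent: str) -> str:
    """HMAC-SHA256 over the expiry and the client attributes the token is bound to."""
    msg = f"{expiry}|{client_ip}|{user_agent}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(client_ip: str, user_agent: str, now: int) -> str:
    """Build an 'expiry.mac' token for this client."""
    expiry = now + TTL
    return f"{expiry}.{_mac(expiry, client_ip, user_agent)}"


def verify_token(token: str, client_ip: str, user_agent: str, now: int) -> bool:
    """Accept only an unexpired token whose MAC matches this client."""
    try:
        expiry_s, mac = token.split(".", 1)
        expiry = int(expiry_s)
    except ValueError:
        return False                       # malformed token
    if expiry < now:
        return False                       # expired
    expected = _mac(expiry, client_ip, user_agent)
    # Constant-time comparison so the check does not leak MAC bytes via timing.
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_request(cookies: dict, client_ip: str, user_agent: str, now=None):
    """Return (status, headers): 200 means forward to origin, 307 means challenge."""
    now = int(time.time()) if now is None else now
    token = cookies.get(COOKIE_NAME)
    if token and verify_token(token, client_ip, user_agent, now):
        return 200, {}
    # Missing, invalid or expired cookie: set a fresh one and make the client retry.
    # A client that never returns the cookie stays in this branch on every request.
    fresh = issue_token(client_ip, user_agent, now)
    return 307, {
        "Set-Cookie": f"{COOKIE_NAME}={fresh}; Max-Age={TTL}; Path=/; HttpOnly; Secure",
        "Location": "/",   # a real edge would redirect to the originally requested URL
    }
```

Because the token is bound to the client attributes and carries its own expiry, a cookie copied to another source address or replayed after the lifetime fails validation and triggers a new challenge.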


JavaScript Challenge  

What it is:  

  • Sends a JS-based challenge that the browser must solve (often a dynamic math or timing check).

  • Defeats bots that don’t execute JavaScript.


Captcha Challenge  

What it is:  

  • Forces users to solve a CAPTCHA (e.g., Google reCAPTCHA or VergeCloud native) to proceed.

  • Blocks even advanced bots and requires human interaction.


Conclusion

By understanding how each mode works, you can ensure that VergeCloud is not only active but also effectively protecting your infrastructure in real time.

Choose the right challenge level for your use case, and combine it with monitoring and analytics to stay one step ahead of DDoS threats.

 

 

 
