Understanding VergeCloud’s DDoS Challenge Modes


VergeCloud’s DDoS protection uses multiple layers of mitigation to protect against both network-level (Layer 3 & 4) and application-level (Layer 7) attacks. Each challenge mode handles threats differently. This guide explains each mode and how it behaves.

No Challenge Mode (L3/L4 Protection Only)

What It Is:  

This mode protects your applications against network-layer attacks such as:

  • TCP SYN floods

  • UDP floods

  • ICMP/volumetric attacks

  • IP spoofing

Protection is applied at the edge without introducing any delays or browser-level checks. 

How VergeCloud Does It Using Anycast:  

When you enable No Challenge Mode, your domain is pointed to a VergeCloud Anycast IP address. This IP is globally advertised by multiple edge locations in our network.

Anycast ensures that all traffic — including attack traffic — is routed to the nearest VergeCloud edge.

Here’s what happens next:

  1. The VergeCloud edge node receives and inspects traffic before forwarding it to your origin server.

  2. If the system detects Layer 3 or Layer 4 anomalies (e.g., floods, spoofed IPs, malformed packets), it:

    • Drops the packets immediately at the edge.

    • Optionally rate-limits the traffic source.

    • Logs the event for your visibility.

  3. Clean traffic is passed through without requiring cookies, JavaScript, or CAPTCHA challenges, making this mode fully transparent to human users and API clients.

This Anycast-based architecture distributes traffic globally, preventing attackers from overwhelming a single point in your infrastructure.

Cookie Challenge

What it is:  

  • Blocks bots by setting and validating a cookie on the client.

  • Legitimate browsers pass; headless tools or bots without cookie support are blocked.
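A minimal sketch of how a cookie challenge of this kind can work at an edge proxy, added here as an illustration and not VergeCloud's implementation. The cookie name, signing key, TTL, redirect status and the binding to client IP and User-Agent are all assumptions.

```python
import hashlib
import hmac
import time

# All names and values below are assumptions for illustration.
SECRET = b"constructed-demo-key"   # per-deployment signing key
COOKIE_NAME = "edge_challenge"     # hypothetical cookie name
TTL = 300                          # seconds a passed challenge stays valid


def _sign(expires, client_ip, user_agent):
    msg = f"{expires}|{client_ip}|{user_agent}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(client_ip, user_agent, now):
    """Build a stateless token: expiry plus a MAC binding it to the client."""
    expires = int(now) + TTL
    return f"{expires}.{_sign(expires, client_ip, user_agent)}"


def validate_cookie(token, client_ip, user_agent, now):
    """Accept only an unexpired token whose MAC matches this client."""
    try:
        expires_text, mac = token.split(".", 1)
        expires = int(expires_text)
    except (AttributeError, ValueError):
        return False                      # missing or malformed cookie
    if expires < now:
        return False                      # expired: client is challenged again
    expected = _sign(expires, client_ip, user_agent)
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_request(path, cookies, client_ip, user_agent, now=None):
    """Return (status, headers) the edge would answer with."""
    now = time.time() if now is None else now
    if validate_cookie(cookies.get(COOKIE_NAME), client_ip, user_agent, now):
        return 200, {}                    # valid cookie: forward to origin
    token = issue_cookie(client_ip, user_agent, now)
    # A client that stores cookies and follows the redirect returns with the token.
    return 307, {
        "Set-Cookie": f"{COOKIE_NAME}={token}; Max-Age={TTL}; Path=/; HttpOnly; Secure",
        "Location": path,
    }
```

Binding the token to the client IP means a legitimate user whose address changes mid-session is challenged again, which is worth weighing for mobile or carrier-NAT traffic.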


JavaScript Challenge  

What it is:  

  • Sends a JS-based challenge that the browser must solve (often a dynamic math or timing check).

  • Defeats bots that don’t execute JavaScript.


Captcha Challenge  

What it is:  

  • Forces users to solve a CAPTCHA (e.g., Google reCAPTCHA or VergeCloud native) to proceed.

  • Blocks even advanced bots and requires human interaction.

 


Conclusion

By understanding how each mode works, you can ensure that VergeCloud is not only active but also effectively protecting your infrastructure in real time.

Choose the right challenge level for your use case, and combine it with monitoring and analytics to stay one step ahead of DDoS threats.
