How to Configure DDoS Mitigation on VergeCloud for Website Protection

DDoS Mitigation

VergeCloud DDoS Protection

VergeCloud offers robust protection against DDoS attacks, designed in four stages to safeguard your website from malicious intrusions. This guide will help you understand how to implement and manage DDoS protection effectively through the VergeCloud dashboard and API.

Glossary Before Configuration

  • DDoS: Distributed Denial of Service; an attempt to make a machine or network resource unavailable to its intended users by overwhelming it with traffic.
  • Layer 3/4 Attacks: Network-layer attacks that target the infrastructure of a network, disrupting data flow.
  • Layer 7 Attacks: Application-layer attacks that aim to exploit vulnerabilities in web applications.
  • Cookie Challenge: A method used to verify users by requiring a browser cookie to be sent back with requests.
  • Captcha: A security measure that requires users to perform a task to verify they are human.

Protection Levels

Layer 3/4 Protection

VergeCloud’s fundamental DDoS protection safeguards your website against all Layer 3/4 attacks, although it does not cover the more complex Layer 7 attacks.

Layer 7 Protection

This protection operates at the application layer and includes three distinct levels:
  • Cookie Challenge: When enabled, VergeCloud sends a cookie to the user’s browser. The browser must return the cookie in subsequent requests. This helps to identify and block simple bots.
  • JS Challenge: This method sends a JavaScript file to the user's browser, requiring it to perform an encryption operation to confirm its legitimacy.
  • Captcha Challenge: This advanced challenge displays a Captcha to the user, ensuring that no load is placed on your server during traffic processing.

How to Implement a DDoS Strategy

You don't want all of your users to see a challenge when they access your website, so start with targeted measures:
A- Limit the Abused IP Addresses
B- Limit or block most visited IPs
C- Use headers or user agents to block bots
D- Use rate limiting for most visited URLs
E- Use JA3 fingerprinting to recognize bots
F- If none of the above solves your problem, turn on general DDoS mitigation

A- Limit the Abused IP Addresses

The first strategy is to limit the access of abused IP addresses to your website. These are addresses we have collected over time that were involved in DDoS attacks.
1- Go to Security -> Firewall in the left menu and click New Rule.
2- After entering a name and description, select Field = IP Source Address, Operator = From IP List, and Value = abuseip90to100.
3- Select the OR operator and fill two more rows with abuseip80to90 and abuseip70to80.
4- At the bottom of the page, select Challenge or Block.

B- Limit or block most visited IPs

You can find the most visited IPs in the left menu under Analytics & Logs -> Visited IPs Statistics.

Next to each row there is a button to add a firewall rule for that IP.



C- Use headers or user agents to block bots

Add a firewall rule to challenge every incoming connection that uses the most repeated user agents in your logs.


D- Use rate limiting for most visited URLs

Add a firewall rule to challenge every incoming connection to the most repeated URL in your logs.
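
Steps B, C and D all depend on knowing which IPs, user agents and URLs dominate your traffic. The script below is an added example, not VergeCloud code: it ranks those three fields from an access log and lists the values that exceed a share of all requests. The combined log format, the 40% threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed input: combined log format. Adjust the regex to your own log export.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def _line(ip, url, ua):
    return (f'{ip} - - [10/May/2024:10:00:00 +0000] '
            f'"GET {url} HTTP/1.1" 200 512 "-" "{ua}"')

# Constructed sample traffic (documentation IP ranges, not real data).
BOT, BROWSER = "python-requests/2.31", "Mozilla/5.0 (X11; Linux x86_64)"
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"/login?u={i}", BOT) for i in range(4)]
    + [_line("203.0.113.9", "/login", BOT)] * 2
    + [_line("198.51.100.20", "/", BROWSER),
       _line("198.51.100.21", "/products", BROWSER),
       _line("198.51.100.22", "/login", BROWSER),
       "malformed line that the parser must skip"]
)

def parse(log_text):
    """Yield {'ip', 'url', 'ua'} per parsable line; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["url"] = row["url"].split("?", 1)[0]  # group by path only
            yield row

def rule_candidates(log_text, min_share=0.4):
    """Per field, list (value, hits) for values with >= min_share of requests."""
    rows = list(parse(log_text))
    result = {}
    for field in ("ip", "ua", "url"):
        counts = Counter(row[field] for row in rows)
        result[field] = [(value, hits) for value, hits in counts.most_common()
                         if hits / len(rows) >= min_share]
    return result

if __name__ == "__main__":
    for field, hits in rule_candidates(SAMPLE_LOG).items():
        print(field, hits)
```

Review the candidates before creating rules: a shared proxy address or a common browser user agent can rank high on legitimate traffic, which is a reason to prefer Challenge over Block for them.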

 

E- Use JA3 fingerprinting to recognize bots

You need to enable JA3 fingerprinting from the left-side menu under SSL/TLS -> Edge Servers.


You can download a list of malicious JA3 fingerprints from here:
Then go to the firewall and add a rule based on the JA3 fingerprint to block or challenge the malicious ones.
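
To show what such a rule matches on, the following added example (not VergeCloud code) goes beyond the steps above and derives a JA3 fingerprint the way the public JA3 method defines it: the MD5 of the ClientHello's version, cipher suites, extensions, curves and point formats, with GREASE values dropped. The ClientHello values and the one-entry blocklist are constructed for illustration.

```python
import hashlib

# GREASE placeholders (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 ignores them.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 input string from decoded ClientHello fields (integers)."""
    def field(values, drop_grease=True):
        kept = [v for v in values if not (drop_grease and v in GREASE)]
        return "-".join(str(v) for v in kept)
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats, drop_grease=False)])

def ja3_hash(hello):
    """JA3 fingerprint: MD5 hex digest of the JA3 string."""
    data = ja3_string(**hello).encode("ascii")
    return hashlib.md5(data, usedforsecurity=False).hexdigest()

def action_for(hello, blocklist, action="challenge"):
    """Return the firewall action for a handshake, or 'allow' if not listed."""
    return action if ja3_hash(hello) in blocklist else "allow"

# Constructed ClientHello values for illustration, not a real client's.
HELLO_A = dict(version=771, ciphers=[0x1A1A, 4865, 4866, 4867, 49195],
               extensions=[0x2A2A, 0, 23, 65281, 10, 11, 35],
               curves=[0x3A3A, 29, 23, 24], point_formats=[0])
# Same TLS stack on a later connection: only the random GREASE values differ.
HELLO_A_AGAIN = dict(HELLO_A, ciphers=[0xFAFA, 4865, 4866, 4867, 49195],
                     extensions=[0x0A0A, 0, 23, 65281, 10, 11, 35],
                     curves=[0x5A5A, 29, 23, 24])
# A different TLS stack: same ciphers offered in another order.
HELLO_B = dict(HELLO_A, ciphers=[4866, 4865, 4867, 49195])

# Stand-in for the downloaded list of malicious fingerprints (constructed).
BLOCKLIST = {ja3_hash(HELLO_A)}
```

The fingerprint depends only on the TLS handshake, so it stays the same when a client changes its User-Agent header, and it is shared by every client built on the same TLS library. That second property is why Challenge is often the safer action for a fingerprint that legitimate tools may also produce.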
 

F- If none of the above solves your problem, turn on general DDoS mitigation

To enable DDoS protection, navigate to the CDN service in your VergeCloud user panel and find the DDoS Protection section.

You can turn on the Captcha challenge for all visitors there.

Disable DDoS Protection on a URL

If DDoS challenges disrupt a specific route, enter the URL in VergeCloud to exempt it from challenges. Use the "New Rule" option in the custom rules section.


Tips for Using Fetch or XHR When the Challenge is Active

If your domain (example.com) contains JavaScript that requests a subdomain (sub.example.com), consider the following:

Using Fetch


fetch("https://sub.example.com", { credentials: 'include' });

Using XHR


let xhttp = new XMLHttpRequest();
xhttp.open("GET", "https://sub.example.com", true);
xhttp.withCredentials = true;
xhttp.send();

Using Ajax


$.ajax("https://sub.example.com", { xhrFields: { withCredentials: true } });

Preflight or CORS Request Management

For subdomain requests, manage Preflight Headers as needed. If the request does not need a response, set the mode to no-cors:


fetch("https://sub.example.com", { mode: 'no-cors', credentials: 'include' });