DDoS Mitigation

DDoS protection at the network edge

Schedule a demo

Fastly’s high-bandwidth, globally distributed network is built to absorb DDoS attacks. Our entire network acts as a DDoS scrubbing center, so you don’t sacrifice performance for protection. We allow you to respond in real time, filtering malicious requests at the network edge before they get near your origin.

The edge network built to stop DDoS attacks

Protect your origin from volumetric attacks with our globally distributed network that provides visibility at scale and insights into malicious traffic. Block bad traffic by updating security policies in seconds as you keep-up with changing attack patterns.

Bandwidth that outstrips the largest attacks

As DDoS attacks continue to grow in size, so too should your protection. With 265+ Tbps of globally distributed network capacity, Fastly is built to absorb even the largest DDoS attacks. 

We filter malicious requests at the network edge, before they reach your origin, so you can focus on keeping your business running.

Visibility for better mitigation

HTTP(S) traffic can be hard to see at scale, especially when you are under attack. There can be a fine line between the thundering herd of a viral campaign, a DDoS attack or abusive bot behavior. Fastly’s real-time and flexible logging capabilities provide the insights you need to block attack traffic while letting legitimate users access your site.

Flexibility to keep up with evolving attacks

Many DDoS attacks evolve in real time to avoid blocking. Fastly’s edge cloud platform helps you stay ahead with the ability to update your security policies and push changes around the globe within seconds: our median deployment time is 13 seconds.

How it works

Network layer attacks

Fastly sees all bidirectional traffic (encrypted and unencrypted) between browsers and your web server. We automatically filter all non-HTTP / HTTPS traffic at our global nodes, blocking highly disruptive Layer 3 and Layer 4 attacks. We also protect against Ping floods, ICMP floods, reflection / amplification attacks, transaction floods, resource exhaustion, and UDP abuse.

Application layer attacks

Fastly’s edge cache nodes act as enforcement points. Using Varnish Configuration Language (VCL), we apply rules to protect your network from complex Layer 7 attacks.  We inspect the entire HTTP / HTTPS requests, and block based on client and request criteria, like headers, cookies, request path, and client IP, or indicators like geolocation. Our next-gen WAF (formerly Signal Sciences) can provide additional Layer 7 protection that can be deployed at the app or API origin server complementing our built-in Layer 3 and 4 protection.

Full configurability

Our service is highly configurable: if you identify signs of a potential DDoS attack, you can use our configuration control panel or upload custom VCL to block certain URLs, client types, geographies, or types of requests. We also keep a history of previous configurations so you can quickly roll back changes if needed.

ddos attack icon

DDoS protection and mitigation service

Basic DDoS Protection is included for all Fastly delivery customers. Fastly also offers a 12-month DDoS Protection and Mitigation Service as an add-on to your Fastly edge cloud service.

Immediate onboarding

We’ll work together to immediately transition you to Fastly's CDN service if you're not already a customer.

Emergency configuration and deployment support

Fastly partners with you to configure your service map and provide an initial filter policy to immediately block an attack.

Ongoing attack mitigation support

Our team can create custom VCL filters to deal with changing attacks or new attacks, and isolate malicious traffic on your behalf.

Incident response plan

Fastly provides a plan that identifies how communication and escalation will occur between you, your staff, and Fastly if an attack occurs. The plan will also describe mitigation and defense details such as any DDoS filters that we can insert into VCL prior to or during an attack.

“Fastly’s DDoS mitigation capabilities allow us to quickly scale while remaining protected from a wide range of security threats."
Tom Hayman
Head of Platform Engineering

DDoS mitigation and protection features

Access to Origin Shielding

Fastly’s powerful Origin Shield feature maximizes computing resources for outdated content requests by designating a specific POP to serve as a “shield” for your origin servers.

Access to Fastly cache IP space

Fastly provides an API endpoint so customers can know which IP addresses our caches will use to send traffic from our CDN to your origin server, enabling you to update firewalls at the origin so only our cache traffic can access your resources.

Custom DDoS filter creation abilities

Fastly empowers customers to upload custom VCL to block certain URLs, client types, geographies, or types of request for immediate response to DDoS attacks.

Stop reflection and amplification (DRDoS)

Distributed Reflection Denial of Service (DRDoS) attacks take down a victim's network by overhwleming it with response requests sent from a different or spoofed origin.

Stop ping floods, ICMP floods, UDP abuse

Ping Floods (also known as ICMP floods) aim to overhwhelm a network with ICMP echo requests, impacting both outgoing and incoming bandwidth.

Layer 3, 4 and 7 protection

Fastly's DDoS protection provides real-time response and malicious request mitigation at both the network layer (Layer 3 and 4) and application layer (Layer 7).

Looking for more?

Data sheet

DDoS Mitigation data sheet

Learn how we enable you to fortify your digital infrastructure and defend against disruptive DDoS threats.


How DDoS mitigation services can protect your business

Web page

Fastly Edge Cloud Platform

Ensure your websites, applications, and services are able to scale to meet the demand of your users and are delivered securely and as fast as possible with Fastly.

Data Sheet

Fastly Managed Security Service

Stay ahead of web application threats with Fastly’s most complete security coverage offering. Expert protection, 24/7 peace of mind.