WAAP
L7 DDoS protection
We offer protection for your web applications, websites, and APIs from DDoS attacks at the application layer (layer 7) in the OSI model. These attacks are often performed in bursts and aren’t always volumetric in nature.
DDoS protection is always enabled, even if WAAP is in monitor mode. Once a DDoS attack is identified, the system activates a DDoS mode.
TipThe DDoS attack statistics and other related data are available on the DDoS attacks analytics page.
When DDoS mode is activated
DDoS mode is activated if any of the following conditions are met.| Condition | Description | Threshold values |
|---|---|---|
| Global threshold | This mechanism identifies DDoS attacks whose traffic patterns consist of a slow rise in traffic over a set period of time. DDoS mode is activated when the customizable threshold value is met, AND the current number of requests is at least two times (2X) the previous 10-second window. | Default: - This mechanism has a default DDoS threshold of 5,000 requests per 10 seconds. Minimum: - 250 requests per 10 seconds. Maximum: - 50,000 requests per 10 seconds. |
| Burst threshold | This mechanism identifies sudden bursts in traffic. DDoS mode is activated when the customizable threshold value is met, AND the number of requests is at least five times (5X) the last 2-second interval. | Default: - 1,000 requests per 2 seconds. Minimum: - 30 requests per 2 seconds. Maximum: - 10,000 requests per 2 seconds. |
| Sub-second threshold | This threshold protects the origin servers against attacks from traffic bursts. When this threshold is reached, the DDoS mode will activate on the affected origin server (not the WAAP cluster). This mechanism can mitigate bursts of requests without activating DDoS mode when other threshold conditions aren’t met. Mitigated requests are counted as DDoS L7 - Blocked on the Web Application Firewall Requests analytics graph, and they won’t appear on the DDoS attacks over time graph. | Default: - 50 seconds requests per 0.1 seconds. |
InfoYou can adjust the threshold values for all WAAP plans. Contact our support team for assistance.
What happens when DDoS mode is activated
- Every request is challenged with JavaScript validation. This challenge detects if a valid user and not an automated tool is making the request. If a user passes the validation, they will not be challenged on future requests.
- DDoS mode will be active for a minimum duration of 10 minutes and then for the duration of the attack.
- Any automated layer traffic is blocked. This action won’t be applied to large search engines, such as Google or Bing.
- WAAP’s bot-detection technology will block bots that share IP addresses with human users or frequently change their IP addresses.
- WAAP DDoS protection uses an AI-driven IP filtering profiler that analyzes daily traffic patterns from known users. This helps the system distinguish normal traffic from traffic that might be part of a DDoS attack.