What can a customer do if their Fastly service is targeted by a DDoS?



  • Peter Wohlers

    Hi Robert-

    There are a few answers to this actually.

    1) Generally speaking, network based attacks up to layer 4 are things you won't see. They get handled further down the stack, below where it gets directed to your actual service. These commonly manifest themselves as 'synflood' or udp-based reflection attacks.

    2) If these are targeted L7 attacks against your service, if they are against cached objects, your service shouldn't really be affected with the exception of increased traffic.

    3) Setting up logging is usually the best way to get visibility into your traffic ( It's a good idea, regardless!).

    4) Typically attack traffic will have signatures, or characteristics that are common to them, but they're not always the same. It may be individual IP addresses or a group of them, it may be a specific URL they are using and often, they will use a User-Agent that is the same across all of them.

    5) If you can identify a pattern, you can do things like either set up an ACL or a synthetic response . The synthetic response would use a condition which can match any number of request parameters (host, URI, User-Agent, etc...) to filter. Attackers often want your origin servers to go down, so I tend to set up the synthetic response to return a 503.

    Ultimately, if you're stumped and having trouble, let us know :smile:


    Comment actions Permalink
  • Austin Spires

    @robertjpayne we can also give you a list of our IP space, which you can use to create an ACL at your origin, making sure that only requests coming through the CDN will reach your servers.

    We can even give you an API endpoint if you email our support team, so you can programmatically check for any changes.

    Comment actions Permalink

Please sign in to leave a comment.