Skip to main content
We offer protection for your web applications, websites, and APIs from DDoS attacks at the application layer (layer 7) in the OSI model. These attacks are often performed in bursts and aren’t always volumetric in nature. DDoS detection is always active, regardless of whether WAAP is in Monitoring or Protection mode. Once a DDoS attack is identified, the system activates a DDoS mode.
InfoWhen WAAP is in Monitoring mode, DDoS attacks are still detected and DDoS mode is activated. However, no protection is enforced — traffic is passed to the origin as normal. DDoS events are recorded in analytics and marked as DDoS traffic.To enable active DDoS protection, switch your domain to Protection mode.
TipThe DDoS attack statistics and other related data are available on the L7 DDoS analytics page.

When DDoS mode is activated

DDoS mode is activated if any of the following conditions are met.
InfoYou can adjust the threshold values for all WAAP plans. Contact our support team for assistance.

What happens when DDoS mode is activated

  • Every request is challenged with JavaScript validation. This challenge detects if a valid user and not an automated tool is making the request. If a user passes the validation, they will not be challenged on future requests.
  • DDoS mode will be active for a minimum duration of 10 minutes and then for the duration of the attack.
  • Any automated layer traffic is blocked. This action won’t be applied to large search engines, such as Google or Bing.
  • WAAP’s bot-detection technology will block bots that share IP addresses with human users or frequently change their IP addresses.
  • WAAP DDoS protection uses an AI-driven IP filtering profiler that analyzes daily traffic patterns from known users. This helps the system distinguish normal traffic from traffic that might be part of a DDoS attack.