DDoS MitigationLearn how the Vercel Firewall mitigates against DoS and DDoS attacks
Vercel Firewall offers robust DDoS mitigation to defend your applications and websites against various types of DDoS attacks. It works by:
- Monitoring traffic: Vercel Firewall continuously analyzes incoming traffic to detect signs of DDoS attacks. This helps to identify and mitigate threats in real-time
- Blocking traffic: Vercel Firewall filters out malicious traffic while allowing legitimate requests to pass through
- Scaling resources: During a DDoS attack, Vercel Firewall dynamically scales resources to absorb the increased traffic, preventing your applications or websites from being overwhelmed
A Denial of Service (DoS) attack happens when one device attempts to exhaust the resources of a system by sending a large amount of data to a server or network. These attacks can often be mitigated by finding and closing off the connection to the source of the attack.
A Distributed Denial of Service (DDoS) attack happens when multiple connected devices are used to simultaneously overwhelm a website with targeted, fake traffic. The goal of DoS and DDoS attacks is to disrupt access to the servers hosting the website.
The OSI model is a concept that outlines the different communication steps of a networking system. Different attack types can target different layers of the OSI model.
DDoS attacks often target the network (layer 3) and transport (layer 4) layers of the OSI model. Vercel mitigates against these attacks, and protects the entire platform and all customers from attacks that would otherwise affect reliability.
The goal of a layer 3 (L3) DDoS attack is to slow down and ultimately crash applications, servers, and entire networks. These attacks are often used to target specific IP addresses, but can also target entire networks.
The goal of a layer 4 (L4) DDoS attack is to crash and slow down applications. They target the 3-way-handshake performed on TCP connections. This is often called a SYN flood. Layer 4 DDoS attacks are used to target specific ports, but can also target entire protocols.