Always-on DDoS mitigation

Fastly's globally distributed network was built to absorb DDoS attacks. As part of Fastly's standard CDN services, all customers receive:

  • Access to origin shielding. Fastly allows you to designate a specific point of presence (POP) to host cached content from your origin servers. This POP acts as a "shield" that protects those servers from every cache miss or pass through the Fastly network, reducing the load that directly reaches them.
  • Automatic resistance to availability attacks. Before they're even processed by our caching infrastructure, we filter out Layer 3 and 4 attacks (e.g., Ping floods, ICMP floods, UDP abuse) as well as distributed reflection and amplification (DRDoS) attacks that rely on anonymity to abuse internet protocols (e.g., DNS and NTP).
  • Access to Fastly cache IP space. Fastly provides an API endpoint to any customer who would like to know which IP addresses our caches will use to send traffic from our CDN to your origin servers. We make this data available so you can update firewalls at your origin to ensure only our cache traffic can access your resources.
  • Custom DDoS filter creation abilities. Using custom VCL, we allow you to craft your own DDoS protection rules to protect your network from complex Layer 7 attacks. Once you identify signs of a potential DDoS attack, you can mix and match Fastly VCL with custom VCL to construct filter configurations based on a variety of client and request criteria (e.g., headers, cookies, request path, client IP, geographic location) that block malicious requests before they hit your origin servers.

In addition to these standard DDoS protection services, Fastly offers a DDoS Protection and Mitigation Service. For more information about this or any of our advanced services, including their subscription costs, contact

Back to Top