How WEDOS Protection works in real-world attacks
WEDOS Protection is designed by infrastructure operators, not based on theoretical security models.
Origin: Built by a Datacenter, for Datacenters
All protection layers work together automatically malicious traffic is filtered at the edge,
long before it reaches your infrastructure.
WEDOS took the opposite approach. As an operator of one of Europe’s largest hosting and DNS platforms, we built our protection to defend our own infrastructure under real-world attack conditions.
Every architectural decision reflects that experience. WEDOS Protection is designed not from theory, but from operational reality at scale.
Built for real-world attacks. Not designed in theory.
Global Anycast Architecture
The foundation of WEDOS Protection is a purpose-built global anycast network. It is not leased from a hyperscaler and not assembled from multiple providers.
Every point of presence is fully owned, operated, and maintained by WEDOS.
How it works:
Using BGP Anycast, incoming traffic is automatically routed to the nearest WEDOS PoP. Attack traffic is distributed across more than 100 locations at the same time, regardless of where it comes from or how large it is.
No single node takes the full impact.
There is no single point of failure.
Why it matters at scale:
Volumetric attacks in the terabit range cannot be stopped by sending traffic to a single scrubbing center and hoping capacity is enough.
They are stopped by having more distributed capacity than the attacker can concentrate.
WEDOS Anycast provides that capacity, with one of the densest PoP networks in Europe and a top-tier global footprint.
Traffic scrubbing happens at the edge. Clean traffic reaches your origin. The attack never does.
Multi-Layer Protection Engine
WEDOS Protection operates across the full OSI stack,
simultaneously and automatically, without requiring manual mode
switching between attack types.
L3/L4 Network & Transport
Stops high-volume and protocol-based attacks within seconds.
Key capabilities:
Blocked attack types:
L7 Application Layer
Detects and blocks sophisticated attacks that mimic real users.
Key capabilities:
Blocked attack types:
Observability & Threat Intelligence
Security without visibility is not security. WEDOS Protection provides:
Encryption Architecture
L7 inspection requires temporary decryption of TLS traffic. In most platforms, this happens on shared infrastructure with opaque data handling policies.
In WEDOS Protection, decryption occurs exclusively on dedicated hardware within certified EU data centres, isolated from shared workloads. Traffic is re-encrypted before forwarding to the origin server. No decrypted content is stored. No third party has access to the decryption process or its outputs.
For operators handling sensitive citizen data, financial records, or regulated information, this is not a minor operational detail. It is a prerequisite.
Observability & Threat Intelligence
For operators handling sensitive citizen data, financial records, or regulated information, this is not a minor operational detail. It is a prerequisite.
When something needs fixing, we fix it.
When a new attack vector emerges, we respond across the entire platform, not after a vendor ticket is resolved upstream.
Comprehensive protection
in a single solution
JA4 Fingerprinting
Next-Generation Client Identification
JA4 is a modern method for identifying clients based on their behavior in TLS communication. Unlike the older JA3 approach, it does not produce just a hash, but a structured and human-readable fingerprint (e.g. TLS version, cipher suites, extensions, or protocols).
This makes it possible to detect attackers more reliably. Even if they rotate IP addresses or User-Agents, their tooling still produces the same fingerprint. WEDOS Protection evaluates these fingerprints during the initial connection phase (TLS handshake), allowing threats to be stopped before any HTTP request is processed.
It also enables sharing threat intelligence across the entire platform. What is detected for one customer helps protect all others.
Intelligent Rule Engine
Every website or service faces different types of attacks. That’s why WEDOS Protection allows rules to be configured precisely as needed, at the domain, page, and API level.
Rules can combine multiple factors such as IP address, geolocation, visitor behavior, JA4 fingerprint, or request rate. This enables more accurate distinction between legitimate traffic and attacks.
The level of protection can be easily adjusted using different enforcement levels, from normal operation to aggressive protection during an attack. Changes are applied instantly across the entire network. For larger deployments, rules can also be managed and applied in bulk.
DNS Protection & DNSSEC
DNS is a fundamental part of the internet, but also a frequent target of attacks. WEDOS Protection safeguards DNS against overload (DNS floods), limits excessive traffic, and prevents abuse in amplification attacks.
It also includes full DNSSEC support, ensuring that DNS responses are authentic and have not been altered in transit.
DNS protection at WEDOS is not an add-on. It is built on top of our own large-scale DNS infrastructure, continuously tested in real-world conditions, including active attacks.
Compliance & Certification
ISO 27001
Certified
GDPR
Compliant by Design
NIS2-Ready
Architecture
EU Legal
Jurisdiction
24/7
Monitoring & Incident Response