How we mitigate volumetric DDoS attacks

What is a DDoS attack (short explanation)

A DDoS attack (Distributed Denial of Service) is an attack where a large number of devices send traffic to a target at the same time
(devices are often infected computers, servers, IoT devices, or cloud instances controlled by an attacker).

The goal is to overload the network, server, or application (by exhausting bandwidth, connection limits, CPU, or memory), so legitimate users cannot access the service.

The main strength of a DDoS attack is distribution:

  • traffic comes from many locations (different countries, networks, ISPs)
  • traffic comes from many IP addresses (making simple IP blocking ineffective)
  • traffic often looks repetitive but massive (high packet or request rate)

Volumetric DDoS attacks focus mainly on traffic volume, not on application logic.


Using distribution against distributed attacks

The same principle that makes DDoS attacks powerful is also used for protection.

WEDOS Global Protection runs a globally distributed network of Points of Presence (PoPs)
(each PoP is a physical location with our own network hardware capable of filtering and serving traffic).

Even though a protected website usually has one public IP address, this IP is:

  • advertised globally using Anycast
    (the same IP address is announced from multiple locations)
  • propagated through BGP routing
    (internet routers automatically send traffic to the nearest or best available PoP)
  • announced independently by each PoP
    (each PoP can accept traffic for the same IP)

As a result:

  • users connect to the nearest PoP
    (lower latency and faster response)
  • attack traffic is also absorbed by the nearest PoP
    (traffic does not cross continents unnecessarily)
  • traffic is split geographically, close to its source
    (no single location receives the full attack volume)

This removes the biggest advantage of volumetric DDoS attacks: global concentration of traffic.


Traffic absorption and early filtering at each PoP

Once traffic reaches a PoP, filtering starts immediately, before it can reach the origin server.

Network and transport layer filtering (L3 / L4)

Because WEDOS Global Protection focuses on web services, only traffic relevant to web delivery is allowed.

  • Only destination ports 80 (HTTP) and 443 (HTTPS) are accepted
    (traffic to any other port is dropped immediately, without further processing)
  • Only TCP and UDP are allowed
    • TCP is used for HTTP and HTTPS
    • UDP is used mainly for HTTP/3 (QUIC)
  • All other protocols are rejected
    (for example ICMP floods, GRE, or uncommon IP protocols)

This removes a large amount of volumetric attack traffic at the earliest possible stage.


Early protocol validation

Before full request processing, traffic is checked for basic protocol correctness.

This includes:

  • invalid or incomplete TCP handshakes
    (for example SYN floods without proper connection completion)
  • malformed TLS handshakes
    (broken or intentionally invalid TLS ClientHello packets)
  • abnormal connection behavior
    (connections that open too fast, too slow, or never complete)

For HTTPS traffic, information from the TLS ClientHello is used:

  • presence of SNI (Server Name Indication)
    (real browsers usually send SNI; many attack tools do not)
  • validity of the SNI value
    (must match a configured or expected domain)

These checks happen before full HTTP parsing, which significantly reduces resource usage during attacks.
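The ClientHello checks above, as an added example written for this page (not WEDOS's code): a minimal parser that pulls the SNI host name out of a TLS ClientHello record and turns it into a pre-HTTP verdict. The ClientHello builder, the configured domain set and the verdict strings are assumptions made for the example.

```python
import struct

def build_client_hello(sni):
    """Constructed TLS ClientHello record (test input, not captured traffic); sni=None omits the extension."""
    exts = b""
    if sni is not None:                                              # server_name extension, one host_name entry
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode("ascii")
        exts = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)                   # version, random, sid, suites, comp, exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record type 0x16 = handshake

def parse_client_hello_sni(data):
    """SNI host name, None if absent; ValueError if the record is malformed or truncated."""
    try:
        rec_len = struct.unpack("!H", data[3:5])[0]                  # record header: type, version, length
        hs_len = int.from_bytes(data[6:9], "big")                    # handshake header: type, 3-byte length
        if data[0] != 0x16 or data[5] != 0x01 or len(data) < 5 + rec_len or hs_len + 4 > rec_len:
            raise ValueError("not a complete TLS ClientHello record")
        hs = data[9:9 + hs_len]
        pos = 35 + hs[34]                                            # skip version, random, session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]           # skip cipher suites
        pos += 1 + hs[pos]                                           # skip compression methods
        if pos == len(hs):
            return None                                             # no extensions block at all
        pos, end = pos + 2, pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            ext, pos = hs[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype == 0:                                           # server_name extension
                q, lst_end = 2, 2 + struct.unpack("!H", ext[:2])[0]
                while q + 3 <= lst_end:
                    ntype, nlen = ext[q], struct.unpack("!H", ext[q + 1:q + 3])[0]
                    if ntype == 0:                                   # name_type 0 = host_name
                        return ext[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError(f"malformed ClientHello: {exc}") from exc

def edge_decision(data, configured_domains):
    # Pre-HTTP verdict: drop malformed hellos, hellos without SNI, and names not configured here.
    try:
        sni = parse_client_hello_sni(data)
    except ValueError:
        return "drop: malformed"
    if sni is None:
        return "drop: no sni"                                        # real browsers send SNI; many flood tools do not
    return "pass" if sni.lower() in configured_domains else "drop: sni not configured"
```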


Mandatory HTTP request validation

Only traffic that looks like a real web request is allowed further.

Requests are dropped if they:

  • do not contain a valid Host header
    (required by HTTP/1.1 and expected by modern web servers)
  • do not match any configured domain
    (prevents random or blind floods to unknown hostnames and hostname enumeration attacks)
  • are malformed or incomplete
    (for example missing request line, invalid headers, broken formatting)

This step filters out many simple flood tools and poorly implemented bots.
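The three request rules above applied to the head of a raw HTTP/1.x request, as an added example for this page (not WEDOS's code). The simplified request-line and header syntax, the configured domain set and the drop reasons are assumptions made for the example.

```python
import re

# Request line and header syntax (simplified from RFC 9112 for the example).
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")

def validate_http_request(raw, configured_domains):
    """Return ("pass", host) or ("drop", reason) for the head of one HTTP/1.x request."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ("drop", "incomplete: end of headers not received")
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return ("drop", "malformed request line")
    headers = {}
    for line in lines[1:]:
        m = HEADER_LINE.match(line)
        if not m:
            return ("drop", "malformed header")
        headers.setdefault(m.group(1).lower(), []).append(m.group(2))
    hosts = headers.get(b"host", [])
    if len(hosts) != 1:                       # absent or duplicated Host is not a real browser request
        return ("drop", "missing or duplicate Host header")
    # Strip an optional :port (IPv6 literals are not handled in this example) and normalize case.
    host = hosts[0].decode("ascii", "replace").lower().partition(":")[0]
    if host not in configured_domains:
        return ("drop", "host not configured")
    return ("pass", host)
```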


Reputation-based filtering

Traffic that passes basic validation is checked against reputation and threat intelligence sources.

This includes:

  • known botnets
    (IPs associated with malware-controlled devices)
  • compromised machines
    (hosts known to be abused in previous attacks)
  • abusive IP ranges
    (networks with long-term malicious behavior)
  • historical attack sources
    (IPs repeatedly involved in DDoS or abuse incidents)

These lists are:

  • continuously updated
  • shared across the global network
  • applied consistently on all PoPs

Traffic from such sources can be:

  • blocked immediately
  • heavily rate-limited
  • processed with stricter rules
  • sent to a proof-of-work or captcha challenge

Rate limiting on multiple time windows

All valid traffic is continuously measured.

Rate limits are applied on multiple time windows to catch different attack patterns.

Short-term limits:

  • 1 second (burst floods and packet storms)
  • 10 seconds (short spikes)
  • 1 minute (sustained high request rate)
  • 1 hour (long-term pressure)

Advanced and behavioral limits:

  • 5 minutes
  • 10 minutes

These are used to detect:

  • slow floods
  • rotating IP attacks
  • behavior that looks normal short-term but abusive over time

Flexible dimensions for rate limiting

Limits are not applied only per IP address.

They can be calculated using multiple dimensions, such as:

  • domain name
    (protects individual websites separately)
  • request path
    (for example /login, /api, /wp-login.php)
  • source IP address
    (classic rate limiting)
  • JA4 fingerprint
    (TLS-based fingerprint identifying client behavior, even across IPs)
  • combined identifiers
    (for example IP + path, JA4 + domain)

This reduces false positives and improves the precision with which attacks are identified.


Different behavior for different IP categories

Not all traffic sources are equal.

IP addresses are classified into categories, for example:

  • residential networks
    (normal end users, typically more tolerant limits)
  • data centers and cloud providers
    (often abused for attacks, stricter thresholds)
  • proxy and VPN services
    (shared IPs, higher risk, special handling)
  • Tor network
    (anonymous traffic, heavily restricted or filtered)

Each category has:

  • different rate limits
  • different reputation weight
  • different mitigation behavior

This reflects real-world usage and improves accuracy during attacks.
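The multi-window, multi-dimensional limiting described in the last three sections (time windows, rate-limit dimensions and IP categories), as an added example written for this page, not WEDOS's implementation: a sliding-window counter that records every request on the IP, IP + path and JA4 + domain dimensions and evaluates each against per-category limits on several windows at once. The window subset, the category names and every threshold are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOWS = {"1s": 1, "1m": 60, "1h": 3600}            # subset of the page's windows, in seconds

# Constructed per-category limits (requests per window); not WEDOS's real thresholds.
CATEGORY_LIMITS = {
    "residential": {"1s": 10, "1m": 100, "1h": 1000},
    "datacenter":  {"1s": 5,  "1m": 30,  "1h": 300},
    "tor":         {"1s": 2,  "1m": 10,  "1h": 60},
}

def request(ip, category, path="/", domain="example.com", ja4="ja4-constructed-A"):
    """One request as seen at the edge (constructed field values)."""
    return {"ip": ip, "category": category, "path": path, "domain": domain, "ja4": ja4}

class EdgeRateLimiter:
    """Sliding-window counters over several dimensions and several windows at once."""

    def __init__(self, limits=CATEGORY_LIMITS, windows=WINDOWS):
        self.limits, self.windows = limits, windows
        self.hits = defaultdict(deque)               # dimension key -> timestamps of its requests
        self.horizon = max(windows.values())         # oldest timestamp worth keeping

    @staticmethod
    def keys(req):
        # Dimensions from the page: IP alone, IP + path, JA4 + domain (catches rotating IPs).
        return [("ip", req["ip"]),
                ("ip+path", req["ip"], req["path"]),
                ("ja4+domain", req["ja4"], req["domain"])]

    def check(self, req, now):
        """Record one request on every dimension, then return
        ("allow", None, None) or ("limit", dimension, window) for the first limit exceeded."""
        limits = self.limits[req["category"]]        # category decides how tolerant the limits are
        verdict = ("allow", None, None)
        for key in self.keys(req):
            dq = self.hits[key]
            dq.append(now)
            while dq and dq[0] <= now - self.horizon:
                dq.popleft()
            for name, seconds in self.windows.items():
                count = sum(1 for t in dq if t > now - seconds)
                if count > limits[name] and verdict[0] == "allow":
                    verdict = ("limit", key[0], name)
        return verdict
```

Limited requests are still recorded on every dimension, so a flood that rotates source IPs keeps accumulating on the JA4 + domain key even while individual IPs stay under their own limits.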


CDN caching absorbs most simple attacks

Most volumetric web attacks are technically simple.

They usually target:

  • the homepage
    (/)
  • common URLs
    (/index.html, /robots.txt)
  • generated content that is the same for all users
    (XML documents, CSV export files)

Because WEDOS Global Protection includes web CDN caching:

  • cached content is served directly from the PoP
    (no request to the origin server, only cache validation)
  • repeated requests are handled efficiently
    (minimal CPU and backend load)

This allows the system to absorb very large request volumes at the edge.


Under Attack Mode for large-scale incidents

For large or persistent attacks, Under Attack Mode can be activated.

This mode applies:

  • stricter rate limits
    (lower thresholds, faster blocking)
  • more aggressive filtering
    (tighter protocol and behavior validation)
  • advanced behavioral analysis
    (prioritizing service availability over permissive access)

Under Attack Mode can be:

  • enabled manually in the administration
  • activated by WEDOS specialists
  • triggered automatically based on attack detection

The goal is to keep the service online, even at the cost of reduced comfort for suspicious traffic.


Summary

Volumetric DDoS mitigation in WEDOS Global Protection is based on:

  • global Anycast traffic distribution
    (splitting attacks geographically)
  • early traffic absorption close to the source
    (reducing backbone and origin load)
  • strict protocol and request validation
    (dropping invalid traffic early)
  • reputation-based filtering
    (blocking known malicious sources)
  • multi-level and multi-dimensional rate limiting
    (fast reaction and long-term behavior detection)
  • CDN-based offloading of simple attacks
    (edge handling of high-volume requests)

This layered approach ensures that even very large distributed attacks lose effectiveness before they can impact protected services.
