DDoS Mitigation
Learn how the Vercel Firewall mitigates against DoS and DDoS attacksDDoS Mitigation is available on all plans
Vercel provides automatic DDoS mitigation for all deployments, regardless of the plan that you are on. We block incoming traffic if we identify abnormal or suspicious levels of incoming requests. It works by:
- Monitoring traffic: Vercel Firewall continuously analyzes incoming traffic to detect signs of DDoS attacks. This helps to identify and mitigate threats in real-time
- Blocking traffic: Vercel Firewall filters out malicious traffic while allowing legitimate requests to pass through
- Scaling resources: During a DDoS attack, Vercel Firewall dynamically scales resources to absorb the increased traffic, preventing your applications or sites from being overwhelmed
If you need further control over incoming traffic, you can temporarily enable Attack Challenge Mode to challenge all traffic to your site, ensuring only legitimate users can access it.
A Denial of Service (DoS) attack happens when one device attempts to exhaust the resources of a system using methods such as sending a large amount of data to a server or network and exploiting a recursion bug. These attacks can often be mitigated by finding and closing off the connection to the source of the attack.
A Distributed Denial of Service (DDoS) attack happens when multiple connected devices are used to simultaneously overwhelm a site with targeted, fake traffic. The goal of DoS and DDoS attacks is to disrupt access to the servers hosting the site.
The OSI model is a concept that outlines the different communication steps of a networking system. Different attack types can target different layers of the OSI model.
DDoS attacks often target the network (layer 3), transport (layer 4), and application (layer 7) layers of the OSI model. Vercel mitigates against these attacks, and protects the entire platform and all customers from attacks that would otherwise affect reliability.
The goal of a layer 3 (L3) DDoS attack is to slow down and ultimately crash applications, servers, and entire networks. These attacks are often used to target specific IP addresses, but can also target entire networks.
The goal of a layer 4 (L4) DDoS attack is to crash and slow down applications. They target the 3-way-handshake performed on TCP connections. This is often called a SYN flood. Layer 4 DDoS attacks are used to target specific ports, but can also target entire protocols.
The goal of a Layer 7 (L7) DDoS attack is to crash and slow down software at the application layer by targeting protocols such as HTTP, which is often done with GET and POST requests. They are often silent and look to leverage vulnerabilities by sending many innocuous requests to a single page. Vercel provides sophisticated proprietary L7 mitigation and is constantly tuning and adjusting attack detection techniques.
Vercel mitigates against L3, L4, and L7 DDoS attacks regardless of the plan you are on. The Vercel Firewall uses hundreds of signals and detection factors to fingerprint request patterns, determining if they appear to be an attack, and challenging or blocking requests if they appear illegitimate.
However, there are other steps you can take to protect your site during DDoS attacks:
- Enable Attack Challenge Mode to challenge all visitors to your site. This is a temporary measure and provides another layer of security to ensure all traffic to your site is legitimate
- You can set up IP Blocking to block specific IP addresses from accessing your projects. Enterprise teams can also receive dedicated DDoS support
- You can add Custom Rules to deny or challenge specific traffic to your site based on the conditions of the rules
- You can also use Edge Middleware to block requests based on specific criteria or to implement rate limiting.
Pro teams can set up Spend Management to get notified or to automatically take action, such as using a webhook or pausing your projects when your usage hits a set spend amount.
Bypass System-level Mitigations are available on Pro and Enterprise plans
While Vercel's system-level mitigations (such as DDoS protection) safeguards your websites and applications, it can happen that they block traffic from trusted sources like proxies or shared networks in situations where traffic from these proxies or shared networks was identified as malicious. You can temporarily disable all automatic mitigations for a specific project. This can be useful on business-critical events such as Black Friday.
To temporarily disable all automatic mitigations for a specific project:
- Click the menu button with the ellipsis icon at the top right of the Firewall tab for your project.
- Then select Disable System Mitigations.
This will not disable any Web Application Firewall IP Blocking, Custom Rule or Managed Ruleset set up on your project.
Review the warning in the Disable All System Mitigations dialog and confirm that you would like to disable all automatic mitigations for that project for the next 24 hours.
You are responsible for all usage fees incurred when using this feature, including illegitimate traffic that may otherwise have been blocked.
In situations where you need a more granular and permanent approach, you can use System Bypass Rules to ensure that essential traffic is never blocked by DDoS protection.
This feature is available for Pro and Enterprise customers. Learn how to set up a System Bypass rule for your project and limits that apply based on your plan.
Vercel automatically mitigates against L3, L4, and L7 DDoS attacks at the platform level for all plans. Vercel does not charge customers for traffic that gets blocked by the Firewall.
Usage will be incurred for requests that are successfully served prior to us automatically mitigating the event. Usage will also be incurred for requests that are not recognized as a DDoS event, which may include bot and crawler traffic.
For an additional layer of security, we recommend that you enable Attack Challenge Mode when you are under attack, which is available for free on all plans. While some malicious traffic is automatically challenged, enabling Attack Challenge Mode will challenge all traffic, including legitimate traffic to ensure that only real users can access your site.
You can monitor usage in the Vercel Dashboard under the Usage tab, although you will receive notifications when nearing your usage limits.
Was this helpful?