DDoS Protection
Validated on 15 May 2024 • Last edited on 17 Apr 2025
DigitalOcean DDoS Protection provides free, always-on protection from distributed denial-of-service (DDoS) attacks for applicable DigitalOcean resources.
How DDoS Attacks Work
DDoS attacks are malicious attempts to overwhelm servers, routers, load balancers, applications, and other network devices with incoming connections to render them inaccessible.
DDoS attacks can degrade an app or website’s performance and availability for users, which may in turn cause a loss of revenue for the business or harm the site’s reputation. Some attacks may also involve extortion, where the attacker demands payment to stop the attack.
How DDoS Protection Works
DigitalOcean DDoS Protection helps safeguard DigitalOcean cloud resources from DDoS attacks by monitoring applicable resources for malicious or questionable volumes of incoming traffic. If DDoS Protection detects an attack, it provides automatic mitigation until the event is concluded or until the traffic reaches the mitigation capacity.
When traffic reaches DDoS Protection’s mitigation capacity, we send an email notification to the account owner and blackhole incoming traffic. Blackholing is a DDoS countermeasure that discards all incoming traffic (legitimate and malicious) to a target IP address, which could lead to the resource being unavailable until the incoming traffic drops below the mitigation capacity.
Scope of Protection
DDoS Protection is available and active for all DigitalOcean customers at no additional charge. It automatically protects all applicable resources starting from when you provision them, and requires no configuration or changes to your infrastructure or applications.
Protected Resources
DDoS Protection protects the following resources:
- DigitalOcean Droplets
- DigitalOcean Kubernetes (DOKS) clusters
- DigitalOcean Managed Databases
- DigitalOcean Load Balancers
- Assigned reserved IPs
App Platform has native DDoS protection built into the platform.
Block storage and Spaces are not protected by DDoS Protection and don’t count towards your monthly resource usage.
Protected OSI Layers
DDoS Protection mitigates attacks on the network (layer 3) and transport (layer 4) layers of the OSI model. DDoS Protection does not support application layer (layer 7) protection.
In other words, DDoS Protection protects against volumetric attacks (like UDP floods, ICMP floods, TCP floods, and DNS reflection) and protocol-layer attacks (like SYN floods, BGP attacks, and ping of death).
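Because DDoS Protection stops at layer 4, request floods at layer 7 have to be detected at the application or reverse proxy. The following is an added example, not DigitalOcean code: a sliding-window check over web access-log lines that flags clients exceeding a request budget. The Common Log Format input, the 10-second window, the threshold of 5 requests, and the function name are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed input: Common Log Format lines in chronological order.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_http_floods(lines, window_seconds=10, max_requests=5):
    """Return {client_ip: peak request count} for clients that sent more
    than max_requests within any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the assumed format
        ip, raw_ts = m.groups()
        try:
            ts = datetime.strptime(raw_ts, TS_FORMAT)
        except ValueError:
            continue  # ignore malformed timestamps
        q = recent[ip]
        q.append(ts)
        # Drop requests that have aged out of the window.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

# Constructed sample: one client bursts 8 requests in 4 seconds,
# another sends 3 requests spaced 20 seconds apart.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:%02d +0000] "GET /search?q=a HTTP/1.1" 200 512' % s
    for s in (0, 0, 1, 1, 2, 2, 3, 3)
] + [
    '198.51.100.20 - - [01/Jan/2025:10:00:%02d +0000] "GET / HTTP/1.1" 200 1024' % s
    for s in (0, 20, 40)
]

if __name__ == "__main__":
    print(find_http_floods(SAMPLE_LOG))
```

The flagged addresses can feed whatever layer 7 control sits in front of the application, such as a rate limit or a web application firewall rule.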