DDoS Protection

DigitalOcean DDoS Protection provides free, always-on protection from distributed denial-of-service (DDoS) attacks for applicable DigitalOcean resources.

How DDoS Attacks Work

DDoS attacks are malicious attempts to overwhelm servers, routers, load balancers, applications, and other network devices with incoming connections to render them inaccessible.


In a denial-of-service (DoS) attack, a threat actor renders information systems, devices, or other network resources inaccessible by overwhelming the target with malicious traffic. A distributed denial-of-service (DDoS) attack is a type of DoS attack where the overloading traffic originates from multiple attacking machines, amplifying the severity of the attack.

DDoS attacks use one or more of the following methods:

  • Volumetric attacks: This type of attack overwhelms the resource’s bandwidth with a flood of traffic to keep normal traffic from reaching the resource.

    Volumetric attacks include UDP floods, ICMP floods, TCP floods, and DNS reflection attacks.

  • Protocol layer attacks: This type of attack over-consumes network resources on a server, load balancer, or firewall, slowing down the target resource until it becomes inaccessible. This attack targets the network and transport layers of the OSI stack and leverages weaknesses in network protocols.

    Protocol layer attacks include SYN floods, BGP attacks, and ping of death attacks.

  • Application layer attacks: This type of attack targets software running on the resource, such as web application firewalls (WAFs) and web server applications. For example, these attacks may attempt to open and maintain an abnormally large number of connections to a web server, or bombard an application with large POST payloads. These attacks can be particularly effective because they consume both application-level and network-level resources.

    Application layer attacks include BGP hijacking, HTTP and HTTPS floods, and Slowloris attacks.

  • Multi-vector attacks: This type of attack simultaneously targets application and network level resources. Unlike single-vector attacks, multi-vector attacks use several different types of traffic to overwhelm the target, such as flooding the target with HTTP traffic and UDP traffic.

DDoS attacks can impact an app or website’s performance and availability for users, which may in turn cause a loss of revenue for business or harm the site’s reputation. Some attacks may also involve extortion, where the attacker demands payment for the discontinuation of the attack.

How DDoS Protection Works

DigitalOcean DDoS Protection helps safeguard DigitalOcean cloud resources from DDoS attacks by monitoring applicable resources for malicious or questionable volumes of incoming traffic. If DDoS Protection detects an attack, it provides automatic mitigation until the event is concluded or until the traffic reaches the mitigation capacity.

When traffic reaches DDoS Protection’s mitigation capacity, we send an email notification to the account owner and blackhole incoming traffic. Blackholing is a DDoS countermeasure that discards all incoming traffic (legitimate and malicious) to a target IP address, which could lead to the resource being unavailable until the incoming traffic drops below the mitigation capacity.

Scope of Protection

DDoS Protection is available and active for all DigitalOcean customers at no additional charge. It automatically protects all applicable resources starting from when you provision them, and requires no configuration or changes to your infrastructure or applications.

Protected Resources

DDoS Protection protects the following resources:

  • DigitalOcean Droplets
  • DigitalOcean Kubernetes (DOKS) clusters
  • DigitalOcean Managed Databases
  • DigitalOcean Load Balancers
  • Assigned reserved IPs

App Platform has native DDoS protection built into the platform.

Block storage and Spaces are not protected by DDoS Protection and don’t count towards your monthly resource usage.

Protected OSI Layers

DDoS Protection mitigates attacks on the network (layer 3) and transport (layer 4) layers of the OSI model. DDoS Protection does not support application layer (layer 7) protection.

In other words, DDoS Protection protects against volumetric attacks (like UDP floods, ICMP floods, TCP floods, and DNS reflection) and protocol-layer attacks (like SYN floods, BGP attacks, and ping of death). Application-layer floods against a web server or API still need a separate control, such as a WAF or application-level rate limiting.
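The following is an added example, not DigitalOcean's code, that models the behaviour described under "How DDoS Protection Works" and "Protected OSI Layers": it classifies constructed per-second flow samples into the attack classes this page lists, adds up the layer 3/4 volume that falls inside the protection scope, and applies the mitigate-or-blackhole rule against an assumed mitigation capacity. The flood threshold, the capacity figure, and the sample flows are all constructed; the page publishes no such numbers.

```python
"""Added example (not DigitalOcean's code): model the page's L3/L4 scope and
blackhole-at-capacity rule over constructed flow samples. All numbers made up."""

# Constructed per-second traffic samples for one protected IP.
# Each record: (protocol, tcp_flags, dst_port, packets_per_second).
SAMPLE_FLOWS = [
    ("udp",  "",   53,   900_000),  # DNS reflection / UDP flood
    ("icmp", "",   None, 400_000),  # ICMP flood
    ("tcp",  "S",  443,  700_000),  # SYN flood: SYN segments without ACK
    ("tcp",  "PA", 443,   60_000),  # established HTTPS: HTTP flood candidate
    ("tcp",  "PA", 22,        20),  # ordinary SSH session
]

FLOOD_PPS = 50_000                    # constructed per-flow flood threshold
MITIGATION_CAPACITY_PPS = 1_500_000   # constructed; the page gives no figure

def classify_flow(proto, flags, port, pps):
    """Map one flow to (attack_class, osi_layer); None means it looks benign."""
    if pps < FLOOD_PPS:
        return None
    if proto == "icmp":
        return ("ICMP flood", 3)
    if proto == "udp":
        return ("DNS reflection" if port == 53 else "UDP flood", 4)
    if proto == "tcp" and flags == "S":
        return ("SYN flood", 4)
    if proto == "tcp" and port in (80, 443):
        return ("HTTP/HTTPS flood", 7)
    return ("TCP flood", 4)

def assess(flows, capacity_pps=MITIGATION_CAPACITY_PPS):
    """Return what L3/L4 protection does and which attacks it leaves uncovered."""
    covered_pps, uncovered = 0, []
    for proto, flags, port, pps in flows:
        hit = classify_flow(proto, flags, port, pps)
        if hit is None:
            continue
        name, layer = hit
        if layer <= 4:
            covered_pps += pps          # inside DDoS Protection's L3/L4 scope
        else:
            uncovered.append(name)      # layer 7: needs WAF / app rate limiting
    if covered_pps == 0:
        state = "clean"
    elif covered_pps < capacity_pps:
        state = "mitigating"            # attack scrubbed, resource stays reachable
    else:
        state = "blackholed"            # all traffic to the IP dropped, owner emailed
    return {"state": state, "covered_pps": covered_pps, "uncovered": uncovered}
```

Running `assess(SAMPLE_FLOWS)` shows the two consequences worth planning for: the combined L3/L4 floods exceed the assumed capacity, so the IP is blackholed, and the HTTPS flood is reported as uncovered regardless.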