DDoS Protection Features

DigitalOcean’s DDoS Protection service provides always-on protection from Distributed Denial of Service (DDoS) attacks for your resources. The service monitors your resources for malicious or questionable volumes of incoming traffic and either mitigates or blocks traffic to the resource until the event has concluded.

The DDoS Protection service provides your applicable resources with automatic DDoS mitigation. The service mitigates attacks at the network (layer 3) and transport (layer 4) layers and covers Droplets, Kubernetes clusters, managed databases, load balancers, and assigned reserved IPs.

DDoS Protection is passive and requires no configuration or changes to your applications. The service automatically protects all applicable resources upon their provisioning.

How DDoS Attacks Work and Harm Businesses

In a denial-of-service (DoS) attack, a threat actor denies legitimate users access to information systems, devices, or other network resources by overwhelming the target with malicious traffic. A distributed denial-of-service (DDoS) attack is a type of DoS attack where the overloading traffic originates from multiple attacking machines, thereby amplifying the severity of the attack.

DDoS attacks can result in the loss of revenue for an app or website by impacting the target’s performance and accessibility for its customers. Having a slow, under-performing website can harm the site’s reputation.

Some attacks may also involve extortion, where the attacker demands payment for the discontinuation of the attack.

DigitalOcean DDoS Protection helps users safeguard their DigitalOcean cloud resources from DDoS attacks with always-on protection and automated mitigation, so that customers can run their apps and websites uninterrupted.

Protected Network Layers

DDoS Protection works in OSI network layers 3 and 4. It protects cloud resources from volumetric attacks, such as UDP floods, ICMP floods, TCP floods, and DNS reflection attacks. It also protects from protocol-layer attacks such as SYN floods, BGP attacks and ping-of-death attacks. See our DDoS Attack Types reference for more information.

Mitigation Capacity

When traffic reaches DDoS Protection’s mitigation capacity, we blackhole incoming traffic. Blackholing is a DDoS countermeasure that discards all incoming traffic (legitimate and malicious) to a target IP address, which could lead to the resource being unavailable until the incoming traffic drops below the mitigation capacity.

When your resource is blackholed, the DDoS Protection service sends an email notification to the account owner.