DDoS Protection (Basic)

Service ownership

Owner: security-platform (security-pm@clouddigit.ai) — Status: GA — Last audited: 2026-05-11

Always-on, network-layer DDoS protection at the Cloud Digit edge. Free, on by default for every public IP.

What it covers

  • Volumetric L3/L4 attacks (UDP floods, SYN floods, ICMP floods, amplification — DNS, NTP, memcached, etc.)
  • Per-IP rate limiting against the most common reflection vectors
  • Anti-spoof at the edge (uRPF + BGP-FlowSpec mitigations)

What it does NOT cover

  • Application-layer (L7) attacks — see DDoS Premium for L7
  • HTTP request floods — pair with a WAF
  • Slowloris / partial-request attacks — handled by Load Balancer timeouts and WAF rules

Detection and mitigation

  • Detection: continuous flow telemetry from edge routers; anomaly thresholds tuned per protocol
  • Mitigation: scrubbing at the edge (BDIX-side and international transit), no on-customer-resource mitigation appliance needed

Pricing

Free. Always on, no opt-in.

Operate this service

Always-on volumetric DDoS protection — included free with every Cloud Digit public IP.

What it covers

  • L3/L4 floods (SYN, UDP, ICMP, amplification)
  • Up to 50 Gbps of mitigation
  • Automatic signature-based detection
  • Rate-limiting per source IP

Doesn't cover: L7 attacks (HTTP floods, slowloris) — those need WAF or DDoS Premium.

IAM

| Role | Can do |
|---|---|
| ddos.viewer | View mitigation events, traffic baselines |
| ddos.operator | Manage allowlists, declare scheduled events |
| ddos.admin | Above + policy tuning (rare; defaults usually fit) |

Allowlist

To prevent legitimate burst traffic from being rate-limited:

```bash
cd network ddos allowlist add --source-cidr 203.0.113.0/24 --reason "partner ISP"
```

Allowlist entries should have an expiry to force periodic review.
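One way to run that periodic review, as an added example that is not Cloud Digit code: it flags entries with no expiry, a past expiry, a far-off expiry, a missing reason, or a very broad range. The record layout (`source_cidr`, `reason`, `expires_at`), the 90-day interval and the /20 cutoff are assumptions, and the sample entries are constructed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed policy values and record layout; not Cloud Digit's export format.
MAX_LIFETIME = timedelta(days=90)   # longest acceptable time until expiry
MIN_PREFIX_V4 = 20                  # IPv4 ranges broader than /20 get flagged

def audit_allowlist(entries, now):
    """Return {source_cidr: [issues]} for entries that need review."""
    findings = {}
    for entry in entries:
        issues = []
        net = ipaddress.ip_network(entry["source_cidr"], strict=False)
        if net.version == 4 and net.prefixlen < MIN_PREFIX_V4:
            issues.append(f"broad range (/{net.prefixlen})")
        if not (entry.get("reason") or "").strip():
            issues.append("no reason recorded")
        expires = entry.get("expires_at")
        if expires is None:
            issues.append("no expiry")
        else:
            when = datetime.fromisoformat(expires)  # expects a UTC offset
            if when <= now:
                issues.append("expired")
            elif when - now > MAX_LIFETIME:
                issues.append("expiry beyond review interval")
        if issues:
            findings[entry["source_cidr"]] = issues
    return findings

# Constructed sample entries using documentation and benchmark address ranges.
SAMPLE = [
    {"source_cidr": "203.0.113.0/24", "reason": "partner ISP",
     "expires_at": "2026-08-01T00:00:00+06:00"},
    {"source_cidr": "198.51.100.0/24", "reason": "uptime monitor",
     "expires_at": None},
    {"source_cidr": "192.0.2.0/24", "reason": "",
     "expires_at": "2026-01-01T00:00:00+06:00"},
    {"source_cidr": "198.18.0.0/15", "reason": "load test",
     "expires_at": "2027-06-01T00:00:00+06:00"},
]
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)  # fixed so the result is repeatable

if __name__ == "__main__":
    for cidr, issues in audit_allowlist(SAMPLE, NOW).items():
        print(f"{cidr}: {', '.join(issues)}")
```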

Scheduled events

For known traffic spikes (campaign, sports event), pre-declare:

```bash
cd network ddos event declare \
  --start "2026-06-01T18:00:00+06:00" \
  --end "2026-06-01T22:00:00+06:00" \
  --expected-rps 50000 \
  --reason "Eid promotional campaign"
```

The protection tunes thresholds upward for that window.

Default thresholds

Cloud Digit auto-baselines normal traffic over 14 days. The default kicks in at ~5× baseline. Tune per IP if you have predictable spike patterns that look anomalous to the baseline.

Metrics

| Metric | Healthy | Alert |
|---|---|---|
| ddos.mitigations_active | 0 | > 0 |
| ddos.bytes_scrubbed_24h | low | spikes |
| ddos.attack_events_24h | varies | |
| ddos.false_positive_rate | < 0.1% | > 1% (tune thresholds) |

Active mitigation

When mitigation is active for an IP:

```bash
cd network ddos status --ip 103.5.7.42
# Shows: attack type, mitigation active duration, packets scrubbed
```

Mitigation continues until the attack subsides, plus a 5-minute cooldown.

Post-attack review

After every attack event:

  • Was the mitigation effective?
  • Did legitimate users see impact?
  • Are there allowlist gaps that caused false positives?
  • Could the workload benefit from upgrading to DDoS Premium?

```bash
cd network ddos event report --event-id <id>
```

Layered defense

DDoS Basic works at L3/L4. Pair it with:

  • WAF for L7 (HTTP-layer attacks)
  • CDN absorbing the bulk of traffic at edge
  • Load balancer's connection rate-limit for slowloris

Defense in depth — no single layer catches everything.

Capacity reservations

For high-profile customers (banking, government, news): pre-arrange a capacity reservation during expected high-risk windows (elections, BFRS-stage releases). Cloud Digit allocates dedicated scrubbing capacity for the duration.

Legitimate traffic dropped

Symptoms: a known good source can't reach your service during mitigation.

  • Add the source CIDR to allowlist
  • Pre-declare the expected event (campaigns, software rollouts)
  • Verify the traffic isn't being mistaken for an attack pattern (e.g., huge ICMP flood from a misconfigured ping monitor)

Mitigation didn't kick in

Symptoms: ongoing attack, but ddos.mitigations_active = 0:

  • Attack volume below threshold (e.g., slow trickle attacks) — Basic targets volumetric; consider Premium
  • Attack at L7 (HTTP layer) — Basic doesn't cover; need WAF
  • Attack from many low-volume sources — basic rate-limit per source doesn't trigger; need Premium ML-based separation
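The triage above, combined with the ~5× baseline trigger from Default thresholds, as an added example that is not Cloud Digit code: it classifies a traffic sample by which L3/L4 check it would cross. The per-source limit, the "elevated" factor, the baseline value and all flow records are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

BASELINE_MULTIPLIER = 5        # from the page: default kicks in at ~5x baseline
PER_SOURCE_LIMIT_PPS = 2_000   # hypothetical per-source rate limit
ELEVATED_FACTOR = 2            # hypothetical marker for "clearly above normal"

def triage(flows, baseline_pps):
    """flows: iterable of (src_ip, pps). Returns (verdict, details)."""
    per_source = Counter()
    for src, pps in flows:
        per_source[src] += pps
    total = sum(per_source.values())
    threshold = baseline_pps * BASELINE_MULTIPLIER
    noisy = sorted(s for s, p in per_source.items() if p > PER_SOURCE_LIMIT_PPS)
    details = {"total_pps": total, "threshold_pps": threshold,
               "sources": len(per_source), "over_source_limit": noisy}
    if total >= threshold:
        return "aggregate_trigger", details      # volumetric mitigation expected
    if noisy:
        return "per_source_limit", details       # rate limit hits listed sources
    if total > ELEVATED_FACTOR * baseline_pps:
        return "distributed_low_rate", details   # page: Basic won't trigger, Premium
    return "not_volumetric", details             # page: look at L7, needs WAF

def spread(n_sources, pps_each, base="198.18.0.0"):
    """Constructed traffic: n sources from the benchmark range at a flat rate."""
    start = ipaddress.ip_address(base)
    return [(str(start + i), pps_each) for i in range(n_sources)]

BASELINE_PPS = 10_000  # constructed 14-day baseline for one public IP
CASES = {
    "few heavy sources": spread(3, 20_000),
    "one noisy source": spread(80, 100) + [("203.0.113.9", 5_000)],
    "many quiet sources": spread(400, 100),
    "normal volume": spread(90, 100),
}

if __name__ == "__main__":
    for name, flows in CASES.items():
        verdict, d = triage(flows, BASELINE_PPS)
        print(f"{name}: {verdict} ({d['total_pps']} of {d['threshold_pps']} pps, "
              f"{d['sources']} sources)")
```

The "many quiet sources" case sits at 40,000 pps against a 50,000 pps trigger with no single source over the limit, which is the situation where `ddos.mitigations_active` stays at 0.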

Mitigation false positive

ddos.false_positive_rate climbing:

  • Baseline drifted (the platform learns normal traffic; a new "normal" with high volume can confuse it)
  • Use scheduled-events for legitimate high-volume periods
  • Tune per-IP threshold (admin role)

Recovering after attack

The mitigation cooldown is 5 minutes. If your IP is still being mitigated 30 minutes after the attack:

  • Attack ongoing (lower-volume but persistent)
  • cd network ddos status shows current state

If the attack has cleared and the IP is still mitigated, open a ticket.

Service unreachable during mitigation

Mitigation should be transparent to legitimate traffic. If your monitoring shows your own service unreachable during mitigation:

  • Monitor source IP not allowlisted
  • Monitor doing high-volume probing that looks attack-like
  • Verify with a third-party uptime check

Cost spike

DDoS Basic is included free with public IPs — no separate cost. If you see DDoS-attributed costs:

  • You may have DDoS Premium enabled
  • Mitigation may have temporarily required upgrading link capacity (BDIX scrubbing) — rare