
DDoS Protection (Premium)

Service ownership

Owner: security-platform (security-pm@clouddigit.ai) — Status: GA — Last audited: 2026-05-11

Application-layer DDoS protection with WAF integration and an SLA-backed mitigation commitment.

What it adds over Basic

Capability Basic Premium
L3/L4 volumetric mitigation
L7 HTTP-flood mitigation
Behavioural / bot detection
SLA on time-to-mitigate
Attack post-mortem report
24/7 dedicated DDoS NOC bridge during attack

Time-to-mitigate SLA

| Attack class | Premium SLA |
|---|---|
| Volumetric (≥ 10 Gbps) | < 60 s |
| Application-layer HTTP flood | < 5 min |
| Slow / behavioural attack | < 15 min |

Misses against the SLA earn service credits per the SLA reference.
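To check an attack event against these per-class targets before claiming credit, the following added example (not Cloud Digit code) evaluates each vector of a multi-vector event separately. The event record layout, its field names, the class keys and the event ID are assumptions constructed for illustration; only the targets come from the table above.

```python
from datetime import datetime

# Targets from the Time-to-mitigate SLA table above, in seconds.
SLA_SECONDS = {"volumetric": 60, "http_flood": 300, "slow_behavioural": 900}
VOLUMETRIC_MIN_GBPS = 10  # the volumetric target is stated for >= 10 Gbps

def check_vector(vec, as_of):
    """Return (status, seconds) for one vector of an attack event.

    status is "met", "breach", "pending" (not mitigated yet, target not yet
    passed at as_of) or "no-target" (the table states no target for it).
    """
    cls = vec["class"]
    if cls not in SLA_SECONDS:
        return "no-target", None
    if cls == "volumetric" and vec.get("peak_gbps", 0) < VOLUMETRIC_MIN_GBPS:
        return "no-target", None
    start = datetime.fromisoformat(vec["detected_at"])
    end = vec.get("mitigated_at")
    # An unmitigated vector is measured up to the observation time as_of.
    stop = datetime.fromisoformat(end if end else as_of)
    elapsed = (stop - start).total_seconds()
    if elapsed < 0:
        raise ValueError(f"{cls}: timestamp precedes detection")
    if elapsed < SLA_SECONDS[cls]:
        return ("met" if end else "pending"), elapsed
    return "breach", elapsed

def check_event(event, as_of):
    """Evaluate every vector of a multi-vector event against its own target."""
    return [(v["class"],) + check_vector(v, as_of) for v in event["vectors"]]

# Constructed event record; field names and the ID are assumptions.
EVENT = {"id": "evt-EXAMPLE", "vectors": [
    {"class": "volumetric", "peak_gbps": 42,
     "detected_at": "2026-01-10T03:00:00+00:00",
     "mitigated_at": "2026-01-10T03:00:41+00:00"},
    {"class": "http_flood",
     "detected_at": "2026-01-10T03:01:10+00:00",
     "mitigated_at": "2026-01-10T03:07:30+00:00"},
    {"class": "slow_behavioural",
     "detected_at": "2026-01-10T03:02:00+00:00", "mitigated_at": None},
]}

if __name__ == "__main__":
    for row in check_event(EVENT, "2026-01-10T03:10:00+00:00"):
        print(EVENT["id"], *row)
```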

Integration

  • Attaches per-LB or per-CDN-distribution
  • Plays nicely with the WAF (a single rule engine; no double mitigation latency)
  • Logs to SIEM and to your bucket

Pricing

Per-protected-resource-month + a per-Mbps-attacked add-on for very large attacks. See Pricing.

Operate this service

ML-based DDoS protection with higher capacity, advanced traffic profiling, and SLA-backed mitigation.

What's beyond Basic

Feature Basic Premium
Mitigation capacity 50 Gbps 1+ Tbps
L3/L4 protection ✓ (faster onset)
L7 / application layer
Behavioral analysis (ML)
Custom rules
24×7 expert response
SLA best-effort < 60 s mitigation onset

When to upgrade

  • Public-facing apps with paid users (any downtime → revenue loss)
  • Banking, government, news, e-commerce (high-profile target)
  • After an attack that Basic couldn't fully mitigate
  • Compliance requirement

IAM

| Role | Can do |
|---|---|
| ddos.viewer | View events |
| ddos.operator | Manage rules and allowlists |
| ddos.responder | Engage on-call expert during attack |
| ddos.admin | Configure ML model, baseline tuning |

Coverage configuration

Premium can apply per-IP or per-distribution (CDN-fronted):

```bash
cd network ddos premium enable \
  --ip 103.5.7.42 \
  --plan high-profile
```

Tiers: standard (most workloads) and high-profile (added monitoring & expert engagement).

Custom rules

Block known attack patterns specific to your app:

```bash
cd network ddos premium rule add \
  --name block-known-scraper \
  --condition "user_agent contains 'evil-scraper/'" \
  --action block
```

Rules are evaluated in order; first match wins.
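First-match-wins ordering means an earlier, broader rule can make a later one unreachable, which also shows up as a rule with 0 hits. The added example below (not Cloud Digit's rule engine) models only the `<field> contains '<text>'` condition shown above and flags such shadowed rules; the `allow` action, the `pass` default, case-sensitive matching and the rule name `allow-partner-bots` are assumptions.

```python
import re
from dataclasses import dataclass

# Only the condition form shown on this page is modelled.
COND = re.compile(r"^(\w+) contains '([^']*)'$")

@dataclass(frozen=True)
class Rule:
    name: str
    field: str
    needle: str
    action: str

def parse_rule(name, condition, action):
    m = COND.match(condition.strip())
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    return Rule(name, m.group(1), m.group(2), action)

def evaluate(rules, request, default="pass"):
    """Return (rule name, action) of the first matching rule, in list order."""
    for r in rules:
        if r.needle in request.get(r.field, ""):
            return r.name, r.action
    return None, default

def shadowed(rules):
    """Pairs (unreachable rule, rule that hides it).

    A later rule can never fire when an earlier rule on the same field has a
    needle contained in its needle: every request it matches is taken first.
    """
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.field == later.field and earlier.needle in later.needle:
                out.append((later.name, earlier.name))
                break
    return out

# Constructed rule set and request; the first rule is hypothetical.
RULES = [
    parse_rule("allow-partner-bots", "user_agent contains 'scraper'", "allow"),
    parse_rule("block-known-scraper", "user_agent contains 'evil-scraper/'", "block"),
]
REQ = {"user_agent": "evil-scraper/2.1"}

if __name__ == "__main__":
    print(evaluate(RULES, REQ), shadowed(RULES))
    print(evaluate(RULES[::-1], REQ), shadowed(RULES[::-1]))
```

Placing the narrower block rule first restores the intended behaviour and leaves no shadowed rule.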

SLA

  • Mitigation onset: < 60s of attack detection
  • False positive rate: < 0.05%
  • Customer reachable expert: 24×7

Metrics

| Metric | Healthy | Alert |
|---|---|---|
| ddos.premium.mitigations_active | 0 | > 0 |
| ddos.premium.attack_categories | none | spike (L7/volumetric/protocol) |
| ddos.premium.legitimate_pct | > 99.9% | < 99.5% (false positives) |
| ddos.premium.expert_responses_24h | varies | |
| ddos.premium.rule_hits_24h | varies per rule | |

During an attack

Premium customers get a dedicated chat channel + phone line:

  1. Cloud Digit SRE alerts you (no need to discover yourself)
  2. Joint review of attack pattern
  3. Tune rules in real-time
  4. Post-event report within 24 h

Even if you have Premium, monitor your own systems — Cloud Digit handles the infra layer, but your app may still see indirect impact (queue depth, downstream timeouts).

Rule tuning

Premium customers should review rule hit-rates monthly:

```bash
cd network ddos premium rule stats --since 30d
```

  • Rules with 0 hits: maybe no longer needed
  • Rules with high false-positive ratio (legitimate_pct < 99%): too aggressive
  • New attack patterns observed: add rules

Behavioral baseline

Premium learns per-IP / per-distribution traffic patterns. Baselines refresh:

  • Weekly automatic refresh
  • Manual refresh after large legitimate changes (new region launch, product release):

```bash
cd network ddos premium baseline reset --ip 103.5.7.42 --reason "traffic pattern change"
```

Don't reset for short-term spikes.

Coordinated attacks

Some attackers run multi-vector attacks (volumetric + L7 + protocol abuse) simultaneously. Premium's ML correlates across vectors and reports them as a single event:

```bash
cd network ddos premium event show
# Shows all observed vectors with timing
```

SLA breach

If mitigation didn't start within 60 s of attack detection, Cloud Digit owes you SLA credit. Open a ticket with the attack event ID; SRE investigates and applies credit automatically.

False positives

When ddos.premium.legitimate_pct falls below 99.5%, the usual causes are:

  • Recent baseline reset triggered by drift; ML still learning new patterns
  • Aggressive custom rule
  • Pre-declared event ended but rule still active

Engage on-call to tune. Don't disable rules unilaterally — that may expose you to the actual attack.

ML model classifying real traffic as attack

A legitimate burst (campaign, news mention, viral content) gets flagged:

  1. Pre-declare via `cd network ddos event declare` next time
  2. For unexpected legitimate spikes: engage on-call to add temporary allowlist
  3. Tune baseline after the event normalizes

Mitigation working but app slow

DDoS scrubbing introduces ~5–10 ms latency for legitimate traffic. For most workloads this is negligible. If your app is latency-critical:

  • Verify the latency added matches expectation (ddos.premium.scrub_latency_ms)
  • Consider always-on inline scrubbing for ultra-low-latency profiles (talk to Customer Engineer)

Cost surprise

Premium has a base monthly cost + variable mitigation fees during attacks. After a large attack, review the breakdown:

```bash
cd network ddos premium bill --month current
```

The base cost should match contract; mitigation fees should match what's documented.

Attack continued after Premium upgrade

Premium covers L7, but it isn't magic:

  • Some app-layer attacks need WAF-side rules (e.g., specific endpoint flood)
  • Some need source-IP blocking at firewall layer
  • Some need rate-limit at LB

Layered defense remains necessary.

Expert engagement slow

Expected: < 15 minutes for responder-tier engagement.

If slower:

  • Are you using the documented hotline / chat?
  • Is the contact pre-registered? Premium customers should pre-register on-call contacts