> ## Documentation Index
> Fetch the complete documentation index at: https://gcore-doc-1256a.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# L7 DDoS protection

We offer protection for your web applications, websites, and APIs from DDoS attacks at the [application layer](https://en.wikipedia.org/wiki/OSI_model) (layer 7) in the OSI model. These attacks are often performed in bursts and aren't always volumetric in nature.

DDoS detection is always active, regardless of whether WAAP is in **Monitoring** or **Protection** mode. Once a DDoS attack is identified, the system activates a DDoS mode.

<Info>
  **Info**

  When WAAP is in **Monitoring** mode, DDoS attacks are still detected and DDoS mode is activated. However, no protection is enforced — traffic is passed to the origin as normal. DDoS events are recorded in analytics and marked as DDoS traffic.

  To enable active DDoS protection, switch your domain to [Protection mode](/waap/getting-started/configure-waap-for-a-domain#step-8-enable-protection-mode).
</Info>

<Tip>
  **Tip**

  The DDoS attack statistics and other related data are available on the [L7 DDoS](/waap/analytics#l7-ddos-page) analytics page.
</Tip>

## When DDoS mode is activated

DDoS mode is activated if any of the following conditions are met.

| Condition            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Threshold values                                                                                                                                                                                                             |
| -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Global threshold     | This mechanism identifies DDoS attacks whose traffic patterns consist of a slow rise in traffic over a set period of time.<br /><br />DDoS mode is activated   when the customizable threshold value is met, AND the current number of requests is at least two times (2X) the previous 10-second window.                                                                                                                                                                                                                                                                                                            | **Default**:<br />- This mechanism has a default DDoS threshold of 5,000 requests per 10 seconds.<br /><br />**Minimum**:<br />- 250 requests per 10 seconds.<br /><br />**Maximum**:<br />- 50,000 requests per 10 seconds. |
| Burst threshold      | This mechanism identifies sudden bursts in traffic.<br /><br />DDoS mode is activated   when the customizable threshold value is met, AND the number of requests is at least five times (5X) the last 2-second interval.                                                                                                                                                                                                                                                                                                                                                                                             | **Default**:<br />- 1,000 requests per 2 seconds.<br /><br />**Minimum**:<br />- 30 requests per 2 seconds.<br /><br />**Maximum**:<br />- 10,000 requests per 2 seconds.                                                    |
| Sub-second threshold | This threshold protects the origin servers against attacks from traffic bursts.<br /><br />When this threshold is reached, the DDoS mode will activate on the affected origin server (not the WAAP cluster).<br /><br />This mechanism can mitigate bursts of requests without activating DDoS mode when other threshold conditions aren't met. Mitigated requests are counted as DDoS L7 - Blocked   on the [Web Application Firewall Requests](/waap/analytics#web-application-firewall-requests) analytics graph, and they won't appear on the [DDoS attacks over time](/waap/analytics#attacks-over-time) graph. | **Default**:<br />- 50 seconds requests per 0.1 seconds.                                                                                                                                                                     |

<Info>
  **Info**

  You can adjust the threshold values for all WAAP plans. Contact [our support team](mailto:support@gcore.com) for assistance.
</Info>

## What happens when DDoS mode is activated

* Every request is challenged with JavaScript validation. This challenge detects if a valid user and not an automated tool is making the request. If a user passes the validation, they will not be challenged on future requests.
* DDoS mode will be active for a minimum duration of 10 minutes and then for the duration of the attack.
* Any automated layer traffic is blocked. This action won't be applied to large search engines, such as Google or Bing.
* WAAP's bot-detection technology will block bots that share IP addresses with human users or frequently change their IP addresses.
* WAAP DDoS protection uses an AI-driven IP filtering profiler that analyzes daily traffic patterns from known users. This helps the system distinguish normal traffic from traffic that might be part of a DDoS attack.
