DDoS protection
Always-on L3/4/7 DDoS scrubbing, with non-HTTP transit DDoS for arbitrary TCP / UDP services.
What it is
Every zone gets always-on L3/4/7 scrubbing at no extra cost. For non-HTTP services (game servers, custom TCP/UDP protocols) you can opt into the transit-layer scrubbing tier, which advertises your origin behind our anycast and absorbs floods upstream of your network.
When to use it
- Protect a web origin from volumetric and application-layer floods.
- Protect a TCP/UDP service (game server, custom protocol).
- Get SOC-2 evidence of DDoS controls for compliance audits.
Quickstart
asc edge ddos transit enable --origin 1.2.3.4 --port 27015 --proto udp
asc edge ddos report --zone example.com --from -7dclient.edge.ddos.transit.enable(origin='1.2.3.4', port=27015, proto='udp')
report = client.edge.ddos.report(zone='example.com', from_='-7d')await client.edge.ddos.transit.enable({ origin: '1.2.3.4', port: 27015, proto: 'udp' });Limits & quotas
| Limit | Default | Burst | Notes |
|---|---|---|---|
| HTTP scrubbing capacity | >100 Tbps aggregate | — | Always-on, included |
| Transit scrubbing | $50 / Gbps-mo (commit) | — | Non-HTTP services |
| Per-port transit pricing | $15 / port-mo | — |
Pricing
See pricing. Pay-as-you-go, billed monthly via Stripe.
API surface
POST /v1/edge/ddos/transit/enableGET /v1/edge/ddos/reports
Required scope(s): edge:write. See Scopes.
Security
All access is authenticated and scoped. See Auth & scopes and Network controls.