# 3.1 DDoS Protection

#### 🛡️ Overview

The **DDoS Protection** module in ShieldsGuard is your first line of defense against traffic-based denial-of-service attacks. Whether it’s volumetric floods, bot-driven login abuse, or application-layer overload, this protection engine enables you to mitigate threats before they impact your infrastructure.

> ⚠️ **Important:** After first setup, the DDoS Protection feature is disabled by default.\
> To activate protection, you **must manually select one of the available protection modes** from the panel.

These modes are:

* **JavaScript Verification**
* **Google Captcha**
* **Friendly Captcha**

Until one is selected and configured, your website will remain vulnerable to automated traffic-based attacks.

***

#### ⚙️ Activating Protection

1. Navigate to **Protection > DDoS Protection** from the left sidebar.
2. Locate the **DDoS Protection** status section at the top.
3. Choose a protection mode from the dropdown:
   * `Javascript Verification`
   * `Google Captcha`
   * `Friendly Captcha`
4. Configure the selected mode using the provided forms.
5. Your protection will be enforced immediately after saving.

***

### 🔍 DDoS Protection Modes Explained

***

#### ✅ JavaScript Verification

This mode enforces a lightweight browser-based challenge that filters out non-human traffic such as bots, scripts, and scanners that do not execute JavaScript.

**Key Features:**

* Invisible to human users
* Fast and automatic
* Effective against basic botnets, curl, wget, and CLI tools

**Limitations:**

* Advanced bots using headless browsers (e.g., Puppeteer, Selenium) may pass this challenge

**Recommended Use:**

* Public websites
* Static content delivery
* When user friction must be minimal

***

#### 🔐 Google Captcha

Enables Google’s reCAPTCHA to challenge suspicious users and confirm they are human before they access sensitive areas.

**Configuration Required:**

* Google reCAPTCHA **Site Key**
* Google reCAPTCHA **Secret Key**

**Variants Supported:**

* reCAPTCHA v2 (checkbox or invisible)
* reCAPTCHA v3 (score-based)

**Advantages:**

* High detection accuracy
* Widely recognized
* Free for standard use

**Drawbacks:**

* Adds friction to user flow
* May not comply with strict privacy regulations (e.g., GDPR in the EU)

**Recommended Use:**

* Login pages
* Admin panels
* Account creation / payment flows

***

#### 🛡️ Friendly Captcha

Friendly Captcha is a modern, privacy-first alternative that relies on **proof-of-work cryptography** performed by the browser instead of asking users to solve puzzles.

**Fields to Configure:**

* **Secret Key** (generated from Friendly Captcha panel)
* **Site Key**
* **Endpoint Region** (EU / US)

**Advantages:**

* No user interaction
* Fully GDPR-compliant
* Does not collect or track user data

**Drawbacks:**

* Requires an active Friendly Captcha subscription
* Slight delay due to proof-of-work (milliseconds)

**Recommended Use:**

* Privacy-focused websites
* European user bases
* Sites requiring seamless UX with strong bot defense

***

### 🔧 Advanced Configuration Options

Once a protection mode is selected, you can fine-tune how and when it activates:

***

#### 🍪 Visitor Cookie Duration

Defines how long a visitor stays trusted after passing the challenge.

* **Minimum:** 600 seconds (10 minutes)
* **Maximum:** 86400 seconds (1 day)

**Example Use:**\
Set to 1800 seconds (30 minutes) to avoid re-challenging returning users too often.

***

#### ⏱️ DDoS Protection Duration

Sets how long protection remains active once it has been triggered.

* **Range:** 5 to 1440 minutes

**Scenario:**\
If set to 60 minutes, the site stays protected for one hour after an attack pattern is detected.

***

#### 🚨 DDoS Trigger Settings

Define how much traffic is considered suspicious.

* **Time Interval (Seconds):** Between 10 and 30 seconds
* **Request Threshold:** Between 1 and 5000 requests

**Example:**\
If a single IP sends more than 1000 requests in 10 seconds, activate protection.

***

#### 🌐 IP Rate Limiting

Sets a hard cap on the number of requests per second from a single IP address.

* **Minimum:** 5 requests/sec
* **Use Case:** Prevents brute-force and scraping attacks

**Tip:**\
Start with 500–700 requests/sec and monitor before lowering. Use tighter limits for login or API routes.
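
To pick trigger and rate-limit values before saving them in the panel, you can replay request timestamps from your own access logs against candidate settings. The following is an added example, not ShieldsGuard code: the sliding-window counting, the `validate` and `replay` names, and the sample traffic are assumptions made for illustration.

```python
from collections import Counter, defaultdict, deque


def validate(interval_s, threshold, rate_limit):
    # Field ranges as documented on this page.
    if not 10 <= interval_s <= 30:
        raise ValueError("Time Interval must be 10-30 seconds")
    if not 1 <= threshold <= 5000:
        raise ValueError("Request Threshold must be 1-5000 requests")
    if rate_limit < 5:
        raise ValueError("IP rate limit minimum is 5 requests/sec")


def replay(events, interval_s, threshold, rate_limit):
    """Replay time-sorted (epoch_seconds, ip) events against candidate settings.

    Assumption: requests are counted per IP in a sliding window; the product's
    real counting method is not documented on this page.
    """
    validate(interval_s, threshold, rate_limit)
    windows = defaultdict(deque)   # ip -> timestamps inside the current interval
    peak_window = Counter()        # ip -> most requests seen in any interval
    per_second = Counter()         # (ip, whole second) -> request count
    for ts, ip in events:
        win = windows[ip]
        win.append(ts)
        while win[0] <= ts - interval_s:   # drop requests older than the interval
            win.popleft()
        peak_window[ip] = max(peak_window[ip], len(win))
        per_second[(ip, int(ts))] += 1
    peak_rps = Counter()
    for (ip, _), n in per_second.items():
        peak_rps[ip] = max(peak_rps[ip], n)
    return {ip: {"peak_window": peak_window[ip],
                 "peak_rps": peak_rps[ip],
                 "trigger": peak_window[ip] > threshold,      # "more than N in T s"
                 "rate_limited": peak_rps[ip] > rate_limit}
            for ip in peak_window}


# Constructed sample traffic (documentation IP ranges), not real log data:
# one client sending 150 req/s for 10 s, one browsing at 2 req/s for 60 s.
SAMPLE = sorted([(1000 + i / 150, "203.0.113.7") for i in range(1500)]
                + [(1000 + i / 2, "198.51.100.20") for i in range(120)])

if __name__ == "__main__":
    for ip, row in replay(SAMPLE, interval_s=10, threshold=1000, rate_limit=500).items():
        print(ip, row)
```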

***

### ✅ Best Practice Recommendations

| Scenario              | Recommended Setup                                 |
| --------------------- | ------------------------------------------------- |
| Public Website        | JavaScript Verification + Rate Limiting           |
| Login/Authentication  | Friendly Captcha + 10-minute cookie               |
| Admin Panel           | Google Captcha + Trigger Protection @ 500/10s     |
| High-Traffic App (EU) | Friendly Captcha (EU Endpoint) + Rate Limit 300/s |
| Payment Gateway/API   | Google Captcha + IP Limit 100/s                   |

***

### 🧠 Summary

DDoS protection is only effective when properly **enabled and tuned**. ShieldsGuard provides multiple mechanisms to cover both performance and privacy concerns. The layered control—combining protection mode, duration, trigger thresholds, and IP rate limits—ensures your services stay online even during hostile traffic surges.

> Always test your configuration under light load before deploying in production.

