
3.1 DDoS Protection


Last updated 9 days ago

🛡️ Overview

The DDoS Protection module in ShieldsGuard is your first line of defense against traffic-based denial-of-service attacks. Whether it’s volumetric floods, bot-driven login abuse, or application-layer overload, this protection engine enables you to mitigate threats before they impact your infrastructure.

⚠️ Important: After first setup, the DDoS Protection feature is disabled by default. To activate protection, you must manually select one of the available protection modes from the panel.

These modes are:

  • JavaScript Verification

  • Google Captcha

  • Friendly Captcha

Until one is selected and configured, your website will remain vulnerable to automated traffic-based attacks.


⚙️ Activating Protection

  1. Navigate to Protection > DDoS Protection from the left sidebar.

  2. Locate the DDoS Protection status section at the top.

  3. Choose a protection mode from the dropdown:

    • JavaScript Verification

    • Google Captcha

    • Friendly Captcha

  4. Configure the selected mode using the provided forms.

  5. Your protection will be enforced immediately after saving.


🔍 DDoS Protection Modes Explained


✅ JavaScript Verification

This mode enforces a lightweight browser-based challenge that filters out non-human traffic like bots, scripts, and scanners that do not support JavaScript execution.

Key Features:

  • Invisible to human users

  • Fast and automatic

  • Effective against basic botnets, curl, wget, and CLI tools

Limitations:

  • Advanced bots using headless browsers (e.g., Puppeteer, Selenium) may pass this challenge

Recommended Use:

  • Public websites

  • Static content delivery

  • When user friction must be minimal


🔐 Google Captcha

Enables Google’s reCAPTCHA to challenge suspicious users and confirm they are human before accessing sensitive areas.

Configuration Required:

  • Google reCAPTCHA Site Key

  • Google reCAPTCHA Secret Key

Variants Supported:

  • reCAPTCHA v2 (checkbox or invisible)

  • reCAPTCHA v3 (score-based)

Advantages:

  • High detection accuracy

  • Widely recognized

  • Free for standard use

Drawbacks:

  • Adds friction to user flow

  • May not comply with strict privacy regulations (e.g., GDPR in EU)

Recommended Use:

  • Login pages

  • Admin panels

  • Account creation / payment flows


🛡️ Friendly Captcha

Friendly Captcha is a modern, privacy-first alternative that makes the visitor's browser solve a proof-of-work computation instead of asking the user to solve visual puzzles.

Fields to Configure:

  • Secret Key (generated from Friendly Captcha panel)

  • Site Key

  • Endpoint Region (EU / US)

Advantages:

  • No user interaction

  • Fully GDPR-compliant

  • Does not collect or track user data

Drawbacks:

  • Requires an active Friendly Captcha subscription

  • Slight delay due to proof-of-work (milliseconds)

Recommended Use:

  • Privacy-focused websites

  • European user bases

  • Sites requiring seamless UX with strong bot defense


🔧 Advanced Configuration Options

Once a protection mode is selected, you can fine-tune how and when it activates:


🍪 Visitor Cookie Duration

Defines how long a visitor stays trusted after passing the challenge.

  • Minimum: 600 seconds (10 minutes)

  • Maximum: 86400 seconds (1 day)

Example Use: Set to 1800 seconds (30 minutes) to avoid re-challenging returning users too often.


⏱️ DDoS Protection Duration

When triggered, this sets how long the protection remains active.

  • Range: 5 to 1440 minutes

Scenario: If set to 60 minutes, the site stays protected for one hour after an attack pattern is detected.


🚨 DDoS Trigger Settings

Define how much traffic is considered suspicious.

  • Time Interval (Seconds): Between 10 and 30 seconds

  • Request Threshold: Between 1 and 5000 requests

Example: If a single IP sends more than 1000 requests in 10 seconds, activate protection.


🌐 IP Rate Limiting

Sets a hard cap on the number of requests per second from a single IP address.

  • Minimum: 5 requests/sec

  • Use Case: Prevents brute-force and scraping attacks

Tip: Start with 500–700 and monitor before lowering. Use tighter limits for login or API routes.
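The four settings above act as one layered control. The following simulation is an added example, not ShieldsGuard's own code: its class, method names and the way it combines trigger interval/threshold, protection duration, visitor cookie duration and the per-IP cap are assumptions chosen to match the descriptions on this page (defaults follow the page's examples: 1000 requests in 10 s, 60-minute protection, 1800 s cookie, 500 requests/s cap). Traffic in the demo is constructed.

```python
from collections import defaultdict, deque


class DdosGuard:
    def __init__(self, interval_s=10, threshold=1000, protect_min=60,
                 cookie_s=1800, rate_per_s=500):
        self.interval_s, self.threshold = interval_s, threshold  # trigger settings
        self.protect_s = protect_min * 60                        # protection duration
        self.cookie_s, self.rate_per_s = cookie_s, rate_per_s    # cookie life, IP cap
        self.window = defaultdict(deque)    # ip -> request times inside trigger interval
        self.last_sec = defaultdict(deque)  # ip -> request times inside the last second
        self.protected_until = 0.0          # site-wide protection expiry (seconds)
        self.trusted = {}                   # cookie token -> expiry time

    def _count(self, q, now, span):
        """Record a hit at `now` and return hits seen within the last `span` seconds."""
        q.append(now)
        while q and q[0] <= now - span:
            q.popleft()
        return len(q)

    def pass_challenge(self, now):
        """Visitor solved the JS/captcha challenge: issue a trust cookie (assumed format)."""
        token = f"sg_{len(self.trusted)}_{now:.3f}"
        self.trusted[token] = now + self.cookie_s
        return token

    def handle(self, ip, now, cookie=None):
        """Decide one request: 'allow', 'challenge' or 'block'."""
        # 1. Hard per-IP cap is enforced whether or not protection is active.
        if self._count(self.last_sec[ip], now, 1.0) > self.rate_per_s:
            return "block"
        # 2. Trigger: more than `threshold` hits from one IP inside `interval_s`
        #    switches protection on for `protect_s` seconds (extends if already on).
        if self._count(self.window[ip], now, self.interval_s) > self.threshold:
            self.protected_until = max(self.protected_until, now + self.protect_s)
        # 3. While protection is active only visitors holding a live cookie pass.
        if now < self.protected_until:
            if self.trusted.get(cookie, 0.0) > now:
                return "allow"
            return "challenge"
        return "allow"


if __name__ == "__main__":
    g = DdosGuard()
    flood = [g.handle("198.51.100.9", i / 300) for i in range(1001)]  # constructed flood
    print("flood:", flood[-1], "| visitor:", g.handle("203.0.113.7", 4.0),
          "| with cookie:", g.handle("203.0.113.7", 5.0, g.pass_challenge(4.0)))
```

Note that the flood stays under the 500/s cap yet still trips the 1000-in-10-s trigger, which is why the cap and the trigger are separate knobs.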


✅ Best Practice Recommendations

Scenario                | Recommended Setup
------------------------|---------------------------------------------------
Public Website          | JavaScript Verification + Rate Limiting
Login/Authentication    | Friendly Captcha + 10-minute cookie
Admin Panel             | Google Captcha + Trigger Protection @ 500/10s
High-Traffic App (EU)   | Friendly Captcha (EU Endpoint) + Rate Limit 300/s
Payment Gateway/API     | Google Captcha + IP Limit 100/s


🧠 Summary

DDoS protection is only effective when properly enabled and tuned. ShieldsGuard provides multiple mechanisms to cover both performance and privacy concerns. The layered control—combining protection mode, duration, trigger thresholds, and IP rate limits—ensures your services stay online even during hostile traffic surges.

Always test your configuration under light load before deploying in production.