DDoS Protection

ArvanCloud’s protection against DDoS attacks is provided in 4 stages of various complexities so that you can protect your website against malicious DDoS attacks.

You can activate the feature in your ArvanCloud user panel, in the CDN service under the DDoS Protection section.

Layer 3/4 Protection

ArvanCloud’s basic form of protection against DDoS attacks protects your website against all layer 3/4 attacks. However, this level of protection does not extend to the more complex layer 7 attacks.

For this purpose, ArvanCloud provides three states of protection against Layer 7 DDoS attacks.

Layer 7 Protection

This protection operates at the application layer and comes in three levels.

Activating the cookie challenge means that ArvanCloud will send a cookie to the user’s browser. The browser is asked to attach the cookie to its next request and resend that request. Because this redirect will disrupt your APIs, you can disable the feature for the desired API by creating a rule in the "Rules" section. This challenge helps to recognize and block simple bots.

Google IPs and search engines are exempt from all applicable DDoS protections.

curl --location --request PATCH 'https://napi.arvancloud.ir/cdn/4.0/domains/example.com/ddos' \
--header 'authority: napi.arvancloud.ir' \
--header 'accept: application/json, text/plain, */*' \
--header 'accept-language: fa' \
--header 'authorization: APIKEY 1 2 3 4' \
--header 'cache-control: no-cache' \
--header 'content-type: application/json;charset=UTF-8' \
--header 'pragma: no-cache' \
--data-raw '{"mode":"cookie"}'

JS Challenge

Activating this feature means that an encryption operation is used to recognize users, protecting your website against DDoS attacks from more complex bots. In this method, a JavaScript file is sent to the user's browser. The browser performs the encryption operation and sends the result in its next request, and ArvanCloud then confirms it.

Activate the JS Challenge through the API:

curl --location --request PATCH 'https://napi.arvancloud.ir/cdn/4.0/domains/example.com/ddos' \
--header 'authority: napi.arvancloud.ir' \
--header 'accept: application/json, text/plain, */*' \
--header 'accept-language: fa' \
--header 'authorization: APIKEY 1 2 3 4' \
--header 'cache-control: no-cache' \
--header 'content-type: application/json;charset=UTF-8' \
--header 'pragma: no-cache' \
--data-raw '{"mode":"javascript"}'

Recaptcha Challenge

In the latest and most complex challenge, the user is shown a security code or Captcha and is asked to select the right images. Since the traffic for loading and processing these pages is done outside your server, no load will be applied to your website’s server.

In this case, you can choose the type of captcha, according to your needs, to be used across the entire domain and in the DDoS challenge.

To enable the Captcha challenge, your CDN product package must be Professional or Enterprise.

Activate the Captcha Challenge through the API:

curl --location --request PATCH 'https://napi.arvancloud.ir/cdn/4.0/domains/example.com/ddos' \
--header 'authority: napi.arvancloud.ir' \
--header 'accept: application/json, text/plain, */*' \
--header 'accept-language: fa' \
--header 'authorization: APIKEY 1 2 3 4' \
--header 'cache-control: no-cache' \
--header 'content-type: application/json;charset=UTF-8' \
--header 'pragma: no-cache' \
--data-raw '{"mode":"recaptcha"}'

Change the Captcha Type through the API:

curl --location --request PATCH 'https://napi.arvancloud.ir/cdn/4.0/domains/example.com/ddos' \
--header 'authority: napi.arvancloud.ir' \
--header 'accept: application/json, text/plain, */*' \
--header 'authorization: APIKEY 1 2 3 4' \
--header 'cache-control: no-cache' \
--header 'content-type: application/json' \
--data-raw '{"protection_mode":"captcha","captcha_service":"hcaptcha","ttl":0}'

The captcha_service parameter accepts three values, hCaptcha, arCaptcha and reCAPTCHA; send the one that matches the selected service in the API request.

In each protection method, you can set how long the authorization remains valid, so that the user does not need to be authorized every time.

Disable DDoS Protection on a URL

If the DDoS challenge disrupts a route on your domain (such as an API service), enter that route (URL) in ArvanCloud in Glob form so that the DDoS challenge is not applied to it.

To do this, click on New Rule in the custom rules section.

Now you can enter your desired URL along with the list of IPs or all IPs and specify whether the challenge should be applied to them or not.

Tips for using fetch or xhr when the challenge is active

If JavaScript code on your domain (example.com) makes requests to a subdomain such as sub.example.com, follow these points:

Using fetch

If you use fetch to make a request, you must set credentials to 'include' in the options. Example:

fetch("https://sub.example.com", { credentials: 'include' });

Using xhr

If you are using xhr, you must set the client's withCredentials value to true. Example:

let xhttp = new XMLHttpRequest();
xhttp.open("GET", "https://sub.example.com", true);
xhttp.withCredentials = true;
xhttp.send();

Using ajax

If you are using ajax, you must set the xhrFields.withCredentials option to true. Example:

$.ajax("https://sub.example.com", { xhrFields: { withCredentials: true } })

Preflight or CORS Request Management

To send a request to a subdomain, Preflight Headers must be managed in a certain way (for example, using page rules).

If you do not need to read the response to the request (the response is opaque), you can set the mode to no-cors. Example:

fetch("https://sub.example.com", { mode: 'no-cors', credentials: 'include' })
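The cookie challenge, the URL exemption rule and the credentials requirement described above can be seen together in a small model. This is an added example, not ArvanCloud's code: the cookie name, the token format (expiry plus an HMAC bound to the client IP), the secret, the 307 status and the /api/ exemption are all assumptions made for illustration.

```javascript
// Toy model of a cookie challenge at a CDN edge (illustrative assumptions only).
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed value
const COOKIE = '__challenge';             // hypothetical cookie name
const TTL_MS = 60_000;                    // how long a passed challenge stays valid
const EXEMPT = [/^\/api\//];              // glob "/api/*" as a regex: rule that skips the challenge

const sign = (exp, ip) =>
  crypto.createHmac('sha256', SECRET).update(`${exp}|${ip}`).digest('hex');

// Token = expiry + HMAC over (expiry, client IP): unforgeable without SECRET.
function issueToken(ip, now) {
  const exp = String(now + TTL_MS);
  return `${exp}.${sign(exp, ip)}`;
}

function tokenValid(token, ip, now) {
  const [exp, mac] = String(token || '').split('.');
  if (!exp || !mac || !(Number(exp) > now)) return false; // missing, malformed or expired
  const a = Buffer.from(mac), b = Buffer.from(sign(exp, ip));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Edge decision for one request: exempt path, valid cookie, or challenge + redirect.
function edge(req, now = Date.now()) {
  if (EXEMPT.some((re) => re.test(req.path))) return { status: 200, via: 'rule' };
  if (tokenValid(req.cookies[COOKIE], req.ip, now)) return { status: 200, via: 'cookie' };
  return { status: 307, location: req.path, setCookie: { [COOKIE]: issueToken(req.ip, now) } };
}

// Client that follows redirects. sendCookies=true models a browser navigation or
// fetch(url, { credentials: 'include' }); false models a cross-origin fetch without it.
function client(path, { sendCookies, maxHops = 3 }) {
  const jar = {};
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = edge({ path, ip: '203.0.113.7', cookies: sendCookies ? jar : {} });
    if (res.status === 200) return { ok: true, hops: hop, via: res.via };
    Object.assign(jar, res.setCookie); // the cookie is stored but only sent if allowed
  }
  return { ok: false, hops: maxHops, via: null }; // never passes: redirect loop
}

console.log(client('/index.html', { sendCookies: true }));
console.log(client('/index.html', { sendCookies: false }));
console.log(client('/api/v1/items', { sendCookies: false }));
```

The second call fails because the challenge cookie is never sent back, which is the situation that credentials: 'include' or an exemption rule for the route avoids.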