| copyright |
|
||
|---|---|---|---|
| lastupdated | 2026-02-06 | ||
| keywords | |||
| subcollection | cis |
{{site.data.keyword.attribute-definition-list}}
{: #preventing-ddos-attacks}
An effective way to prevent DDoS attacks targeting your web servers is to reduce the requests that reach those servers. Requests can come to your origin server from your web application and from direct connections to the server itself. {: shortdesc}
{: caption="The paths requests can take to your servers" caption-side="bottom"}
{: #reduce-app-requests-to-origin}
{: #ddos-prevent-cache}
A cache stores copies of frequently accessed resources such as images and CSS files. When a resource is cached—whether on a user’s browser or a Content Delivery Network (CDN) server—requests for that resource do not have to go to your origin server. These resources are instead served directly by the cache.
During a DDoS attack, caching reduces the number of requests that go to your origin server, which makes it harder for your server to get overwhelmed by traffic.
{: caption="Reduce requests to the origin by using caching" caption-side="bottom"}
{: #ddos-prevent-waf}
A WAF creates a shield between a web application and the internet. The WAF checks incoming web requests and filters potentially malicious traffic to mitigate common attacks.
{: caption="Reduce requests to the origin by using WAF" caption-side="bottom"}
{: #prevent-external-connections}
Generally, your origin server should accept only requests that come from your web application, especially in the context of DDoS attacks. Traffic that bypasses your web application also bypasses any WAF or caching you have and has a stronger chance of overwhelming your origin.
{: caption="Prevent external connection requests to the origin" caption-side="bottom"}
{: #ddos-related-links}