Note: this article assumes that your subscription plan includes DDoS mitigation. If your subscription plan does not include DDoS mitigation your site will be taken off the service if it is a target for a DDoS attack.
Incapsula determines whether your site is under a DDoS attack using the request per second threshold defined in the DDoS settings (for additional information see Setting Up the DDoS Mitigation Service). The default threshold is 1000 requests per second.
If traffic to your site exceeds the rate of 1000 requests per second, several things will happen:
A notification will be sent out to your email notifying you on the DDoS attack, your current DDoS settings and some quantitative measures about the attack size.
A notification will be added in the Incapsula Management Console to alert logged in users about the attack.
If your DDoS rule is set to On or Automatic, Incapsula will start mitigating the attack.
When your site’s traffic rate returns to normal, a second notification will be sent out notifying you that the DDoS attack has been terminated. Incapsula will disable the DDoS rule 5 minutes after the request rate has returned to normal to be prepared for another cycle of the attack.