Setting Up the DDoS Mitigation Service

Created at:

Access the DDoS settings:

  1. Log in to your account.
  2. On the sidebar, click Websites (default).
  3. Click a site name to access the site's dashboard.
  4. On the sidebar, click Settings.
  5. Click WAF.

The DDoS mitigation rule has three basic modes:





All DDoS mitigation rules are disabled.


All DDoS mitigation rules are enabled.

Automatic (recommended)

DDoS mitigation rules are activated automatically when Incapsula detects that your site is under a DDoS attack.

If the DDoS mode is set to Automatic, Incapsula only enables the DDoS rules when known DDoS attack patterns are detected or the request rate to the site exceeds a certain threshold. The threshold is set by default to 1,000 requests per second, but can be adjusted using the Advanced DDoS Settings option.


The recommended mode for the DDoS rule is Automatic. This allows users to make sure DDoS attacks are mitigated instantly as soon as a DDoS attack starts while minimizing the impact on the normal web site behavior. This is recommended since we have learned that not all users are aware of all legitimate bots that access their website and enabling the DDoS rules might cause those bots to be blocked if whitelist rules are not set up in advance.
If the DDoS mode is set to Automatic, Incapsula will enable the DDoS rules only when the traffic to the site exceeds a certain threshold. This threshold is set by default to 1000 requests per second and can be modified in the Advanced DDoS Settings (see below).


Advanced DDoS Settings:

The advanced DDoS settings can be accessed by clicking on Advanced Settings in the DDoS rule settings. Three types of advanced settings are available:

Option Description
Challenge for Unknown Clients After Incapsula has determined that a DDoS attack is underway, it challenges suspicious bots with a set of tests to filter out any kind of malicious visitor. Except for the CAPTCHA challenge, these challenges do not affect the user experience.
  • No Challenge: Requests from suspicious bots are not challenged in any way.
  • Cookie Support: Suspicious bots are challenged for Cookie support.
  • Javascript Support: Suspicious bots are challenged for Javascript support.
  • Human Interaction (CAPTCHA): Suspicious bots are required to complete a CAPTCHA test.
Consider Site to Be under DDoS

Specifies the request rate threshold beyond which Incapsula enables DDoS mitigation rules.

Tip: If you are activating a marketing campaign and expect a significant increase in traffic over a short period of time, you may want to increase this value so it is not considered a DDoS attack.

Block Non-essential Bots Blocking non-essential bots is designed to overcome attacks carried out by bots that disguise themselves as a legitimate service that is classified by Incapsula’s client classification engine.This option should be used only in extreme situations and after consulting with Incapsula’s 24x7 support team.


Add whitelist rules

The Incapsula DDoS whitelist lets you specify conditions under which the DDoS rules will not analyze a request. Any item that you enter into the whitelist is considered trusted and safe by Incapsula.

A whitelist rule will match only if all match criteria are satisfied. If you want to whitelist multiple and non-related scenarios, you can add multiple whitelist rules.

To add an item to the whitelist:

  1. In the DDoS section, click Add whitelist:

The following displays:

  1. In the Add whitelist rule on field, select the type of item to be added to the whitelist, such as URL, Client app ID, IP, Country, User Agent or HTTP parameter.

  2. In the field to the right, fill in the value to be whitelisted.

  3. Click Add.

  4. Add additional rules as needed by following the steps above.

  5. Click Confirm.

Tip: Alternatively, you can add an item to the WAF whitelist directly from the Events page if you have identified a false positive event.


For additional information, see also:

Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request


  • Avatar


    This threshold is set by default to 500 requests per second
    Now, I think this default setting is 1000 requests per second in the Advanced DDoS Settings.
    Please let me know correct default setting.

  • Avatar

    Hi, there is a typo on the last line:

    "For additional inofmration, see also: DDoS Mitigation Service"

Powered by Zendesk