# DDoS Protection

### Overview

Check Point WAF SaaS provides integrated Distributed Denial-of-Service (DDoS) protection designed to maintain the availability, resiliency, and stability of customer-facing applications and APIs during malicious traffic events and large-scale denial-of-service attacks.

The service combines globally distributed traffic mitigation capabilities with application-layer security controls to automatically detect and mitigate a broad range of network and application-level attack vectors. DDoS protections are integrated directly into the Check Point WAF SaaS platform and operate continuously as part of the managed security service.

The platform is designed to minimize operational overhead for customers by automatically handling traffic analysis, attack detection, mitigation activation, and protection enforcement without requiring customer-side infrastructure changes or dedicated DDoS management expertise.

DDoS protection capabilities described in this document apply to Check Point WAF SaaS deployments only.

{% hint style="warning" %}
**Disclaimer**

DDoS mitigation uses adaptive detection and automated protections designed to block large-scale abusive traffic while minimizing impact on legitimate users.

During certain large-scale or highly distributed attacks, some requests may still reach the protected application until additional mitigations or manual tuning are applied. Requests containing malicious payloads continue to be inspected and enforced by the WAF security engine.

Additional controls such as geo-restrictions, rate limiting, or custom mitigation policies may be required in some attack scenarios.
{% endhint %}

{% hint style="info" %}
This protection engine is available for CloudGuard WAF SaaS. It is not available with local editions of the product such as Gateway & Agent.
{% endhint %}

### DDoS Protection Capabilities

* Always-On Detection & Mitigation
  * Check Point WAF SaaS continuously monitors inbound traffic patterns and automatically activates mitigation controls when malicious traffic characteristics or denial-of-service behaviors are identified.
* Infrastructure Layer Protection (L3/L4)
  * Protection against SYN floods, UDP floods, reflection/amplification attacks, DNS floods, connection exhaustion attacks, and volumetric attacks.
* Application Layer Protection (L7)
  * Protection against HTTP/HTTPS floods using behavioral analysis, automated request rate enforcement, reputation-based protections, bot mitigation, and AI-driven anomaly detection.
* Adaptive Traffic Analysis
  * The platform continuously profiles normal traffic behavior and dynamically establishes traffic baselines used for anomaly detection and mitigation decisions.
* Health-Aware Mitigation
  * Traffic behavior is correlated with service and application health indicators to improve mitigation precision and reduce false positives.
* Global Resiliency & Distributed Mitigation
  * The architecture is designed to absorb large-scale attack traffic while maintaining service availability and reducing single points of failure.
* Automated Mitigation Operations
  * No setup is needed: customers are not required to configure DDoS-specific mitigation policies or maintain dedicated DDoS infrastructure.
* Financial Protection
  * Customers are not charged for malicious DDoS traffic or abnormal attack-related usage generated during validated attack events handled by the platform.

### Operational Visibility

Check Point WAF SaaS provides operational visibility into active DDoS events through the DDoS dashboard.

The dashboard is populated during attack events and provides visibility into attack timelines, mitigation activities, and attack-related operational details.

Check Point maintains 24x7 operational monitoring and DDoS response processes to support mitigation and service continuity during significant attack events.

### Shared Responsibility & SLA Considerations

Check Point WAF SaaS is designed to provide automated DDoS detection and mitigation capabilities as part of the managed security service.

Check Point uses commercially reasonable efforts to detect, mitigate, and minimize the impact of denial-of-service attacks affecting protected customer applications and APIs.

The service does not provide a guaranteed mitigation-time SLA for all attack scenarios. However, DDoS protections are continuously monitored, maintained, and enhanced as part of ongoing platform operations and security engineering processes.

Check Point WAF SaaS is backed by Check Point enterprise-grade 24x7 operational support and monitoring processes to help maintain service availability and operational responsiveness during security events.

### Summary

Check Point WAF SaaS delivers integrated enterprise-grade DDoS protection designed to help organizations maintain application availability during denial-of-service attacks while minimizing operational complexity.

The platform combines continuous traffic monitoring, automated attack detection, infrastructure and application-layer mitigation, AI-driven behavioral analysis, integrated bot protections, global resiliency architecture, and managed operational simplicity.

## The DDoS Dashboard

The DDoS dashboard is populated when an attack occurs and gives security teams live visibility into, and control of, attack details. When needed during an attack, the DRT will also contact you.

<figure><img src="/files/AjHhhuoBK5kqT8rjepq9" alt=""><figcaption></figcaption></figure>

## Example Scenario

An attacker launches a sophisticated HTTP/2 flood on your login API.

* CloudGuard WAF SaaS detects anomalies against your traffic baseline.
* Edge PoPs begin filtering out malicious sessions.
* DDoS mitigation activates without affecting real users.
* The dashboard shows the attack timeline, response actions, and forensic logs.
* The DRT monitors and notifies your team if escalation is needed.

Related:

{% content-ref url="/pages/FRoNSqtX7n54YLUTh4sp" %}
[Rate Limit](/additional-security-engines/rate-limit.md)
{% endcontent-ref %}

{% content-ref url="/pages/SDQdQL2KlKAGZhmPkMBX" %}
[Anti-Bot](/additional-security-engines/anti-bot.md)
{% endcontent-ref %}

