DDoS defense is defense in depth: no single control stops every attack, so you stack layers that each absorb, filter, or block a different class of traffic. The order matters — push as much work as possible to the edge, away from your origin.
Rate limiting answers over-limit clients with 429 Too Many Requests, which stops abusive clients without harming normal ones.

The mental model is absorb -> filter -> block:
Internet flood
-> CDN + anycast : ABSORB volume across global PoPs
-> scrubbing : drop obvious junk (L3/L4 floods)
-> WAF : FILTER malicious HTTP (L7)
-> rate limiting : throttle abusive clients (429)
-> origin (autoscaled) : serve the clean remainder
-> ISP null-route : last resort if origin IP is overwhelmed
Volumetric attacks die at the CDN/scrubbing layer; application-layer attacks that look like real traffic get filtered by the WAF and rate limiter.
Relying on one layer fails predictably: a WAF cannot stop a 1 Tbps flood (the pipe saturates first), and a CDN alone will happily pass a clever HTTP flood through to your origin. Layering means each attack class meets a control designed for it, and the origin only ever sees traffic the outer layers could not handle on their own.
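To make the ordering concrete, here is an added toy model of the absorb -> filter -> block pipeline (example code written for this page, not from any product or the original text). The traffic sample, the single WAF rule, the "handshake never completed" scrubbing heuristic and the 100-requests-per-10-seconds limit are all constructed assumptions; the point is to see where each class of traffic stops, and what reaches the origin when only one layer is in place.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    src: str                # source address
    layer: str              # "L4": bare SYN/UDP packet, "L7": a full HTTP request
    t: float                # arrival time in seconds
    path: str = "/"         # request path, L7 only
    syn_only: bool = False  # L4 packet whose flow never completed a handshake


class Scrubber:
    """Scrubbing layer: drops L3/L4 junk. Constructed heuristic: a SYN whose
    flow never completes the handshake is treated as flood traffic."""
    def allow(self, p: Packet) -> bool:
        return not (p.layer == "L4" and p.syn_only)


class WAF:
    """Application-layer filter. Sees only HTTP, so raw L4 packets pass
    untouched. The one traversal rule is a constructed stand-in for a ruleset."""
    rules = [re.compile(r"\.\./")]

    def allow(self, p: Packet) -> bool:
        if p.layer != "L7":
            return True
        return not any(r.search(p.path) for r in self.rules)


class RateLimiter:
    """Sliding window: at most `limit` accepted requests per source in any
    `window` seconds. Over the limit the client gets 429 and the origin is
    never asked. Constructed thresholds."""
    def __init__(self, limit: int = 100, window: float = 10.0):
        self.limit, self.window = limit, window
        self.accepted = defaultdict(deque)   # src -> timestamps of accepted requests

    def allow(self, p: Packet) -> bool:
        if p.layer != "L7":
            return True
        q = self.accepted[p.src]
        while q and q[0] <= p.t - self.window:   # evict timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(p.t)
        return True


def default_layers():
    # Outer layer first: scrubbing, then WAF, then rate limiting, then origin.
    return [("scrubbed", Scrubber()), ("waf_blocked", WAF()),
            ("rate_limited_429", RateLimiter())]


def run_pipeline(packets, layers=None):
    """Push traffic through the layers in order and count where each packet
    stopped; whatever survives every layer is served by the origin."""
    layers = default_layers() if layers is None else layers
    counts = {name: 0 for name, _ in layers}
    counts["served_by_origin"] = 0
    for p in sorted(packets, key=lambda x: x.t):
        for name, layer in layers:
            if not layer.allow(p):
                counts[name] += 1
                break
        else:
            counts["served_by_origin"] += 1
    return counts


def constructed_traffic():
    """Constructed sample: a SYN flood, a scanner, one HTTP flooder, real users."""
    pkts = []
    for i in range(300):   # L4 flood from spoofed sources, handshake never completes
        pkts.append(Packet(src=f"192.0.2.{i % 3}", layer="L4", t=i * 0.01, syn_only=True))
    for i in range(20):    # L7 requests matching the WAF denylist
        pkts.append(Packet(src="203.0.113.5", layer="L7", t=i * 0.1, path="/../../secret"))
    for i in range(500):   # L7 flood: one source sends 500 GET / within 10 seconds
        pkts.append(Packet(src="198.51.100.7", layer="L7", t=i * 0.02, path="/"))
    for c in range(5):     # five normal users, six spread-out requests each
        for i in range(6):
            pkts.append(Packet(src=f"198.51.100.{10 + c}", layer="L7", t=float(i), path="/index.html"))
    return pkts


if __name__ == "__main__":
    print("full stack:", run_pipeline(constructed_traffic()))
    print("WAF only:  ", run_pipeline(constructed_traffic(), [("waf_blocked", WAF())]))
```

With the full stack the origin serves 130 requests (100 from the flooder before the limiter trips, 30 from normal users); the SYN flood never gets past scrubbing and the WAF only ever sees HTTP. Running the same traffic through the WAF alone sends 830 packets to the origin, because a WAF has no opinion about raw SYNs and cannot tell a well-formed GET / flood from a busy real user, which is the failure mode the paragraph above describes.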