L3-L4 DDoS Protection


Utilize StackPath's L3-L4 DDoS protection feature to provide supplemental security for your workloads. Detect and mitigate L3 and L4 volumetric DDoS attacks without incurring any additional latency for your clean traffic

This feature requires that you have an active subscription to DDoS services. To learn more about our DDoS package offerings, please see here.

At this time, the StackPath API only supports enabling/disabling L3-L4 DDoS Protection on a workload.

Supported PoPs

Please see L3-L4 DDoS Protection PoPs for a list of locations that currently support L3-L4 DDoS protection. This list will be updated as more PoPs are configured to support this feature.


StackPath offers three types of DDoS packages: Standard, Professional and Enterprise.

Billing for Standard customers is usage-based (pay-as-you-use) as determined by instance hours.

Professional and Enterprise customers are billed according to a monthly commit, where a certain number of protected instance hours are provided at the beginning of each billing cycle. Consuming instance hours beyond the monthly limit will result in overage charges.

Instance hours are defined by the number of hours where L3-L4 DDoS Protection is enabled on running instances. There can be any combination of instance hours. For example, 1 instance consumed for 1 hour or 2 instances consumed for 30 minutes each are both equal to 1 instance hour.

StackPath bills in 1-second increments with a 5-second minimum per instance. The cost of each instance hour will vary based on the DDoS package as shown in the table below:

Protected Instance HoursN/A7200/month72,000/month


$0.06 each additional hour

$0.05 each additional hour

For this scenario, we are using L3-L4 DDoS Protection with a Professional DDoS package, in which we are given 7200 protected instance hours for the month.

Here are few different cases where 7200 instance hours is consumed:

  • 10 instances running constantly for the entire month (each month == 720 hours) 
  • 20 instances running 12 hours a day 
  • 40 instances running 6 hours a day 

Enabling L3-L4 DDoS Protection

L3-L4 DDoS protection is disabled by default upon initial creation of a workload using the API.

When creating a new workload, enable DDoS Protection by adding the annotation workload.platform.stackpath.net/ddos-service-class as shown in the example below:

"workload": {                    
"name": "test workload",  
"slug": "test-workload",  
"metadata": {    
"annotations": { 
"workload.platform.stackpath.net/ddos-service-class": "stackpath-edge/base",  
"spec": {...},                   
"targets": {...}  

Disabling L3-L4 DDoS Protection

Disable DDoS protection by replacing the annotation's value with an empty string via a PATCH request when updating the workload.

"workload": {                    
"name": " test workload,  
"slug": " test-workload ",  
"metadata": {                
"version": "1",  
"annotations": {                     
"workload.platform.stackpath.net/ddos-service-class": ""  

A PUT request to the same endpoint containing the full workload configuration, omitting the workload annotation, will also disable L3-L4 DDoS Protection.