I’ve been going through different blog posts and resources on Vercel. There’s quite a bit of jargon that’s pretty easy to get confused by. For example, Edge Region & Edge Network, Vercel Firewall & WAF, etc.
This is what happens when a user visits a website hosted on Vercel (please correct me if I’m wrong):
- User request from the browser (includes DNS resolution)
- Request reaches the nearest PoP based on location
- PoP sends the request to the nearest Edge Region 1 (over a private network)
- Edge Region 1 responds to the request if the Vercel function is deployed in that region
- Edge Region 1 sends the request to Region 2 if the function runs there due to its requirement of an external database
Source (blog post): Life of a Vercel request: Navigating the Edge Network - Vercel
Now, talking about the security components, especially DDoS prevention (L3, L4, L7), Firewall, and WAF.
“After passing initial evaluation and security checks by the Vercel Firewall, the PoP links the request to one of 18 globally distributed Edge Regions” (Source) - So there’s a firewall component in the PoP that blocks certain traffic, and if the traffic is not blocked it sends it on to the Edge Network.
In the Edge Network there’s the Vercel Firewall, which takes care of L3, L4, L7 DDoS (L7 just Slowloris & HTTP floods). If the Vercel Firewall finds the traffic good, it becomes an Edge Request and proceeds to the WAF custom rules.
If the WAF custom rules allow a request, it goes to routing and then to the Vercel Edge Cache to see if there’s anything cached. If nothing is cached, the request finally reaches Vercel Functions and the function responds. (I’ve removed the deployment protection stages just to keep things simple.)
Also, Fast Data Transfer consists of two parts: incoming requests and outgoing responses, first recognized at the same point as Edge Requests. (Source)
From an attack point of view:
Every L7 request becomes an Edge Request if the Vercel Firewall thinks the traffic is good. The request body contributes to Fast Data Transfer usage.
Based on this understanding, my questions are:
- If I create a custom rule that blocks a particular IP range, does the crawling/DDoS activity from that IP range still contribute to my Edge Request & Fast Data Transfer usage?
- Persistent actions are available to Pro & Enterprise customers. So Hobby users can’t escape ER & FDT exhaustion by determined attackers?
- A misconfigured rate limit rule (say, an example rule that says if the request path matches / then log - this rule doesn’t really do anything) will still contribute to usage, as rate limiting is charged per million allowed requests?
- Do both the PoP and the Edge Network have the Vercel Firewall, and is a request double-checked before it becomes an Edge Request?