Current versus Expected behavior
Current behavior:
My project received approximately 2,189,216 requests in a short period, which appears to be a Layer 7 DDoS attack. Vercel’s platform did not automatically detect or block this malicious traffic, resulting in the requests being counted against my Hobby plan quota.
Expected behavior:
I expected Vercel’s DDoS protection to automatically identify and mitigate this abnormal traffic pattern before it consumed my monthly request quota.
Code, configuration, and steps that reproduce this issue
-
Project was deployed and running normally
-
Suddenly received a massive spike of 2.18M+ requests
-
Checked the Usage dashboard and confirmed the traffic spike
-
Manually created and enabled a rate limit rule: “Rate limit static site to 100 req/10min”
-
Published version #1 with this change
Current Firewall Configuration:
- Rate Limit Rule: 100 requests per 10 minutes (enabled after attack)
Project information
-
Project Name: vibe-chat
-
Plan: Hobby (Free)
-
Total Requests: 2,189,216
-
Time Period: Last 90 days (Mar 30 - Jun 28)
-
Mitigation Applied: Rate limiting rule (100 req/10min)
Questions
-
Why wasn’t this traffic pattern automatically detected and blocked?
-
Will I be charged or soft-blocked due to exceeding Hobby limits from this attack?
-
What additional protective measures can I take within the Hobby plan’s 3 custom WAF rules limit?
Thank you for any guidance!