Hello,
I am currently experiencing a DDOS attack, and despite having firewall rules in place to block the malicious traffic, I am still seeing unusually high usage in my Vercel usage analytics.
Here are the details of the issue:
- Attack Pattern: At the beginning of each hour, I receive between 1M-2M requests. Fortunately, all the malicious traffic shares the same JA4 digest, and I have successfully set up a firewall rule to block requests with that hash. The attack started on 6 Sep and is still ongoing.
- Firewall Performance: As the attack starts, my firewall rules blocks the first 30k-60k requests until Vercel’s DDOS mitigation kicks in and handles the rest, only allowing around 3.3k requests of normal traffic through.
- Concern: Despite the firewall effectively blocking the majority of the attack, the usage analytics under the “Usage” tab still show approximately 8M edge requests and excessive bandwidth consumption for the past 24 hours.
Given that most of these requests are blocked by the firewall, I am wondering:
- Should denied requests blocked by the firewall be counted towards my usage?
- Am I missing any configuration or setting that would prevent these blocked requests from being included in the usage analytics?
- I don’t understand how I am getting these high usage numbers while only 3.3k of traffic is allowed through the firewall?
- Also, I am on the hobby plan and I have exceeded some usage limits because of the attack. so how much time do I have before the project is paused?
Attached are some images:
-
The firewall traffic for the past 24 hours, showing the DDOS pattern and successful blocking.
-
The usage tab showing the high request count despite the blocked traffic.
