Intermediate
How to configure DDoS protection settings on DigitalOcean
Quick Answer
DigitalOcean provides built-in DDoS protection through their cloud infrastructure, but you can enhance it by configuring load balancers, firewalls, and monitoring alerts. The platform automatically mitigates basic DDoS attacks, while advanced protection requires additional configuration through their security features.
Prerequisites
- Active DigitalOcean account
- Existing droplet or load balancer
- Basic understanding of network security
- Admin access to DigitalOcean control panel
1
Access the DigitalOcean Control Panel
Log into your DigitalOcean account and navigate to the main dashboard. Click on Networking in the left sidebar menu to access network security options. This section contains all DDoS protection and firewall configuration tools.
Tip
Bookmark the networking section for quick access to security settings.
2
Configure Cloud Firewalls
Click on Firewalls and then Create Firewall. Set up inbound rules to allow only necessary traffic:
- HTTP (port 80) and HTTPS (port 443) for web traffic
- SSH (port 22) restricted to your IP address
- Block all other unnecessary ports by adding no rules for them (Cloud Firewalls drop inbound traffic that no rule allows)
Tip
Use the most restrictive rules possible while maintaining functionality.
3
Set Up Load Balancer for Traffic Distribution
Navigate to Load Balancers and click Create Load Balancer. Configure the following settings:
- Select your preferred region
- Choose Regional for better DDoS resilience
- Enable Sticky Sessions if needed
- Add your droplets to the backend pool
Tip
Regional load balancers offer better DDoS protection than node-specific ones.
4
Enable Monitoring and Alerts
Go to Monitoring in the main menu and click Create Alert Policy. Set up alerts for:
- High network traffic (incoming/outgoing)
- CPU usage spikes above 80%
- Unusual connection patterns
Tip
Set conservative thresholds initially and adjust based on your normal traffic patterns.
5
Configure Rate Limiting on Applications
While DigitalOcean provides infrastructure-level protection, implement application-level rate limiting. For nginx, add this to your server configuration:
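# In the http { } block: track each client IP in a 10 MB shared zone, limited to 10 requests per second
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
# In the server { } or location { } block: queue bursts of up to 20 requests, reject the rest
limit_req zone=one burst=20;
For Apache, use mod_security or fail2ban to implement similar protections.
Tip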
Combine infrastructure and application-level protection for comprehensive DDoS defense.
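To see which clients the rate limit above is actually hitting, the following added example (not part of the original tutorial) tallies per-client rejections and delays for zone `one` from the nginx error log. The log lines are constructed samples in nginx's error-log message format, and the function names and the `min_rejects` threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample of nginx error-log lines; addresses are documentation ranges.
SAMPLE_LOG = '''\
2024/05/01 10:00:01 [warn] 812#812: *101 delaying request, excess: 0.520, by zone "one", client: 198.51.100.23, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2024/05/01 10:00:02 [error] 812#812: *117 limiting requests, excess: 20.310 by zone "one", client: 203.0.113.9, server: example.com, request: "GET /login HTTP/1.1", host: "example.com"
2024/05/01 10:00:02 [error] 812#812: *118 limiting requests, excess: 20.870 by zone "one", client: 203.0.113.9, server: example.com, request: "GET /login HTTP/1.1", host: "example.com"
2024/05/01 10:00:03 [error] 812#812: *119 limiting requests, excess: 20.990 by zone "one", client: 203.0.113.9, server: example.com, request: "GET /login HTTP/1.1", host: "example.com"
2024/05/01 10:00:04 [error] 812#812: *130 limiting requests, excess: 20.100 by zone "one", client: 2001:db8::5, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2024/05/01 10:00:05 [error] 812#812: *131 limiting requests, excess: 5.200 by zone "api", client: 203.0.113.9, server: example.com, request: "GET /v1 HTTP/1.1", host: "example.com"
2024/05/01 10:00:06 [error] 812#812: *140 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.23, server: example.com
'''

# "limiting requests" means rejected; "delaying request" means queued within burst.
LINE_RE = re.compile(
    r'(?P<action>limiting requests|delaying request)(?:, dry run)?, '
    r'excess: \d+\.\d+,? by zone "(?P<zone>[^"]+)", '
    r'client: (?P<client>[0-9a-fA-F.:]+)')


def summarize(log_text, zone="one"):
    """Return (rejected, delayed) Counters keyed by client IP for one zone."""
    rejected, delayed = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["zone"] != zone:
            continue  # unrelated error or a different limit_req zone
        bucket = rejected if m["action"] == "limiting requests" else delayed
        bucket[m["client"]] += 1
    return rejected, delayed


def noisy_clients(log_text, zone="one", min_rejects=3):
    """Clients rejected at least min_rejects times, most-rejected first."""
    rejected, _ = summarize(log_text, zone)
    return [(ip, n) for ip, n in rejected.most_common() if n >= min_rejects]


if __name__ == "__main__":
    for ip, n in noisy_clients(SAMPLE_LOG):
        print(f"{ip}: {n} requests rejected by zone 'one'")
```

nginx logs delays one level below rejections (warn by default), so they appear only when `error_log` is set to `warn` or a more verbose level.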
6
Review and Test Protection Settings
Navigate to Graphs under the Monitoring section to review traffic patterns. Test your configuration by:
- Checking firewall rules are blocking unwanted traffic
- Verifying load balancer health checks
- Testing alert notifications
Tip
Document your normal traffic patterns to quickly identify anomalies during attacks.
Troubleshooting
Legitimate traffic being blocked by firewall rules
Review your firewall configuration under Networking > Firewalls and add specific allow rules for legitimate IP ranges or services. Check the firewall logs to identify blocked traffic patterns.
Load balancer showing unhealthy backend droplets
Verify that your droplets are responding correctly by checking the Health Checks configuration. Ensure the health check path returns a 200 status code and adjust timeout settings if needed.
False positive DDoS alerts triggering frequently
Adjust your monitoring alert thresholds under Monitoring > Alert Policies. Increase the threshold values or modify the time window to reduce false positives while maintaining protection.
Application still experiencing performance issues during attacks
Implement additional application-level protections like rate limiting, CAPTCHA systems, or consider upgrading to higher-tier droplets with more resources. Review your database connections and optimize queries.