Framer's DDoS Protection Method

In the event of an attack on Framer, a challenge page, or loading spinner, is presented to visitors.

If you see this screen, it indicates the site is currently under attack. Framer is actively defending by blocking bot traffic and preventing down-time. It may seem like a quick verification step to users, but it's actually a crucial security stage to protect the site.

What is a DDoS Attack?

Websites can be exposed to various external attacks, and among them, DDoS (Distributed Denial of Service) attacks are quite common. A DDoS attack involves loading a site repeatedly from numerous computers at the same time, overloading the server, ultimately causing the site to go down.

How DDoS Attacks Work

During a DDoS attack, a bot or botnet floods the website with a large number of HTTP requests and traffic, overwhelming the site. The service can be delayed or interrupted as numerous computers simultaneously launch a saturation attack, pushing regular visitors out.

Sometimes hackers also try to infiltrate databases or servers during the attack to gain access to critical information. DDoS attacks can exploit security vulnerabilities and target any endpoint that is publicly accessible via the internet. These attacks can last from hours to days and can cause multiple service interruptions even from a single attack. Furthermore, the damage can occur regardless of whether the devices are personal or business-oriented. (Source)

Due to the high risk of such attacks, Framer employs an active protection system that automatically defends against them.

How Framer Blocks Attacks

Framer effectively prevents these attacks by using rate limiting technology. This method monitors for abnormal page reload frequencies from the same group of visitors and blocks such traffic. If traffic exceeds normal user behavior frequencies, it is treated as potential bot activity and is blocked.

However, normal users can sometimes be detected as bots, so Framer requests the user's browser to solve a CPU-based puzzle automatically. This process is very quick, taking roughly 0.5 seconds on a fast computer, and site access is granted as soon as the puzzle is completed.

While it's practically invisible to ordinary visitors, bots that send millions of requests per second would take years to solve the puzzle. This method effectively blocks bots while ensuring that regular users can surf the web without interruption.

Possible Phenomena During an Attack

• 429 (Too Many Requests) Response Issued
  During an attack, the site may return a 429 status code, and a challenge page may be shown. This could trigger uptime alerts, but it indicates the site is being protected correctly.

• Adjust Notifications as Needed
  You can configure monitoring tools to ignore 429 alerts. Once the attack ends, the protection automatically deactivates, and all visitor challenge pages disappear. You can set alerts to ignore 429 responses if needed.

Does an Attack affect SEO?

Fortunately, there is no negative impact on SEO. Search engine crawlers that receive a 429 code simply see it as “too many requests right now, try again later,” and will return to crawl normally once the attack is over.

Frequently Asked Questions (FAQ)

Q. Are DDoS attacks only targeted at large corporations or famous sites?

• No. All websites can be targets, regardless of size. In 2020, even Amazon Web Services was subjected to a large-scale attack. Sites with security vulnerabilities are at higher risk.

Q. Does a challenge page mean my site is completely blocked?

• No. Framer maintains service availability by allowing only normal users through a challenge page (requesting the browser to automatically solve a CPU-based puzzle).

Q. Can data breaches occur simultaneously with a DDoS attack?

• Yes. There are cases where attempts are made to access databases simultaneously with traffic attacks, so strengthening basic web security is essential.

This article is a translated and adapted version of the Framer official blog’s ‘How does our active DDoS protection work?’.