Back to Blog

Summary: DigitalOcean includes free Layer 3/4 DDoS protection for all resources but offers no application-layer coverage or attack visibility. Cloudflare provides free HTTP/HTTPS DDoS protection that works with any provider, including DigitalOcean and AWS. AWS Shield Standard is free for all AWS accounts and covers L3/L4 attacks, while Shield Advanced at $3,000/month adds cost protection, DRT access, and health-based detection. For most cloud-native teams, the winning combination is cloud provider built-in protection (free) plus Cloudflare (free) for web applications, with optional agent-based detection from Flowtriq ($9.99/node/month) for server-side visibility.

Quick comparison

These three services represent different approaches to DDoS protection: cloud provider built-in (DigitalOcean, AWS Shield Standard), cloud provider premium (AWS Shield Advanced), and standalone proxy (Cloudflare). Understanding what each covers is the key to building the right stack.

Feature DigitalOcean
Built-in
Cloudflare
Free / Pro / Biz
AWS Shield
Standard / Advanced
Price Free (included) Free / $20 / $200 Free / $3,000/mo
L3/L4 protection Yes, automatic HTTP/S only (free-Biz) Yes, automatic
L7 protection No Yes, all tiers Advanced + WAF
Non-HTTP protocols Yes (L3/L4 only) Enterprise only Yes (all tiers)
Works with any provider DigitalOcean only Yes (DNS proxy) AWS only
Scrubbing capacity Undisclosed 500+ Tbps AWS edge network
Detection SLA No published SLA Seconds (inline) Seconds / SLA (Advanced)
Attack analytics Minimal Basic (free), detailed (Pro+) Basic (Std), detailed (Adv)
Cost protection No Unmetered (no overage) Advanced only
WAF No Pro+ (managed rules) Advanced (AWS WAF included)
DDoS response team No Enterprise only Advanced only (DRT)
Setup effort None (automatic) DNS change (~5 min) None (Std) / Config (Adv)
Best for DO workloads, basic L3/L4 Web apps, any provider AWS workloads, enterprise

DigitalOcean DDoS Protection

DigitalOcean Built-in DDoS Protection

Always-on Layer 3/4 DDoS protection included with every DigitalOcean resource. No additional cost, no configuration required. Available across all data centers globally.

Built-in Protection
Free

Automatic L3/L4 DDoS mitigation for all Droplets, Kubernetes, Managed Databases, Load Balancers, and Reserved IPs.

Strengths

  • Completely free and included with every DigitalOcean resource
  • Zero configuration required: protection starts when you provision a resource
  • Covers UDP floods, ICMP floods, TCP floods, SYN floods, DNS reflection
  • In-network mitigation means no traffic rerouting to third parties
  • Available across all DigitalOcean data centers worldwide

Limitations

  • No Layer 7 (application-layer) DDoS protection
  • No published scrubbing capacity or mitigation SLA
  • Minimal attack analytics or forensics
  • No WAF, no rate limiting, no custom mitigation rules
  • Only protects DigitalOcean-hosted resources
  • No DDoS cost protection guarantees

What DigitalOcean protection actually covers

DigitalOcean's built-in DDoS protection operates at the network infrastructure layer. When a volumetric attack targets one of your Droplet IPs, DigitalOcean's network equipment detects the anomaly and filters malicious traffic before it reaches your virtual machine. This happens automatically, with no action required on your part.

The protection is effective against common volumetric attacks: UDP floods, SYN floods, ICMP amplification, DNS reflection, and similar Layer 3/4 vectors that make up the majority of DDoS attacks by volume. For a small to medium web application on DigitalOcean, this built-in protection handles the most common threat scenarios.

Where it falls short is visibility and application-layer coverage. DigitalOcean does not provide attack logs, mitigation reports, or real-time metrics during an incident. You may not even know an attack is happening unless your monitoring catches indirect symptoms like latency spikes. There is also no application-layer protection: HTTP floods, slowloris attacks, and other L7 vectors that target your web server directly are not covered.

Cloudflare DDoS Protection

Cloudflare DDoS Protection

Infrastructure-agnostic CDN and reverse proxy with 500+ Tbps edge capacity. Unmetered DDoS protection on all tiers. Works with any hosting provider via DNS change.

Free
$0/mo

Unmetered HTTP/S DDoS protection. Basic WAF rules. Limited analytics.

Pro
$20/mo

Managed WAF rulesets, enhanced analytics, faster rule propagation.

Business
$200/mo

Custom WAF rules, attack logs, 99.99% SLA.

Enterprise
Custom

Magic Transit, Spectrum, dedicated support, advanced analytics.

Strengths

  • Free tier with genuine unmetered HTTP/S DDoS protection
  • 500+ Tbps edge capacity across 330+ cities
  • Works with any hosting provider: DigitalOcean, AWS, bare metal, anything
  • Application-layer protection: rate limiting, JS challenges, managed WAF
  • No overage fees or per-attack charges on any tier
  • Setup takes minutes: change nameservers, done

Limitations

  • Free through Business tiers only protect HTTP/HTTPS (ports 80/443)
  • Non-HTTP protocols require Enterprise pricing (Spectrum, Magic Transit)
  • No server-side visibility: Cloudflare sees edge traffic, not your server
  • If your origin IP leaks, attacks can bypass Cloudflare entirely
  • Limited forensics on free tier

Why Cloudflare complements cloud provider protection

Cloudflare and cloud provider built-in protection are not competing alternatives. They protect different layers. DigitalOcean and AWS Shield Standard protect the network infrastructure layer (L3/L4). Cloudflare protects the application layer (L7) for HTTP/HTTPS traffic. Used together, they form a more complete defense than either provides alone.

A practical example: your DigitalOcean Droplet hosts a web application. A SYN flood targets your Droplet IP. DigitalOcean's built-in protection mitigates it at the network layer. Meanwhile, an HTTP flood sends 100,000 legitimate-looking requests per second to your application. DigitalOcean's protection does nothing because it is not an L3/L4 attack. Cloudflare's reverse proxy detects the HTTP flood and filters it before requests reach your Droplet.

The critical configuration step: when using Cloudflare, restrict your origin server's firewall to only accept traffic from Cloudflare's published IP ranges. This prevents attackers from bypassing Cloudflare by sending traffic directly to your origin IP. Cloudflare publishes these ranges at cloudflare.com/ips.

AWS Shield

AWS Shield

Native AWS DDoS protection in two tiers. Shield Standard is free and automatic for all AWS accounts. Shield Advanced ($3,000/month) adds DRT access, cost protection, and health-based detection.

Standard
Free

Automatic L3/L4 protection for all AWS resources. Protects CloudFront, Route 53, ELB, EC2.

Advanced
$3,000/mo

12-month commitment. DRT access, DDoS cost protection, health-based detection, AWS WAF included, near-real-time attack metrics.

Strengths

  • Standard tier is free and always-on for every AWS account
  • Advanced: DDoS cost protection credits scaling costs caused by attacks
  • Health-based detection monitors application metrics, not just traffic volume
  • DRT (DDoS Response Team) access for hands-on incident assistance
  • AWS WAF included at no extra cost with Advanced
  • One Advanced subscription covers all accounts in an AWS Organization

Limitations

  • Only protects AWS-hosted resources
  • $3,000/month minimum for Advanced (12-month commitment)
  • Standard tier provides limited visibility and no mitigation SLA
  • No protection for EC2 instances without Elastic IPs on Standard
  • Advanced data transfer fees can add to the base cost

Shield Standard vs Shield Advanced: when to upgrade

AWS Shield Standard is surprisingly capable for a free service. It automatically protects CloudFront distributions, Route 53 hosted zones, Elastic Load Balancers, and EC2 instances from the most common L3/L4 DDoS vectors. For many applications, this is sufficient.

Shield Advanced is worth the $3,000/month investment when:

  • Downtime has direct financial cost. Shield Advanced includes DDoS cost protection, which means AWS credits you for auto-scaling costs triggered by a DDoS attack. Without it, a large attack could cause your EC2 auto-scaling group or CloudFront distribution to rack up significant charges.
  • You need guaranteed response. The DRT (DDoS Response Team) provides hands-on assistance during active attacks, including custom mitigation rule creation and traffic analysis.
  • You need attack visibility. Shield Advanced provides near-real-time metrics, attack diagnostics, and detailed post-attack reporting. Shield Standard provides almost no visibility into attacks.
  • You run latency-sensitive applications. Health-based detection monitors your application's actual health metrics (like ALB 5xx rates or Route 53 health checks) to detect attacks that degrade performance without necessarily spiking traffic volumes.

Head-to-head: key differences

Coverage model

The fundamental difference between these three services is what they cover and where they work:

  • DigitalOcean: Covers L3/L4 for DigitalOcean resources only. If you migrate a Droplet to AWS, you lose this protection entirely.
  • Cloudflare: Covers L7 for HTTP/HTTPS on any infrastructure. Your backend can be on DigitalOcean, AWS, a basement server, or all three. Cloudflare does not care.
  • AWS Shield: Covers L3/L4 (Standard) or L3/L4/L7 (Advanced + WAF) for AWS resources only. Like DigitalOcean, protection is tied to the infrastructure provider.

This means DigitalOcean and AWS Shield Standard are "free because you are already paying for hosting." They are benefits of the platform, not standalone products. Cloudflare is a standalone service that adds value regardless of where your servers run.

Cost analysis for typical stacks

Let's compare the actual monthly cost for three common scenarios:

Scenario DigitalOcean stack AWS stack Multi-cloud stack
Infrastructure 3 Droplets ($72/mo) 3 EC2 + ALB (~$150/mo) Mixed DO + AWS ($200/mo)
Built-in L3/L4 Free (DO built-in) Free (Shield Standard) Free (both providers)
L7 protection $0 (Cloudflare Free) $0 (Cloudflare Free) $0 (Cloudflare Free)
Server-side detection $29.97 (Flowtriq) $29.97 (Flowtriq) $29.97 (Flowtriq)
Total DDoS cost $0 - $29.97/mo $0 - $29.97/mo $0 - $29.97/mo
Premium option Cloudflare Pro: $20/mo Shield Advanced: $3,000/mo Cloudflare Pro: $20/mo

For cloud-native teams running web applications, the economics are clear: cloud provider built-in protection plus Cloudflare Free provides a solid baseline at zero additional cost. The question is whether you need the additional capabilities that paid tiers provide.

Visibility gap

All three services share a common blind spot: none of them tell you what is happening on your server during an attack. DigitalOcean provides almost no attack telemetry. Cloudflare shows you edge traffic patterns. AWS Shield Standard provides minimal visibility (Advanced is significantly better).

None of them answer questions like:

  • What is the per-second packet rate hitting my server right now?
  • Which protocols and ports are being targeted?
  • What does the attack traffic look like at the packet level?
  • Is my server's CPU, memory, or connection table saturated?
  • How much attack traffic is getting through the edge protection?

Agent-based detection fills the server-side visibility gap that all cloud DDoS services share. Flowtriq runs directly on your Droplet, EC2 instance, or any Linux server. It provides per-second per-protocol traffic metrics, automatic PCAP capture during attacks, and can trigger BGP FlowSpec or RTBH mitigation upstream. At $9.99/node/month, it complements cloud provider protection rather than replacing it.

Recommended stacks

Budget startup

DO + Cloudflare Free

DigitalOcean built-in L3/L4 plus Cloudflare free L7. Complete basic coverage at zero DDoS cost. Upgrade Cloudflare to Pro ($20/mo) when you need WAF rules.

DDoS cost: $0/mo
Growing SaaS

Cloud provider + Cloudflare Pro + Flowtriq

Cloud provider handles L3/L4, Cloudflare Pro for WAF and analytics, Flowtriq for server-side detection and PCAP forensics.

DDoS cost: ~$30/node/mo
AWS enterprise

Shield Advanced + Cloudflare

Shield Advanced for DRT access, cost protection, and health-based detection. Cloudflare for CDN and L7 protection. Flowtriq for per-node visibility.

$3,000+/mo (Shield Adv)
Game servers / UDP

Cloud provider + Flowtriq

Cloud provider built-in covers L3/L4 floods. Flowtriq detects application-specific attacks, provides per-protocol visibility, and triggers automated FlowSpec/RTBH response.

$9.99/node/mo

Bottom line

DigitalOcean built-in protection is a solid baseline that handles the most common L3/L4 attacks at no cost. Its limitation is the complete absence of L7 protection and attack visibility. Use it as a foundation, not a complete solution.

Cloudflare is the best standalone DDoS protection service for web applications at any price point. The free tier is genuinely useful. It works with any hosting provider, which means your DDoS protection persists even if you migrate between cloud providers. The limitation is non-HTTP protocols on lower tiers.

AWS Shield Standard is similar to DigitalOcean built-in protection in scope and capability. Shield Advanced is in a different category entirely, providing enterprise-grade protection with financial guarantees and dedicated incident response for organizations that can justify $3,000/month.

For most cloud-native teams, the best starting point is cloud provider built-in protection (free) plus Cloudflare (free or Pro). Add Flowtriq at $9.99/node/month when you need server-side detection, per-protocol visibility, PCAP forensics, or automated mitigation triggers that none of these three services provide.

Free Tool

Try our DDoS Attack Simulator - model how your cloud provider's protection would handle a realistic attack scenario and see where the gaps are.

Ready to protect your infrastructure? Start your 14-day free trial - deploy real-time DDoS detection in 60 seconds. No credit card required.

Frequently asked questions

Does DigitalOcean include DDoS protection for free?
Yes. DigitalOcean provides always-on Layer 3/Layer 4 DDoS protection at no additional cost for all Droplets, Kubernetes clusters, Managed Databases, Load Balancers, and Reserved IPs. This protection covers volumetric attacks like UDP floods, ICMP floods, TCP floods, and SYN floods. It is available across all DigitalOcean data centers globally and requires no configuration. However, it does not include Layer 7 (application-layer) protection, and there are no published SLAs for mitigation time or scrubbing capacity.
How does Cloudflare free DDoS protection compare to DigitalOcean built-in protection?
They protect different layers. DigitalOcean covers Layer 3/4 attacks targeting your Droplet IP addresses directly, including UDP, TCP, and ICMP floods. Cloudflare free covers HTTP/HTTPS (Layer 7) DDoS attacks for traffic routed through its proxy. The ideal setup for a DigitalOcean-hosted web app is to use both: DigitalOcean handles network-layer floods, Cloudflare handles application-layer HTTP attacks, and your origin IP stays hidden behind Cloudflare.
Is AWS Shield Standard enough for most applications?
For many applications, yes. AWS Shield Standard is free and automatically protects all AWS resources against common Layer 3/4 DDoS attacks. It covers CloudFront, Route 53, ELB, and EC2 instances. However, it provides limited visibility into attacks, no cost protection guarantees, and no access to the AWS DDoS Response Team (DRT). Organizations running high-value production workloads or applications where downtime has significant financial impact should evaluate Shield Advanced ($3,000/month) for the additional protections and guarantees.
Which is cheapest for a small startup running a web app?
For a small startup, the cheapest effective stack is DigitalOcean (built-in L3/L4 protection at no cost) plus Cloudflare Free (unmetered HTTP/S DDoS protection). Total DDoS protection cost: $0. Add Flowtriq at $9.99/node/month if you want server-side detection, per-protocol visibility, and PCAP forensics. Total: under $10/month for comprehensive coverage.
Can I use Cloudflare with DigitalOcean or AWS?
Absolutely. Cloudflare operates as a DNS proxy in front of your origin server regardless of where it is hosted. You can point Cloudflare at a DigitalOcean Droplet, an AWS EC2 instance, or any other server. The cloud provider built-in protection (DigitalOcean or AWS Shield Standard) still operates on the infrastructure layer, while Cloudflare handles application-layer protection at its edge network.
What DDoS protection does AWS Shield Advanced add over Standard?
AWS Shield Advanced ($3,000/month with a 12-month commitment) adds several capabilities over the free Standard tier: access to the AWS DDoS Response Team (DRT) for hands-on incident assistance, DDoS cost protection that credits you for scaling costs caused by attacks, health-based detection that monitors your application metrics (not just traffic volume), near-real-time attack metrics and diagnostics, AWS WAF included at no extra cost, and protection for EC2 instances with Elastic IPs in addition to CloudFront, ALB, and Route 53.
Do I need separate DDoS protection if I use a cloud provider?
Cloud provider built-in protection covers basic network-layer attacks but has gaps. DigitalOcean and AWS Shield Standard do not protect against application-layer (Layer 7) attacks, provide limited attack visibility, and offer no guaranteed mitigation SLAs. For web applications, adding Cloudflare provides application-layer coverage. For server-side visibility and non-HTTP protocols, agent-based detection tools like Flowtriq provide per-second metrics, PCAP forensics, and automated mitigation that cloud provider protections do not include.
Back to Blog

Related articles