> ## Documentation Index
> Fetch the complete documentation index at: https://ngrok.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# DDoS Protection

> Learn about ngrok's automatic DDoS protection features that protect your endpoints from distributed denial of service attacks.

ngrok automatically protects your applications with out-of-the-box protection
from distributed denial of service (DDoS) attacks.

## DDoS firewall

The ngrok cloud service automatically protects all Endpoints from attacks with
its proprietary DDoS Firewall.
The DDoS Firewall scans traffic flows into your endpoints for malicious actors, patterns, and threats in real-time.
When an attack is detected, the firewall proactively blocks incoming connections from the attackers IPs.

## Additional measures

In addition to ngrok's out-of-the-box DDoS Firewall, also consider taking
the following measures to help protect your endpoints from attacks:

1. Prevent attacks by enforcing authentication with Traffic Policy actions.
   Traffic Policy is enforced in the ngrok cloud service so that only
   legitimate traffic is sent to the upstream service in your network. ngrok's
   cloud service absorbs all of the unauthenticated traffic. You can use the
   following Traffic Policy actions to block unauthenticated traffic:
   * [Basic Auth](/traffic-policy/actions/basic-auth)
   * [OAuth](/traffic-policy/actions/oauth)
   * [IP Restriction](/traffic-policy/actions/restrict-ips/)
   * [Webhook Verification](/traffic-policy/actions/verify-webhook/)
   * [JWT](/traffic-policy/actions/jwt-validation/)
   * [Mutual TLS](/traffic-policy/actions/terminate-tls/)
   * [OpenID Connect](/traffic-policy/actions/oidc/)

2. Use the Traffic Policy [Circuit Breaker
   action](/traffic-policy/actions/circuit-breaker/) on your [Agent
   Endpoints](/gateway/agent-endpoints). This module protects your
   upstream applications when they become overloaded by blocking traffic to them
   in ngrok's cloud service until they can recover.
