Don’t put the gate at the canister. Put it at the edge. Cloudflare Workers are free tier up to 100K requests/day. Your ICP canister sees only coherent, pre-validated traffic. Bots burn Cloudflare’s CPU, not your cycles.
A 3-layer architecture means bots never reach the canister. VIGILIA ( Innerweb Model) and UMBRA (Sovereign model) reject at Cloudflare edge (free Cloudflare absorbs the compute). Only signals that pass edge + browser shields reach the canister, where a coherence check costs effectively zero cycles.
edge doctrine: DDoS IS a cascade attack — treat it as one. |
|---|
// A bot flood against ICP canisters is mathematically equivalent to a |
// power-grid cascade: one overloaded node triggers the next. VIGILIA |
// (AIS-006) and UMBRA (AIS-022) act as IRONVEIL circuit breakers at the |
// Cloudflare edge — cutting the cascade before it reaches the substrate. |
Threat types: injection, exfiltration, manipulation, deception, denial, escalation, persistence, lateral_movement. Regex pattern matching on every request body. DDoS/flood patterns hit the denial classifier and are rejected at edge with a JSON severity: ‘criticum’ response. Zero cycles consumed.