🛡️ DDoS Mitigation
Our DDoS mitigation service is engineered to safeguard your applications and infrastructure against a wide array of distributed denial-of-service attacks. It ensures your services remain online, stable, and responsive — even under intense traffic surges or targeted attacks.
Our mitigation stack leverages multiple sophisticated layers that operate in unison to filter threats, from basic Layer 3 and Layer 4 volumetric attacks to highly targeted Layer 7 attacks designed to exhaust application or server resources.
Anycast-based Network
Our global network is based on an anycast architecture, meaning all of our scrubbing nodes are accessible via a single, unified IP address.
This design enables traffic to be intelligently routed to the geographically closest node, minimizing latency and maximizing availability. In the event of an attack, malicious traffic is automatically distributed across all Points of Presence (PoPs) worldwide.
By harnessing the combined capacity of our entire global infrastructure, we are able to mitigate terabit-scale attacks effortlessly and seamlessly, with no interruption to service.
Volumetric Mitigation
Generic Protection
Our upstream provider, Datacamp, implements a basic DDoS mitigation layer that defends against high-volume, generic Layer 3 and Layer 4 protection. This system is activated only during large-scale attacks, helping to filter out some malicious traffic before it reaches our scrubbing nodes, including:
- UDP amplification floods
- Packet fragmentation floods
- ICMP Echo floods
- IGMP floods
- IP spoofing
- Attacks matching known malicious signatures
Edge Access Control Lists
In addition to upstream protection, we deploy custom-built ACLs at our provider's edge. These precision-tuned rules provide an extra line of defense by blocking well-known attack vectors closer to the source.
These rules alone are capable of automatically filtering attacks of up to 130 Tbit/s.
Propietary XDP Mitigation
Our proprietary mitigation stack is powered by eBPF XDP and backed by highly redundant PoPs with high-bandwidth ports (n x 100G/40G). This enables us to process and drop malicious traffic before it ever reaches the kernel, delivering line-rate protection with zero added latency and zero TTM.
We mitigate DDoS vectors across TCP, UDP, GRE, IPIP, ESP, AH and ICMP protocols, with a total owned global capacity exceeding 2.4+ Tbit/s.
We are able to mitigate, but are not limited to, the following attack vectors:
- Complex TCP floods (including SYN-ACK, ACK, FIN and RST floods)
- Complex UDP floods (including DNS, NTP, SSDP, and other amplification attacks)
- Reflection floods
- Fragments floods (including TCP, UDP, and ICMP fragments)
- ICMP floods (including ICMP Echo, ICMP Timestamp, and other types)
- TCP connection exhaustion (including slowloris and other resource exhaustion attacks)
In addition to stateful inspection, including header and flag validation, checksum verification, and protocol conformance checks along more validations, we also offer symmetric filtering along with application-aware filters for popular services. These enhance security by blocking non-protocol-conforming traffic, dramatically reducing the attack surface.
Layer 7 Protection
Our mitigation stack includes advanced Layer 7 protection that inspects application traffic in real-time, allowing us to filter out malicious requests while preserving legitimate traffic.
