DDoS protection that is already in the path when you need it

Volumetric, protocol, and application-layer attacks are filtered before they hit your service. Clean traffic stays fast. The protection comes with every deployment instead of living behind a sales conversation.

Three-layer defense terminates attacks progressively

Traffic passes through three filtering stages. Volumetric floods drop at the network edge. Protocol attacks terminate at stateful inspection. Application profiles whitelist legitimate traffic patterns. Clean traffic reaches your infrastructure with zero added latency.

Incoming traffic → Volumetric edge (5.6 Tbps capacity) → Intelligent primary (4 Tbps capacity) → Application shield (protocol rules) → Clean traffic

How the mitigation stack protects live services

The goal is simple: drop hostile traffic early and keep legitimate sessions moving.

Large floods are absorbed at the edge

Traffic is filtered before it reaches your ports, so bandwidth and server resources stay available for real users.

Connection validation cuts off protocol abuse

SYN proxy and protocol-aware filtering stop common exhaustion attacks before they interfere with legitimate sessions.

Rules can follow your application traffic shape

Configure rate limits, whitelist trusted CIDR ranges, and adapt protection to the traffic patterns your application actually needs.

Inspection happens at line rate, not after a bottleneck forms

DPDK and eBPF/XDP keep packet inspection fast so clean traffic does not queue behind the mitigation process.

Shield: Self-service DDoS management

Monitor traffic and attacks in real-time, review forensic logs, configure filtering rules, and deploy application-specific profiles. Full control over your protection without support tickets.

[Shield dashboard, shield.royalehosting.nl: current throughput 847 Gbps; packets/sec 142M; attacks blocked 2.4K; live traffic-over-time graph]

DDoS protection technical FAQ

Detailed specifications on mitigation capacity, detection latency, supported attack vectors, and configuration options.

Edge network capacity (upstream transit + IX ports) absorbs 5.6 Tbps using BGP FlowSpec filtering. Traffic that passes edge filtering reaches our primary mitigation cluster, which has 4 Tbps of stateful inspection capacity. Both layers operate simultaneously: volumetric attacks are scrubbed at the edge while sophisticated protocol attacks are terminated at the mitigation cluster.

Individual IPs are nullrouted when attacks exceed 2.5 Tbps or 1 Gpps (billion packets per second), or when upstream link saturation threatens infrastructure stability. Nullrouting isolates a single IP at the network edge to protect other customers. Most attacks terminate well below these thresholds.

Yes. Every dedicated server, VPS, and colocation service includes the full three-layer mitigation stack at no additional cost. No premium tiers, no per-attack fees, no bandwidth surcharges. Protection is always-on by default.

Layer 1 (edge filtering): Instant. BGP FlowSpec rules drop known attack signatures at line rate. Layer 2 (stateful inspection): 50-200 milliseconds for new attack pattern detection and blocking. Layer 3 (application profiles): Always-on for configured profiles with zero detection delay.

Volumetric attacks: UDP floods, DNS/NTP/SSDP/memcached amplification, ICMP floods, spoofed traffic. Protocol attacks: SYN floods, ACK floods, RST floods, TCP state exhaustion, fragmented packet attacks. Focus is Layer 3/4 mitigation.

No. Our mitigation focuses on Layer 3/4 attacks (volumetric and protocol-level). We do not inspect HTTP/HTTPS content and cannot mitigate application-layer attacks like HTTP floods, slowloris, or RUDY. For Layer 7 protection, deploy a WAF or CDN like Cloudflare in front of your origin.

Currently, DDoS protection covers only traffic destined to IPs hosted on our network. We do not offer GRE tunnel-based protection for external infrastructure. Contact sales to discuss colocation or dedicated server options for bringing your infrastructure onto our network.

Yes. Shield provides self-service configuration for: IP/CIDR whitelists and blacklists, per-source rate limits (PPS and BPS), port and protocol filters, geographic blocks, and application profile selection. Rule changes propagate across the mitigation infrastructure within seconds.
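How the rule types listed above can interact on a single packet, as an added example that is not Shield's own code: the evaluation order (blacklist, port filter, whitelist, then per-source PPS token bucket), the `Policy` class and the sample traffic are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:
    allow: list        # CIDRs exempt from rate limiting
    deny: list         # CIDRs dropped outright
    open_ports: set    # accepted (protocol, dst_port) pairs
    pps_limit: float   # sustained packets/sec per source
    burst: float       # token-bucket depth in packets
    buckets: dict = field(default_factory=dict)

    def __post_init__(self):
        self.allow = [ipaddress.ip_network(c) for c in self.allow]
        self.deny = [ipaddress.ip_network(c) for c in self.deny]

    def decide(self, now, src, proto, dport):
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.deny):
            return "drop:blacklist"
        if (proto, dport) not in self.open_ports:
            return "drop:port-filter"
        if any(ip in net for net in self.allow):
            return "pass:whitelist"
        # Per-source token bucket: refill by elapsed time, spend one per packet.
        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.pps_limit)
        allowed = tokens >= 1.0
        self.buckets[ip] = (tokens - 1.0 if allowed else tokens, now)
        return "pass" if allowed else "drop:rate-limit"

def replay(policy, packets):
    """Tally verdicts for (time, src, proto, dport) tuples."""
    tally = {}
    for pkt in packets:
        verdict = policy.decide(*pkt)
        tally[verdict] = tally.get(verdict, 0) + 1
    return tally

def constructed_sample():
    # Constructed traffic using documentation address ranges.
    flood = [(t, "198.51.100.7", "udp", 27015) for t in (0.0, 1.0) for _ in range(20)]
    monitor = [(0.5, "192.0.2.10", "udp", 27015)] * 50
    other = [(0.2, "203.0.113.5", "udp", 27015), (0.3, "198.51.100.9", "tcp", 22)]
    return sorted(flood + monitor + other)

if __name__ == "__main__":
    policy = Policy(["192.0.2.0/24"], ["203.0.113.0/24"], {("udp", 27015)}, 10, 5)
    print(replay(policy, constructed_sample()))
```

The per-source bucket table gains one entry per distinct source address, so under a spoofed-source flood a production limiter has to bound or expire that state.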

Application profiles whitelist traffic patterns for specific workload types. A gaming profile recognizes valid game server protocols and prioritizes that traffic. VoIP profiles whitelist SIP/RTP patterns. Profiles operate at the protocol level to identify legitimate traffic and reduce false positives.

Stateful TCP inspection with SYN proxy validates connections before forwarding to your server. Behavioral analysis establishes traffic baselines and flags statistical anomalies. Application profiles whitelist known traffic patterns. Self-service IP/CIDR whitelists let you exclude known-good sources like CDNs and monitoring systems.
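The connection validation a SYN proxy performs, sketched with SYN cookies as an added example that is not the provider's implementation: SYN cookies are one common way to build a SYN proxy, and the key, slot length and function names here are assumptions. The cookie is simplified (no MSS encoding), and the backend connection and sequence-number translation are omitted.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-secret"  # constructed; a real proxy uses a rotated random key
SLOT_SECONDS = 64                    # assumption: granularity of the validity window

def _cookie(src, sport, dst, dport, client_isn, slot):
    # 32-bit MAC over the 4-tuple, the client's ISN and a coarse time slot.
    msg = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    msg += struct.pack("!HHII", sport, dport, client_isn, slot & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def syn_ack_isn(now, src, sport, dst, dport, client_isn):
    """Answer a SYN without storing state: the proxy's ISN is the cookie."""
    return _cookie(src, sport, dst, dport, client_isn, int(now) // SLOT_SECONDS)

def ack_is_valid(now, src, sport, dst, dport, seq, ack):
    """The final ACK must carry seq = client_isn + 1 and ack = cookie + 1."""
    client_isn = (seq - 1) & 0xFFFFFFFF
    echoed = ((ack - 1) & 0xFFFFFFFF).to_bytes(4, "big")
    slot = int(now) // SLOT_SECONDS
    return any(
        hmac.compare_digest(
            echoed, _cookie(src, sport, dst, dport, client_isn, s).to_bytes(4, "big"))
        for s in (slot, slot - 1)  # accept the current and previous slot only
    )

def handshake_demo():
    # Constructed 4-tuple from documentation address ranges.
    conn = ("198.51.100.20", 40000, "192.0.2.80", 443)
    isn = 0x1000
    cookie = syn_ack_isn(1000, *conn, isn)
    reply = (cookie + 1) & 0xFFFFFFFF
    legit = ack_is_valid(1001, *conn, isn + 1, reply)       # client saw the SYN-ACK
    blind = ack_is_valid(1001, *conn, isn + 1, 0x12345678)  # source never saw it
    stale = ack_is_valid(1000 + 3 * SLOT_SECONDS, *conn, isn + 1, reply)
    return legit, blind, stale

if __name__ == "__main__":
    print(handshake_demo())
```

Only a source that actually received the SYN-ACK can echo the cookie, so connections are forwarded to the server after the return path has been proven and no per-SYN state is held before that point.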

Have a specific technical question? Talk to an engineer

Need protected infrastructure without buying a separate mitigation service?

Deploy VPS, dedicated servers, or colocation with the mitigation stack already included.