Why architecture matters here
The economics only work with the right architecture. An attacker rents a 100Gbps booter for tens of dollars an hour; if your answer is autoscaling, you are paying cloud egress and instance rates to absorb it — the attack succeeds financially even when it fails technically (economic denial of service). If your answer is a single scrubbing appliance, its specs are your ceiling. Only a shared, massively over-provisioned edge — hundreds of PoPs whose aggregate capacity is sized against the largest observed attacks, amortized across thousands of customers — inverts the asymmetry. Architecture decides whether an attack costs you a shrug or a quarter's margin.
Time-to-mitigation is architectural too. A flood saturates your upstream link in seconds; if mitigation requires a human to notice, phone a provider, and re-announce BGP routes, you eat 20-60 minutes of outage — which is why always-on protection (traffic permanently flowing through the protection layer) has displaced on-demand diversion for anything user-facing. On-demand still has a place for raw network ranges, but the choice between them is a business decision about acceptable minutes of outage, made long before the attack.
And the quiet architectural truth: most successful DDoS attacks against protected properties don't beat the protection — they route around it, hitting an origin IP leaked in DNS history, an SSL certificate transparency log, a verbose error page, or an unprotected API subdomain. Origin exposure converts a Tbps-grade defense into decoration. The architecture is only as strong as its guarantee that the origin accepts traffic from nowhere else.
The architecture: every piece explained
Anycast edge. The same IP prefix is announced via BGP from hundreds of PoPs; each packet routes to the topologically nearest one. A botnet's traffic — geographically scattered by nature — is automatically partitioned across the entire edge, so a 2Tbps global flood arrives as a few Gbps per PoP: survivable, filterable. Anycast also removes the aiming point; there is no single datacenter to concentrate on. Stateless packet filters at the edge drop the unambiguous garbage first (spoofed sources, known reflector ports, protocol violations) at line rate, often in XDP/eBPF or hardware.
Telemetry and detection. Routers and edge nodes export sampled flow data (NetFlow/sFlow/IPFIX) into a detection pipeline that maintains per-destination baselines — packets and bits per second, protocol mix, source-country distribution, SYN:ACK ratios — over daily and weekly seasonality. Detection fires on deviation (a 50x jump in UDP/123 toward one prefix is NTP amplification; no ML required), with ML models layered on for subtle L7 anomalies like distributed cache-busting. Detection latency targets are seconds, because mitigation capacity means nothing if it engages after the link is dark.
Mitigation layers. Volumetric: dropped at the edge by ACLs and rate shapers, the flood never leaves the PoP that received it. Protocol: SYN floods answered with SYN cookies (no server state until the handshake proves a real client), UDP fragment floods and reflection answered by protocol-aware filters; the edge terminates TCP/TLS itself, so only established, sane connections proceed inward. Application layer: WAF rules, per-client and per-route rate limits, bot scoring on TLS/HTTP fingerprints, and graduated challenges — invisible proof-of-work or JavaScript checks first, interactive challenges as a last resort.
Scrubbing centers and origin shielding. For non-HTTP infrastructure (game servers, VoIP, raw TCP), BGP diversion pulls a whole prefix through scrubbing centers during an attack — clean traffic returns via GRE tunnels or private interconnect. Managed services package the stack: AWS Shield Advanced (with CloudFront/ALB as the absorbing edge), GCP Cloud Armor, Cloudflare Magic Transit for network-layer prefixes. Finally, origin shielding: the origin allow-lists only the protection layer's published ranges (or, better, is reachable only by private connectivity), its IPs appear in no DNS record, and every subdomain — including the forgotten staging API — sits behind the same front door.
End-to-end flow
Baseline, Tuesday 14:00: your API serves 80k requests/s through an anycast CDN; flow baselines are green. At 14:07 a booter fires an NTP amplification flood — 400Gbps of UDP/123 aimed at your prefix. Anycast disperses it: the heaviest single PoP sees 9Gbps. Edge filters were already dropping UDP/123 toward web prefixes (no legitimate reason for it), so the flood dies at ingress across 200 PoPs. Detection confirms within ~15 seconds from flow anomalies and logs an attack event; your dashboard shows a spike labeled 'mitigated — volumetric'; your origin's network graphs never move.
14:20, the attacker pivots to L4: a SYN flood, 40M packets/s from spoofed sources. Edge TCP termination absorbs it — SYN cookies mean each spoofed SYN costs the edge a stateless computation and the attacker a wasted packet; no connection state exists until a real client completes the handshake. Legitimate users, whose handshakes complete normally, notice nothing. 14:31, pivot again: an HTTP flood from a residential-proxy botnet — 600k requests/s of GET /search?q=<random>, each string unique, engineered to bypass cache. This is the real fight. Per-IP limits underperform (thousands of IPs, low rate each), but the requests share a TLS fingerprint mismatched with their claimed browser; bot scoring flags the cluster, an invisible JavaScript challenge deploys on /search, and the botnet — unable to execute it — collapses to a trickle. P95 latency for real users blips 40ms during the ramp.
14:55, the attacker probes for the origin directly: hammering an IP found in a year-old certificate transparency log. The packets die against a security group that admits only the CDN's address ranges — the origin was re-IP'd when shielding was implemented precisely because old addresses leak. 15:10, attack economics exhausted, traffic returns to baseline. Post-incident: one config change (tighter rate limit on /search), zero user-facing downtime, and a replay of the flow captures added to the game-day library.