Skip to main content
When an attack targets your infrastructure, Packets Decreaser routes traffic through a layered mitigation pipeline that combines TCP/UDP authentication, hardware-accelerated packet scrubbing, and machine-learning-based zero-day detection. Each stage hands off only clean traffic to the next, ensuring your services stay reachable under even large-scale or complex attacks.

Mitigation pipeline

1

Pre-filter

The Pre-filter is the first line of defense and is optimised for application-specific attack patterns. It enforces strict TCP and UDP authentication before any traffic reaches your infrastructure.TCP authentication — new TCP clients must complete the initial handshake twice: once with the DDoS Filters, which then transparently re-forward the established session. This eliminates spoofed SYN floods before they reach your server.UDP scrubbing — for supported games and applications, all UDP traffic flows permanently through the filters. Sessions established only a few seconds after the attack threshold is crossed may still be dropped during the brief detection window.
The Pre-filter is not a generic solution. It is designed for application-specific attacks where strict protocol enforcement is practical.
2

Generic filter

Traffic that passes the Pre-filter is handed off to the generic mitigation layer, powered by a cluster of Intel Xeon and AMD EPYC systems equipped with Mellanox network cards. This layer handles a broad range of volumetric and protocol-level attacks.
  • Invalid packets
  • Anomalous TCP flag combinations (no flag, SYN-FIN, SYN fragmented, LAND attack)
  • SYN-ACK amplification attack protection
  • Malicious IP options
  • Packet size validation (prevents Ping of Death)
  • TCP, UDP, SSL, and ICMP flood protection
  • Per-connection traffic control
  • TCP SYN cookies and SYN authentication
  • ACK authentication
  • Spoof detection
  • DNS authentication
3

ZAPR — Zero-day Automated Protection

ZAPR is the final and most adaptive stage of the pipeline. It uses machine learning to detect and block novel attack patterns that have no known signature.
  • Machine learning-powered attack pattern recognition
  • TCP progression tracking to identify abnormal session behaviour
  • Capability to prevent zero-day attacks with no pre-configuration
  • No manual intervention required — the system responds automatically
  • Fast, automated response typically within seconds of pattern detection
Because ZAPR requires no pre-configuration, it protects against attack types that have never been seen before — without you needing to open a support ticket or write custom rules.

Additional mitigation techniques

For clients with specific requirements or under complex attacks, Packets Decreaser offers customisations beyond the standard pipeline.
Deny access to known malicious IP addresses. These lists can be applied immediately without affecting legitimate traffic.
The above customisations are available on request. Contact support to discuss your specific requirements and confirm what is available for your plan.

Time to mitigate

Attacks are typically mitigated within 2–10 seconds of detection. The table below shows expected mitigation windows by attack type.
Attack typeTypical time to mitigate
Standard attacks2–5 seconds
Large-scale attacksUp to 10 seconds
Carpet bombing (subnet-level)Typically within 10 seconds
Two factors influence how quickly an attack is mitigated:
  1. Attack size — larger attacks are often mitigated more quickly because the sudden spike in traffic makes the anomaly easier to detect.
  2. Attack complexity — more sophisticated or multi-vector attacks may require additional time as ZAPR refines its pattern recognition.