Mitigation pipeline
Pre-filter
The Pre-filter is the first line of defense and is optimised for application-specific attack patterns. It enforces strict TCP and UDP authentication before any traffic reaches your infrastructure.TCP authentication — new TCP clients must complete the initial handshake twice: once with the DDoS Filters, which then transparently re-forward the established session. This eliminates spoofed SYN floods before they reach your server.UDP scrubbing — for supported games and applications, all UDP traffic flows permanently through the filters. Sessions established only a few seconds after the attack threshold is crossed may still be dropped during the brief detection window.
The Pre-filter is not a generic solution. It is designed for application-specific attacks where strict protocol enforcement is practical.
Generic filter
Traffic that passes the Pre-filter is handed off to the generic mitigation layer, powered by a cluster of Intel Xeon and AMD EPYC systems equipped with Mellanox network cards. This layer handles a broad range of volumetric and protocol-level attacks.
Protocol attack protection
Protocol attack protection
- Invalid packets
- Anomalous TCP flag combinations (no flag, SYN-FIN, SYN fragmented, LAND attack)
- SYN-ACK amplification attack protection
- Malicious IP options
- Packet size validation (prevents Ping of Death)
- TCP, UDP, SSL, and ICMP flood protection
- Per-connection traffic control
Challenge-based authentication
Challenge-based authentication
- TCP SYN cookies and SYN authentication
- ACK authentication
- Spoof detection
- DNS authentication
ZAPR — Zero-day Automated Protection
ZAPR is the final and most adaptive stage of the pipeline. It uses machine learning to detect and block novel attack patterns that have no known signature.
ZAPR capabilities
ZAPR capabilities
- Machine learning-powered attack pattern recognition
- TCP progression tracking to identify abnormal session behaviour
- Capability to prevent zero-day attacks with no pre-configuration
- No manual intervention required — the system responds automatically
- Fast, automated response typically within seconds of pattern detection
Additional mitigation techniques
For clients with specific requirements or under complex attacks, Packets Decreaser offers customisations beyond the standard pipeline.IP blacklists
IP blacklists
Deny access to known malicious IP addresses. These lists can be applied immediately without affecting legitimate traffic.
The above customisations are available on request. Contact support to discuss your specific requirements and confirm what is available for your plan.
Time to mitigate
Attacks are typically mitigated within 2–10 seconds of detection. The table below shows expected mitigation windows by attack type.| Attack type | Typical time to mitigate |
|---|---|
| Standard attacks | 2–5 seconds |
| Large-scale attacks | Up to 10 seconds |
| Carpet bombing (subnet-level) | Typically within 10 seconds |
- Attack size — larger attacks are often mitigated more quickly because the sudden spike in traffic makes the anomaly easier to detect.
- Attack complexity — more sophisticated or multi-vector attacks may require additional time as ZAPR refines its pattern recognition.