> ## Documentation Index
> Fetch the complete documentation index at: https://docs.packets-decreaser.net/llms.txt
> Use this file to discover all available pages before exploring further.

# How Packets Decreaser Mitigates DDoS Attacks

> A full walkthrough of the multi-stage DDoS mitigation pipeline: pre-filtering, generic scrubbing, ZAPR, and expected time to mitigate.

When an attack targets your infrastructure, Packets Decreaser routes traffic through a layered mitigation pipeline that combines TCP/UDP authentication, hardware-accelerated packet scrubbing, and machine-learning-based zero-day detection. Each stage hands off only clean traffic to the next, ensuring your services stay reachable under even large-scale or complex attacks.

## Mitigation pipeline

<Steps>
  <Step title="Pre-filter">
    The Pre-filter is the first line of defense and is optimised for application-specific attack patterns. It enforces strict TCP and UDP authentication before any traffic reaches your infrastructure.

    **TCP authentication** — new TCP clients must complete the initial handshake twice: once with the DDoS Filters, which then transparently re-forward the established session. This eliminates spoofed SYN floods before they reach your server.

    **UDP scrubbing** — for supported games and applications, all UDP traffic flows permanently through the filters. Sessions established only a few seconds after the attack threshold is crossed may still be dropped during the brief detection window.

    <Note>
      The Pre-filter is not a generic solution. It is designed for application-specific attacks where strict protocol enforcement is practical.
    </Note>
  </Step>

  <Step title="Generic filter">
    Traffic that passes the Pre-filter is handed off to the generic mitigation layer, powered by a cluster of Intel Xeon and AMD EPYC systems equipped with Mellanox network cards. This layer handles a broad range of volumetric and protocol-level attacks.

    <AccordionGroup>
      <Accordion title="Protocol attack protection">
        * Invalid packets
        * Anomalous TCP flag combinations (no flag, SYN-FIN, SYN fragmented, LAND attack)
        * SYN-ACK amplification attack protection
        * Malicious IP options
        * Packet size validation (prevents Ping of Death)
        * TCP, UDP, SSL, and ICMP flood protection
        * Per-connection traffic control
      </Accordion>

      <Accordion title="Challenge-based authentication">
        * TCP SYN cookies and SYN authentication
        * ACK authentication
        * Spoof detection
        * DNS authentication
      </Accordion>
    </AccordionGroup>
  </Step>

  <Step title="ZAPR — Zero-day Automated Protection">
    ZAPR is the final and most adaptive stage of the pipeline. It uses machine learning to detect and block novel attack patterns that have no known signature.

    <AccordionGroup>
      <Accordion title="ZAPR capabilities">
        * Machine learning-powered attack pattern recognition
        * TCP progression tracking to identify abnormal session behaviour
        * Capability to prevent zero-day attacks with no pre-configuration
        * No manual intervention required — the system responds automatically
        * Fast, automated response typically within seconds of pattern detection
      </Accordion>
    </AccordionGroup>

    <Tip>
      Because ZAPR requires no pre-configuration, it protects against attack types that have never been seen before — without you needing to open a support ticket or write custom rules.
    </Tip>
  </Step>
</Steps>

## Additional mitigation techniques

For clients with specific requirements or under complex attacks, Packets Decreaser offers customisations beyond the standard pipeline.

<AccordionGroup>
  <Accordion title="IP blacklists">
    Deny access to known malicious IP addresses. These lists can be applied immediately without affecting legitimate traffic.
  </Accordion>
</AccordionGroup>

<Info>
  The above customisations are available on request. Contact support to discuss your specific requirements and confirm what is available for your plan.
</Info>

## Time to mitigate

Attacks are typically mitigated within **2–10 seconds** of detection. The table below shows expected mitigation windows by attack type.

| Attack type                   | Typical time to mitigate    |
| ----------------------------- | --------------------------- |
| Standard attacks              | 2–5 seconds                 |
| Large-scale attacks           | Up to 10 seconds            |
| Carpet bombing (subnet-level) | Typically within 10 seconds |

Two factors influence how quickly an attack is mitigated:

1. **Attack size** — larger attacks are often mitigated more quickly because the sudden spike in traffic makes the anomaly easier to detect.
2. **Attack complexity** — more sophisticated or multi-vector attacks may require additional time as ZAPR refines its pattern recognition.
