Home / Solutions / Industrial Networking & Datacom / DDoS Protection & Mitigation
DOMAIN 02 · INDUSTRIAL NETWORKING

DDoS Protection & Mitigation: Local Scrubbing, Application-Layer CC Defense and Carrier Linkage for Attacks Bigger Than Your Pipe

A single large attack can take an entire online business offline: the bandwidth fills, real customers cannot get in, and revenue stops while it lasts. Games, e-commerce, hosting providers and government portals are hit hardest, and the methods now arrive mixed — volumetric floods, protocol/state exhaustion and application-layer CC in the same wave. This solution combines near-source scrubbing, a local detection-and-scrubbing appliance, application-layer CC defense and coordinated response with your carrier for the traffic that is simply too big to stop on-site. Unlike our Enterprise Edge Security page — a general-purpose gateway firewall doing NAT, IPS and everyday flood limiting — this page is purpose-built for DDoS: high-rate scrubbing, CC protection and the carrier or cloud linkage you need when the flood is larger than your line.

Why a DDoS Attack Hurts So Much

Four realities that make availability attacks different from every other threat:

One attack, the whole business downYou do not need to be breached to lose everything. When the service simply cannot be reached, every customer, order and transaction stops for as long as the flood lasts.
The bandwidth fills before you reactWhen the pipe is saturated, legitimate users cannot even connect. Manual response is too slow — by the time a human notices, the line has already been full for minutes.
Games, e-commerce, hosting, portalsAny business that lives on being reachable is a target. Game platforms, online stores, hosting providers and government portals see the most, and often the biggest, attacks.
Volumetric and CC, mixed togetherAttacks no longer come one type at a time. A volumetric flood to saturate the pipe often runs alongside application-layer CC that mimics real users — each needs a different defense.

Architecture: Clean Near the Source, Scrub Locally, Escalate to the Carrier

Everyday and mid-size attacks are cleaned on-site; anything larger than your pipe is diverted upstream — the two work as one system:

THE INTERNET · ATTACK MIX Volumetric floods UDP / reflection / amplification Protocol / state exhaustion SYN flood · half-open sessions Application-layer CC HTTP/HTTPS request floods Pulse & carpet-bombing bursts across many IPs at once botnets fire from thousands of hosts — mixed types, at once games · e-commerce · hosting · government portals hit hardest CARRIER / CLOUD SCRUBBING (near-source) huge volumetric floods diverted and cleaned upstream — before they reach your pipe needed when the attack is bigger than your line LOCAL DETECTION + SCRUBBING · baseline traffic, spot anomalies fast · divert suspect traffic, clean it, re-inject · drop floods & state-exhaustion at line rate · application-layer CC defense (challenge/rate) legit users pass · attack traffic dropped signals the carrier when it exceeds the pipe clean traffic YOUR ONLINE BUSINESS · STAYS UP web / API / game / payment servers real customers reach the service normally, even while an attack is in progress THE HARD LIMIT a flood larger than your uplink cannot be cleaned on-site — it must be stopped upstream, at the carrier or in the cloud. We measure your pipe first.

Architecture drawn by AtlasCommTech following carrier-grade network design practice. Diagram labels are kept in English for engineering clarity.

Why us: our founder spent 13 years inside the Huawei partner ecosystem delivering carrier networks, where the edge is attacked every single day. We design your edge with that assumption, not with optimism.

Equipment Options

The solution is sized to your requirements and budget first — the same architecture can be delivered on several vendors' product lines. We help you choose by supply availability in your destination country, budget and your team's operating habits.

Huawei — enterprise campus, WAN and security linesMature ecosystem with a global service network.
ZTE & Wantone — comparable datacom linesPrice-performance direction; supply runs smoother in some markets.
H3C — campus and data-center linesWidely deployed campus and data-center portfolio.
Atlas industrial switches — industrial-scenario access layerOur own industrial line — compatible with any brand's core layer.

What the Design Delivers

Six capabilities that keep your service reachable through a mixed attack — and are honest about the ceiling:

Local detection at line rateThe appliance learns your normal traffic and spots an anomaly in seconds, not minutes — so mitigation starts before a human is even paged.
Divert, scrub and re-injectSuspect traffic is pulled aside, cleaned, and the good part put back — legitimate users keep flowing while attack packets are dropped.
Volumetric & state-exhaustion defenseFloods (UDP, reflection, amplification) and protocol attacks like SYN floods are dropped at high rate before they exhaust servers or firewall session tables.
Application-layer CC protectionHTTP/HTTPS request floods that look like real users are met with rate control and challenge techniques that separate a genuine browser from a bot.
Carrier & cloud escalationWhen the flood is bigger than your uplink, the local device signals upstream and traffic is scrubbed near-source at the carrier or in the cloud — the only place a super-pipe attack can be stopped.
Peak-capacity protection, sized honestlyDDoS defense is bought by the peak you can absorb, not by average traffic. We size it against realistic attack scenarios for your industry and tell you plainly what each tier can and cannot hold.

Three Sizes, One Design Logic

The mitigation logic is the same; what scales is the protected bandwidth, the scrubbing capacity and how deep the carrier or cloud tie-in goes:

Numbers we design around:
Protected bandwidth — one service link vs a multi-service data center
Local scrubbing capacity — sized to your peak, not your average
Upstream option — carrier scrubbing contract or cloud diversion
Scale tierTypical siteWhat the design includes
Single business egressOne site · one or two public servicesAn inline detection-and-scrubbing appliance sized to your egress, with application-layer CC protection for the published service and a pre-arranged carrier escalation path for anything above your pipe.
Multi-service data centerMany public services · higher-value targetDedicated scrubbing capacity in front of the data center, per-service policy and reporting, deeper application-layer protection, and an active carrier or cloud diversion arrangement so a super-pipe flood is handled upstream automatically.
Carrier / hosting-provider scaleYou protect other people's servicesHigh-capacity near-source scrubbing centers, per-tenant detection and policy, automated diversion across your network, and the reporting a service provider needs to offer DDoS protection as a product to its own customers.

Equipment Roles (Categories, Not Models)

DDoS protection is built from these categories — brand and exact capacity are chosen with you, after your bandwidth, published services and realistic peak are known:

RoleWhat it does
Detection & scrubbing applianceThe core of the design: baselines traffic, detects anomalies, diverts and cleans, and re-injects the legitimate part — sized to the bandwidth and peak it must hold.
Application-layer CC defenseFocused on HTTP/HTTPS request floods: rate limits, challenges and behavior analysis that let real browsers through and hold back bots imitating them.
Edge router / diversion pointSteers suspect traffic into the scrubbing path and re-injects the clean flow, and carries the signaling that asks the carrier to divert upstream when needed.
Carrier / cloud scrubbing serviceNot a box you own but a contracted upstream capacity — the only thing that can stop a flood larger than your line. We help you arrange and test it, not just assume it.
Management & reporting platformShows attacks as they happen, records what was mitigated and how, and produces the reports you show management, insurers or, at provider scale, your own customers.
Perimeter firewall (your side)Not the DDoS box, but assumed present: it handles NAT, IPS and everyday policy. DDoS scrubbing sits in front so the firewall's session table is never the thing that fails first.

Send us your uplink bandwidth, the public services you run and a realistic worst-case peak — and the capacity and model list follows. Requirements first keeps the design honest.

Design Notes & Honest Limits

Read this before you commit:
  • An attack larger than your uplink cannot be cleaned by a local appliance — full stop. Once the flood fills the line coming into your building, no box behind that line can help, because the damage is already done upstream. It must be stopped at the carrier or in a cloud scrubbing service. Before anything else, we measure whether your pipe is big enough and design the upstream path accordingly.
  • DDoS protection is bought by peak protection capacity, not by average use. Most of the time it sits idle, and that feels like paying for nothing — until the day an attack hits, when it is the difference between staying online and losing every customer for hours. We size it to a realistic worst case for your industry, so you are neither under-protected nor paying for capacity you will never see.
  • Local scrubbing and carrier/cloud escalation are one system, not either/or. The on-site device handles everyday and mid-size attacks instantly and keeps latency low; the upstream contract catches the rare monster. A design with only one half has a predictable gap — we build both and test the handover between them.
  • No mitigation is perfect against a sophisticated CC attack. Application-layer floods that closely imitate real users can force a trade-off between blocking bots and inconveniencing genuine visitors with challenges. We tune for your traffic and tell you honestly where that line sits — a page that never bothers a real user cannot also stop every clever bot.
  • A firewall's flood limiting is not DDoS protection. General gateway firewalls have basic flood controls, but their session tables are themselves a target and fill up under a real attack. Dedicated scrubbing sits in front precisely so the firewall does not become the bottleneck — if someone sells you a firewall as full DDoS defense, ask them about your uplink first.

FAQ

How is this different from your Enterprise Edge Security page?
Enterprise Edge Security is a general-purpose gateway: firewall zoning, NAT, IPS and everyday flood limiting for a normal office edge. This page is purpose-built for DDoS — high-rate volumetric scrubbing, application-layer CC defense and, crucially, carrier or cloud linkage for attacks that are larger than your internet pipe, which no gateway firewall can handle alone. If you want to secure a normal office boundary, start with Enterprise Edge Security; if being knocked offline is your specific fear, start here.
Can you stop an attack bigger than my internet connection?
Not with a box on your premises — nobody can, and anyone who claims otherwise is misleading you. Once a flood is bigger than your uplink, the line is already full before your equipment sees it. That size of attack must be handled upstream, at the carrier or in a cloud scrubbing service. What we do is measure your pipe honestly, defend everything up to that limit on-site, and arrange and test the upstream escalation for anything above it.
What is a CC attack and why is it harder to stop?
A CC attack is an application-layer flood: instead of raw bandwidth, it sends a storm of seemingly normal HTTP/HTTPS requests — searches, logins, page loads — that each look like a real user but together exhaust the server or database. It is harder than a volumetric flood because the packets are technically valid, so mitigation must judge behavior, not just volume. We use rate control, challenges and behavior analysis, tuned so genuine visitors pass while the bot storm is held back.
We have never been attacked — do we really need this?
That depends on what an hour of downtime costs you. DDoS protection is insurance: idle most of the time, decisive on the day it is needed. If your revenue, reputation or public service depends on being reachable — a game, a store, a portal — one outage can cost more than years of protection. If you are a low-profile internal system, the honest answer may be that a carrier escalation agreement plus your firewall's flood controls is enough. We will tell you which case you are in rather than sell you the biggest box.
How quickly does mitigation kick in during an attack?
The local device detects and begins scrubbing within seconds of the traffic pattern changing, because it is watching continuously and does not wait for a human. For attacks within your pipe, users may barely notice. For a super-pipe flood, the upstream diversion takes a little longer to engage — signaling the carrier, redirecting routes — which is exactly why that path is arranged and tested in advance, not improvised mid-attack. We design and rehearse both so the handover is fast when it matters.

Send us your uplink bandwidth, public services and worst-case peak

An engineer replies with a mitigation design, an honest read on whether your pipe is big enough, an upstream escalation plan and the equipment-category list. Requirements first — the model list follows.

WhatsApp an engineer →

Related Solutions