A single large attack can take an entire online business offline: the bandwidth fills, real customers cannot get in, and revenue stops while it lasts. Games, e-commerce, hosting providers and government portals are hit hardest, and the methods now arrive mixed — volumetric floods, protocol/state exhaustion and application-layer CC in the same wave. This solution combines near-source scrubbing, a local detection-and-scrubbing appliance, application-layer CC defense and coordinated response with your carrier for the traffic that is simply too big to stop on-site. Unlike our Enterprise Edge Security page — a general-purpose gateway firewall doing NAT, IPS and everyday flood limiting — this page is purpose-built for DDoS: high-rate scrubbing, CC protection and the carrier or cloud linkage you need when the flood is larger than your line.
Four realities that make availability attacks different from every other threat:
Everyday and mid-size attacks are cleaned on-site; anything larger than your pipe is diverted upstream — the two work as one system:
Architecture drawn by AtlasCommTech following carrier-grade network design practice. Diagram labels are kept in English for engineering clarity.
Why us: our founder spent 13 years inside the Huawei partner ecosystem delivering carrier networks, where the edge is attacked every single day. We design your edge with that assumption, not with optimism.
The solution is sized to your requirements and budget first — the same architecture can be delivered on several vendors' product lines. We help you choose by supply availability in your destination country, budget and your team's operating habits.
Six capabilities that keep your service reachable through a mixed attack — and are honest about the ceiling:
The mitigation logic is the same; what scales is the protected bandwidth, the scrubbing capacity and how deep the carrier or cloud tie-in goes:
| Scale tier | Typical site | What the design includes |
|---|---|---|
| Single business egress | One site · one or two public services | An inline detection-and-scrubbing appliance sized to your egress, with application-layer CC protection for the published service and a pre-arranged carrier escalation path for anything above your pipe. |
| Multi-service data center | Many public services · higher-value target | Dedicated scrubbing capacity in front of the data center, per-service policy and reporting, deeper application-layer protection, and an active carrier or cloud diversion arrangement so a super-pipe flood is handled upstream automatically. |
| Carrier / hosting-provider scale | You protect other people's services | High-capacity near-source scrubbing centers, per-tenant detection and policy, automated diversion across your network, and the reporting a service provider needs to offer DDoS protection as a product to its own customers. |
DDoS protection is built from these categories — brand and exact capacity are chosen with you, after your bandwidth, published services and realistic peak are known:
| Role | What it does |
|---|---|
| Detection & scrubbing appliance | The core of the design: baselines traffic, detects anomalies, diverts and cleans, and re-injects the legitimate part — sized to the bandwidth and peak it must hold. |
| Application-layer CC defense | Focused on HTTP/HTTPS request floods: rate limits, challenges and behavior analysis that let real browsers through and hold back bots imitating them. |
| Edge router / diversion point | Steers suspect traffic into the scrubbing path and re-injects the clean flow, and carries the signaling that asks the carrier to divert upstream when needed. |
| Carrier / cloud scrubbing service | Not a box you own but a contracted upstream capacity — the only thing that can stop a flood larger than your line. We help you arrange and test it, not just assume it. |
| Management & reporting platform | Shows attacks as they happen, records what was mitigated and how, and produces the reports you show management, insurers or, at provider scale, your own customers. |
| Perimeter firewall (your side) | Not the DDoS box, but assumed present: it handles NAT, IPS and everyday policy. DDoS scrubbing sits in front so the firewall's session table is never the thing that fails first. |
Send us your uplink bandwidth, the public services you run and a realistic worst-case peak — and the capacity and model list follows. Requirements first keeps the design honest.
An engineer replies with a mitigation design, an honest read on whether your pipe is big enough, an upstream escalation plan and the equipment-category list. Requirements first — the model list follows.