What it is
Multi-layered protection for online services against volumetric and application-layer DDoS attacks. Not one “magic product” — the right mix of cloud filtering, ISP-level network rules, and tight application-side tuning.
What’s included
- Cloud protection for web services: Cloudflare for sites and APIs. For non-standard loads, Magic Transit covers whole subnets.
- BGP filtering: working with ISPs on anycast proxies and blackholing attacker networks.
- On-prem rules: rate-limiting on nginx/HAProxy, fail2ban, fine-grained rules for known patterns (Slowloris, HTTP flood).
- WAF and bot management: application-layer protection, separating bots from real users.
- Incident response: rapid traffic analysis, rule tuning, service restoration. Response SLA written into the contract.
- Stress testing: controlled load testing of the defence before a real attacker tests it for you.
When you need this
- Competitors have appeared who’d benefit from taking your service down.
- The site or service is business-critical — downtime costs real money.
- A DDoS incident already happened, and it’s clear current protection isn’t enough.
- You’re launching a public service and expect real load: better to build the defence before the traffic arrives.
Approach
Defence is chosen by service profile. A simple corporate site is fine with Cloudflare Free plus a well-configured nginx. High-traffic e-commerce or payment infrastructure calls for Cloudflare Business / Enterprise plus BGP filtering plus redundant sites.