How Anti-DDoS works: from raw attack traffic to clean delivery

The real problem: saturation, state and bad filtering

A DDoS attack becomes dangerous when it exhausts a scarce resource before legitimate users can be served. That resource may be transit capacity, packets per second on a port, firewall state, TCP backlog, CPU on a proxy, or an application endpoint that performs expensive work. Looking only at Gbps is therefore misleading: a modest high-PPS flood can break equipment faster than a larger but simpler stream.

The second problem is collateral damage. Blocking all UDP, all traffic from one country or every source that opens many connections may stop part of an attack, but it can also break real players, API clients, VoIP sessions or BGP customers. A good Anti-DDoS design therefore filters as early as possible while preserving the exact protocol behaviour the service needs.

Why this matters for revenue and reputation

DDoS downtime is visible immediately. A game server empties, a hosting customer opens urgent tickets, a business VPN becomes unreachable and a provider’s reputation suffers long before a formal SLA claim appears. For a small or fast-growing company, one major incident can cost more than the monthly protection budget because users remember unreliability.

It also matters commercially. Buyers of dedicated servers, protected transit or gaming proxy services do not only buy capacity. They buy confidence that their service can remain reachable during an attack and that the provider understands the difference between generic filtering and clean traffic delivery.

Possible protection models

Local firewalling is useful for small noise, but it is too late when the access link or upstream port is saturated. A classical cloud scrubbing centre can absorb large traffic, but the handoff must be designed carefully: GRE, IPIP, VXLAN, BGP announcement, cross-connect or router VM all have different operational consequences.

For a server owner without BGP, a protected dedicated server or reverse proxy is often simpler. For an operator or hoster, protected IP transit is usually more flexible because prefixes can be announced, clean traffic can be returned and the customer can keep its own routing or firewall logic behind the protection layer.

Peeryx resource Peeryx peeryx.com

Protected IP transit Protect prefixes and deliver clean traffic with BGP, tunnel or cross-connect.

Open offer

Peeryx resource Peeryx peeryx.com

Protected dedicated server Use protected compute when the customer wants a simpler operational model.

Open offer

Peeryx resource Peeryx peeryx.com

Gaming reverse proxy Hide origins and apply specialised handling for gaming or exposed services.

Open offer

Protected traffic path for How Anti-DDoS works

Peeryx starts by separating the volumetric problem from the application problem. Large floods are reduced before they reach customer infrastructure, while protocol-specific and gaming-aware controls are applied only when they are useful. This avoids the common mistake of turning every incident into a blind blocklist that hurts legitimate users.

The delivery model is chosen according to the customer’s control level. A network operator can use protected IP transit with BGP or tunnels, a hosting provider can combine clean traffic handoff with its own edge, and a gaming service can use a proxy model when the origin must stay hidden.

Concrete example: from attack to clean traffic

Imagine a European game hosting provider selling dedicated servers and FiveM instances. During an attack, raw traffic targets both UDP ports and TCP services. Peeryx can absorb the flood upstream, filter obvious junk before the customer link, and deliver clean traffic to the provider through the agreed model.

If the customer has BGP, prefixes can be announced through protected transit. If it does not, the service can be protected through a tunnel, a protected server or a reverse proxy. The goal is the same: the origin infrastructure sees usable traffic instead of the full attack.

Frequent mistakes

Many teams buy protection only after the first outage, when DNS, routing and customer communication are already under pressure. Others rely on a single host firewall, although the attack will saturate the port before that firewall can help.

Another common mistake is to compare only advertised Tbps. Capacity matters, but clean traffic return, latency, operational response and protocol understanding matter just as much. A protection that keeps the link alive but breaks the application is not a real solution.

• Buying after the first outage
• Comparing only advertised capacity
• Forgetting clean traffic return

Why choose Peeryx

This part of “How Anti-DDoS works” clarifies what really changes the decision: false positive risk, filtering point, false-positive tolerance and delivery model.

This approach is especially useful for European hosters, game platforms and infrastructure teams that need low latency, control over routing and a clear upgrade path as traffic grows.

FAQ