In recent months, headlines have drawn attention to record-breaking DDoS attacks, often measured in terabits per second (Tbps) and accompanied by declarations of network capacity in the hundreds of Tbps. These figures, while impressive, can create a misleading narrative about what truly matters in DDoS protection.
The real-world nature of modern DDoS attacks requires a more nuanced understanding. Raw capacity alone does not determine whether an organization can withstand an attack. Instead, distributed defense, time-to-mitigation, scrubbing quality, and resilience against complex and packet-intensive floods all play critical roles.
A recent example underscores this point.
Case Study: A Back-to-Back DDoS Barrage
A major U.S.-based technology company was recently targeted by two of the largest recorded network layer DDoS attacks in a single day, showcasing the growing intensity of volumetric assaults.
- First attack: Peaked at 1.2 Tbps and 563 million PPS. Lasted nine minutes but pushed mitigation strategies to their limits.
- Second attack: Just hours later, a more aggressive strike peaked at nearly 1.5 Tbps and sustained over 1 billion PPS over 20 minutes.
Both attacks were volumetric, targeting Layers 3 and 4 of the OSI model. The extreme PPS rate suggests attackers aimed not just to saturate bandwidth, but to overwhelm routing and switching hardware—systems that are often more vulnerable to packet floods than to raw throughput.
Analysis showed the attack was primarily UDP-driven, with the attackers leveraging high-volume floods that can overwhelm servers by consuming bandwidth and processing resources. In the second wave, the adversaries introduced a TCP component, suggesting a deliberate escalation in complexity and resource targeting. The attack relied on amplification techniques, such as exploiting misconfigured services to magnify traffic volume, combined with the use of a globally distributed botnet comprising compromised devices across multiple regions. This combination not only increased the scale of the assault but also made mitigation more challenging by blending multiple vectors and dispersing the traffic sources worldwide.
Mitigation was successful because traffic was blocked by roughly 30 of Imperva’s globally distributed PoPs. By intercepting malicious packets near their origin—whether in Jakarta, Mumbai, or Johannesburg—the mitigation network prevented them from ever reaching core transit pipes or customer environments in Europe and the U.S.
This highlights a central truth: scale alone doesn’t win; quality and accuracy do.
Below, we outline several key considerations that challenge the framing of “biggest attack, biggest network” as the gold standard in protection.
1. DDoS Attacks Are Highly Distributed by Nature
Modern DDoS campaigns leverage globally dispersed botnets comprising hundreds of thousands (or millions) of compromised devices. The traffic rarely originates from the same region as legitimate users. As a result, most attack traffic is geographically disjoint from the target’s normal patterns. This means it’s far more effective to stop malicious traffic close to its source than to allow it to aggregate into massive volumes near the destination.
Imperva’s Threat Intelligence tracks IP reputation, allowing DDoS attacks by common botnets to be quickly mitigated.
2. Distributed Mitigation Is Key to Effective Defense
Stopping an attack in transit is no longer enough. A well-distributed mitigation network ensures:
- Proximity to attack sources: cutting off packets before they traverse global backbones.
- Early malicious traffic identification: detecting floods in seconds, not minutes.
- Isolation and discard of bad traffic: without disrupting legitimate users.
This demonstrates that all of our globally distributed PoPs, each acting as a scrubbing center, worked together to neutralize billions of malicious packets. This distributed model eliminates the need for a small number of large, dedicated scrubbing centers, which could struggle to absorb large-scale attacks and require rerouting traffic. Because every PoP is capable of scrubbing, most attacks can be mitigated locally without shifting traffic to a more remote PoP—avoiding service disruption, preventing broken sessions, and minimizing latency for customer applications.
3. Even Small PoPs Can Play a Major Role
Contrary to popular belief, a point of presence (PoP) doesn’t need massive capacity to be effective. If a PoP in Johannesburg only sees 100 Gbps of a UDP flood and drops it immediately, that prevents strain on global infrastructure. The ability to filter malicious packets locally is far more valuable than boasting about multi-Tbps absorption at a distant data center.
In fact, it’s even more nuanced than that. Even if the scrubbing capacity in Johannesburg is smaller than the volume of the incoming attack, it still serves its purpose as long as the dropped traffic is malicious. In this case, the uplink may become congested, which may conceal the full magnitude of the attack, but the overflow being discarded is still attack traffic, not legitimate user traffic.
This highlights why the absolute size of a PoP doesn’t actually matter as much as its ability to effectively divert attack traffic away from the intended target. The true challenge lies in ensuring that attack traffic in Johannesburg is cleanly separated from legitimate customer traffic using the same PoP. Techniques such as quarantine uplinks, advanced sinkholing, or surgical remote triggered blackholing (RTBH) can achieve this separation without risking other tenants’ clean (non-attack) traffic routed through the same PoP.
4. In Mixed Traffic Scenarios, Scrubbing Quality and Time-to-Mitigation Matter Most
The 1.1 billion PPS attack highlights why time-to-mitigation and scrubbing intelligence are critical. High PPS floods target routers and switches, while multi-vector attacks—like SYN floods, reflection/amplification combinations, or HTTP floods—blend malicious and legitimate traffic.
In these cases, mitigation requires more than bandwidth:
- Line-rate traffic inspection
- Detection of subtle attack patterns in seconds
- Real-time response to shifting vectors
- Preservation of legitimate user traffic
- Detection of traffic anomalies through dynamic, adaptive baseline profiling that leverages AI/ML capabilities
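To make the adaptive-baseline and time-to-mitigation points concrete, here is a small added illustration (not Imperva’s code and not from the original post): a per-PoP packets-per-second monitor keeps an EWMA baseline of normal traffic, flags a sample once it exceeds the learned envelope, refuses to learn from flagged samples so a sustained flood never becomes the “new normal”, and reports how many seconds elapsed between flood onset and first detection. The parameters, the traffic trace and the PPS figures in the trace are constructed for the example.

```python
import math
from dataclasses import dataclass


@dataclass
class AdaptiveBaseline:
    """EWMA mean/variance of 1-second packet counts at one PoP (illustrative parameters)."""
    alpha: float = 0.05        # how quickly the baseline follows normal traffic
    k: float = 5.0             # standard deviations above the mean that count as a flood
    floor: float = 100_000.0   # absolute PPS below which nothing is ever flagged
    warmup: int = 10           # samples to learn before alerting at all
    mean: float = 0.0
    var: float = 0.0
    seen: int = 0

    def threshold(self) -> float:
        return max(self.floor, self.mean + self.k * math.sqrt(self.var))

    def observe(self, pps: float) -> bool:
        """Feed one 1-second sample; return True when it is judged a flood."""
        self.seen += 1
        if self.seen > self.warmup and pps > self.threshold():
            return True          # do not update the baseline from attack samples
        if self.seen == 1:
            self.mean = pps      # seed the baseline with the first sample
        else:
            diff = pps - self.mean
            self.mean += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        return False


def evaluate(samples, flood_start, det=None):
    """Return (seconds from flood_start to first detection or None, false positives, final mean)."""
    det = det or AdaptiveBaseline()
    ttd, false_positives = None, 0
    for t, pps in enumerate(samples):
        flagged = det.observe(pps)
        if flagged and t < flood_start:
            false_positives += 1
        elif flagged and ttd is None:
            ttd = t - flood_start + 1
    return ttd, false_positives, det.mean


def constructed_trace():
    """Constructed data: 60 s of steady traffic, then a UDP flood ramping up sharply."""
    normal = [20_000 + int(2_000 * math.sin(t / 3)) for t in range(60)]
    flood = [5_000_000, 50_000_000, 563_000_000, 563_000_000]
    return normal + flood, 60
```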
Application-layer (Layer 7) attacks further elevate the need for behavioral analysis and adaptive defense, as attackers increasingly focus on HTTP floods, API abuse, and DNS query floods designed to slip past capacity-based defenses. Recent cases like QUICLEAK, where threat actors smuggle malformed packets to exhaust memory, and MadeYouReset, a variant of HTTP/2 RapidReset that tricks the server into resetting its own streams, highlight the importance of more than just capacity-based defenses.
5. Tbps-Scale Attacks Are Rare; Most Threats Are More Targeted and Complex
While multi-terabit attacks make headlines, they remain rare. Around 0.1% of attacks exceed multiple Tbps or 1 billion PPS. The majority of real-world threats are smaller but more complex, including:
- Burst-style floods and carpet bombing attacks
- State exhaustion attempts (e.g., TCP SYN floods)
- Application-layer floods targeting APIs or DNS
- Short, sharp strikes designed to overwhelm defenses before they fully activate
While headline-grabbing attacks exist, most organizations are far more likely to face smaller, but more persistent, multi-vector campaigns. Imperva’s 3-second mitigation stops burst attacks and sharp strikes quickly, helping to keep your business running even under complex attacks.
Conclusion: Choose Real-World Readiness Over Hype Metrics
When evaluating a DDoS provider, don’t be swayed by numbers like “X Tbps mitigated” or “hundreds of Tbps of capacity.” Instead, ask:
- How distributed is the mitigation network?
- How quickly can malicious traffic be stopped near its source?
- What scrubbing intelligence and behavioral analytics are in place?
- How effective is the platform against application-layer attacks?
- What is the average time-to-mitigation across different attack types?
The back-to-back U.S. case shows that even record-setting floods can be stopped, not by raw scale alone, but through globally distributed, adaptive, real-time defenses.
Capacity matters, but architecture, visibility, and speed matter more. True resilience comes from smart, distributed defense built for the attacks organizations are most likely to face.