DDoS Mitigation
Full-stack DDoS defense, engineered without compromise
Always-on, unmetered protection powered by advanced heuristic filtering and state-of-the-art behavioral analysis across our global PoP footprint. Full-stack mitigation — from volumetric scrubbing to application-layer inspection — that continuously evolves to stay ahead of emerging threats.
Predictable Under Attack
Unmetered by design
DDoS protection at Wirescope is always-on and unmetered. Attack traffic is filtered inline at the edge and is never billed toward your commit or usage. Whether an attack is 5 Gbps or 500 Gbps, your cost does not change.
There are no surge fees, no per-attack charges, and no post-incident invoices. Your commit reflects clean traffic only — guaranteed.
This is not an add-on service or a fallback mode. Inline mitigation runs continuously across all PoPs, so traffic is filtered before it can inflate billing or saturate links.
What problems this solves
- Volumetric DDoS floods that saturate your upstream links
- Protocol-level attacks (SYN floods, UDP amplification, DNS reflection)
- Application-layer attacks (HTTP floods, slowloris, API abuse)
- Upstream providers nullrouting your IPs instead of mitigating
- Unpredictable DDoS mitigation bills and per-attack surcharges
Who this is for
- Hosting providers and bare-metal operators
- ISPs and carriers protecting subscriber prefixes
- Game studios and esports platforms
- CDN and edge compute operators
- Any network that cannot afford downtime during an attack
Why it’s different
- Inline at the PoP — not backhauled to a remote scrubbing center
- TBD per-packet decisions within the hardware filtering pipeline
- Stateless — works without return traffic visibility
- Unmetered — no per-attack charges, no surge pricing
- Transit included — not a mitigation-only overlay
Architecture
Two-tier mitigation at terabit scale
Our in-house scrubbing infrastructure handles TBD Tbps across every PoP — more than enough for the overwhelming majority of all DDoS attacks. For the rare worst-case scenarios — multi-terabit volumetric floods that exceed our local capacity — we propagate our proprietary FlowSpec rules to upstream CDN and hyperscale networks, activating over TBD Pbps of aggregate edge filtering before traffic even reaches our network.
How It Works
Five-stage mitigation pipeline
Every packet traverses our inline filtering pipeline before reaching your network. Malicious traffic is identified and dropped at the earliest possible stage, minimizing resource consumption and maximizing throughput for clean traffic.
Ingress & Classification
Traffic enters through our anycast edge and is immediately classified using flow telemetry, protocol fingerprinting, and behavioral signatures. Legitimate traffic is forwarded with zero added latency.
Inline processing at 400 Gbps per line card
Volumetric Scrubbing
Amplification floods (NTP, DNS, CLDAP, Memcached, SSDP, CHARGEN) are detected and dropped at the network edge before consuming backbone capacity. Scrubbing operates across every PoP simultaneously.
TBD Tbps aggregate in-house scrubbing capacity
Protocol-Level Filtering
TCP state tracking, SYN cookie validation, and protocol anomaly detection neutralize SYN floods, ACK floods, RST attacks, and malformed packet storms. Every packet is validated against RFC-compliant state machines.
TBD per-packet decision within the hardware filtering pipeline
Application-Layer Analysis
Deep packet inspection identifies L7 attacks: HTTP floods, slowloris, DNS query floods, and encrypted attack vectors. Behavioral models distinguish between legitimate traffic surges and coordinated attacks.
ML-driven anomaly detection with TBD false positive rate
Clean Traffic Delivery
Scrubbed traffic is forwarded via your preferred method — direct cross-connect, GRE tunnel, or BGP session — with full visibility into what was filtered, why, and how much. Zero impact on legitimate users.
Sub-millisecond forwarding latency
Network Engineering
Engineered for the absolute worst
We do everything in our power to keep your infrastructure online — and we never cut corners to do it. Our network is built from the ground up for sustained attack conditions. Attacks against other customers will never impact you, and yours will never impact them. Complete isolation, complete redundancy, at every layer.
Private Fiber Backbone
Our PoPs are interconnected via private fiber — not shared transit. Complete control over routing, latency, and capacity between every node in our network.
Complete Customer Isolation
An attack against one customer never impacts another. Traffic is isolated at the port level with dedicated scrubbing contexts. No noisy neighbors. Ever.
Individual Port Monitoring
Every physical and logical port is monitored independently. We detect anomalies at the interface level before they propagate, enabling surgical mitigation.
Automatic PoP Failover
If an entire PoP goes offline or a specific peering link degrades, traffic is automatically rerouted across our backbone in milliseconds. Protection never drops.
Protection Layers
Defense at every layer of the stack
All protection layers are included with every deployment. No tiered pricing. No upsells. Every customer gets the full mitigation stack from day one — from per-packet protocol analysis to adaptive heuristic filtering and application-specific defense.
Per-Packet Protection
Protocol Analysis
Every packet validated against RFC-compliant state machines
Access Control Lists
Granular traffic filtering at line rate
Trust Lists
Whitelist known-good traffic to minimize false positives
Event-Triggered Protection
L3/L4 Flood Mitigation
Volumetric and protocol-layer defense
L7 Flood Mitigation
Application-layer attack defense
Rate Limiting
Adaptive rate controls per flow and prefix
Heuristic Engine
Adaptive intelligence that learns in real time
Static rules catch known attacks. Our heuristic engine catches everything else. By continuously profiling traffic patterns, behavioral signatures, and protocol anomalies across our entire network, the engine can protect applications it has never seen before — learning and adapting in real time, not just reacting but anticipating.
Every packet receives a composite anomaly score. Decisions are made in under TBD within the hardware filtering pipeline. No warm-up time. No training period. Protection starts the moment traffic touches our network.
Behavioral Fingerprinting
Every flow is fingerprinted using packet timing, TTL distribution, TCP window sizes, and payload entropy. The engine builds a real-time behavioral model that distinguishes legitimate users from botnet nodes — even when attackers rotate IPs and payloads.
Cross-Network Learning
Attack patterns observed against one customer are used to protect all customers in real time. When we detect a new botnet signature, updated heuristic rules propagate across every PoP in under TBD — before the attack can spread.
Adaptive Threshold Tuning
Thresholds are not static. Our engine continuously profiles your normal traffic patterns and adjusts detection sensitivity per-prefix, per-protocol, and per-flow. Seasonal traffic spikes are learned, not flagged.
Protocol Anomaly Scoring
Each packet receives a composite anomaly score based on header compliance, behavioral deviation, and statistical outlier detection. Packets crossing the threshold are dropped or challenged — with decisions made in under TBD within the hardware filtering pipeline.
Application-Aware
Protocol-specific defense for every workload
Our mitigation engine understands the protocols your applications speak. Instead of treating all traffic as generic packet flows, we parse, validate, and filter at the application layer — with dedicated logic for each protocol.
Web & API
HTTP/SDNS
DNSGame Servers
UDP/TCPVoIP & SIP
SIP/RTPEmail & SMTP
SMTPCustom Protocols
ANYDon't see your protocol? Our engineering team can generate custom filtering rules tailored to your application, or you can write your own using our BPF-syntax rule engine and deploy them instantly via the dashboard or API.
Coverage
Every attack vector — known and unknown. Covered.
Our mitigation engine handles the full spectrum of DDoS attack techniques, from volumetric amplification to sophisticated application-layer exploits. And our heuristic engine catches the zero-days that signatures miss.
Network Layer
11 vectors covered
Transport Layer
5 vectors covered
Application Layer
8 vectors covered
These are just the vectors we can name. Our heuristic engine doesn't rely on signatures — it profiles traffic behavior and scores anomalies in real time, catching zero-day attack patterns the moment they deviate from normal. No signature update required.
Platform
Beautiful dashboard. Powerful API.
Set rules, tweak thresholds, and monitor everything from our intuitive dashboard — or automate it all via our REST API. Create custom mitigation profiles, adjust filtering in real time, and get granular visibility into every attack and every decision our platform makes.
Visual Rule Builder
Build mitigation rules visually with instant feedback. Drag, tweak, and deploy across all PoPs in one click.
Live Attack Timelines
Watch attacks unfold in real time with per-prefix breakdowns, protocol-level granularity, and decision-by-decision transparency.
Per-Prefix Analytics
Drill into any prefix to see traffic patterns, mitigation history, and performance metrics — all updated live.
Alerts & Webhooks
Instant notifications the moment an attack starts, escalates, or resolves. Plug into PagerDuty, Slack, or any webhook endpoint.
# Create a mitigation rule
curl -X POST https://api.wirescope.net/v1/rules \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"prefix": "203.0.113.0/24",
"action": "rate-limit",
"threshold": "10Gbps",
"protocol": "udp"
}'# Response
{ "id": "rule_8x7k2", "status": "active" }Capabilities
Built for networks that cannot go down
Every component of our mitigation platform is purpose-built for sustained attack conditions. Advanced heuristic filtering at wire speed, backed by a network engineered to absorb anything thrown at it.
Wire-Speed Packet Decisions
Every packet is evaluated in under TBD within the hardware filtering pipeline. Drop-or-pass decisions happen at wire speed with zero warm-up time.
Global PoP Scrubbing
Attack traffic is absorbed at the nearest PoP, not backhauled. Every PoP runs the full mitigation stack independently.
Always-On Detection
Inline monitoring analyzes every packet in real time. No sampling, no sFlow approximation. We see every byte that touches your prefixes.
Real-Time Analytics
Live dashboards show attack vectors, mitigation actions, clean vs. dirty traffic ratios, and per-prefix breakdowns. Exportable via API.
Adaptive Heuristic Engine
Our filtering engine can protect applications it has never seen before — learning traffic patterns in real time across our entire network. Protection evolves with your application, not just reacting but anticipating.
Ultra-Low False Positives*
A TBD false positive rate with managed filters. Our team tunes detection profiles to your traffic patterns — and if legitimate traffic is misclassified, we credit your account.
Encrypted Traffic Inspection
Behavioral analysis identifies L7 attacks within encrypted TLS sessions without requiring access to your private keys.
Unmetered Mitigation
Attack traffic is never billed. Your commit covers clean traffic only. A 500 Gbps attack costs you exactly $0 in overage.
Sub-Second BGP Convergence
Route changes propagate across our entire network in TBD. When we need to swing traffic, we do it before the attack impact is felt.
If anyone can defend you, it's us
The internet was not designed to handle massive, sustained traffic spikes directed at a single target. When volumetric attacks reach extreme scale, transit providers congest and upstream links saturate — it's a fundamental limitation of shared infrastructure. Attacks exceeding 1 Tbps represent a tiny fraction of events globally, but when they happen, you need a platform built for the worst case.
Wirescope handles up to TBD Tbps of in-house scrubbing across all our PoPs using the full depth of our heuristic engine, behavioral analysis, and per-packet filtering. That covers the overwhelming majority of attacks with surgical precision. But for the rare extreme-scale event, we escalate — propagating our own FlowSpec rules to upstream CDN and hyperscale networks that operate some of the largest backbones on the planet, purpose-built for sustained high-volume traffic at massive scale.
These distributed rules are necessarily more basic than what we run in-house — broad volumetric filters rather than our full heuristic stack — but they don't need to be perfect. They just need to reduce attack volume to levels our in-house infrastructure can handle. Even if upstream filtering has some leakage, our TBD Tbps in-house capacity absorbs the residual and applies the full depth of our filtering pipeline. The result: even an extreme multi-terabit flood is reduced upstream to a fraction, and our in-house scrubbing cleans up the rest with zero impact on your traffic.
Our aggregate edge filtering capacity with upstreams exceeds TBD Pbps. One contract, one dashboard, the best of everything. If we can't defend you, no one can.
Integration
Connect your way
Choose the onboarding method that fits your infrastructure. All methods deliver the same full mitigation stack with identical SLAs.
Transparent Proxy
Application-levelWe proxy traffic for your specific applications — websites, game servers, APIs, and more. Full L7 inspection and filtering with zero client-side changes. Ideal for application-aware protection.
Tunnel
Fastest setupThe fastest and simplest way to get protected. We support GRE, IPsec, IPIP, WireGuard, and more — we are flexible. Provisioned same-day and your delivery method can be changed at any time.
Cross-Connect / Fibre
Lowest latencyPhysical interconnect at any of our PoPs via mutual data center presence, dedicated fibre run, or carrier-neutral fabric services. Lowest latency, highest throughput.
On-Premise Appliance
On-premiseDeploy Wirescope hardware directly inside your network. Our appliances sit inline at your edge and filter traffic locally with the same engine that powers our cloud PoPs — ideal for organizations that require data sovereignty or prefer to keep traffic on-site.
Get Started
As simple or as custom as you need
Start with a battle-tested preset and go live in minutes, or work with our team to build a fully custom mitigation profile. Every option includes the same always-on protection, the same SLA, and the same 24/7 support.
Wirescope works alongside your existing stack—and other providers. Use us for everything, or just the pieces you need.
SLA
Backed by real commitments
Every metric is contractually guaranteed and backed by service credits. We publish these numbers because we hit them — month after month, attack after attack.
| Metric | Commitment | Detail |
|---|---|---|
| Network Uptime | TBD | Measured per calendar month across all PoPs |
| Time to Mitigate | TBD | For volumetric attacks. L7 mitigated within TBD |
| False Positive Rate | TBD | With managed filters tuned to your traffic profile |
| Packet Loss (Clean) | TBD | No legitimate packet loss during active mitigation |
| BGP Convergence | TBD | Full route propagation across global network |
| NOC Response | TBD | 24/7 response to customer-initiated escalations |
Under attack right now?
Our NOC team is available 24/7 for emergency DDoS mitigation. GRE tunnel onboarding in hours, not days.
FAQ
Common questions
Related Services
Related Use Cases
Ready to stop DDoS attacks?
Talk to our team about your network, your threat model, and the right deployment for your infrastructure. We will have you protected in days, not weeks.
Protection that’s kind of magic.