Summary: Always-on DDoS protection provides instant mitigation with zero activation delay but may add latency and costs more at baseline. On-demand protection has lower baseline cost and latency but requires 2 to 10 minutes to activate during an attack. The right choice depends on your risk tolerance, attack frequency, latency sensitivity, and budget. Many production environments use a layered approach: always-on detection and proxy protection for immediate response, with on-demand cloud scrubbing for volumetric attacks that exceed local capacity.
How always-on protection works
In an always-on model, your traffic continuously flows through a mitigation system, whether or not an attack is underway. When an attack occurs, the system is already inspecting traffic and can begin filtering immediately. There is no activation delay.
Always-on protection comes in two primary forms:
Cloud proxy (always-on routing)
Services like Cloudflare, Akamai Prolexic Routed, and Cloudflare Magic Transit route all traffic through their infrastructure at all times. Your DNS records point to the provider's IP addresses (or for Magic Transit, BGP advertisements direct traffic through the provider's network). Every packet passes through their scrubbing infrastructure, clean or malicious.
This approach provides the strongest guarantee of instant mitigation because the mitigation path is identical to the normal traffic path. There is no "switching" to a protected mode. The protection is the path.
The trade-off is latency. Traffic that would normally travel directly from user to server now takes a detour through the provider's edge network. For Cloudflare, with 330+ points of presence globally, this detour is typically 1 to 5 ms for users near a PoP. For providers with fewer PoPs, the additional latency can be more significant, especially for users in regions without nearby scrubbing centers.
Agent-based detection (always-on monitoring)
Agent-based tools like Flowtriq run directly on your servers and monitor traffic in real time. They do not reroute traffic. Instead, they analyze packets at the server level and trigger mitigation actions (BGP FlowSpec, RTBH, scrubbing activation, alerts) when attacks are detected.
This approach adds zero network latency because traffic is not rerouted. Detection is always on and operates at sub-second granularity. The mitigation action (FlowSpec rule propagation, RTBH announcement, or scrubbing activation) takes additional time, but detection itself is instant.
The trade-off is that the server still receives attack traffic until upstream mitigation activates. For attacks that exceed your server's capacity, there is a brief window between detection and upstream mitigation taking effect. For attacks within your server's capacity, the agent can detect and respond without any service impact.
How on-demand protection works
In an on-demand model, traffic normally travels its standard path without passing through any mitigation infrastructure. When an attack is detected, traffic is diverted to a scrubbing center, filtered, and clean traffic is returned to your infrastructure. After the attack subsides, traffic returns to its normal path.
The activation sequence
On-demand activation follows a predictable sequence, each step adding time:
- Detection (30 seconds to 2 minutes): Something identifies the attack. This could be a monitoring system, a flow collector, your NOC team noticing alerts, or your server becoming unresponsive.
- Decision (0 seconds to 15 minutes): Someone or something decides to activate scrubbing. Automated systems can make this decision instantly. Manual processes require a human to evaluate the situation and approve activation.
- BGP announcement (1 to 3 minutes): The scrubbing provider advertises your IP prefixes via BGP, causing upstream routers to redirect traffic through the scrubbing infrastructure. BGP convergence time varies by ISP and peering configuration.
- Scrubbing active (ongoing): Traffic flows through the scrubbing center. Malicious traffic is dropped. Clean traffic is forwarded to your infrastructure via GRE tunnel, direct peering, or other return path.
Total activation time in practice: 2 to 10 minutes from attack start to mitigation active. Akamai Prolexic On-Demand publishes an SLA of approximately 5 minutes. Other providers range from 3 to 15 minutes depending on detection method and BGP propagation paths.
The activation gap
The 2 to 10 minute window between attack start and mitigation activation is the critical weakness of on-demand protection. During this window, your infrastructure absorbs the full attack unfiltered. For a 100 Gbps volumetric attack, even 3 minutes of unfiltered traffic can saturate upstream links, fill connection tables, and cause cascading failures.
The severity of this gap depends on your infrastructure's resilience. If your upstream capacity is 10 Gbps and the attack is 50 Gbps, a 3-minute activation gap means 3 minutes of complete unavailability. If your upstream is 100 Gbps and the attack is 20 Gbps, your infrastructure may absorb the attack (with degraded performance) until scrubbing activates.
Side-by-side comparison
| Factor | Always-on (cloud proxy) | Always-on (agent-based) | On-demand (BGP diversion) |
|---|---|---|---|
| Mitigation speed | Instant (inline) | Sub-second detection, seconds to trigger upstream | 2-10 minutes |
| Normal-state latency | +1-5 ms (proxy hop) | Zero (no rerouting) | Zero (normal path) |
| Under-attack latency | Same as normal | Depends on upstream action | +5-30 ms (scrubbing hop) |
| Activation gap | None | Seconds (upstream action) | 2-10 minutes unfiltered |
| Baseline cost | Higher (ongoing routing) | $9.99/node/month | Lower base fee |
| Per-attack cost | Typically none | None | Often per-GB or per-event |
| Server-side visibility | No (edge only) | Yes (per-second metrics, PCAP) | No (scrubbing center only) |
| Protocol coverage | Varies by provider/tier | All protocols | All protocols (IP level) |
| BGP/ASN required | No (proxy) / Yes (Magic Transit) | No (but can trigger FlowSpec) | Yes (BGP diversion) |
| Best for | Web apps, high-attack targets | Any server, ISPs, hosting | Large networks, cost-sensitive |
When to choose always-on
Always-on protection makes the most sense when the cost of the activation gap exceeds the cost of continuous protection:
- High-value targets under frequent attack. If you are attacked multiple times per month, the cumulative impact of 2 to 10 minute activation gaps adds up. Gaming platforms, financial services, and SaaS applications with SLA obligations often cannot afford any activation delay.
- Latency-sensitive applications where seconds matter. Payment processing, real-time trading, and live gaming require sub-second response. A 5-minute mitigation gap could mean millions in failed transactions.
- Small teams without 24/7 NOC coverage. If no one is watching at 3 AM to approve on-demand activation, always-on automated protection is the safer choice.
- Limited upstream capacity. If your upstream links are 1 to 10 Gbps, even a moderate attack during an activation gap can cause complete saturation. Always-on protection prevents traffic from ever reaching your constrained links.
When to choose on-demand
On-demand protection is the right choice when the trade-offs align with your operational reality:
- Infrequent attacks. If you experience DDoS attacks once or twice a year, paying for always-on scrubbing 365 days a year is difficult to justify. On-demand base fees are typically 40 to 60% lower than always-on for equivalent scrubbing capacity.
- Latency-critical applications that cannot tolerate any proxy hop. High-frequency trading systems, real-time multiplayer game backends, and VoIP infrastructure sometimes cannot accept even 1 to 2 ms of additional latency from an always-on proxy. On-demand protection adds latency only during attacks, when some degradation is already expected.
- Large network operators with existing BGP infrastructure. ISPs and large enterprises that already manage BGP sessions, own ASNs, and have established peering relationships can implement on-demand diversion with their existing tooling. The operational overhead is lower when BGP is already part of your daily workflow.
- Budget constraints with sufficient upstream capacity. If you have enough upstream bandwidth to survive the activation gap for typical attacks targeting your infrastructure, on-demand provides meaningful cost savings.
The layered approach: using both
Many production environments combine always-on and on-demand protection. This is not redundancy for its own sake. Each layer handles different attack sizes and types:
Layer 1: Always-on detection (agent-based)
An agent-based tool like Flowtriq runs on every server, monitoring traffic in real time at sub-second granularity. It detects attacks instantly, provides per-protocol visibility, captures PCAPs for forensics, and triggers automated responses. This layer catches everything, from small application-layer attacks to large volumetric floods, and provides the visibility that cloud services lack.
Cost: $9.99/node/month. Latency impact: zero.
Layer 2: Always-on proxy (cloud edge)
A cloud proxy like Cloudflare sits in front of HTTP/HTTPS services, absorbing application-layer attacks at the edge. This layer handles HTTP floods, slowloris, credential stuffing, and other L7 vectors without any traffic reaching your origin server.
Cost: Free to $200/month. Latency impact: 1 to 5 ms.
Layer 3: On-demand scrubbing (BGP diversion)
A cloud scrubbing provider like OVH VAC, Path.net, or Voxility activates only for volumetric attacks that exceed your upstream capacity. The always-on agent detects the attack and can automatically trigger BGP diversion to the scrubbing provider. The scrubbing infrastructure filters the flood and returns clean traffic.
Cost: Base fee plus per-event charges. Latency impact: only during active attacks.
How the layers interact
In this architecture, the always-on agent (Layer 1) serves as the detection brain. It sees every packet, detects every attack type, and orchestrates the response. For small attacks, it may handle mitigation via FlowSpec or RTBH without activating cloud scrubbing. For application-layer attacks, Cloudflare (Layer 2) absorbs them at the edge. For massive volumetric attacks, the agent triggers BGP diversion to the scrubbing provider (Layer 3).
The result: instant detection for all attacks, zero-latency mitigation for most attacks, and large-scale scrubbing capacity available on-demand when needed.
Cost comparison
| Approach | Monthly cost (10 servers) | Per-attack cost | Annual estimate (4 attacks/yr) |
|---|---|---|---|
| Always-on proxy only | $0-200 (Cloudflare) | $0 | $0-2,400 |
| Always-on agent + proxy | $99.90 (Flowtriq) + $0-200 | $0 | $1,199-3,600 |
| On-demand scrubbing only | $500-2,000 base | $200-2,000/event | $6,800-32,000 |
| Always-on enterprise | $5,000-10,000+ | $0 | $60,000-120,000 |
| Layered (agent + proxy + on-demand) | $100-300 base | $200-500/event | $2,000-5,600 |
The layered approach typically provides the best cost-to-coverage ratio for mid-market organizations. You pay a low base cost for always-on detection and proxy protection, and only incur scrubbing costs during the rare volumetric attacks that require dedicated capacity.
Decision framework
Zero activation delay required
Financial services, gaming, SaaS with strict SLAs, frequent attack targets, small teams without 24/7 NOC. The cost of downtime exceeds the cost of continuous protection.
2-10 min activation gap is acceptable
Infrequent attacks, large upstream capacity, established BGP infrastructure, budget-constrained. Base fee savings outweigh activation gap risk.
Best coverage-to-cost ratio
Production environments that need instant detection, fast mitigation for most attacks, and elastic scrubbing for volumetric events. Most common enterprise architecture.
Practical recommendation
For most organizations reading this article, the answer is not purely always-on or purely on-demand. It is a layered stack where each component handles what it does best:
- Start with Cloudflare Free or Pro for always-on HTTP/HTTPS edge protection at $0 to $20/month.
- Add Flowtriq at $9.99/node/month for always-on server-side detection across all protocols, PCAP forensics, and automated FlowSpec/RTBH triggers.
- Add on-demand cloud scrubbing when your attack profile includes volumetric floods that exceed your upstream capacity and require dedicated scrubbing infrastructure.
This layered approach provides instant detection for all attack types, immediate mitigation for most attacks, and scalable scrubbing for the largest volumetric events. Total base cost for a 10-server deployment: under $120/month.
Free Tool
Try our DDoS Downtime Cost Calculator - calculate the true cost of the mitigation delay window in on-demand vs. always-on protection for your specific infrastructure.
Ready to protect your infrastructure? Start your 14-day free trial - deploy real-time DDoS detection in 60 seconds. No credit card required.