Back to Blog

Summary: Always-on DDoS protection provides instant mitigation with zero activation delay but may add latency and costs more at baseline. On-demand protection has lower baseline cost and latency but requires 2 to 10 minutes to activate during an attack. The right choice depends on your risk tolerance, attack frequency, latency sensitivity, and budget. Many production environments use a layered approach: always-on detection and proxy protection for immediate response, with on-demand cloud scrubbing for volumetric attacks that exceed local capacity.

How always-on protection works

In an always-on model, your traffic continuously flows through a mitigation system, whether or not an attack is underway. When an attack occurs, the system is already inspecting traffic and can begin filtering immediately. There is no activation delay.

Always-on protection comes in two primary forms:

Cloud proxy (always-on routing)

Services like Cloudflare, Akamai Prolexic Routed, and Cloudflare Magic Transit route all traffic through their infrastructure at all times. Your DNS records point to the provider's IP addresses (or for Magic Transit, BGP advertisements direct traffic through the provider's network). Every packet passes through their scrubbing infrastructure, clean or malicious.

This approach provides the strongest guarantee of instant mitigation because the mitigation path is identical to the normal traffic path. There is no "switching" to a protected mode. The protection is the path.

The trade-off is latency. Traffic that would normally travel directly from user to server now takes a detour through the provider's edge network. For Cloudflare, with 330+ points of presence globally, this detour is typically 1 to 5 ms for users near a PoP. For providers with fewer PoPs, the additional latency can be more significant, especially for users in regions without nearby scrubbing centers.

Agent-based detection (always-on monitoring)

Agent-based tools like Flowtriq run directly on your servers and monitor traffic in real time. They do not reroute traffic. Instead, they analyze packets at the server level and trigger mitigation actions (BGP FlowSpec, RTBH, scrubbing activation, alerts) when attacks are detected.

This approach adds zero network latency because traffic is not rerouted. Detection is always on and operates at sub-second granularity. The mitigation action (FlowSpec rule propagation, RTBH announcement, or scrubbing activation) takes additional time, but detection itself is instant.

The trade-off is that the server still receives attack traffic until upstream mitigation activates. For attacks that exceed your server's capacity, there is a brief window between detection and upstream mitigation taking effect. For attacks within your server's capacity, the agent can detect and respond without any service impact.

How on-demand protection works

In an on-demand model, traffic normally travels its standard path without passing through any mitigation infrastructure. When an attack is detected, traffic is diverted to a scrubbing center, filtered, and clean traffic is returned to your infrastructure. After the attack subsides, traffic returns to its normal path.

The activation sequence

On-demand activation follows a predictable sequence, each step adding time:

  1. Detection (30 seconds to 2 minutes): Something identifies the attack. This could be a monitoring system, a flow collector, your NOC team noticing alerts, or your server becoming unresponsive.
  2. Decision (0 seconds to 15 minutes): Someone or something decides to activate scrubbing. Automated systems can make this decision instantly. Manual processes require a human to evaluate the situation and approve activation.
  3. BGP announcement (1 to 3 minutes): The scrubbing provider advertises your IP prefixes via BGP, causing upstream routers to redirect traffic through the scrubbing infrastructure. BGP convergence time varies by ISP and peering configuration.
  4. Scrubbing active (ongoing): Traffic flows through the scrubbing center. Malicious traffic is dropped. Clean traffic is forwarded to your infrastructure via GRE tunnel, direct peering, or other return path.

Total activation time in practice: 2 to 10 minutes from attack start to mitigation active. Akamai Prolexic On-Demand publishes an SLA of approximately 5 minutes. Other providers range from 3 to 15 minutes depending on detection method and BGP propagation paths.

The activation gap

The 2 to 10 minute window between attack start and mitigation activation is the critical weakness of on-demand protection. During this window, your infrastructure absorbs the full attack unfiltered. For a 100 Gbps volumetric attack, even 3 minutes of unfiltered traffic can saturate upstream links, fill connection tables, and cause cascading failures.

The severity of this gap depends on your infrastructure's resilience. If your upstream capacity is 10 Gbps and the attack is 50 Gbps, a 3-minute activation gap means 3 minutes of complete unavailability. If your upstream is 100 Gbps and the attack is 20 Gbps, your infrastructure may absorb the attack (with degraded performance) until scrubbing activates.

Side-by-side comparison

Factor Always-on (cloud proxy) Always-on (agent-based) On-demand (BGP diversion)
Mitigation speed Instant (inline) Sub-second detection, seconds to trigger upstream 2-10 minutes
Normal-state latency +1-5 ms (proxy hop) Zero (no rerouting) Zero (normal path)
Under-attack latency Same as normal Depends on upstream action +5-30 ms (scrubbing hop)
Activation gap None Seconds (upstream action) 2-10 minutes unfiltered
Baseline cost Higher (ongoing routing) $9.99/node/month Lower base fee
Per-attack cost Typically none None Often per-GB or per-event
Server-side visibility No (edge only) Yes (per-second metrics, PCAP) No (scrubbing center only)
Protocol coverage Varies by provider/tier All protocols All protocols (IP level)
BGP/ASN required No (proxy) / Yes (Magic Transit) No (but can trigger FlowSpec) Yes (BGP diversion)
Best for Web apps, high-attack targets Any server, ISPs, hosting Large networks, cost-sensitive

When to choose always-on

Always-on protection makes the most sense when the cost of the activation gap exceeds the cost of continuous protection:

  • High-value targets under frequent attack. If you are attacked multiple times per month, the cumulative impact of 2 to 10 minute activation gaps adds up. Gaming platforms, financial services, and SaaS applications with SLA obligations often cannot afford any activation delay.
  • Latency-sensitive applications where seconds matter. Payment processing, real-time trading, and live gaming require sub-second response. A 5-minute mitigation gap could mean millions in failed transactions.
  • Small teams without 24/7 NOC coverage. If no one is watching at 3 AM to approve on-demand activation, always-on automated protection is the safer choice.
  • Limited upstream capacity. If your upstream links are 1 to 10 Gbps, even a moderate attack during an activation gap can cause complete saturation. Always-on protection prevents traffic from ever reaching your constrained links.

When to choose on-demand

On-demand protection is the right choice when the trade-offs align with your operational reality:

  • Infrequent attacks. If you experience DDoS attacks once or twice a year, paying for always-on scrubbing 365 days a year is difficult to justify. On-demand base fees are typically 40 to 60% lower than always-on for equivalent scrubbing capacity.
  • Latency-critical applications that cannot tolerate any proxy hop. High-frequency trading systems, real-time multiplayer game backends, and VoIP infrastructure sometimes cannot accept even 1 to 2 ms of additional latency from an always-on proxy. On-demand protection adds latency only during attacks, when some degradation is already expected.
  • Large network operators with existing BGP infrastructure. ISPs and large enterprises that already manage BGP sessions, own ASNs, and have established peering relationships can implement on-demand diversion with their existing tooling. The operational overhead is lower when BGP is already part of your daily workflow.
  • Budget constraints with sufficient upstream capacity. If you have enough upstream bandwidth to survive the activation gap for typical attacks targeting your infrastructure, on-demand provides meaningful cost savings.

The layered approach: using both

Many production environments combine always-on and on-demand protection. This is not redundancy for its own sake. Each layer handles different attack sizes and types:

Layer 1: Always-on detection (agent-based)

An agent-based tool like Flowtriq runs on every server, monitoring traffic in real time at sub-second granularity. It detects attacks instantly, provides per-protocol visibility, captures PCAPs for forensics, and triggers automated responses. This layer catches everything, from small application-layer attacks to large volumetric floods, and provides the visibility that cloud services lack.

Cost: $9.99/node/month. Latency impact: zero.

Layer 2: Always-on proxy (cloud edge)

A cloud proxy like Cloudflare sits in front of HTTP/HTTPS services, absorbing application-layer attacks at the edge. This layer handles HTTP floods, slowloris, credential stuffing, and other L7 vectors without any traffic reaching your origin server.

Cost: Free to $200/month. Latency impact: 1 to 5 ms.

Layer 3: On-demand scrubbing (BGP diversion)

A cloud scrubbing provider like OVH VAC, Path.net, or Voxility activates only for volumetric attacks that exceed your upstream capacity. The always-on agent detects the attack and can automatically trigger BGP diversion to the scrubbing provider. The scrubbing infrastructure filters the flood and returns clean traffic.

Cost: Base fee plus per-event charges. Latency impact: only during active attacks.

How the layers interact

In this architecture, the always-on agent (Layer 1) serves as the detection brain. It sees every packet, detects every attack type, and orchestrates the response. For small attacks, it may handle mitigation via FlowSpec or RTBH without activating cloud scrubbing. For application-layer attacks, Cloudflare (Layer 2) absorbs them at the edge. For massive volumetric attacks, the agent triggers BGP diversion to the scrubbing provider (Layer 3).

The result: instant detection for all attacks, zero-latency mitigation for most attacks, and large-scale scrubbing capacity available on-demand when needed.

Cost comparison

Approach Monthly cost (10 servers) Per-attack cost Annual estimate (4 attacks/yr)
Always-on proxy only $0-200 (Cloudflare) $0 $0-2,400
Always-on agent + proxy $99.90 (Flowtriq) + $0-200 $0 $1,199-3,600
On-demand scrubbing only $500-2,000 base $200-2,000/event $6,800-32,000
Always-on enterprise $5,000-10,000+ $0 $60,000-120,000
Layered (agent + proxy + on-demand) $100-300 base $200-500/event $2,000-5,600

The layered approach typically provides the best cost-to-coverage ratio for mid-market organizations. You pay a low base cost for always-on detection and proxy protection, and only incur scrubbing costs during the rare volumetric attacks that require dedicated capacity.

Decision framework

Choose always-on if

Zero activation delay required

Financial services, gaming, SaaS with strict SLAs, frequent attack targets, small teams without 24/7 NOC. The cost of downtime exceeds the cost of continuous protection.

Cloudflare + Flowtriq: from $9.99/mo
Choose on-demand if

2-10 min activation gap is acceptable

Infrequent attacks, large upstream capacity, established BGP infrastructure, budget-constrained. Base fee savings outweigh activation gap risk.

Base fee typically $500-2,000/mo
Choose layered if

Best coverage-to-cost ratio

Production environments that need instant detection, fast mitigation for most attacks, and elastic scrubbing for volumetric events. Most common enterprise architecture.

Agent + proxy + on-demand scrubbing

Practical recommendation

For most organizations reading this article, the answer is not purely always-on or purely on-demand. It is a layered stack where each component handles what it does best:

  1. Start with Cloudflare Free or Pro for always-on HTTP/HTTPS edge protection at $0 to $20/month.
  2. Add Flowtriq at $9.99/node/month for always-on server-side detection across all protocols, PCAP forensics, and automated FlowSpec/RTBH triggers.
  3. Add on-demand cloud scrubbing when your attack profile includes volumetric floods that exceed your upstream capacity and require dedicated scrubbing infrastructure.

This layered approach provides instant detection for all attack types, immediate mitigation for most attacks, and scalable scrubbing for the largest volumetric events. Total base cost for a 10-server deployment: under $120/month.

Free Tool

Try our DDoS Downtime Cost Calculator - calculate the true cost of the mitigation delay window in on-demand vs. always-on protection for your specific infrastructure.

Ready to protect your infrastructure? Start your 14-day free trial - deploy real-time DDoS detection in 60 seconds. No credit card required.

Frequently asked questions

What is always-on DDoS protection?
Always-on DDoS protection means traffic is continuously routed through a mitigation system, whether or not an attack is underway. Cloud-based examples include Cloudflare (DNS proxy always active), Akamai Prolexic Routed, and cloud provider built-in protection. Agent-based examples include Flowtriq, which monitors traffic on your server in real time and can trigger mitigation within sub-second timeframes. The key benefit is zero activation delay: mitigation begins the instant an attack is detected because traffic is already being inspected.
What is on-demand DDoS protection?
On-demand DDoS protection keeps traffic on its normal path until an attack is detected, at which point traffic is rerouted (typically via BGP) to a scrubbing center for filtering. Examples include Akamai Prolexic On-Demand, some cloud scrubbing providers, and any BGP-based diversion setup. The key benefit is lower baseline latency and cost. The trade-off is a 2 to 10 minute activation window during which attack traffic reaches your infrastructure unfiltered.
Which is better: always-on or on-demand DDoS protection?
Neither is universally better. Always-on is preferred when attack frequency is high, when sub-second response is required, when latency from the mitigation path is acceptable, or when the target is high-value (financial services, gaming, critical infrastructure). On-demand is preferred when attacks are infrequent, when the additional latency of an always-on proxy is unacceptable, when budget is constrained, or when the BGP diversion window of 2 to 5 minutes is tolerable.
Does always-on DDoS protection add latency?
It depends on the implementation. Cloud proxy services like Cloudflare add a small amount of latency (typically 1 to 5 ms for users near a PoP, potentially more for distant users) because traffic routes through their edge network. Agent-based detection like Flowtriq adds zero network latency because it runs directly on your server and monitors traffic locally without rerouting it. The latency question is primarily relevant for cloud scrubbing services, not for all always-on approaches.
How fast does on-demand DDoS protection activate?
On-demand activation typically takes 2 to 10 minutes, depending on the provider and configuration. BGP route propagation itself takes 1 to 3 minutes across most ISPs. Add detection time (30 seconds to 2 minutes) and any manual approval steps. Akamai Prolexic On-Demand has a published SLA of approximately 5 minutes for mitigation activation. During this window, your infrastructure absorbs the full attack unfiltered.
Can I combine always-on and on-demand DDoS protection?
Yes, and this is a common enterprise architecture. A typical layered approach: Cloudflare always-on for HTTP/S application-layer protection, Flowtriq always-on agents for server-side detection and automated FlowSpec/RTBH triggers, and a cloud scrubbing provider on-demand for large volumetric attacks that exceed upstream capacity. The always-on layers handle most attacks instantly, and on-demand scrubbing activates only for the rare volumetric events that require dedicated scrubbing infrastructure.
What does always-on DDoS protection cost compared to on-demand?
Always-on cloud proxy protection ranges from free (Cloudflare Free tier) to thousands per month (Magic Transit, Akamai Prolexic Routed). Always-on agent-based detection like Flowtriq costs $9.99/node/month. On-demand cloud scrubbing typically costs a lower monthly base fee plus per-attack or per-GB fees when activated. The total cost depends heavily on attack frequency: if you are attacked weekly, always-on is usually cheaper. If you are attacked once a year, on-demand may save money on base fees but carries the risk of the activation delay.
Back to Blog

Related articles