If you run any kind of online service, you have probably heard the terms "DDoS protection" and "DDoS mitigation" used interchangeably. But they actually refer to different things, and understanding the distinction is the first step toward building a defense that works.
This guide explains both concepts from the ground up. No prior networking knowledge required. By the end, you will understand exactly what DDoS protection involves, how mitigation works, and what tools and strategies are available to keep your infrastructure online.
What Is a DDoS Attack? (The Quick Version)
A Distributed Denial of Service (DDoS) attack is an attempt to overwhelm your server, network, or application with more traffic than it can handle. The "distributed" part means the traffic comes from many sources at once, often thousands or millions of compromised devices (called a botnet) sending traffic simultaneously.
The goal is simple: make your service unavailable to legitimate users. If your web server can handle 10,000 requests per second and an attacker sends 500,000 requests per second, your server stops responding to everyone, including real customers.
Protection vs. Mitigation: What Is the Difference?
DDoS protection is the broad term for everything you do to defend against attacks. It includes your detection tools, your mitigation systems, your architecture decisions, your incident response procedures, and your monitoring setup. Protection is the umbrella that covers your entire defense strategy.
DDoS mitigation is the specific act of stopping or reducing the impact of an active attack. When attack traffic is flowing and your mitigation system kicks in to filter bad packets while allowing good traffic through, that is mitigation. It is one component of your overall protection strategy.
Think of it like home security. Protection includes your locks, alarm system, security cameras, and motion lights. Mitigation is what happens when someone actually tries to break in: the alarm sounds, the cameras record, and the police are called.
The Three Types of DDoS Attacks
Before understanding protection, you need to know what you are protecting against. DDoS attacks fall into three categories:
Volumetric Attacks
These attacks flood your network with sheer volume. The attacker sends as much traffic as possible to consume your bandwidth. Common volumetric attacks include UDP floods, DNS amplification, NTP amplification, and memcached reflection. Amplification and reflection attacks work by sending small requests to open DNS, NTP, or memcached servers with the victim's address forged as the source; the servers then answer the victim with responses many times larger than the requests, so the attacker needs only a fraction of the bandwidth they inflict. Volumetric attacks are measured in bits per second, typically gigabits or terabits.
Protocol Attacks
Protocol attacks exploit weaknesses in network protocols to consume server resources, and they exhaust state on firewalls and load balancers just as readily as on the server itself. SYN floods are the classic example: the attacker sends millions of TCP SYN packets, usually from spoofed source addresses, without completing the three-way handshake, exhausting your server's half-open connection (SYN backlog) queue. SYN cookies, which let the kernel answer a SYN without storing per-connection state until the handshake completes, are the standard first defense. Protocol attacks are measured in packets per second.
Application-Layer Attacks
Application-layer attacks target your web application directly with seemingly legitimate requests. An HTTP flood, for example, sends valid-looking HTTP GET or POST requests to resource-intensive endpoints such as search or report pages, and over HTTPS each request also costs the server a TLS handshake. These attacks are harder to detect because each individual request looks normal; only the request rate, the client mix, and the concentration on expensive endpoints give them away. They are measured in requests per second.
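To make that detection problem concrete, here is an added example, written for this guide rather than taken from Flowtriq or any CDN, that scores clients from ordinary access-log lines. It assumes a constructed log in the Apache/nginx combined format, assumed per-endpoint costs, and an assumed window and budget; the point is that the flooder only becomes visible once you count its requests over a window and weight the expensive paths.

```python
"""Added example: per-client request-rate detection for an HTTP flood.

Illustrative code written for this article, not Flowtriq's detector or any
CDN's logic. It parses constructed access-log lines in the Apache/nginx
combined format and flags a client whose weighted request rate over a
sliding window exceeds a budget. Requests to expensive endpoints count more,
because an HTTP flood aims at the paths that cost the origin CPU or
database time, and a plain request count would under-weight them. The
endpoint costs, window and budget are assumed values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Relative cost of a request by path prefix (assumed for the example).
EXPENSIVE = {"/api/report": 20, "/search": 10}

def request_cost(path):
    for prefix, cost in EXPENSIVE.items():
        if path.startswith(prefix):
            return cost
    return 1

class RateDetector:
    """Weighted sliding-window counter per client address."""
    def __init__(self, window_s=10, budget=50):
        self.window_s = window_s
        self.budget = budget                # weighted requests allowed per window
        self.events = defaultdict(deque)    # ip -> (timestamp, cost) in arrival order
        self.load = defaultdict(int)        # ip -> sum of costs inside the window

    def observe(self, ip, ts, cost):
        """Record one request; return True when the client is over budget."""
        q = self.events[ip]
        q.append((ts, cost))
        self.load[ip] += cost
        # Expire entries older than the window before judging the client.
        while q and (ts - q[0][0]).total_seconds() > self.window_s:
            _, old_cost = q.popleft()
            self.load[ip] -= old_cost
        return self.load[ip] > self.budget

def scan_log(lines, window_s=10, budget=50):
    """Return {ip: peak weighted load} for every client that exceeded the budget."""
    det = RateDetector(window_s, budget)
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # skip lines not in combined format
        ts = datetime.strptime(m["ts"], TS_FMT)
        if det.observe(m["ip"], ts, request_cost(m["path"])):
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), det.load[m["ip"]])
    return flagged

def sample_log():
    """Constructed log: a browsing client at 1 req/s and a flooder hammering /search."""
    fmt = '{ip} - - [10/Oct/2024:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="198.51.100.4", sec=s, path="/") for s in range(30)]
    lines += [fmt.format(ip="203.0.113.7", sec=s, path="/search?q=x") for s in range(10, 18)]
    return lines

if __name__ == "__main__":
    print(scan_log(sample_log()))   # {'203.0.113.7': 80}
```

The browsing client sends thirty requests in thirty seconds and never exceeds the budget; the second client sends only eight, but each one hits /search and the weighted load crosses the budget within six seconds. In production the same logic runs on the live log stream or at the reverse proxy, and the flagged address feeds a rate-limit or block rule rather than a printed dictionary.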
How DDoS Protection Works
Effective DDoS protection operates across multiple layers. No single technique stops every type of attack, which is why defense-in-depth matters.
Layer 1: Detection
You cannot mitigate an attack you do not know about. Detection is the foundation of protection. Good detection answers three questions instantly: Is an attack happening? What type of attack is it? What resources are being targeted?
Detection speed matters enormously. If your detection system takes 60 seconds to identify an attack, your infrastructure absorbs 60 seconds of damage before any mitigation begins. Flowtriq achieves one-second detection by monitoring packets per second at the kernel level on each server. This per-second granularity means attacks are identified almost as soon as they start.
Layer 2: Classification
Once an attack is detected, you need to know what kind of attack it is. Different attack types require different mitigation techniques. A SYN flood needs different treatment than a DNS amplification attack or an HTTP flood.
Automatic classification saves critical time during an incident. Instead of your team manually analyzing packet captures to identify the attack vector, the system should tell you immediately. Flowtriq classifies attacks into eight categories automatically, giving your team and your automated mitigation systems the information they need to respond correctly.
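The following is an added example, not Flowtriq's classifier (this guide does not list Flowtriq's eight categories, so the labels are the example's own). It shows what automatic classification has to look at: the mixture of protocols, TCP flags, source ports and packet sizes over a whole second, run here over constructed packet samples. The dominance ratio and the payload-size cutoff are assumed values.

```python
"""Added example: heuristic classification of a one-second packet sample.

Illustrative code written for this article, not Flowtriq's classifier; the
article does not list Flowtriq's eight categories, so the labels below are
the example's own. Each packet is the kind of record a kernel-level counter
can see: source, protocol, ports, TCP flags and length. The classifier
judges the mixture over the whole second, because a single SYN or a single
DNS reply is normal and only their ratio is not. The dominance ratio, the
reflector port list and the payload-size cutoff are assumed values.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Pkt:
    src: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    flags: str = ""   # TCP flags as letters: "S" (SYN only), "SA", "PA", ...
    length: int = 60

# Source ports of the reflector services named in the article.
REFLECTORS = {53: "dns_amplification", 123: "ntp_amplification",
              11211: "memcached_reflection"}

def classify(sample: List[Pkt], dominance: float = 0.7) -> Tuple[str, Dict]:
    """Return (category, evidence) for the packets seen in one second."""
    n = len(sample)
    if n == 0:
        return "none", {}
    by_proto = Counter(p.proto for p in sample)
    syn_only = sum(1 for p in sample if p.proto == "tcp" and p.flags == "S")
    evidence = {
        "packets": n,
        "sources": len({p.src for p in sample}),   # spread of the source set
        "syn_ratio": round(syn_only / n, 2),
        "udp_ratio": round(by_proto["udp"] / n, 2),
        "icmp_ratio": round(by_proto["icmp"] / n, 2),
    }
    if evidence["syn_ratio"] >= dominance:
        return "syn_flood", evidence
    if evidence["udp_ratio"] >= dominance:
        udp = [p for p in sample if p.proto == "udp"]
        top_sport, count = Counter(p.sport for p in udp).most_common(1)[0]
        mean_len = sum(p.length for p in udp) / len(udp)
        evidence.update({"top_sport": top_sport, "mean_len": round(mean_len)})
        # Reflected traffic arrives from one fixed service port with large payloads;
        # a generic UDP flood has neither property.
        if top_sport in REFLECTORS and count / len(udp) >= dominance and mean_len > 400:
            return REFLECTORS[top_sport], evidence
        return "udp_flood", evidence
    if evidence["icmp_ratio"] >= dominance:
        return "icmp_flood", evidence
    return "none", evidence

def syn_flood_sample(n: int = 1000) -> List[Pkt]:
    """Constructed: bare SYNs from many spoofed sources to port 443."""
    return [Pkt(f"198.51.100.{i % 250}", "tcp", 1024 + i, 443, "S", 60) for i in range(n)]

def dns_amp_sample(n: int = 1000) -> List[Pkt]:
    """Constructed: large DNS responses from port 53 to random high ports."""
    return [Pkt(f"203.0.113.{i % 200}", "udp", 53, 40000 + i % 1000, "", 1400) for i in range(n)]

def normal_sample() -> List[Pkt]:
    """Constructed: a web server's ordinary second, mostly established HTTPS traffic."""
    pk = [Pkt(f"192.0.2.{i % 50}", "tcp", 50000 + i, 443, "PA", 900) for i in range(300)]
    pk += [Pkt(f"192.0.2.{i}", "tcp", 50000 + i, 443, "S", 60) for i in range(40)]
    pk += [Pkt("192.0.2.53", "udp", 53, 40000 + i, "", 120) for i in range(20)]
    return pk

if __name__ == "__main__":
    for name, s in (("syn", syn_flood_sample()), ("dns", dns_amp_sample()), ("normal", normal_sample())):
        print(name, classify(s))
```

The evidence dictionary is what an alert should carry along with the label: a SYN flood from two hundred sources and one from twenty thousand call for different firewall rules, and a reflection verdict is only trustworthy if the top source port and the payload size agree with it.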
Layer 3: Alerting
Your team needs to know about attacks through whatever channels they monitor. Email is too slow for critical incidents. Modern alerting supports:
- ChatOps: Slack, Discord, and Telegram messages for real-time team awareness
- Incident management: PagerDuty and OpsGenie for on-call rotation and escalation
- SMS: For critical alerts when team members are away from their desks
- Email: For detailed incident summaries and reports
- Webhooks: For custom integrations with your existing tools
- Monitoring platforms: Datadog integration for centralized observability
Flowtriq supports all of these channels. When an attack is detected, alerts fire simultaneously across every configured channel within one second.
Layer 4: Mitigation
Mitigation is the act of stopping or reducing the attack's impact. Several techniques exist, and the best approach depends on the attack type and volume:
Local firewall rules: For attacks your server can absorb at the network level, iptables or nftables rules drop malicious packets before they reach your application. This is the fastest mitigation method because it operates at the kernel level on your own server.
BGP FlowSpec: For attacks that threaten to saturate your network link, FlowSpec rules (RFC 8955) propagate to upstream routers and filter traffic before it reaches your network. A rule matches on header fields such as destination prefix, protocol, source or destination port, and TCP flags, so it can drop an amplification flood arriving from UDP source port 53 while leaving everything else untouched. This extends your mitigation boundary to your ISP's infrastructure, but only if your upstream accepts FlowSpec announcements from you, which has to be arranged in advance.
Remote Triggered Black Hole (RTBH): A last-resort technique that drops all traffic to a targeted IP at the router level, usually by announcing the address as a /32 tagged with a blackhole community that your upstream honors. You sacrifice one IP to protect the rest of your network; the attacker gets what they wanted against that address, so RTBH is acceptable only when the alternative is losing the whole link.
Cloud scrubbing: For massive volumetric attacks, cloud scrubbing services like Cloudflare Magic Transit absorb the flood in their globally distributed network. Traffic is inspected, cleaned, and forwarded to your origin.
Layer 5: Forensics
After an attack, you need to understand what happened. PCAP captures provide packet-level evidence. Incident reports document the timeline, attack characteristics, and mitigation actions taken. This data feeds into your security posture improvement cycle.
Flowtriq captures PCAP data automatically during every incident and provides AI-powered analysis that highlights the most important patterns. No need to manually run tcpdump during the heat of an attack.
Common DDoS Protection Approaches
CDN-Based Protection
Content Delivery Networks like Cloudflare and Fastly offer DDoS protection by proxying your web traffic through their edge network. This works well for HTTP/HTTPS workloads. Traffic flows through the CDN, which filters malicious requests before forwarding clean traffic to your origin server.
CDN protection is easy to set up (just change your DNS records) and often available on free tiers. The limitation is that it only covers traffic that passes through the CDN. If your origin IP is exposed, through historical DNS records, a subdomain that points straight at the server, or outgoing mail headers, attackers can bypass the CDN entirely. Lock the origin down by allowing ports 80 and 443 only from the CDN's published IP ranges, and treat the origin address as a secret.
Cloud Scrubbing
Cloud scrubbing services provide upstream protection by routing your traffic through their scrubbing infrastructure via BGP: the provider announces your prefixes (you generally need to own at least a /24 for that) so the whole Internet sends traffic to them first, and clean traffic is returned to you over a GRE tunnel or a direct connection. Their networks are built with far more capacity than any single customer's link, so they absorb floods that would saturate your own. Services like Akamai Prolexic and Cloudflare Magic Transit fall into this category.
Cloud scrubbing excels at volumetric absorption but costs significantly more than other approaches, typically $3,000-$10,000+ per month. It also introduces latency and provides limited visibility into what happens on your actual servers.
On-Premise Appliances
Hardware appliances from vendors like Radware and NETSCOUT sit inline at your network perimeter. They inspect traffic at line rate using specialized hardware and can mitigate attacks without sending your traffic to a third party.
Appliances offer very low latency but require significant capital investment ($50,000+) and can only handle attacks smaller than your upstream bandwidth.
Host-Level Detection and Mitigation
This is the approach Flowtriq takes. A lightweight agent on each server monitors traffic at the kernel level, detects attacks within one second, classifies them automatically, captures forensic evidence, and triggers mitigation actions. This provides the most granular visibility and fastest detection of any approach.
Host-level detection works for attacks of any type at any layer. The only limitation is that the server's network link must be able to handle the traffic volume for local mitigation to work. For attacks that exceed your bandwidth, Flowtriq can automatically escalate to BGP FlowSpec or cloud scrubbing.
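As an added example of the escalation this paragraph describes (illustrative code, not Flowtriq's auto-mitigation logic), the decision below applies the tiers from the mitigation section: an nftables rule while the attack fits inside the link, a FlowSpec rule upstream when it would saturate the link, and RTBH only when nothing narrower exists. The FlowSpec and RTBH lines are in ExaBGP's text syntax as an assumed target; link capacity, headroom, SYN rate limit, next hop and blackhole community are assumed inputs.

```python
"""Added example: picking a mitigation tier and emitting the rule for it.

Illustrative code written for this article; it is not Flowtriq's
auto-mitigation and not a vendor's API. The tiers follow the article: drop
locally with nftables while the attack fits inside the link, push a BGP
FlowSpec rule upstream when it would saturate the link, and fall back to
RTBH (blackholing the target address) when no narrower upstream match
exists. The FlowSpec and RTBH lines use ExaBGP's text syntax as an assumed
target; adapt them to your router or BGP speaker. Link capacity, the
headroom factor, the SYN rate limit, the next hop and the blackhole
community are assumed inputs.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Attack:
    category: str        # e.g. "syn_flood", "dns_amplification", "udp_flood"
    target_ip: str       # attacked address on this host
    bps: float           # measured inbound bits per second
    dport: int = 0       # attacked service port, 0 if unknown

# Source port that identifies each reflection category from the article's list.
REFLECTOR_PORT = {"dns_amplification": 53, "ntp_amplification": 123,
                  "memcached_reflection": 11211}

def nft_rule(attack: Attack, syn_rate: str = "1000/second") -> Optional[str]:
    """Local tier: one nftables rule for the inet filter input chain, or None."""
    dst = f"add rule inet filter input ip daddr {attack.target_ip}"
    if attack.category == "syn_flood":
        # Rate-limit new SYNs to the attacked port; SYN cookies (net.ipv4.tcp_syncookies=1)
        # handle what gets through without keeping per-connection state.
        port = f" tcp dport {attack.dport}" if attack.dport else ""
        return f"{dst}{port} tcp flags & (syn|ack) == syn limit rate over {syn_rate} drop"
    if attack.category in REFLECTOR_PORT:
        # A server that is not itself a DNS/NTP/memcached client never needs unsolicited
        # replies from these source ports, so dropping them costs nothing legitimate.
        return f"{dst} udp sport {REFLECTOR_PORT[attack.category]} drop"
    if attack.category == "udp_flood" and attack.dport:
        return f"{dst} udp dport {attack.dport} drop"
    return None          # nothing narrow enough to express as a packet filter

def flowspec_rule(attack: Attack) -> Optional[str]:
    """Upstream tier: an ExaBGP-style FlowSpec announcement (assumed syntax), or None."""
    if attack.category in REFLECTOR_PORT:
        match = f"protocol udp; source-port ={REFLECTOR_PORT[attack.category]};"
    elif attack.category == "syn_flood":
        port = f" destination-port ={attack.dport};" if attack.dport else ""
        match = f"protocol tcp;{port} tcp-flags [ syn ];"
    elif attack.category == "udp_flood" and attack.dport:
        match = f"protocol udp; destination-port ={attack.dport};"
    else:
        return None
    return (f"announce flow route {{ match {{ destination {attack.target_ip}/32; {match} }} "
            f"then {{ discard; }} }}")

def rtbh_announcement(attack: Attack, next_hop: str = "192.0.2.1",
                      community: str = "65000:666") -> str:
    """Last resort: announce the /32 tagged with the upstream's blackhole community (assumed)."""
    return f"announce route {attack.target_ip}/32 next-hop {next_hop} community [{community}]"

def choose_mitigation(attack: Attack, link_bps: float,
                      headroom: float = 0.8) -> Tuple[str, Optional[str]]:
    """Escalate: local while the attack leaves headroom on the link, FlowSpec once the
    link would saturate, RTBH only when no narrow upstream match exists."""
    if attack.bps < link_bps * headroom:
        rule = nft_rule(attack)
        # Below link capacity with no narrow match: the host absorbs it, alert only.
        return ("local", rule) if rule else ("absorb", None)
    rule = flowspec_rule(attack)
    if rule:
        return "flowspec", rule
    return "rtbh", rtbh_announcement(attack)

if __name__ == "__main__":
    for bps in (2e9, 40e9):
        print(choose_mitigation(Attack("dns_amplification", "203.0.113.10", bps), link_bps=10e9))
```

Two design points are worth copying: the local rule is always the narrowest match the classification supports (a reflector source port, or SYNs to one port), never a blanket drop, and a sub-link attack with no narrow match is absorbed and alerted rather than blackholed, because RTBH completes the attacker's job for them.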
What Makes Good DDoS Protection?
When evaluating DDoS protection solutions, focus on these characteristics:
- Detection speed: How fast does the system identify an attack? Every second of delay is a second of impact.
- Automatic classification: Does the system tell you what type of attack is happening, or do you have to figure it out yourself?
- Multi-channel alerting: Does it notify your team through the channels they actually use?
- Automated response: Can it apply mitigation without human intervention?
- Escalation capability: Can it escalate from local mitigation to upstream protection when needed?
- Forensic evidence: Does it capture data for post-incident analysis?
- Transparent pricing: Can you predict your monthly cost?
Dynamic Baselines vs. Static Thresholds
Many basic monitoring tools use static thresholds: "alert when PPS exceeds 50,000." This approach generates false positives during legitimate traffic spikes (like a product launch) and misses attacks on servers with normally low traffic.
Dynamic baselines solve this problem. The system learns what normal traffic looks like for each server and adjusts its detection thresholds automatically. A server that normally handles 1,000 PPS will trigger an alert at 5,000 PPS, while a server that normally handles 50,000 PPS will not. Two details matter for a baseline to work: it must be learned per server and per metric, and it must stop updating while an alert is active, otherwise a slow-building attack teaches the detector that flood-level traffic is normal. Flowtriq uses dynamic baselines on every monitored node, which dramatically reduces false positives while catching real attacks faster.
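Here is an added example, written for this guide and not Flowtriq's detector, that runs both approaches over constructed per-second PPS series, the kind of one-second samples the detection layer described earlier relies on. The smoothing factor, deviation multiplier, warm-up period and traffic numbers are assumed values. Two cases are simulated: a quiet server hit by a modest flood that a 50,000 PPS static limit never notices, and a busy server whose launch traffic ramps up over a minute, tripping the static limit while the baseline follows the ramp.

```python
"""Added example: per-second PPS detection against a dynamic baseline.

Illustrative code written for this article, not Flowtriq's detector. It takes
one packets-per-second reading per second, which is what you get by sampling
a kernel counter such as rx_packets in /proc/net/dev every second, and
compares a static threshold with a baseline that learns each server's mean
and spread (an exponentially weighted moving average and variance). The
baseline is frozen while an alert is active so the attack itself cannot
teach the detector that flood-level traffic is normal. The smoothing factor,
the deviation multiplier, the warm-up period and the traffic series are all
assumed values.
"""
import math

class StaticThreshold:
    """Alert whenever PPS exceeds one fixed number."""
    def __init__(self, pps_limit):
        self.pps_limit = pps_limit

    def observe(self, pps):
        return pps > self.pps_limit

class DynamicBaseline:
    """Alert when PPS exceeds the learned mean by more than k deviations."""
    def __init__(self, alpha=0.05, k=4.0, min_pps=500, warmup=30):
        self.alpha, self.k, self.min_pps, self.warmup = alpha, k, min_pps, warmup
        self.mean = None
        self.var = 0.0
        self.seen = 0

    def threshold(self):
        # Mean plus k deviations, with a floor so jitter on an idle server never alerts.
        return max(self.min_pps, self.mean + self.k * math.sqrt(self.var))

    def observe(self, pps):
        self.seen += 1
        if self.mean is None:
            self.mean = float(pps)
            return False
        alerting = self.seen > self.warmup and pps > self.threshold()
        if not alerting:
            # EWMA update of mean and variance, applied to normal readings only.
            delta = pps - self.mean
            self.mean += self.alpha * delta
            self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)
        return alerting

def first_alert(detector, series):
    """Return the 1-based second at which the detector first alerts, or None."""
    for second, pps in enumerate(series, 1):
        if detector.observe(pps):
            return second
    return None

def constructed_series(normal_pps, jitter, event_pps, start=120, ramp=0, length=240):
    """Constructed traffic: steady load with deterministic +/- jitter, then a change to
    event_pps, either as an instant step (ramp=0) or a linear ramp over `ramp` seconds."""
    series = []
    for t in range(length):
        if t < start:
            base = normal_pps
        elif ramp and t < start + ramp:
            base = normal_pps + (event_pps - normal_pps) * (t - start) // ramp
        else:
            base = event_pps
        series.append(base + jitter * ((t * 7919) % 11 - 5) // 5)
    return series

if __name__ == "__main__":
    # Low-traffic server hit by an 8,000 PPS flood: a 50,000 PPS static limit never fires.
    quiet = constructed_series(1000, 100, 8000)
    print(first_alert(StaticThreshold(50000), quiet), first_alert(DynamicBaseline(), quiet))
    # Busy server whose product launch ramps 40,000 -> 60,000 PPS over a minute:
    # the static limit fires on legitimate traffic, the baseline follows the ramp.
    launch = constructed_series(40000, 2000, 60000, ramp=60)
    print(first_alert(StaticThreshold(50000), launch), first_alert(DynamicBaseline(), launch))
```

On the quiet server the baseline alerts on the very first second of the flood, because 8,000 PPS is far outside the learned spread around 1,000; on the busy server the gradual ramp raises both the mean and the variance, so the threshold climbs with the traffic and never fires. A sudden step to the same 60,000 PPS would alert, which is the intended behaviour: the baseline tells you a change is abrupt, and classification tells you whether it is hostile.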
Why Most Organizations Need Multiple Layers
No single protection approach covers every scenario. CDN protection misses direct-to-IP attacks. Cloud scrubbing introduces latency and cost. Hardware appliances cannot handle attacks larger than your pipe. Host-level agents cannot stop bandwidth saturation at the network level.
The most resilient architectures combine at least two layers. A practical starting point for most organizations:
- Deploy host-level detection and mitigation on every server (Flowtriq)
- Use CDN protection for web-facing services (Cloudflare free/pro tier)
- Configure Flowtriq auto-mitigation to escalate to BGP FlowSpec when local mitigation is insufficient
- Add cloud scrubbing only if you face regular large-scale volumetric attacks
This approach gives you instant detection, automatic response, and upstream escalation, all without the five-figure monthly cost of enterprise scrubbing services.
DDoS Protection That Starts in 5 Minutes
Flowtriq deploys a lightweight agent on each node for 1-second detection, automatic classification, multi-channel alerts, PCAP forensics, and auto-mitigation with escalation. Plans start at $9.99/node/month with a free 7-day trial.
Start your free 7-day trial →