Advanced methods of protection against DDoS attacks in companies

Learn how to build a multi-layered defense strategy to effectively protect your business from evolving DDoS threats in 2025.

Author: Paweł Drzewiecki

Protection against DDoS does not end with simple traffic filtering. In 2025, companies must implement multi-layered strategies, integrate security systems, and monitor every data packet. Here’s how to do it effectively.

Why traditional DDoS protection is no longer enough

A dozen or so years ago, DDoS protection came down to simple mechanisms: blocking traffic from a single IP address, applying basic firewall rules, or limiting the number of connections (rate limiting). For the attacks of that time – usually carried out from single computers or small botnets – such an approach was in many cases sufficient.

In 2025, however, the situation looks completely different. Attacks are:

  • much larger in volume – record-breaking campaigns reach terabits per second (e.g. the 2.54 Tb/s attack reported by Google in 2021 and the 201 million requests per second attack mitigated by Cloudflare in 2023),
  • more sophisticated – multi-vector attacks dominate, combining packet flooding, amplification, and application attacks,
  • harder to detect – attack traffic often looks like legitimate HTTP/HTTPS requests, making it difficult to distinguish from real users,
  • automated – botnets based on IoT devices and vulnerable network equipment (e.g. MikroTik, Memcached) allow attackers to launch campaigns in minutes.

That is why traditional solutions – such as just a firewall or simple ACLs – are not able to stop modern DDoS. Effective protection requires a multi-layered architecture and integration with advanced analytical tools.

How to build a multi-layered defense architecture

Effective protection against DDoS attacks requires a “defense in depth” architecture – several complementary layers of security. A single solution, such as a firewall or IPS, does not provide sufficient protection in the case of attacks carried out simultaneously at the network infrastructure level, the application level, and using amplification techniques.

Key protection layers

1. Monitoring and traffic analysis

  • Creating a baseline of normal traffic in the organization.
  • Detecting deviations in real time (NetFlow, IPFIX, sFlow).
  • Automatic alerts and integration with SIEM/NDR systems.

2. Filtering and access control

  • ACLs and firewall rules limiting known attack sources.
  • Rate limiting to reduce the number of requests from a single source.
  • FlowSpec/blackholing at the operator level to block traffic before it reaches the victim’s network.

3. Service distribution

  • CDN – storing content in multiple locations, which shortens response time and distributes traffic.
  • Anycast – the same IP address announced globally, directing the user to the nearest server.

4. Advanced mitigation mechanisms

  • Scrubbing centers – taking over traffic, filtering it, and returning it “clean.”
  • Mechanisms of automatic detection and response (e.g. dynamic route switching).

5. Response plan and SOC integration

  • Clear division of roles between SOC, NOC, and IT teams.
  • Internal and external communication procedures.
  • Regular tests and simulation exercises.

The greatest effectiveness is ensured by combining local and cloud solutions. Local systems detect and filter traffic at the entry point, while in the case of very large-volume attacks, external scrubbing centers take over.

Rapid incident response – what to do step by step

When a DDoS attack occurs, the most important factors are speed of action and a clear division of responsibilities. Organizations that have prepared a response plan in advance are able to minimize service downtime and reduce financial and reputational losses.

The first stage is detection and confirmation of the incident. Before starting the response procedure, you need to make sure that the problems do not result from an infrastructure failure or a sudden increase in the popularity of the service. Analysis of logs, NetFlow data, or alerts from SIEM/NDR allows you to quickly distinguish a technical failure from a volumetric or application-layer attack.

Once the incident is confirmed, it is necessary to identify the attack vector – whether we are dealing with flooding, amplification, or an application attack at layer 7. This knowledge determines the choice of subsequent actions.

At this stage, the basic defense mechanisms are activated – traffic filtering using ACLs, limiting the number of requests (rate limiting), and, in agreement with the telecommunications operator, implementing FlowSpec or blackholing. These are temporary measures that buy administrators time to implement more advanced methods.

In parallel with technical actions, you should contact the service provider (ISP/hosting). The operator can implement mechanisms unavailable from the client’s infrastructure, such as redirecting traffic to a scrubbing center.

An important step is also to report the incident to the appropriate institutions. In the European Union, operators of essential services are obliged to report serious incidents in accordance with the NIS2 directive. In the United States, you should notify CISA (Cybersecurity and Infrastructure Security Agency) or, in the case of major attacks, federal authorities such as the FBI.

Communication cannot be overlooked – both internal (management, SOC/NOC, business units) and external (customers, media). A clear and consistent message reduces reputational risk and minimizes informational chaos.

The final stage is post-incident analysis and documentation. Collecting logs, traffic samples, and monitoring reports not only supports the investigation but also improves response procedures in the future.

Summary – step-by-step playbook

  • Detection and confirmation of the incident
  • Identification of attack vectors
  • Activation of basic protections
  • Contact with ISP / activation of scrubbing
  • Reporting the incident to CERT and law enforcement
  • Internal and external communication
  • Escalation to external providers
  • Analysis and documentation


How to monitor the network so as not to miss an attack?

Effective protection against DDoS starts with early detection. An attack whose symptoms are noticed only by users (e.g. website or application unavailability) may have already caused serious damage. That is why it is crucial to implement tools that allow monitoring traffic in real time and detecting anomalies before they paralyze the infrastructure.

Tools and monitoring methods

NetFlow / IPFIX / sFlow

Network flow data enables analysis of the sources, directions, and volume of traffic. Flow records make it possible to catch a sudden increase in the number of packets, or unusual protocols that appear only during an attack.

Traffic baseline

The system compares current traffic with the historical “normal” level in the organization. When the differences are significant (e.g. a sudden jump from 1 Gb/s to 20 Gb/s in a few minutes), an alert is generated.

SIEM systems (Security Information and Event Management)

SIEM systems collect logs from multiple sources (firewalls, servers, applications) and correlate events. This way they detect patterns of distributed attacks that are hard to spot when analyzing single systems.

NDR (Network Detection & Response)

NDR systems analyze traffic in search of unusual patterns, using behavioral analysis mechanisms and often machine learning. They make it possible to distinguish a DDoS attack from a natural increase in service popularity.

Alerting and automated response

Monitoring systems should not only detect anomalies but also automatically notify administrators and, if necessary, trigger mechanisms that limit traffic (e.g. dynamic firewall rules).

The greatest value comes from combining network flow monitoring with advanced real-time analytics. This enables rapid anomaly detection and reduces response time to a minimum.
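To make the detection steps concrete (the baseline comparison from this monitoring section, and confirming the incident and identifying the vector from the response procedure above), here is an added Python example that is not part of the original article: it runs over constructed NetFlow-style records, flags a minute whose volume jumps far above the baseline, and names the dominant vector from the protocol and source-port distribution. The flow records, thresholds and reflector-port table are assumptions made for the example.

```python
"""Flow-based DDoS detection: baseline comparison + vector classification.
All flow records below are constructed for this example, not real traffic."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    minute: int      # collection interval index
    proto: str       # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_port: int
    nbytes: int


# UDP services commonly abused as reflectors (assumed table); a flood arriving
# FROM these source ports is the signature of an amplification attack.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


def sample_flows():
    """Constructed data: five quiet minutes of HTTPS, then a UDP reflection flood."""
    flows = []
    for m in range(5):                 # baseline: 1 GB per minute to port 443
        for i in range(4):
            flows.append(Flow(m, "TCP", f"203.0.113.{i + 10}", 50000 + i, 443, 250_000_000))
    for i in range(40):                # minute 5: 20x the volume, from NTP/memcached ports
        flows.append(Flow(5, "UDP", f"198.51.100.{i + 1}", 11211 if i % 2 else 123, 40000 + i, 500_000_000))
    return flows


def detect(flows, baseline_minutes, minute, sigma=3.0, ratio=5.0):
    """Flag `minute` only if it exceeds BOTH mean + sigma*stdev and ratio*mean.
    The ratio guard stops a flat baseline (stdev ~0) from alerting on tiny blips."""
    totals = Counter()
    for f in flows:
        totals[f.minute] += f.nbytes
    base = [totals.get(m, 0) for m in baseline_minutes]
    mu, sd, cur = mean(base), pstdev(base), totals.get(minute, 0)
    return {"minute": minute, "baseline_bytes": mu, "current_bytes": cur,
            "multiple": round(cur / mu, 1) if mu else None,
            "anomalous": cur > mu + sigma * sd and cur > ratio * mu}


def classify_vector(flows, minute):
    """Name the dominant vector so the right control (ACL, FlowSpec, scrubbing, L7 inspection) is chosen."""
    window = [f for f in flows if f.minute == minute]
    total = sum(f.nbytes for f in window) or 1
    udp = [f for f in window if f.proto == "UDP"]
    reflectors = Counter(REFLECTOR_PORTS[f.src_port] for f in udp if f.src_port in REFLECTOR_PORTS)
    sources = len({f.src_ip for f in window})
    if sum(f.nbytes for f in udp) / total > 0.8 and reflectors:
        return {"vector": "udp-amplification", "reflectors": dict(reflectors), "sources": sources}
    if all(f.dst_port in (80, 443) for f in window):   # looks like web traffic: check L7 logs, flood vs flash crowd
        return {"vector": "tcp-web", "reflectors": {}, "sources": sources}
    return {"vector": "generic-flood", "reflectors": {}, "sources": sources}
```

A real deployment would feed exported NetFlow/IPFIX records into the same two functions per collection interval and forward the result to the SIEM/NDR alert pipeline.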

Cloud services vs on-premises solutions – what to choose?

There is no single answer to the question of whether it is better to protect against DDoS using cloud services or local systems. Each approach has its strengths and weaknesses. In practice, companies increasingly choose hybrid protection models, combining local detection mechanisms with cloud scrubbing centers.

Comparison of solutions

Columns compared: cloud services (Cloudflare, Akamai, AWS Shield) vs on-premises solutions (appliance, firewalls, IPS).

Scalability
  • Cloud: practically unlimited – global infrastructure.
  • On-premises: limited by hardware and bandwidth capacity.

Initial costs
  • Cloud: low (subscription model).
  • On-premises: high – purchase of devices/appliances.

Deployment time
  • Cloud: very fast, often “as a service”.
  • On-premises: longer – installation, configuration, testing.

Data control
  • Cloud: data passes through external infrastructure.
  • On-premises: data stays within the company’s network.

Effectiveness against large Tb/s attacks
  • Cloud: very high – scrubbing centers handle massive traffic.
  • On-premises: low – local infrastructure can be overloaded.

Customization to company specifics
  • Cloud: limited to the provider’s configuration options.
  • On-premises: very high – full control over security policies.

Legal support and regulatory compliance
  • Cloud: may require compliance verification (GDPR, HIPAA, FINMA).
  • On-premises: easier control of compliance with local regulations.


Description and conclusions

  • The cloud works best for organizations exposed to very large volumetric attacks that local infrastructure would not be able to handle. Thanks to global scrubbing centers, providers such as Cloudflare or Akamai can filter terabits of traffic in real time.
  • On-premises solutions provide greater control, especially in organizations with specific regulatory requirements or where data flows cannot leave the infrastructure (e.g. the public sector, some financial institutions).
  • The hybrid model is increasingly popular – local systems serve as the first line of defense, and in the case of massive attacks, traffic is redirected to the cloud.

Case study examples

Case study 1: e-commerce sector (cloud)
An international online store implemented DDoS protection in a cloud model (Cloudflare). Thanks to this, during Black Friday, it managed to neutralize an HTTP flood attack of over 100 million requests per second without noticeable sales interruptions. The store’s local infrastructure would not have been able to handle such a traffic volume.

Case study 2: financial institution (on-prem + hybrid)
A European bank implemented a DDoS appliance integrated with a SIEM system. Local solutions allow meeting regulatory requirements for data protection and provide full control over security policies. At the same time, the bank has an agreement with a telecom operator, which, in the case of a massive attack, takes over traffic in a scrubbing center.

Key performance indicators of DDoS protection

Implementing protective tools is only the first step. To know whether the system actually fulfills its role, the organization must measure the effectiveness of its defense. The key indicators show not only the response time of IT teams but also the real impact of the incident on the business and users.

The most important element is time – from the moment the attack begins to the moment it is fully neutralized. In practice, it is measured in three stages. The first is MTTD (Mean Time to Detect), i.e. the average time needed to detect an incident. The second is MTTR (Mean Time to Respond), indicating how quickly the team can implement defensive measures. The last is the time to full mitigation, which shows how long it takes to restore services to full functionality. High values at any of these stages mean greater business losses.

The second key area is defense effectiveness. Organizations analyze what percentage of attacks was neutralized without noticeable consequences for users, as well as how many false alarms were generated by detection systems. Too many so-called false positives lead to a situation where real customers are blocked – which can be just as costly as the attack itself.

Service availability is no less important. The uptime indicator, measured in percentages, shows how long systems operated without disruption. In industries such as banking or SaaS, the standard is 99.99% – every minute of downtime translates into lost revenue and reduced trust.

Finally, DDoS protection must also be assessed from a financial perspective. Organizations increasingly calculate the cost of downtime (lost transactions, IT staff hours, external support) and compare it with the cost of maintaining security measures. This comparison makes it possible to show management that investment in protection tools is not an expense but a way to minimize losses.

Key metrics at a glance

MTTD (Mean Time to Detect – average detection time)

  • Determines how much time passes from the start of the attack until it is detected.
  • Short MTTD = greater chances of effective defense.
  • High MTTD means that users notice the effects of the attack faster than the monitoring system.

MTTR (Mean Time to Respond – average response time)

  • Time from attack detection to implementation of effective defensive actions.
  • The best SOC/NOC teams measure MTTR in minutes.
  • High values indicate a lack of procedures or ineffective automation.

TTM (Time to Mitigate – time to full mitigation)

  • How long it takes to restore services to full availability.
  • A key business indicator – it determines downtime duration.

% of neutralized attacks

  • Share of attacks successfully repelled without noticeable impact on services.
  • Often reported in SLA by protection service providers.

Service availability (Service Uptime)

  • Measured as a percentage of availability on a monthly/yearly basis.
  • In critical industries (banking, SaaS) the standard is 99.99%.
  • Every minute of downtime = tangible financial and reputational losses.

Number of false alarms (False Positives)

  • DDoS attacks can be difficult to distinguish from legitimate traffic (e.g. sudden increase during a marketing campaign).
  • Too many false positives lead to unnecessary customer blocking and business damage.

Cost of attack and cost of defense

  • Estimating financial losses (lost transactions, downtime costs, IT staff hours).
  • Comparison with the cost of maintaining protection systems – helps justify ROI of security investments.

How to interpret the indicators?

  • Low MTTD and MTTR → the organization can react quickly, but if uptime drops below SLA, protection still needs strengthening.
  • High % of neutralization and low false positive rate → proof that protection solutions are not only effective but also precise.
  • Monitoring costs → helps convince management that investment in protection is cheaper than potential losses.

How does this look in practice?

An example may be a SaaS company that recorded three major attacks in a quarter. The average detection time was 2 minutes, and the average response time – 7 minutes. As a result, annual uptime remained at 99.995%, which meant only several minutes of service unavailability. Thanks to monitoring the metrics, the company was able to demonstrate to clients that it met SLA requirements and ensured continuity of operations even in the face of intensive DDoS campaigns.
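As an added example (not from the article), the KPI definitions above and the SaaS case can be turned into a small Python calculator: it derives MTTD, MTTR, TTM, the neutralization and false-positive rates and uptime from constructed incident records, converts an SLA target into a downtime budget, and applies the interpretation rules from the “How to interpret the indicators?” list. Incident timestamps, alert counts and thresholds are assumed values.

```python
"""DDoS protection KPIs computed from constructed incident records (assumed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Incident:
    started: datetime     # first attack traffic (from flow data / post-incident analysis)
    detected: datetime    # alert raised
    responded: datetime   # first defensive action applied (ACL, rate limit, FlowSpec)
    mitigated: datetime   # service fully restored
    user_impact: bool     # did users notice degradation?


def sample_incidents():
    """Three constructed attacks in one quarter: offsets are minutes after start."""
    def mk(start, det, resp, mit, impact):
        return Incident(start, start + timedelta(minutes=det), start + timedelta(minutes=resp),
                        start + timedelta(minutes=mit), impact)
    t0 = datetime(2025, 3, 1, 10, 0)
    return [mk(t0, 1, 7, 12, False),
            mk(t0 + timedelta(days=10), 2, 10, 12, True),
            mk(t0 + timedelta(days=40), 3, 10, 15, False)]


def _mean_minutes(pairs):
    pairs = list(pairs)
    return sum((b - a).total_seconds() for a, b in pairs) / 60 / len(pairs)


def kpis(incidents, false_alerts, total_alerts, period_minutes):
    """MTTD, MTTR and TTM in minutes, neutralization and false-positive rates, uptime %."""
    mttd = _mean_minutes((i.started, i.detected) for i in incidents)
    mttr = _mean_minutes((i.detected, i.responded) for i in incidents)
    ttm = _mean_minutes((i.started, i.mitigated) for i in incidents)
    neutralized = sum(not i.user_impact for i in incidents) / len(incidents)
    # Only incidents that users noticed count as downtime; fully absorbed attacks do not.
    downtime = sum((i.mitigated - i.started).total_seconds() / 60 for i in incidents if i.user_impact)
    return {"mttd_min": round(mttd, 1), "mttr_min": round(mttr, 1), "ttm_min": round(ttm, 1),
            "neutralized_pct": round(100 * neutralized, 1),
            "false_positive_pct": round(100 * false_alerts / total_alerts, 1),
            "uptime_pct": round(100 * (1 - downtime / period_minutes), 3)}


def downtime_budget_minutes(uptime_target_pct, period_minutes):
    """Downtime an SLA target allows, e.g. 99.99% over a year is about 52.6 minutes."""
    return round(period_minutes * (1 - uptime_target_pct / 100), 2)


def evaluate(k, sla_uptime_pct=99.99, max_mttd=5.0, max_fp_pct=5.0):
    """Fast detection alone is not enough: uptime below SLA or many false positives still fail."""
    findings = []
    if k["mttd_min"] > max_mttd:
        findings.append("slow detection: tune baselines and alerting")
    if k["uptime_pct"] < sla_uptime_pct:
        findings.append("uptime below SLA: strengthen mitigation")
    if k["false_positive_pct"] > max_fp_pct:
        findings.append("too many false positives: legitimate customers are being blocked")
    return findings or ["within targets"]
```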

Summary

DDoS protection is no longer limited to simple traffic filtering. Effectiveness requires combining many elements: from monitoring and flow analysis, through service distribution and the use of scrubbing centers, to a prepared response plan and systematic testing. Only such an approach makes it possible to reduce the risk of prolonged downtime and business losses.

Companies that consciously monitor protection effectiveness indicators – such as detection and response time, service availability, or the number of false alarms – gain a competitive advantage. They can not only neutralize attacks faster but also demonstrate to clients and regulators that their infrastructure meets the highest security standards.

It is worth remembering that DDoS is a dynamic and constantly evolving threat. Therefore, the best strategy remains a proactive approach – investing in multi-layered solutions and building a security culture where incident response is not improvisation but a repeatable process.

Do you want to better understand what DDoS attacks are, what forms they take, and why they pose such a serious threat? Check out the main article: What is a DDoS attack and how to defend against it in 2025

FAQ

Why is traditional DDoS protection no longer enough?

Traditional DDoS protection is insufficient in 2025 due to the increased volume and sophistication of attacks, which now reach terabits per second and include multi-vector techniques that are harder to detect. Modern DDoS attacks are often automated and resemble legitimate traffic.

How can organizations build a multi-layered defense architecture for DDoS protection?

Organizations should adopt a 'defense in depth' strategy with multiple layers: monitoring and traffic analysis, filtering and access control, service distribution, advanced mitigation mechanisms, and a response plan with SOC integration.

What are the key performance indicators of DDoS protection?

Key performance indicators include Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), Time to Mitigation (TTM), percentage of neutralized attacks, service availability, number of false positives, and cost comparisons between attack impacts and protection expenses.

What are the advantages of cloud services compared to on-premises solutions for DDoS protection?

Cloud services offer practically unlimited scalability and effectiveness against large-scale attacks due to global scrubbing centers. They typically have lower initial costs and faster deployment times. However, on-premises solutions offer higher data control and customization according to company-specific needs.

How can organizations effectively monitor their network to detect DDoS attacks?

Effective monitoring involves using tools like NetFlow, IPFIX, sFlow, SIEM systems, and NDR. These tools help detect traffic anomalies and correlate events across different systems. Automated alerts and a baseline of normal traffic improve the chances of early detection and response.
