A 7.3 Tbps flood is not an edge case anymore. As of 2025, attacks at multi-terabit scale and HTTP floods above 1M rps are showing up often enough that enterprise DDoS protection can no longer be designed as a single appliance, a fail-open scrubbing contract, or a CDN checkbox. What fails first is usually not bandwidth. It is state: SYN backlogs, conntrack tables, TLS handshakes, request queues, CPU schedulers, autoscaling control loops, and the humans trying to separate a flash crowd from a deliberate burn attack.
The naive enterprise pattern is still common: internet edge, firewall pair, ADC or ingress tier, then app. It looks redundant on paper and it survives normal bursts. Under real attack pressure, the flat design couples every expensive operation to every incoming packet or request. The attack does not need to saturate the line. It only needs to force the stack to allocate memory, open per-flow state, terminate TLS, or dispatch enough application work that latency collapses before packet loss becomes obvious.
That is why good enterprise DDoS mitigation is mostly about staged resource commitment. Cheap tests first. Stateful work later. Origin work last. If the design does not enforce that progression, the defender ends up doing more work per unit of attacker effort than the attacker does.
The IETF has been making this point for years in different forms. RFC 4732 frames denial of service as an architectural problem, not just a filtering problem. RFC 4987 is even more practical: for SYN floods, simply increasing backlog sizes is not a durable defense by itself because it only stretches the time to failure. That same lesson generalizes cleanly to modern enterprise DDoS protection architecture. Bigger queues help. Better admission control helps more.
By 2025 Q2, publicly reported attacks reached 7.3 Tbps and 4.8 Bpps, while 6 out of every 100 HTTP DDoS attacks in that dataset exceeded 1M rps. Even if most attacks remain small, the design target for enterprise DDoS protection has to include rare but business-ending bursts, because those are precisely the events that expose architectural coupling.
The more interesting metric is not peak Tbps. It is the ratio between packets or requests admitted to expensive layers and the amount discarded in cheap layers. In healthy designs, the discard ratio is overwhelmingly front-loaded: stateless filters, network ACLs, SYN defense, protocol sanity checks, bot and rate classifiers, cache eligibility checks, and challenge gates all fire before origin admission becomes significant.
The HTTP/2 Rapid Reset episode made this painfully clear. Google publicly described mitigation of an attack above 398 million requests per second. The important engineering lesson was not the record number. It was that stream churn and reset behavior let attackers force disproportionate work in implementations that looked safe when measured only by concurrent stream limits. If your layer 7 DDoS protection assumes the bottleneck is active request concurrency rather than request creation rate and cancellation rate, your mental model is already behind.
For enterprise applications, the symptom pattern is usually p95 and p99 latency stepping up long before edge bandwidth peaks. First come elevated TLS handshake time, request queue depth, and worker saturation. Then retries amplify load. Then autoscaling adds cold capacity too late or in the wrong tier. When teams say, "the network looked fine but the service died," that is almost always a state exhaustion story.
There is no universal threshold, but several operational rules of thumb hold up well:
The architecture that holds up best in enterprise environments is multi-layer, asymmetric, and explicit about where state is allowed to accumulate. Not every enterprise needs every layer, but the sequencing matters.
Use five control planes, each with a distinct job:
The key is that each plane should be able to fail usefully. If the protocol normalization layer is saturated, the network admission layer should still protect links and routers. If origin isolation is under pressure, the request economics plane should shed work before cache misses multiply into backend fan-out.
| Model | Best fit | Strength | Weakness |
|---|---|---|---|
| Always-on | Internet-facing apps, APIs, login flows, media, gaming, low-latency edge delivery | No diversion lag, consistent policy, easier observability, better for layer 7 DDoS protection | Requires disciplined baseline tuning and false-positive management |
| On-demand diversion | Large private address space, non-HTTP services, cost-sensitive legacy footprints | Can reduce steady-state operational surface | Detection and diversion lag, runbook complexity, often weaker against short-burst attacks |
| Hybrid | Enterprises with public apps plus private WAN or data center exposure | Always-on for app edge, on-demand for network domains where economics favor it | Policy drift between planes is a real risk |
For most enterprises with revenue-bearing public applications, always-on wins. Short-burst attacks, especially at layer 7, often complete before people decide whether to trigger diversion. The best DDoS mitigation architecture for hybrid cloud is usually not one global mode. It is a split: always-on at internet application ingress, selective diversion or upstream controls for lower-level network segments.
A practical enterprise DDoS protection architecture looks like this in flow order:
This is the easiest environment to overestimate. Autoscaling gives a false sense of elasticity because it reacts on the wrong timescale for burst attacks. If the attack can create load in under a minute and your useful capacity shows up in three to seven minutes, the scaling system is part of the failure path. Use small fixed warm pools, hard queue budgets, and aggressive cache collapse before trusting scale-out.
This is where many enterprise DDoS mitigation architecture failures hide. The cloud edge may be fine, but private MPLS, Direct Connect equivalents, VPN concentrators, or legacy firewalls become the narrow waist. Keep internet-originated traffic away from shared enterprise middleboxes whenever possible. If the app can be fronted separately from the corporate network edge, do it. The cleanest design is usually distinct routing, distinct policy, and distinct observability for public application ingress.
Multi-region is useful only if failure domains are really independent. If all regions depend on the same identity provider, same shared database bottleneck, or same control plane for policy rollout, the DDoS blast radius still centralizes. In practice, many active-active designs degrade into globally distributed front doors feeding a single logical origin choke point.
Good enterprise DDoS protection is built from boring controls that interact well. The hard part is composing them without creating self-inflicted latency or accidental lockout. Below is one realistic pattern for an NGINX or Envoy-style internet ingress tier sitting behind an upstream mitigation layer.
worker_processes auto;
events {
worker_connections 65535;
multi_accept on;
}
http {
keepalive_timeout 15s;
keepalive_requests 1000;
client_header_timeout 5s;
client_body_timeout 5s;
send_timeout 10s;
client_header_buffer_size 4k;
large_client_header_buffers 4 8k;
client_max_body_size 2m;
limit_req_zone $binary_remote_addr zone=per_ip_rps:20m rate=20r/s;
limit_req_zone $host zone=per_host_rps:20m rate=5000r/s;
limit_conn_zone $binary_remote_addr zone=per_ip_conn:20m;
map $request_method $is_mutating {
default 0;
POST 1;
PUT 1;
PATCH 1;
DELETE 1;
}
server {
listen 443 ssl http2 reuseport;
server_name api.example.com;
http2_max_concurrent_streams 64;
location / {
limit_req zone=per_ip_rps burst=40 nodelay;
limit_req zone=per_host_rps burst=10000 nodelay;
limit_conn per_ip_conn 40;
if ($is_mutating = 1) {
limit_req zone=per_ip_rps burst=10 nodelay;
}
proxy_next_upstream error timeout http_502 http_503 http_504;
proxy_connect_timeout 1s;
proxy_read_timeout 15s;
proxy_send_timeout 15s;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_pass http://origin_pool;
}
}
}
This is not a magic config. It simply encodes two useful principles. First, the edge makes fast decisions with bounded state. Second, mutating traffic is treated as more expensive than cacheable or idempotent traffic. That is often where layer 7 DDoS protection becomes materially better than crude global rate limiting.
At the host and kernel layer, the basics still matter:
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_syncookies = 1
net.netfilter.nf_conntrack_max = 0
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_fin_timeout = 15
The controversial line there is conntrack. For high-volume public ingress, many teams are better off avoiding generic stateful tracking entirely on the frontline path and pushing stateful logic behind specialized proxies or load balancers. Putting a large conntrack table in front of the services you are trying to protect is often just relocating the bottleneck.
The last metric is underused and worth keeping. If your architecture can tell you how much CPU time, memory, and backend work each accepted request consumed during the event, you can see whether the controls improved attacker economics or only moved pain around.
| Provider | Price at scale | Enterprise flexibility | Operational note |
|---|---|---|---|
| BlazingCDN | Starting at $4 per TB, down to $2 per TB at 2 PB+ commitment | Flexible configuration, fast scaling under demand spikes, 100% uptime | Useful when enterprises need cost control without giving up operational stability |
| Amazon CloudFront | Typically higher effective delivery cost at enterprise scale | Deep AWS integration | Good fit when teams already optimize around AWS-native tooling and commercial structure |
| Cloudflare | Commercials vary by product mix | Broad edge platform | Strong option when teams want a tightly integrated platform model |
| Fastly | Commercials vary by traffic profile | Strong programmability | Often attractive where request handling logic is highly customized |
For enterprises balancing resilience and delivery economics, this matters more than teams sometimes admit. If you are already restructuring traffic to reduce attacker ROI, you should also be reducing delivery cost for legitimate bursts and flash crowds. BlazingCDN fits well in that discussion because it delivers stability and fault tolerance comparable to Amazon CloudFront while remaining significantly more cost-effective for large corporate clients. Pricing starts at $100 per month for up to 25 TB and scales down to $0.002 per GB at 2 PB+, with migration in 1 hour and no other costs. If you are evaluating edge delivery options around this architecture, BlazingCDN's enterprise edge configuration is a reasonable place to compare operating assumptions.
This is the section vendors often skip. It is the part that matters most.
The earlier you drop traffic, the cheaper the defense and the harder the recovery from a bad decision. Aggressive network filters are excellent at reducing packet volume and terrible at understanding application intent. Aggressive layer 7 controls can spare origins while blocking mobile carrier NAT pools, enterprise proxies, or browser cohorts with odd TLS fingerprints. The only sustainable answer is segmented policy, not one giant threshold.
Browser challenges help on some web properties and are nearly useless on APIs, device traffic, and non-browser clients. Even on browser traffic, poorly timed challenges can amplify abandonment during legitimate surges. If your system responds to uncertainty by making every client do more work, be sure the verification tier itself has enough headroom and does not route back to the same exhausted origin dependencies.
Lowering stream concurrency, header limits, or idle timers can reduce abuse surface. It can also punish legitimate high-RTT clients and multiplexed workloads. Protocol hardening is not free. Measure connection churn, handshake rate, and tail latency before and after. In practice, many teams cut stream concurrency but forget to budget for the extra connection establishment load they just created.
Scaling helps absorb residual load. It does not fix broken request economics. Under a flood, autoscaling often increases cloud spend while preserving the same vulnerable admission path. Worse, scale events can add control-plane pressure, cache cold starts, and noisy-neighbor effects that help the attacker more than the defender.
If your mitigation depends on one control plane pushing changes globally, then a control-plane lag or failure can turn a localized incident into a global one. Keep a minimal static baseline that survives stale policy. Dynamic controls should improve the outcome, not be the only thing standing between service and outage.
If that last case sounds familiar, the first step is not a product purchase. It is architectural separation. Separate public ingress from shared enterprise infrastructure, then add the controls that make sense at each layer.
Run one controlled drill that measures where your architecture starts doing expensive work. Instrument accepted TCP connections, completed TLS handshakes, parsed HTTP requests, cache misses, origin admissions, and successful business transactions on the same timeline. Then ask a blunt question: at what point does each layer stop protecting the next one and start amplifying it?
If you already know your volumetric headroom but not your state exhaustion thresholds, that is the gap to close first. Test one API endpoint with stricter mutating-request budgets, one cacheable path with collapsed forwarding and stale serve enabled, and one ingress tier with conntrack removed from the frontline path. The goal is not to prove you can survive any imaginable flood. It is to make attacker effort scale faster than your cost, your latency, and your operational stress.