Measured in your browserWe advise on speed. We practice it.Loaded just now · real numbers from this visit, not a lab score.
Page loaded
First byte
DOM ready
First paint
Largest paint
DNS lookup
TLS handshake
Transferred
Saved by compression
Requests

DDoS is one acronym covering three different problems, and defenses that solve one are decorative against the others. Reading an attack correctly, by which resource it exhausts, is the first operational skill, because it routes you to the layer that can answer.

Volumetric: drowning the pipes

The classic flood: traffic measured in terabits, often amplified through reflection (small spoofed queries to open resolvers and similar services returning large answers to the victim). The exhausted resource is raw network capacity, so the only real defense is capacity plus dispersion: anycast edges that dilute the flood across the planet, scrubbing that filters obvious junk upstream, and providers whose backbone is simply bigger than the attack. This is precisely what you rent a large edge for; no origin-side cleverness survives a saturated pipe.

State exhaustion: filling the tables

Protocol attacks (SYN floods and kin) target connection-tracking state in servers, firewalls and load balancers: modest bandwidth, devastating against stateful middleboxes. Defenses are protocol-level: SYN cookies, aggressive state timeouts, and terminating connections at the edge fleet whose per-node state is built for it, so origin infrastructure never sees the half-open storm. The tell in triage: interfaces healthy, connections tables full, throughput unremarkable.

The strategic trend worth budgeting for: application-layer attacks keep gaining share, because volumetric capacity became a commodity the big edges simply have, while origin compute remains every defender’s scarce resource, and automation costs keep falling for attackers too. That shifts the defense center of gravity from bandwidth toward classification quality (bot layers, behavioral signals, our fingerprinting article) and toward architectural attack-surface reduction: every endpoint made cacheable, every expensive operation put behind auth and limits, is standing DDoS mitigation that no attacker rents capacity against. The cheapest scrubbing is the request that never reaches anything expensive, which makes cache engineering, once again, a security discipline wearing a performance badge.

Application layer: legitimate-shaped siege

The expensive one: real HTTP requests targeting your costly endpoints, search, login, uncacheable APIs, at rates each individually plausible. The exhausted resource is origin compute, and the defense is this series’ whole toolkit aimed deliberately: cacheability pushed to its maximum (a cached response costs an attacker’s request but not your CPU), the bot-detection layers classifying automation, rate limits keyed sanely, and the WAF’s targeted rules. Mitigation-time SLAs in your security contract are mostly about this layer, because it requires classification, not just capacity.

In practice

Build the triage card: which resource is exhausted (bandwidth, state, compute), which dashboard proves it, which layer answers, who acts. Rehearse against each class annually, tabletop plus synthetic where feasible, and revisit the contract questions our security-pricing article listed with the taxonomy in hand: mitigation capacity is a volumetric answer, time-to-mitigate is an application-layer answer, and a vendor strong in one may be ordinary in the other.

DDoS readiness reviews here map your endpoints by exhaustion class and rehearse the triage card. The tabletop finds the gaps kindly.

Get the free assessmentMore analysis