DDoS Protection
Always-on DDoS mitigation for networks, hosting providers, game platforms and enterprises. Native BGP, GRE/IPIP, remote protection, L7 proxying and direct NOC escalation.
Mitigation architecture
Detection, filtering, scrubbing, and visibility in one path.
TMW Shield is positioned as an operator workflow, not a black-box appliance. Traffic is detected, classified, filtered, scrubbed, and forwarded over the handoff that matches the customer network.
Detect
Per-prefix baselines, flow telemetry, packet counters, SYN/ACK ratios, DNS/NTP signatures, and L7 request behavior.
Classify
Traffic is split into volumetric, protocol, reflection, application, and game-protocol vectors before a filter is selected.
Filter
Edge ACLs, stateless drops, SYN validation, reflector signature blocks, service filters, and WAF/proxy controls remove attack traffic.
Scrub
Clean packets are forwarded over native transit, cross-connect, GRE, IPIP, or BGP-routed protected transit handoff.
Automate
Mitigation state, BGP announcements, customer community controls, alerts, and dashboards are updated without waiting for manual tickets.
Capacity definitions
Numbers are defined by what they measure.
Total edge capacity
1+ Tbps
Aggregate ingress and filtering capacity available across the mitigation edge.
Clean capacity
100G+
Capacity reserved for customer traffic after filtering, measured as clean egress to handoff.
Peak absorb capacity
1+ Tbps
Short-duration attack traffic absorption before upstream coordination or selective blackholing.
Detection target
< 100 ms
Telemetry to mitigation rule activation for known L3/L4 vectors.
Attack dashboard
Case-style incident view shown to customers.
Peak
742 Gbps
Packets
88 Mpps
Vectors
UDP, SYN, DNS
Supported attack types
UDP floods
High-pps stateless floods, random source ports, and payload pattern attacks.
TCP SYN/ACK floods
Spoofed handshakes, ACK storms, connection table pressure, and retransmit abuse.
DNS/NTP amplification
Reflection traffic from DNS, NTP, SSDP, CLDAP, memcached, and similar amplifiers.
HTTP floods
High-RPS GET/POST, login abuse, cache bypass, expensive endpoints, and bot sessions.
Game attacks
Minecraft, Source, FiveM, Rust, TeamSpeak, and custom UDP game protocol floods.
Onboarding and escalation
Native BGP
Customer establishes BGP session to AS215828 and announces eligible prefixes with IRR/RPKI validation.
GRE/IPIP remote protection
TMW announces the protected prefix and forwards clean traffic to an out-of-band tunnel endpoint.
BGP emergency onboarding
LOA, ROA/IRR checks, max-prefix limits, and temporary policy are completed before announcement.
Proxy/WAF onboarding
DNS or reverse-proxy onboarding for L7 HTTP protection, cache, and managed challenge modes.
NOC acknowledgement
15 min
24/7 emergency requests receive engineer acknowledgement within 15 minutes.
Critical mitigation response
5 min
Active attacks on protected services are escalated directly to the on-call engineer.
Standard change window
Same day
BGP session, prefix, tunnel, and filter changes are normally completed the same business day.
Availability SLA
up to 99.9%
Commercial SLA depends on product, handoff type, and contracted redundancy.
Incident examples
Game network UDP flood
Attack
38 Mpps mixed UDP flood against matchmaking and voice ports
Action
Per-port packet signatures and source-distribution policers were activated automatically, then tuned by the NOC.
Result
Legitimate player traffic stayed on the protected path with no origin firewall state exhaustion.
Hosting provider carpet bombing
Attack
Low-volume floods spread across hundreds of customer /32s inside a shared /24
Action
Prefix-wide correlation grouped the attack into one mitigation event instead of chasing each host.
Result
Clean traffic was forwarded normally while attacked destinations were rate-limited and, where requested, blackholed.
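The prefix-wide correlation described in this incident can be illustrated with a short Python sketch. This is an added example, not TMW's code and not part of the original page; the thresholds, sample rates, addresses and function names are assumptions chosen for illustration. It shows why a per-host trigger stays silent during carpet bombing while a per-/24 aggregate produces a single mitigation event.

```python
import ipaddress
from collections import defaultdict

# Constructed samples for one interval: (destination /32, packets per second).
# Addresses come from documentation ranges; rates are invented for the example.
SAMPLES = [(f"203.0.113.{h}", 4_000) for h in range(1, 201)]    # 200 hosts, low rate each
SAMPLES += [("198.51.100.10", 6_000), ("198.51.100.11", 3_000)]  # ordinary traffic

HOST_PPS_LIMIT = 50_000        # assumed trigger of a host-only detector
PREFIX_PPS_BASELINE = 100_000  # assumed normal aggregate rate per /24
MIN_HOSTS = 50                 # assumed spread required to call it carpet bombing
HOST_FLOOR_PPS = 1_000         # destinations below this are not counted as targets


def host_alerts(samples, limit=HOST_PPS_LIMIT):
    """Per-host view: destinations whose own rate crosses the limit."""
    return [dst for dst, pps in samples if pps > limit]


def prefix_events(samples, prefix_len=24, baseline=PREFIX_PPS_BASELINE,
                  min_hosts=MIN_HOSTS, factor=3.0):
    """Prefix-wide view: one event per covering prefix whose aggregate rate
    exceeds factor * baseline while spread over at least min_hosts targets."""
    totals = defaultdict(int)
    targets = defaultdict(set)
    for dst, pps in samples:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        totals[net] += pps
        if pps >= HOST_FLOOR_PPS:
            targets[net].add(dst)
    events = []
    for net, total in totals.items():
        if total > factor * baseline and len(targets[net]) >= min_hosts:
            events.append({"prefix": str(net), "pps": total,
                           "targets": len(targets[net])})
    return events


if __name__ == "__main__":
    print("per-host alerts:", host_alerts(SAMPLES))   # none: every /32 is under the limit
    for ev in prefix_events(SAMPLES):
        print("mitigation event:", ev)                # one event for the whole /24
```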
Emergency remote protection
Attack
DNS amplification against infrastructure hosted outside the TMW network
Action
Temporary BGP announcement, ROA/IRR validation, GRE handoff, and clean-only route policy were completed under the emergency process.
Result
Traffic moved behind TMW Shield without changing the customer origin network.
Under attack or planning protected transit?
Send ASN, prefixes, origin location, tunnel endpoint, critical ports, and bandwidth target. The NOC can move faster with those fields ready.
Real-time traffic filtering
Every packet is inspected at the edge. Attack traffic is dropped before it reaches your infrastructure.
Specific filters for specific attack vectors.
UDP floods, SYN/ACK floods, DNS/NTP amplification, HTTP floods and game-protocol attacks are handled with distinct controls instead of one generic rate limit.
Layer 3-7 Coverage
Network, transport and application-layer filtering for customer prefixes, hosted services and proxied HTTP workloads.
Automatic Detection
Flow telemetry, packet counters and request behavior trigger mitigation before the origin becomes the bottleneck.
Scrubbing Edge
Traffic is ingested at TMW edge locations, filtered close to ingress and forwarded clean over native or tunnel handoff.
Always-On Protection
Protected routes stay on the mitigation path; no DNS cutover or manual activation is required during an incident.
GEO Filter
Allow or block traffic by country or region with surgical precision - drop anything outside your reach.
ASN Filter
Allow, challenge or drop traffic by source ASN when an attack is concentrated in specific networks.
Firewall at the Edge
Stateful packet inspection runs at the network edge, before traffic ever touches your origin.
Automated Service Filters
Profiles for HTTP, gaming, voice, mail, VPN and DNS services are tuned per protocol and can be adjusted by the NOC.
Every vector at L3 / L4 - mitigated.
Volumetric, protocol and reflection attacks come in dozens of flavors. TMW Shield handles them at line rate, before they reach your origin.
UDP & ICMP Floods
High-pps stateless floods are dropped at the edge based on rate, source distribution and protocol fingerprint.
TCP SYN / ACK Floods
SYN cookies, connection-state validation and per-source policers neutralize spoofed handshake floods without breaking real clients.
Reflection & Amplification
DNS, NTP, memcached, SSDP and CLDAP amplification traffic is identified by reflector signatures and dropped wholesale.
Fragmentation Attacks
Malformed and overlapping IP fragments are reassembled, validated and discarded - no kernel state on your origin gets exhausted.
Carpet Bombing
Low-volume floods spread across hundreds of /32s in your prefix are correlated and mitigated as one event.
Multi-Vector Attacks
Mixed L3 / L4 / L7 attacks are split into vectors and handled in parallel. No single component becomes the choke point.
State-Table Exhaustion
Connection-flood and TLS-renegotiation abuse is blocked before it can fill the conntrack tables on your firewalls or load balancers.
Game-Protocol Floods
Source Engine, Quake, Minecraft ping and other gaming protocols are protected with payload-aware filters tuned per-title.
Four steps from packet to decision.
Every packet entering our network passes through the same deterministic pipeline - measured in microseconds, not seconds.
Anycast ingest at the closest PoP
BGP-anycasted prefixes pull traffic into the nearest scrubbing center. No DNS redirection, no GRE detour - just the shortest path.
Stateful inspection at line rate
Every packet is parsed, classified and scored. Per-source, per-protocol and per-prefix telemetry feeds the next stage in real time.
Vector-specific mitigation
Filters fire automatically the moment an attack signature is recognized. Volumetric, protocol and reflection vectors run in parallel.
Clean traffic to your origin
What remains is your real traffic - delivered over our backbone with the same routing performance as a clean day.
Built for traffic that can't go down.
Anywhere a few minutes of downtime is unacceptable, TMW Shield is in the path. Every customer gets the same mitigation - small or large.
Gaming & Game Hosting
Login servers, game servers and matchmaking under constant attack. Filters tuned per-title, latency low enough that pros don't notice.
ISPs & Hosting Providers
Protect entire prefixes for your downstream customers. BGP-routed mitigation with no per-IP licensing or surprise overage fees.
E-commerce & SaaS
Keep checkout, sign-up and APIs online during launches, sales and ransom-note campaigns - without sacrificing latency.
FinTech & Trading
Sub-millisecond mitigation on the path that matters. Order entry stays predictable even under sustained extortion attacks.
Voice, SIP & Streaming
Real-time UDP stays in real time. SIP, RTP and broadcast paths are protected with payload-aware filters that don't add jitter.
Critical Infrastructure
DNS, mail, government and healthcare endpoints. Always-on protection, BGP-routed, no opt-out windows.
Mitigation built by operators, not vendors.
We run the network we sell. Every packet passes hardware we own, software we wrote, on capacity we paid for - the price stays honest because of it.
We Own the Network
Our own AS, our own scrubbing centers, our own transit. No reselling someone else's mitigation, no support tickets bouncing between providers.
Transparent Pricing
You pay for clean traffic - never for the attack. No per-prefix fees, no per-rule licensing, no 'enterprise' gating, no surprise overage when you get hit.
Engineers, Not a Queue
An on-call engineer answers in under five minutes - 24/7. The same person who picks up the phone can push a filter live.
Custom Filters On Demand
If our default filters don't fit your protocol, we'll build you one. No professional-services SOW, no six-week timeline.
Full Traffic Visibility
Per-prefix dashboards, attack timelines, top sources and post-mitigation reports - the same view our NOC sees, in your portal.
No Lock-In
Bring your own ASN and IP space. Run TMW Shield in front, behind, or alongside other protection - we don't hide your routes.
Optimized filters for your applications
Specialized filters for gaming servers, web applications, VPN services, and more.
Need a specific filter? Contact us for custom solutions.
Numbers with definitions.
Capacity is separated into total edge capacity, clean forwarding capacity and peak absorption so buyers know what is being measured.
Aggregate ingress and filtering capacity across the TMW mitigation edge.
Known L3/L4 vectors can trigger automated filter activation in under 100 ms.
Frankfurt, Amsterdam, North Kansas City and Singapore are publicly listed facility metros.
Stateless flood, stateful protocol and application-layer filters.
Commercial SLA depends on product, handoff and contracted redundancy.
Failover and re-announce times under regional incident scenarios.
Emergency requests are routed to engineers who can change filters and routes.
BGP session up, prefixes announced, traffic mitigated - same business day.
Try TMW Shield free for 30 days
Get full Layer 3–7 DDoS protection for your infrastructure at no cost. No contracts, no egress fees, and an engineer on call throughout your trial.
- No credit card required
- Full mitigation capacity
- Dedicated setup engineer
- Cancel anytime
Protection that lives on a real network.
Bring your ASN, your prefixes, your tunnel endpoint or your origin service. TMW Shield can be delivered as protected transit, remote protection, proxy protection or protected hosting.