What is DDoS protection?
How it works, why you need it, what changed.
DDoS protection sits between your infrastructure and the internet, sorting real users from attack traffic before anything reaches your origin. Modern protection happens automatically, in milliseconds.
How DDoS protection works
Detect
Real-time traffic analysis flags anomalous patterns the moment an attack begins.
Filter
Malicious packets are dropped at our scrubbing centres; clean traffic passes through.
Deliver
Legitimate users reach your origin in under 100 ms - they never notice an attack happened.
Three classes of attack
Volumetric
UDP / ICMP floods, DNS amplification - pure bandwidth saturation. Mitigated by absorbing the flood at our 1+ Tbps edge.
Protocol
SYN floods, Ping of Death, fragmented packet attacks. Caught at the network layer before they exhaust state on your origin.
Application
HTTP floods, Slowloris, low-and-slow attacks targeting application logic. Behavioural analysis distinguishes humans from bots.
What TMW Shield delivers
Layer 3-7
Volumetric, protocol and application-layer mitigation in one stack.
Sub-second response
Detection and filtering before users notice anything.
Always-on
Routed through our scrubbing network 24/7 - not a fire-drill.
9 PoPs worldwide
Mitigate close to the source of the attack, anywhere on earth.
Why operators pick TMW Shield
Real-time mitigation, surgical filtering primitives, and engineers who answer the phone - at every PoP, on every continent we operate in.
Explore TMW Shield- 1+ Tbps mitigation capacity
- Layer 3-7 coverage
- Sub-second detection
- Automatic mitigation
- GEO and ASN filtering
- Edge firewall (stateful)
- Custom rules per service
- 24/7 engineer coverage
TMW Shield vs Cloudflare, Akamai & AWS Shield
How our DDoS protection compares to Cloudflare Magic Transit, Akamai Prolexic, and AWS Shield Advanced.
| Feature | TMW Shield | Cloudflare | Akamai | AWS Shield |
|---|---|---|---|---|
| Contract | Month-to-month | Enterprise contract (Magic Transit) | Enterprise contract (Prolexic) | $3,000/mo min (Shield Advanced) |
| Capacity | 1+ Tbps | Unmetered | 20+ Tbps (Prolexic) | Unmetered (Advanced only) |
| Layer coverage | L3-7 included | L3-7 (Magic Transit + WAF) | L3-4 Prolexic; L7 via App & API Protector | L3-4 Standard; L7 Advanced only |
| ISP / transit protection | Yes - BGP-based | Magic Transit only | Prolexic only | No |
| Activation time | < 1 hour | Hours – days | Days – weeks | Immediate (Standard); days (Advanced) |
| 24/7 human support | All tiers | Enterprise tier only | Enterprise tier only | Premium Support plan required |
DDoS protection - frequently asked questions
What is DDoS protection?
DDoS protection (Distributed Denial of Service protection) is a security service that detects and absorbs malicious traffic floods before they can overwhelm your servers or network. It works by routing your traffic through scrubbing infrastructure that drops attack packets while forwarding clean traffic to your origin - typically in under one second.
What does DDoS stand for?
DDoS stands for Distributed Denial of Service - an attack in which thousands of compromised devices simultaneously flood a target with traffic to exhaust its bandwidth or processing capacity, making it unavailable to legitimate users. Protection services absorb or filter this flood at the network edge before it reaches your infrastructure.
How does DDoS protection work?
Traffic is rerouted through scrubbing infrastructure via BGP or DNS. Real-time analysis detects anomalous patterns - sudden volume spikes, malformed packets, bot signatures, or application-layer abuse. Attack traffic is dropped; legitimate traffic is forwarded to your origin. Modern systems like TMW Shield complete this in under 100 milliseconds.
What is the difference between TMW Shield and Cloudflare DDoS protection?
Cloudflare offers DDoS protection through Magic Transit (BGP-based, requires an enterprise contract) and their CDN/WAF products. TMW Shield provides always-on Layer 3-7 DDoS mitigation through our own BGP-peered network, available month-to-month without enterprise commitments, and with 24/7 engineer access at every tier - including colocation and IP transit customers.
What is volumetric attack protection?
Volumetric attack protection defends against floods designed to saturate your upstream bandwidth - UDP floods, ICMP floods, DNS amplification, and NTP reflection attacks. TMW Shield's 1+ Tbps capacity absorbs these at the network edge before they can reach your data centre or cloud infrastructure.
How does AWS Shield compare to TMW Shield?
AWS Shield Standard is free but limited to basic Layer 3-4 protection for AWS resources only. AWS Shield Advanced costs a minimum of $3,000/month, adds Layer 7 protection and access to the AWS Shield Response Team, but only covers AWS-hosted infrastructure. TMW Shield provides comparable Layer 3-7 coverage for any infrastructure - colocation, dedicated, VPS, or transit - without ecosystem lock-in or minimum spend.
What is ISP-level DDoS protection?
ISP-level or network-level DDoS protection uses BGP route announcements to attract your traffic through the provider's scrubbing infrastructure before it enters your network. This blocks volumetric attacks upstream of your data centre - so your connectivity is never saturated. TMW Shield operates at this level for all colocation and IP transit customers.
Protection that never sleeps.
Activate TMW Shield in minutes. Engineers respond in under five - anywhere in the world.