Distributed Denial of Service attacks have evolved from a nuisance into one of the most serious operational threats facing online businesses. In 2025 alone, the largest recorded DDoS attack peaked at over 5.6 Tbps, a volume that would overwhelm the entire network capacity of most hosting providers. The question is no longer whether your infrastructure will be targeted, but when, and whether your hosting provider has the capacity to absorb the attack without taking your services offline.
MassiveGRID provides 12 Tbps of DDoS mitigation capacity across its network. But what does that number actually mean in practice? How does traffic scrubbing work at that scale? And how does the system distinguish between a legitimate traffic spike and a malicious flood? This article breaks down the mechanics of modern DDoS protection so you can understand exactly what stands between your server and an attack.
The Three Categories of DDoS Attacks
DDoS attacks fall into three categories based on which part of the network stack they target. Each category requires different detection and mitigation techniques, and a comprehensive protection system must handle all three simultaneously.
Layer 3/4: Volumetric Attacks
Volumetric attacks aim to saturate the target's network bandwidth by flooding it with massive amounts of traffic. These are the "brute force" attacks that generate the headline-grabbing Tbps numbers. Common volumetric attack vectors include:
- UDP floods: The attacker sends enormous volumes of UDP packets to random ports on the target, forcing the server to process each packet and respond with ICMP "destination unreachable" messages. The sheer volume of traffic consumes all available bandwidth.
- DNS amplification: The attacker sends small DNS queries to open resolvers with the source IP spoofed to the victim's address. Each 60-byte query generates a 4,000-byte response directed at the victim, creating a 70:1 amplification ratio.
- NTP amplification: Similar to DNS amplification but exploiting the `monlist` command in misconfigured NTP servers, achieving amplification ratios up to 556:1.
- SSDP reflection: Exploiting Universal Plug and Play (UPnP) devices to amplify and reflect traffic toward the target.
Volumetric attacks are measured in bits per second (bps) and packets per second (pps). A 1 Tbps volumetric attack generates approximately 150 million packets per second, which exceeds the processing capacity of most commercial network equipment.
Layer 4: Protocol Attacks
Protocol attacks exploit weaknesses in Layer 3 and Layer 4 protocols to exhaust the resources of network infrastructure components such as firewalls, load balancers, and the target server itself. Unlike volumetric attacks, protocol attacks do not necessarily require massive bandwidth. Instead, they consume connection state tables and processing resources:
- SYN floods: The attacker sends a high rate of TCP SYN packets (connection initiation requests) without completing the three-way handshake. Each half-open connection consumes memory in the server's connection table until the table is exhausted and no new legitimate connections can be established.
- ACK floods: The attacker sends spoofed TCP ACK packets that the target must process and reject, consuming CPU resources.
- Fragmented packet attacks: Sending intentionally malformed or overlapping IP fragments that overwhelm the target's reassembly buffer.
Protocol attacks are measured in packets per second (pps) and concurrent connections. A SYN flood of just 10 million pps can overwhelm a server with a default connection table of 65,536 entries in seconds.
Layer 7: Application-Layer Attacks
Application-layer attacks are the most sophisticated and difficult to detect because they mimic legitimate user behavior. Instead of flooding the network with raw traffic, these attacks target specific application endpoints with requests that appear normal individually but collectively overwhelm the application:
- HTTP floods: Thousands of bots simultaneously request resource-intensive pages (search queries, dynamic content generation, large file downloads) at rates that exhaust web server processes, database connections, or CPU.
- Slowloris: The attacker opens many connections to the web server and sends HTTP headers very slowly, keeping each connection open as long as possible. This ties up all available connection slots without generating significant bandwidth.
- API abuse: Targeting specific API endpoints with requests that trigger expensive database queries or computations, amplifying the impact of each request on the server's resources.
Application-layer attacks are measured in requests per second (rps). Because each request is small and appears legitimate, these attacks can bring down a server with as little as 50,000 rps, a volume that generates minimal network-level traffic.
How Traffic Scrubbing Works at Scale
The core technology behind DDoS mitigation is the scrubbing center, a network facility specifically designed to receive, analyze, and filter massive volumes of traffic in real time. Here is how the process works from the moment an attack begins to the point where clean traffic reaches your server.
Step 1: Detection
Mitigation begins with detection. Modern DDoS protection systems continuously monitor network traffic patterns using a combination of flow sampling (NetFlow/sFlow), deep packet inspection (DPI), and machine learning models trained on historical traffic baselines. When traffic to a protected IP address exceeds predefined thresholds or exhibits patterns consistent with known attack signatures, the system triggers mitigation automatically.
Detection latency is critical. The difference between detecting an attack in 3 seconds versus 30 seconds determines whether your service experiences a brief hiccup or a sustained outage. Enterprise-grade scrubbing systems achieve detection in under 10 seconds for volumetric attacks and under 30 seconds for more subtle application-layer attacks.
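The threshold-against-baseline trigger described in this step can be sketched as follows. This is an added example, not MassiveGRID's detection logic: the sampling rate, EWMA weight, spike factor, floor and the sample counts are all constructed assumptions. It scales sampled flow counts to packets per second, learns a baseline, and stops learning once mitigation triggers so the flood cannot raise its own threshold.

```python
from dataclasses import dataclass
from typing import Optional

SAMPLING_RATE = 1000   # assumed sFlow-style 1-in-N packet sampling
ALPHA = 0.2            # EWMA weight given to the newest interval
SPIKE_FACTOR = 5.0     # trigger when the rate exceeds 5x the learned baseline
MIN_PPS = 50_000       # absolute floor so tiny baselines do not trigger on noise

@dataclass
class Detector:
    baseline: Optional[float] = None   # learned packets/sec for one protected IP
    mitigating: bool = False

    def observe(self, sampled_packets: int, interval_s: float) -> bool:
        """Feed one interval of sampled counts; return True while mitigating."""
        pps = sampled_packets * SAMPLING_RATE / interval_s  # scale sample to real rate
        if self.baseline is None:
            self.baseline = pps          # first interval seeds the baseline
            return False
        if pps > max(self.baseline * SPIKE_FACTOR, MIN_PPS):
            self.mitigating = True       # baseline is frozen: never learn the attack
        else:
            self.mitigating = False
            self.baseline = ALPHA * pps + (1 - ALPHA) * self.baseline
        return self.mitigating

def detection_latency(samples, interval_s, attack_start_index):
    """Seconds from attack start until the detector first triggers, or None."""
    det = Detector()
    for i, count in enumerate(samples):
        if det.observe(count, interval_s) and i >= attack_start_index:
            return (i - attack_start_index + 1) * interval_s
    return None

# Constructed sample: sampled packet counts per 1-second interval for one IP.
# About 20k pps of normal traffic, a legitimate 2x spike, then a flood at index 8.
CONSTRUCTED = [20, 22, 19, 21, 40, 38, 20, 21, 900, 1500, 1500, 1400]

if __name__ == "__main__":
    print("latency (s):", detection_latency(CONSTRUCTED, 1.0, 8))
```

Detection latency here is bounded below by the export interval: a collector that reports every 10 seconds cannot trigger faster than that, whatever the thresholds are.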
Step 2: Traffic Diversion
Once an attack is detected, all traffic destined for the target IP is redirected to the nearest scrubbing center using BGP (Border Gateway Protocol) route announcements. The scrubbing center advertises a more specific route for the target's IP prefix, causing upstream routers to send all traffic for that address through the scrubbing infrastructure instead of directly to the origin server.
In an always-on configuration, like the one MassiveGRID employs, traffic is routed through the scrubbing infrastructure at all times, not just during attacks. This eliminates the diversion delay entirely and ensures that attack traffic never reaches the origin network.
Step 3: Traffic Analysis and Filtering
Inside the scrubbing center, traffic passes through multiple filtering stages:
- Rate limiting and blackholing: Known-bad source IPs and IP ranges associated with botnets are immediately dropped. Rate limits are applied to traffic from suspicious ASNs (Autonomous System Numbers).
- Protocol validation: Each packet is inspected for protocol compliance. Malformed packets, impossible flag combinations, and packets that violate RFC specifications are discarded.
- Stateful inspection: For TCP traffic, the scrubbing system maintains a lightweight connection state table to verify that incoming packets belong to legitimate, established connections. SYN floods are mitigated using SYN cookies or SYN proxy techniques that validate the three-way handshake before forwarding traffic to the origin.
- Behavioral analysis: Machine learning models analyze traffic patterns in real time, identifying anomalies such as unusual geographic distributions, suspicious request patterns, or traffic volumes that deviate from established baselines.
- Challenge mechanisms: For HTTP traffic, the system may present JavaScript challenges or CAPTCHA-like verification to separate automated bot traffic from human users.
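The SYN cookie technique named in the stateful inspection stage works by encoding the connection's identity into the server's initial sequence number, so no table entry exists until the client proves it received the SYN-ACK. The sketch below is an added, simplified illustration (not MassiveGRID's implementation and not the Linux kernel's exact algorithm); the secret, MSS table, bit layout and addresses are assumptions made for the example.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: a random per-boot key in practice
MSS_TABLE = [536, 1300, 1440, 1460]   # MSS values the cookie can encode (3-bit index)
COUNTER_SECONDS = 64                  # granularity of the time counter

def _mac24(conn, counter, client_isn, mss_idx):
    """24-bit keyed MAC binding the 4-tuple, time window, client ISN and MSS."""
    msg = repr((conn, counter, client_isn, mss_idx)).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(conn, client_isn, mss, now):
    """Build the server ISN for the SYN-ACK without storing any state."""
    counter = int(now // COUNTER_SECONDS)
    # Largest table entry not exceeding the client's MSS (index 0 as fallback).
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss or i == 0)
    mac = _mac24(conn, counter, client_isn, mss_idx)
    return ((counter % 32) << 27) | (mss_idx << 24) | mac

def check_cookie(conn, client_isn, ack_number, now):
    """Validate the final ACK; return the MSS, or None if forged or stale.

    client_isn is the ACK's sequence number minus one.
    """
    cookie = (ack_number - 1) & 0xFFFFFFFF    # ACK acknowledges server ISN + 1
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    current = int(now // COUNTER_SECONDS)
    for counter in (current, current - 1):    # accept current and previous window
        if counter % 32 != cookie >> 27:
            continue
        expected = _mac24(conn, counter, client_isn, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]         # only now is connection state created
    return None

if __name__ == "__main__":
    conn = ("198.51.100.7", 40000, "203.0.113.10", 443)  # constructed 4-tuple
    isn = make_cookie(conn, 1000, 1460, now=1_000_000)
    print(check_cookie(conn, 1000, (isn + 1) & 0xFFFFFFFF, now=1_000_030))
```

A spoofed SYN costs the scrubber one MAC computation and one SYN-ACK, and an ACK flood with guessed acknowledgment numbers fails the same check.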
Step 4: Clean Traffic Forwarding
Traffic that passes all filtering stages is forwarded to the origin server through a clean, dedicated tunnel (typically GRE or VXLAN). The origin server sees only legitimate requests, with source IPs preserved so that application-level logging and geo-targeting continue to function normally.
What 12 Tbps Capacity Actually Means
When MassiveGRID states that its DDoS protection provides 12 Tbps of mitigation capacity, that number represents the total aggregate throughput that the scrubbing infrastructure can absorb and process simultaneously across all protected customers and all attack vectors. Here is how to put that number in context:
| Metric | Value |
|---|---|
| Total scrubbing capacity | 12 Tbps |
| Largest recorded DDoS attack (2025) | ~5.6 Tbps |
| Average enterprise DDoS attack size | 10-50 Gbps |
| Typical small-business targeted attack | 1-10 Gbps |
| MassiveGRID headroom at peak attack | 6.4+ Tbps remaining |
The critical insight is that mitigation capacity must significantly exceed the largest expected attack. If a provider's total scrubbing capacity is 2 Tbps and they face a 2 Tbps attack, there is zero headroom for legitimate traffic or simultaneous attacks on other customers. At 12 Tbps, MassiveGRID can absorb even the largest recorded attacks while maintaining full service for all other protected customers.
Filtering Without Impacting Legitimate Users
The greatest challenge in DDoS mitigation is not absorbing traffic volume. It is accurately distinguishing between attack traffic and legitimate user requests without introducing latency or blocking real customers. Here is how modern scrubbing systems minimize false positives:
- Allowlisting known-good sources: Traffic from verified search engine crawlers, payment processors, API partners, and monitoring services is automatically allowlisted and bypasses aggressive filtering rules.
- Graduated response: The filtering intensity scales with the severity of the attack. During light attacks, only the most obviously malicious traffic is dropped. As attack intensity increases, filtering rules tighten progressively, always balancing protection against the risk of blocking legitimate users.
- Geographic intelligence: If an application's traffic normally originates 95% from Europe and an attack sources primarily from a botnet in Southeast Asia, the system can apply stricter filtering to the anomalous geography without affecting the primary user base.
- Session persistence: Users who have already established legitimate sessions (validated through cookies, TLS session IDs, or behavioral fingerprinting) continue to receive uninterrupted service even during active mitigation.
Why DDoS Protection Matters for Every VPS Customer
Many VPS customers assume that DDoS protection is only relevant for large enterprises or high-profile targets. This is a dangerous misconception. Automated attack tools are widely available, and "DDoS-for-hire" services allow anyone to launch a multi-gigabit attack for as little as $20. Small businesses, personal projects, and niche applications are targeted regularly, often by competitors, disgruntled users, or automated scanners probing for vulnerable infrastructure.
Without built-in DDoS protection, a 10 Gbps attack against your VPS will saturate the server's network interface and potentially trigger null-routing by the hosting provider, taking your server offline entirely. With providers like MassiveGRID that include 12 Tbps DDoS protection at no additional cost, that same attack is absorbed by the scrubbing infrastructure before it ever reaches your server's network port.
Conclusion
DDoS protection at the 12 Tbps scale is not a single technology but a layered system combining network architecture, traffic analysis, machine learning, and massive bandwidth capacity. The system must detect attacks in seconds, divert traffic through scrubbing infrastructure, apply multi-stage filtering that accurately separates malicious from legitimate traffic, and forward clean requests to the origin server with minimal added latency.
When evaluating hosting providers, look beyond the headline mitigation number and ask about detection time, filtering accuracy, always-on versus on-demand activation, and whether protection is included or charged separately. MassiveGRID includes 12 Tbps DDoS protection with every VPS plan, ensuring that your infrastructure is protected from day one without additional cost or configuration. Explore the security overview to learn more about the full security stack protecting your workloads.