DDoS Protection
Stay online. Automatically.
DDoS attacks have become one of the most common and disruptive threats facing online businesses. AgileSP's DDoS Protection service keeps your infrastructure online, automatically, before the impact reaches your customers.
The threat
What is a DDoS attack?
A DDoS attack floods your network, servers, or applications with malicious traffic at a scale designed to exhaust available bandwidth or processing capacity. The result: your services become slow or entirely unreachable for legitimate users.
Attacks range from volumetric floods, measured in hundreds of gigabits per second, to sophisticated application-layer attacks targeting specific services. The challenge for most businesses is that a significant DDoS attack overwhelms local defences before they can respond. The solution must operate upstream, at the network level, before attack traffic reaches your infrastructure.
How it works
Upstream protection. Automatic mitigation.
AgileSP's DDoS Protection service operates at the network level, upstream of your infrastructure. When an attack is detected, malicious traffic is rerouted to AgileSP's scrubbing infrastructure, where it is identified, filtered, and discarded. Clean, legitimate traffic is returned to your network, and your services remain online throughout the process. The entire detection-to-mitigation cycle is designed to be fast and automatic, minimising the window during which your services are exposed to attack traffic.
Three layers of mitigation
The right tool for every attack.
Arbor TMS Scrubbing
Traffic diversion to our carrier-grade scrubbing infrastructure strips volumetric, protocol, and application-layer attack traffic while passing legitimate flows through. This is the most effective option for complex or high-volume attacks.
BGP Blackhole (RTBH)
For situations where a single IP or small prefix is under an unmitigatable volumetric attack, RTBH allows you — or our NOC — to trigger a null-route via BGP community. Traffic to that destination is dropped at AgileSP's network edge and across participating upstreams. Blunt, but fast and effective.
Flowspec (RFC 5575)
BGP Flowspec pushes fine-grained drop rules — by destination port, source prefix, TCP flags, DSCP, or packet length — directly to AgileSP's routers. This enables surgical mitigation: dropping NTP amplification packets or TCP SYN floods targeting a specific port while continuing to pass all other traffic.
Always-on detection
Protection that does not wait.
AgileSP's DDoS Protection is not a reactive service that requires manual intervention to activate. Traffic baselines are continuously monitored, and anomaly detection algorithms identify attack signatures in real time. When a threshold is crossed, mitigation begins automatically — your team is notified, but the protection is already working.
This always-on approach is critical because DDoS attacks are designed to move faster than human response times. By the time a NOC team identifies and escalates an incident manually, volumetric attacks have already caused significant damage.
Features
DDoS Protection features.
Always-on monitoring
Continuous traffic analysis and anomaly detection with no manual activation required.
Automatic mitigation
Attack traffic is rerouted and scrubbed without disrupting legitimate users.
Multi-vector protection
Defends against volumetric floods, protocol attacks, and application-layer attacks simultaneously.
Arbor TMS scrubbing
Carrier-grade mitigation platform deployed within AgileSP's network.
BGP blackhole (RTBH)
Trigger a null-route for a specific /32 or /128 via BGP community.
Flowspec mitigation
Surgical traffic filtering by protocol, port, TCP flags, or packet size.
Clean traffic return
Only verified legitimate traffic is passed to your servers and services.
Attack reporting
Post-event reports detailing attack vectors, volumes, and mitigation actions taken.
24/7 NOC support
AgileSP's engineering team monitors mitigation events and is available around the clock.
Capacity
Global scrubbing capacity.
The effectiveness of a DDoS protection service is directly linked to the capacity of the network behind it. AgileSP's DDoS Protection is backed by a network with European anchor points in London (Equinix LD8) and Amsterdam, providing substantial upstream capacity to absorb volumetric attacks before they reach the African network.
For South African businesses, a local DDoS scrubbing capability matters. AgileSP's protection operates within our own network infrastructure, meaning that African-origin attack traffic is identified and mitigated at the African network level, reducing unnecessary international traffic and keeping scrubbing latency low for your legitimate users.
Who needs DDoS protection?
Protection for every business.
ISPs and hosting providers
Protect your customers and your own infrastructure from volumetric and application attacks.
E-commerce businesses
Stay online during peak trading periods, when DDoS attacks are often timed to maximise commercial impact.
Financial services
Protect transaction systems, payment gateways, and customer-facing banking platforms.
Gaming and entertainment
Maintain low-latency, high-availability services for competitive gaming and streaming platforms.
Government and critical infrastructure
Protect public-facing services and mission-critical systems.
SaaS providers
Ensure contractual SLA uptime commitments to your customers are maintained under attack conditions.
Integration
Integrated with AgileSP services.
For existing AgileSP IP Transit, DIA, or colocation customers, DDoS Protection can be added as an integrated layer on top of your existing service. The close integration with AgileSP's routing infrastructure means that mitigation is faster and more effective than a standalone, third-party scrubbing solution — with a single point of contact for both your connectivity and your protection.
FAQ
Frequently asked questions.
- How does network-level DDoS protection work?
- Rather than placing a scrubbing appliance in your own data centre, AgileSP's DDoS protection operates inside our network — upstream of you. When an attack is detected against your IP space, your inbound traffic is rerouted through our Arbor TMS scrubbing infrastructure. Attack traffic is stripped out; clean traffic continues to your network.
- Do I need to change my hardware or configuration?
- No hardware changes are required on your end. DDoS protection is activated on your AgileSP service — typically via a BGP community or a scrubbing policy applied to your prefix. Our NOC will walk you through any configuration steps at activation time.
- What is BGP blackholing (RTBH)?
- Remote Triggered Black Hole (RTBH) is a technique where you advertise a specific /32 (or /128 for IPv6) with a blackhole BGP community. AgileSP — and participating upstream carriers — install a null-route for that destination, dropping all traffic to it at the network edge before it can congest your link.
- What is Flowspec?
- BGP Flowspec (RFC 5575) extends BGP to carry traffic filter rules — essentially pushing access-list entries to routers via BGP. This allows us to drop specific attack traffic without a full scrubbing diversion and without affecting other traffic to the same destination.
- How fast does mitigation kick in?
- Detection and automatic mitigation typically engage within minutes of an attack exceeding detection thresholds. For RTBH and Flowspec, once a community or rule is triggered, propagation across AgileSP's network is near-instantaneous via BGP.