DDoS Protection

What DDoS Attacks Actually Cost

In our initial consultations, the question comes up early: how much mitigation capacity does the platform have? 5 Tbps? 10 Tbps? More? It makes sense — the headlines about record-breaking attacks suggest that raw capacity is the deciding factor.

We typically redirect the conversation. First to the statistics — because the reality looks different from the headlines. Then to the questions that actually matter: how much of that capacity is yours? What happens when another customer on the same platform gets hit? And what does it cost when it hits you?

The 99th Percentile

The data is clear. Based on publicly available statistics from major mitigation providers (Cloudflare, Q1–Q4 2025), the overwhelming majority of DDoS attacks fall well below the numbers that make the press.

Attack Vector                 | 99th Percentile | Remaining 1%  | Record
------------------------------|-----------------|---------------|------------
Volumetric / Amplification    | < 10 Gbps       | 10–100 Gbps   | 31.4 Tbps
Protocol Exhaustion (SYN/ACK) | < 1 Mpps        | 1–100 Mpps    | 9 Bpps
L7 HTTP Floods                | < 1M req/s      | 1–100M req/s  | 205M req/s

Look at the 99th Percentile column. 99 out of 100 volumetric attacks are under 10 Gbps. 99 out of 100 SYN floods are under 1 Mpps. The typical DDoS attack that hits your business has about as much in common with the record attack as a rain shower has with a hurricane.

That doesn't mean large attacks are irrelevant. It means your threat model should be based on the 99th percentile, maybe 99.9th percentile — not the record. And if 99% of attacks are this size, the question isn't whether your provider can handle them. It's whether your share of the platform is actually available when you need it.

The Headline Attacks

31.4 Tbps. It sounds impressive — and it's supposed to. Cloudflare, Akamai, and others regularly publish their record mitigations. It's good marketing and makes for great headlines.

What gets lost: these attacks almost exclusively target global infrastructure providers themselves or their largest customers. They're generated by state-sponsored actors or massive botnets. A mid-market company with an online shop, a customer portal, or a SaaS application is not the target of these attacks.

The attacks that hit mid-market businesses come from a different category: 2–5 Gbps UDP floods, SYN floods with a few hundred thousand packets per second, HTTP floods with a few hundred thousand to low millions of requests per second from cheap botnets. Not spectacular, but enough to take unprotected infrastructure offline for hours.

When a vendor tells you they protect against 100 Tbps attacks, ask the questions that aren't on the datasheet. What's my availability when another customer on the same platform gets hit with a large attack? Is the scrubbing capacity dedicated to me, or am I sharing it with hundreds of other tenants? And when something goes wrong — can I call an engineer who knows my setup, or am I ticket #47,291 in a queue that takes three weeks to escalate?

The answers, for most shared platforms, are predictable. You share everything. Your neighbor's 50 Gbps attack eats into your scrubbing capacity. And support is an offshore call center.

How to Size Your Protection

The table above provides the answer: size for the 99.9th percentile, not for the record.

In practical terms: your DDoS protection needs to reliably handle attacks up to 100 Gbps (volumetric), up to 100 Mpps (protocol), and up to 100M req/s (L7), the upper bounds of the Remaining 1% column in the table above. That covers 99.9% of attacks you'll realistically face. But "reliably" is the key word — it means that capacity needs to be available to you, not theoretically available on a shared platform.

For the remaining fraction, you need a clear escalation path — not a marketing claim about unlimited capacity. Honest questions for your provider:

  • Is my scrubbing capacity dedicated or shared with other tenants?
  • What happens to my traffic when another customer on the platform gets hit?
  • What happens when an attack exceeds local edge capacity?
  • Can I call an engineer during an incident, or is support ticket-only?
  • How fast is escalation from L1 to someone who can actually help?
  • What does L7 protection cover — just rate limiting or actual bot detection?
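
Applying the sizing rule to your own attack history, as an added example that is not part of the original article: the peak values are constructed, the vector and function names are hypothetical, and the targets are the 100 Gbps / 100 Mpps / 100M req/s figures from the text. It reports a percentile only when there are enough samples for it to differ from the maximum, and counts the attacks above target that would need the escalation path.

```python
import math
from fractions import Fraction

# Sizing targets taken from the article: 100 Gbps, 100 Mpps, 100M req/s.
TARGETS = {"volumetric_gbps": 100, "protocol_mpps": 100, "l7_mreq_s": 100}

# Constructed peak sizes of past attacks per vector (not real measurements).
HISTORY = {
    "volumetric_gbps": [2.0] * 60 + [4.5] * 35 + [8.0] * 4 + [140.0],
    "protocol_mpps": [0.2] * 9 + [0.6, 0.8, 3.0],
    "l7_mreq_s": [],
}


def min_samples(pct):
    """Fewest samples at which the nearest-rank percentile is not just the
    maximum. pct is a string such as "99" or "99.9", strictly below 100."""
    return math.ceil(100 / (100 - Fraction(pct)))


def nearest_rank(values, pct):
    """Nearest-rank percentile; exact fractions so "99.9" does not drift."""
    ordered = sorted(values)
    rank = math.ceil(Fraction(pct) * len(ordered) / 100)
    return ordered[max(rank, 1) - 1]


def sizing_report(history, targets, pct="99"):
    """Per vector: sample count, percentile (None if the history is too thin
    to resolve it), largest attack seen, and attacks above the target."""
    report = {}
    for vector, peaks in history.items():
        resolved = len(peaks) >= min_samples(pct)
        report[vector] = {
            "samples": len(peaks),
            "percentile": nearest_rank(peaks, pct) if resolved else None,
            "max": max(peaks, default=None),
            "needs_escalation": sum(p > targets[vector] for p in peaks),
        }
    return report


if __name__ == "__main__":
    for vector, row in sizing_report(HISTORY, TARGETS).items():
        print(vector, row)
```

A percentile of None means the history is too short to say anything about that percentile (fewer than 100 attacks for p99, fewer than 1,000 for p99.9), which is when published provider statistics are the only usable baseline.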

Dedicated beats big. On paper, a 100 Tbps shared platform looks more impressive than a 500 Gbps dedicated setup. In practice, the dedicated setup may be more stable — because all of that capacity is yours. No noisy neighbors. No surprise degradation because another tenant's campaign attracted a botnet. A dedicated pipe that handles 99.9% of attacks you'll ever face, with the predictability that shared platforms can't offer.

Support matters more than datasheets. During an active attack, the difference between calling your provider directly and waiting in a ticket queue is measured in hours of downtime. If your DDoS mitigation provider treats support as a cost center, you'll find out at the worst possible moment. Ask for the escalation path before you sign — not during the incident.

ZERO-PROTECT: DDoS Protection for Mid-Market Businesses

10 mitigation layers from BGP Flowspec to WAF. Own network (AS215197), direct peering with DE-CIX Frankfurt and AMS-IX.
