DDoS Protection

What DDoS Attacks Actually Cost

In our initial consultations, the question comes up early: how much mitigation capacity does the platform have? 5 Tbps? 10 Tbps? More? It makes sense — the headlines about record-breaking attacks suggest that raw capacity is the deciding factor.

We typically redirect the conversation. First to the statistics — because the reality looks different from the headlines. Then to the questions that actually matter: how much of that capacity is yours? What happens when another customer on the same platform gets hit? And what does it cost when it hits you?

The 99th Percentile

The data is clear. Based on publicly available statistics from major mitigation providers (Cloudflare, Q1–Q4 2025), the overwhelming majority of DDoS attacks fall well below the numbers that make the press.

| Attack Vector | 99th Percentile | Remaining 1% | Record |
|---|---|---|---|
| Volumetric / Amplification | < 10 Gbps | 10–100 Gbps | 31.4 Tbps |
| Protocol Exhaustion (SYN/ACK) | < 1 Mpps | 1–100 Mpps | 9 Bpps |
| L7 HTTP Floods | < 1M req/s | 1–100M req/s | 205M req/s |

Look at the middle column. The bulk of attacks land there — L7 floods under 1M req/s account for roughly 95 of 100, and most volumetric attacks come in under 10 Gbps. The typical DDoS attack that hits your business has about as much in common with the record attack as a rain shower has with a hurricane.

That doesn't mean large attacks are irrelevant. It means your threat model should be based on the 95th-99th percentile — not the record. And if the bulk of attacks land in this range, the question isn't whether your provider can handle them. It's whether your share of the platform is actually available when you need it.

The Headline Attacks

31.4 Tbps. It sounds impressive — and it's supposed to. Cloudflare, Akamai, and others regularly publish their record mitigations. It's good marketing and makes for great headlines.

What gets lost: these attacks almost exclusively target global infrastructure providers themselves or their largest customers. They're generated by state-sponsored actors or massive botnets. A mid-market company with an online shop, a customer portal, or a SaaS application is not the target of these attacks.

The attacks that hit mid-market businesses come from a different category: 2–5 Gbps UDP floods, SYN floods with a few hundred thousand packets per second, HTTP floods with a few hundred thousand to low millions of requests per second from cheap botnets. Not spectacular, but enough to take unprotected infrastructure offline for hours.

When a vendor tells you they protect against 100 Tbps attacks, ask the questions that aren't on the datasheet. What's my availability when another customer on the same platform gets hit with a large attack? Is the scrubbing capacity dedicated to me, or am I sharing it with hundreds of other tenants? And when something goes wrong — can I call an engineer who knows my setup, or am I ticket #47,291 in a queue that takes three weeks to escalate?

The answers, for most shared platforms, are predictable. You share everything. Your neighbor's 50 Gbps attack eats into your scrubbing capacity. And support is an offshore call center.

How to Size Your Protection

The table above provides the answer: size for the 99.9th percentile, not for the record.

In practical terms: your DDoS protection needs to reliably handle attacks up to 100 Gbps (volumetric), up to 100 Mpps (protocol), and up to 100M req/s (L7) — the middle column in the table above. That covers 99.9% of attacks you'll realistically face. But "reliably" is the key word — it means that capacity needs to be available to you, not theoretically available on a shared platform.
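One way to apply this sizing rule to your own attack history, as an added example that is not from the original page: it derives a per-vector 99.9th-percentile target by nearest rank and checks it against the capacity committed to you. The attack history and the committed values below are constructed for illustration, and all function names are hypothetical.

```python
# Added example. All sample data is constructed, not measured.

# Peak size of each past attack, per vector.
# Units: Gbps (volumetric), Mpps (protocol), million req/s (L7).
HISTORY = {
    "volumetric_gbps": [2] * 900 + [8] * 90 + [40] * 9 + [95],
    "protocol_mpps": [0.2] * 950 + [0.8] * 40 + [30] * 9 + [80],
    "l7_mreqs": [0.3] * 990 + [5] * 9 + [60],
}

# Capacity the provider commits to this tenant (hypothetical contract values).
COMMITTED = {"volumetric_gbps": 100, "protocol_mpps": 20, "l7_mreqs": 100}


def percentile(samples, per_mille):
    """Nearest-rank percentile; per_mille=999 means the 99.9th percentile."""
    if not samples:
        raise ValueError("no samples")
    if not 0 < per_mille <= 1000:
        raise ValueError("per_mille must be in 1..1000")
    ordered = sorted(samples)
    # Integer ceiling of n * per_mille / 1000, avoiding float rounding.
    rank = -(-len(ordered) * per_mille // 1000)
    return ordered[rank - 1]


def sizing_report(history, committed, per_mille=999):
    """Compare the percentile-based target with committed capacity."""
    report = {}
    for vector, peaks in history.items():
        target = percentile(peaks, per_mille)
        have = committed.get(vector, 0)
        report[vector] = {
            "p99": percentile(peaks, 990),
            "target": target,          # what to size for
            "record": max(peaks),      # largest seen, shown for contrast
            "covered": have >= target,
            # Fraction of past attacks that exceeded committed capacity.
            "uncovered_share": sum(p > have for p in peaks) / len(peaks),
        }
    return report


if __name__ == "__main__":
    for vector, row in sizing_report(HISTORY, COMMITTED).items():
        print(vector, row)
```

With the constructed data, the protocol vector is the one that fails the check: the target is 30 Mpps against 20 Mpps committed, even though volumetric and L7 capacity are comfortably above their targets.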

For the remaining fraction, you need a clear escalation path — not a marketing claim about unlimited capacity. Honest questions for your provider:

  • Is my scrubbing capacity dedicated or shared with other tenants?
  • What happens to my traffic when another customer on the platform gets hit?
  • What happens when an attack exceeds local edge capacity?
  • Can I call an engineer during an incident, or is support ticket-only?
  • How fast is escalation from L1 to someone who can actually help?
  • What does L7 protection cover — just rate limiting or actual bot detection?

Or fold all of those into one: what is your DRS score? The DDoS Resiliency Score is a vendor-neutral open standard that quantifies the attack class a defender can withstand — not the aggregate they have installed. We self-assess at DRS 6.

Dedicated beats big. On paper, a 100 Tbps shared platform looks more impressive than a 500 Gbps dedicated setup. In practice, the dedicated setup may be more stable — because all of that capacity is yours. No noisy neighbors. No surprise degradation because another tenant's campaign attracted a botnet. A dedicated pipe that handles 99.9% of attacks you'll ever face, with the predictability that shared platforms can't offer.

Support matters more than datasheets. During an active attack, the difference between calling your provider directly and waiting in a ticket queue is measured in hours of downtime. If your DDoS mitigation provider treats support as a cost center, you'll find out at the worst possible moment. Ask for the escalation path before you sign — not during the incident.

ZERO-PROTECT: DDoS Protection for Mid-Market Businesses

10 mitigation layers from BGP Flowspec to WAF. Own network (AS215197), direct peering with DE-CIX Frankfurt and AMS-IX.
