Multi-layer DDoS protection across ten mitigation stages — BGP Flowspec, JA4 fingerprinting, PoW challenges, WAF, self-service portal — on AS215197.
No foreign jurisdiction. No shared tenancy. No single point of failure.
Zero Services GmbH was listed in 2026 as a BSI-qualified DDoS mitigation service provider under §3 BSIG — tested and qualified to defend operators of critical infrastructure (KRITIS) by Germany's national cyber security authority. Read the full story →
Own Network & Datacenters
Metrics Monitored
Years Infrastructure Experience
Datacenters Worldwide
Every request passes through a sequential chain. Volumetric attacks are dropped at the network edge. What reaches your origin is clean.
BGP Flowspec rules drop UDP floods, SYN floods, and amplification attacks at the network edge within seconds.
Detects bot frameworks by TLS handshake signature — independent of IP rotation.
Customer-defined rules matching on geo, IP, ASN, JA4 fingerprint, or URL path.
TCP-level flood protection with zero CPU overhead. Slow-HTTP defense catches Slowloris and Slow POST.
Per-IP, per-path, per-fingerprint request rate control. Cluster-synchronized across all edge nodes.
Granular rate limiting by TLS fingerprint and URL path for targeted bot mitigation.
Argon2-based puzzles. Browsers solve them in milliseconds. Bot farms burn CPU.
Per-service cache reduces origin load during attacks and improves TTFB.
Coraza WAF with OWASP CRS. Per-service containers. Tunable paranoia levels.
Clean traffic only.
Configure, monitor, and respond — without tickets or waiting.
Match on geo, ASN, IP, path, JA4 fingerprint. Block, rate-limit, challenge, or allow. Drag-and-drop priority.
RPS, bandwidth, response codes, threats blocked. Real-time health of all edge nodes at a glance.
ACME automation (Let's Encrypt, Buypass, ZeroSSL, Google) or custom upload. Auto-renewal, zero downtime.
Instant blocking and maintenance mode. Propagates to all edge nodes within seconds.
Every change logged with timestamp, user, and diff. Full traceability for compliance.
Custom logo, colors, challenge pages, error pages. Full branding on Dedicated plan.
A full edge platform on our own network (AS215197). German and European data residency. No third-party bottlenecks.
Multi-site anycast edge nodes with git-based config distribution. Edge nodes keep running if the control plane is down.
Active health checks. Automatic failover. Traffic distributed across healthy backends.
Backhaul via CrossConnect, MPLS, or VPN. Origin never exposed to the public internet.
Protect TCP services and VPN endpoints. Standalone L3/L4 filtering available for IP-Transit customers.
The same team that runs the servers, the clusters, and the network also builds and operates ZERO-PROTECT. No hand-offs.
Per-service metrics for your own Grafana, alerting, and long-term retention.
BSI-qualified. German infrastructure. For organizations where downtime has real consequences.
Utilities, energy, telecom, government. BSI-qualified per §3 BSIG. German data residency. Audit logging for compliance.
Every minute of downtime is lost revenue. Edge caching, instant emergency actions, and transparent clean-traffic billing.
Strict compliance requirements. German contract partner. Full audit trail. Dedicated edge nodes for complete tenant isolation.
Layer 3/4 mitigation via BGP Flowspec is applied at the network edge within seconds. Layer 7 protections (rate limiting, PoW challenges, WAF) are always-on — they don't need to "kick in" because they're already active on every request.
Instead of showing a CAPTCHA, we send the browser a small computational puzzle (Argon2-based). A real browser solves it in milliseconds — the user doesn't notice. A bot farm needs real CPU time per request, making large-scale L7 attacks economically unviable. Difficulty is adjustable per service.
JA4 creates a fingerprint from TLS handshake parameters — cipher suites, extensions, supported versions. Bots using the same framework produce identical fingerprints even when rotating through thousands of IPs. We rate-limit by fingerprint, not just by IP.
Yes. You point your DNS records to the ZERO-PROTECT anycast IPs. Traffic flows through our edge nodes first, gets filtered, and clean traffic is forwarded to your origin servers. Setup takes minutes.
All traffic processing happens on German and European infrastructure (AS215197). Zero Services GmbH is a German company. No CLOUD Act. No FISA 702. Your traffic data stays in Europe.
White-label branding (custom logo, colors, support URLs, challenge page text, error pages) is available on the Dedicated plan. Shared customers can customize challenge and error page text.
Yes. Zero Services GmbH is listed as a BSI-qualified DDoS mitigation provider pursuant to §3 BSIG. All traffic processing runs on German and European infrastructure (AS215197). The qualification is specifically designed for providers serving operators of critical infrastructure.
We could claim unlimited capacity or ultra-high Tbps values. Every large DDoS provider does. But those numbers represent theoretical global scrubbing capacity across all their PoPs combined — not what's actually available at the edge location where your traffic lands. Real-world mitigation depends on where the attack originates, which paths it takes, and how much capacity sits at that specific ingress point. The headline number on a marketing page won't help you when a 400 Gbps flood hits a single location.
We take a different approach: we tell you exactly what our edge can absorb at each location, and we have clear escalation paths beyond that — upstream scrubbing and BGP blackholing at the peering level (DE-CIX Frankfurt, AMS-IX Amsterdam). Honest dimensioning beats marketing claims.
Yes. If you route your own traffic and don't need a reverse proxy, we offer standalone L3/L4 protection via BGP Flowspec. Volumetric attacks (UDP floods, SYN floods, amplification) are filtered at the network edge across our upstream routers. No DNS change, no reverse proxy, no application-layer stack — just clean transit.
Describe your setup. We'll recommend the right plan, onboard you to the portal — and stay available whenever you need us.