DoS attacks come in a wide variety of forms, some of which can be readily filtered upstream, some of which can be filtered at the network edge with specialized equipment, some of which can only be filtered effectively on the machine itself, and some of which can't be effectively filtered (though this final type can potentially be partially mitigated with a whitelist/rate-limit combination).
Because sometimes particularly huge attacks can be entirely filtered upstream (extending attack mitigation potential beyond the combined size of all external links); sometimes edge-filterable attacks overload only certain external links (reducing attack mitigation potential); sometimes attacks overload upstreams internally in unexpected ways (reducing attack mitigation potential); and sometimes even very small, unfilterable attacks can be damaging to specific services (reducing mitigation potential); among other reasons, no company can put a specific number to the largest attack that can be fully mitigated on its network. Companies that boil down DDoS mitigation potential to a single overall number are not being honest with their customers, and likely have very limited knowledge of how DDoS mitigation actually works.
For an idea of the relative strength of our various locations when it comes to mitigation, review the numbers for overall upstream capacity on our network locations page. Again, these don't represent specifically how much we can mitigate -- our upstreams have helped us fend off far larger reflection attacks than these link sizes, for instance -- but they provide a general idea of location strengths.
All of our locations have routers with the same filtering options, and all of these capabilities are applied to all services that we offer at the location (including dedicated servers, VDSes, game servers, voice servers, and so on), at no additional cost.
1 post • Page 1 of 1