Home / Products & Services / Internet & Cloud / DDoS Mitigation Services

DDoS Mitigation

Arelion's DDoS mitigation automatic detection capability enables quick identification of any attack on your system. There is no need for your organization to dedicate resources to monitor data traffic or risk realizing you are under attack only when your system starts to crash.

Backbone strength

DDoS mitigation with superior precision

Arelion’s DDoS mitigation service applies surgical mitigation techniques to mitigate attacks automatically. Malicious traffic is dropped already within our backbone before it reaches your Internet connection, ensuring that only legitimate traffic passes through.

DDoS security for business continuity

Today’s DDoS attacks can have an immediate and profound impact on businesses. We have designed our DDoS mitigation service to scale across the global Internet for each tier. We can absorb highly distributed, heavy attacks and allow data centers, servers, and Internet connections to operate normally even when under attack.

What does DDoS mitigation service do?

Arelion DDoS mitigation automatically detects when you are under attack. This means that you don’t have to dedicate resources to monitoring traffic or worse still, stop your organization to know you are under attack long before your systems start to crash.

Arelion DDoS Mitigation cleans or “scrubs” the Internet flow coming into your network and IT systems to remove the attack traffic. In this way your organization can continue to function as normal during the attack. Protection can start and stop as required, always ensuring your organization is covered.

How to protect against DDoS attacks

DDoS attack - redirection and clearing

Why is DDoS protection valuable for Enterprises?

Global companies have a significant portion of their business online, demanding a high level of network protection against DDoS attacks. 

We provide a high-capacity solution throughout our global IP backbone that can be scaled to add more protected IP ranges, but also DDoS mitigation capacity to support your growing protection needs. Using Arelion’s DDoS protection service you:

  • Protect your business costs, revenue, and reputation
  • Minimize your network interruption and disturbances
  • Ensure your online availability
  • Increase your overall effectivity and productivity 

Flexible pricing mechanisms

We have adapted our pricing model to the risk profile of each customer, making it more economical than in-house edge solutions that can cause additional bottlenecks during DDoS attacks.

Multi-homed DDoS protection

Arelion’s multi-homed DDoS service works in a similar way as the standard service, leveraging the same carrier grade – best in class detection and mitigation system. 

There are two main differences:

  • DDoS attacks detection on traffic outside our network
  • How we pull the traffic to our scrubbing centers for cleaning

Our DDoS system collects and analyzes flow data from AS1299’s edge routers. This gives us visibility into the traffic, including attack traffic, that flows through our network. Since many customers have connections to multiple providers and may also ‘peer’ with networks of similar size, there is a customer request for a multi-homing DDoS protection that covers these additional links. 

That means that when an attack hits our edge, we direct it to the nearest scrubber, clean it, and then return back to the customer using their direct links to us. If requested, we hijack the traffic for other providers and scrub these as well. Once the attack is over, the system alerts all edge routers to release the more specific BGP announcement and traffic flow returns to normal. 

See, Multi-homing DDoS attack protection video animation.

Want to get in touch with us immediately? Contact our Customer Support and they’ll put you through the right contact.

Call us anytime at

+46 (0) 771 191 170

Or email us


Toll-free numbers

Toll-free numbers

If I were to sum up the best things about Arelion, I would include extremely competent staff, quick response times, comprehensive DDoS protection with additional services and competitive pricing. Our company (...) was increasingly affected by DDoS attacks over a long period of time, to the extent that our business suffered daily. Thanks to the help we got from Arelion, we got back on track again, as a stable and reliable IT-company for our customers who always expect the best service 24/7.

Yilmaz Turkan, CEO Cygrids

DDoS FAQ video and DDoS Protection animation video

Learn more about the Arelion's DDoS protection in this video – frequently asked questions and answers with Arelion’s IP and Security expert. Learn more about DDoS Protection by Arelion.
Technical highlights
Protection against evolving attack vectors: volumetric, protocol, application
Surgical host level mitigation
Manual or automatic protection
24/7/365 protection
Security highlights
Secure by design features
NOC situated in a well secured and connected building with multiple power sources
Physical and logical security from design to deployment
A network-wide Acceptable Use Policy (AUP)
Customer Service authentication procedures
Clear customer data handling policies

DDoS Mitigation frequently asked questions

10 quick questions for our IP & Security Product Manager at Arelion.

How does the Arelion DDoS service work?

All the edge routers in AS1299 send traffic data in the form of NetFlow, BGP and SNMP to our DDoS system. Using detailed profiling and continuously updated threat intelligence, this data is analyzed for attack traffic. This is all run by our dedicated in-house SecOps team and backed by our industry leading DDoS vendor. If the system detects malicious traffic destined to one of our DDoS customers, it will initiate a redirect within our network to the nearest scrubbing center. Arelion has 5 of these locations globally. Using a variety of methods, we ensure that the traffic is routed to the scrubbing center nearest to the source of the attack, rather than the target. This ensures the lowest possible increment in Round Trip Delay (RTD).


Also, as this redirect is internal to our network, we can redirect only the traffic we absolutely need to – right down to a single host /32. This means that we leave as much customer traffic flowing as normal as we possibly can, minimizing the attack impact still further.


Once the traffic reaches the scrubbing center, it passes through our Threat Management System which drops the malicious traffic and allows the good/legitimate traffic through. This ‘clean’ traffic is sent into a clean VRF or other tunnel and handed to the customer’s nearest port.


Once the attack is over, any redirections are withdrawn, and peacetime routing is restored.

What about the onboarding process? Is that complicated?

The onboarding process should not be complicated, but it really depends on the customer. Arelion offers quite a lot of flexibility to our customers which could add complexity. However, for most of our customers we recommend simply applying default settings, so all we need is some admin information (i.e., contacts for alerts and reports etc.) and details of the IP prefixes they wish to protect.


Customers may not want all of their IP’s protected, and some may run very sensitive DNS, web or email servers. These can be configured into the system separately allowing for customization of thresholds. Our solution engineers work with customers to optimize the set-up.

Multi-homed DDoS service - what is it and how does it work?

Multi-homed DDoS is Arelion’s solution for customers who buy IP access from more than one provider. Typically, in this scenario the customer would buy DDoS protection from each provider, but this service allows customers to buy a complete DDoS service solution from just us, covering the whole system end to end.


  • Multi-homing service works very much like our base service, but with a couple of key additions:

    - We need to be able to ‘see’ the traffic that doesn’t flow through our network. For this, we need the customer to send Netflow (or SFlow) data from the relevant edge routers to our system.
    - We need to be able to steer traffic to our network when we see an attack, so that we can push it to our scrubbers. To do this, we initiate a friendly BGP hijack, by announcing a more specific prefix to our peers and customers. Once the attack is over, we release this BGP announcement and traffic returns to the normal path.
  • Multi-homing service is a fully automated feature.

  • Based on these two key things, the service may not suit everyone. Some customers may even struggle with providing Netflow data (e.g., due to security policy or not having capable devices). Our more specific announcement should win the BGP routing decision, so ideally in normal operation the customer announces /23 or larger prefixes to the outside world. The prefixes to be protected by us must be covered by an RPKI ROA that has AS1299 as originating ASN and a max length of 24. Our systems will not initiate a BGP announcement that would not be considered valid by RPKI validation.

Once we set up the service, do we need to have any legal papers signed regarding GDPR?

AS1299 is a very large IP Transit backbone, with large number of connected ASN’s globally and edge traffic > 70Tbs, so we obviously have access to a lot of data.


We use this data for the purpose of supplying the services, running and maintaining the network. So, this does mean collecting flow data and using that within our analysis tools to determine the network demands for planning and forecasting.


For DDoS we use this kind of data to detect and identify suspicious traffic. We only apply these more detailed detection mechanisms to customers who purchase our DDoS services.


With multi-homing, there’s a slight difference as we need to collect some data that is not available from our AS1299 routers, but from customer routers themselves. We ask customers to send us not only Netflow/sFlow data from the routers on their other boundaries, but also SNMP data.
This enables us to better identify the external interfaces and only look at the interfaces that are relevant to the service we provide.


Arelion ONLY uses data for the purpose of providing the DDoS Service and we do not retain this data any longer than needed.

Is it possible to have “Premium IP Transit service” that by definition includes DDoS?

We currently do not offer such a service. In principle it is possible and it’s something we may consider in the future. If and when we do, it’s likely to be part of our Enterprise Product portfolio.

What is Arelion’s maximum DDoS traffic capacity available?

We need to explain a bit more about the mechanisms we have available to mitigate DDoS attacks

  • Highly-capable edge routers – meaning they support detailed filtering and Flowspec when needed

  • Filtering pre-TMS. We have dedicated routers fronting our TMSs. Here our SecOps team manages filters on an ongoing basis

  • TMS. These are the vendor scrubbing devices and form our last line of defense. They are modular and each can easily be upgraded to 400Gb/s each before a new chassis is needed


For these reasons, finite TMS scrubbing capacity is less relevant for us, as AS1299 essentially forms a global scrubbing centre. We have successfully mitigated a peak attack of >990Gbps. This capacity is currently being upgraded to ensure that it is future-proofed for our customers.

Is there any alternative to the billing method Arelion offers now, i.e., based on clean traffic, based on ports, including DDoS “burst”?

Currently – our only charging model is based on actual mitigation minutes. This, we believe, is pretty unique in the market. As mentioned, there might be some ‘all inclusive’ options coming in the future, but we are not planning on introducing a charging based on either clean or ‘dirty’ traffic.

Is it possible to have a DDoS quick deployment option marketed, i.e. that CSC/NOC can implement within minutes on a “Sunday night” when the client is under attack?

We are working on being able to launch an ‘Express DDoS’ which would be exactly as described – an existing IP customer can tell us they are under attack and to which prefix(es), so we can instruct our routers to divert traffic to those prefixes to the TMSs. This would be a quick way to get traffic scrubbed. It is not a replacement for the full DDoS service and can run for up to 24 hours. Client would be responsible for telling us to stop the mitigation.

Few quickfire questions from new clients/early adopters of DDoS

Is there a learning phase?

Yes – this is typically done during Delivery – and can be relatively short. It’s there to set some baselines in the system.


What if I realize I made a mistake on the IP addresses?

Simply notify Customer Service Center and we can get these amended/removed. The capability to update through the portal is road-mapped and is a priority for Arelion.


Am I limited in the number of IP addresses?

No, we do not have a limitation. You can have a number of prefixes – down to /32 host IP. We also protect IPv6 addresses, which have their own configured managed objects.


How do I make changes on my Mobile Operator configuration?

Currently by updating the configuration template and sending back to CSC.

Watch our Network security video

Did you know our IP backbone is ranked #1 worldwide?

  • World's #1 IP backbone
  • Awarded customer service
  • 350+ PoPs in 35 countries 


Want to get in touch with us immediately? Contact our Customer Support and they’ll put you through the right contact.

Call us anytime at

+46 (0) 771 191 170

Or email us


Toll-free numbers

Toll-free numbers