How Our New DDoS Mitigation Layer Works
A technical look at the scrubbing infrastructure we deployed this year and why it's a meaningful upgrade over what came before.
DDoS protection is one of those things that's easy to advertise and hard to actually deliver. Every host claims to have it. The real question is what happens when someone points 100+ Gbps at one of your IPs — does traffic get null-routed (meaning your server goes offline until the attack stops), or does it actually get scrubbed in real time while legitimate traffic continues to flow?
Our previous setup relied heavily on upstream null routing, which meant that during a sustained attack, the targeted IP would go dark for the duration. Not ideal. This year we replaced that with an inline scrubbing architecture. Here's how it actually works.
When an attack is detected — either by our automated monitoring or by manual escalation — we announce a more specific BGP route for the targeted IP range that points to our scrubbing infrastructure rather than directly to the origin node. This redirection happens at the routing protocol level, so it's fast (typically under 30 seconds to propagate) and doesn't require any changes at the physical layer.
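As an added illustration of the routing mechanism just described (not the provider's own router configuration, which the post does not publish), the following Python block models a longest-prefix-match forwarding table: while the /22 aggregate is the only route, traffic reaches the origin router; announcing a more-specific /24 for the targeted range diverts it to the scrubbing layer without touching neighbouring addresses, and withdrawing that /24 restores the original path. The prefixes (203.0.112.0/22, 203.0.113.0/24) and next-hop names are constructed placeholders.

```python
import ipaddress

# Added example: a toy longest-prefix-match table modelling the route swing
# described in the post. Prefixes and next-hop names are constructed
# placeholders (203.0.112.0/22 as the normally announced aggregate); the
# real routers, upstream policies and the return path are not modelled.


def build_table(routes):
    """routes: iterable of (prefix, next_hop) -> list of (network, next_hop)."""
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]


def lookup(table, ip):
    """Forward ip by longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, next_hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def announce(table, prefix, next_hop):
    """Add a route (here: the more-specific that diverts a range to scrubbing)."""
    return table + [(ipaddress.ip_network(prefix), next_hop)]


def withdraw(table, prefix):
    """Remove a route; once withdrawn, the aggregate's path takes over again."""
    net = ipaddress.ip_network(prefix)
    return [(n, nh) for n, nh in table if n != net]


def mitigation_walkthrough():
    """Return the next hop for a target IP before, during and after an attack."""
    target = "203.0.113.10"  # constructed placeholder address inside the aggregate
    normal = build_table([("0.0.0.0/0", "upstream-default"),
                          ("203.0.112.0/22", "origin-router")])
    under_attack = announce(normal, "203.0.113.0/24", "scrubbing-center")
    recovered = withdraw(under_attack, "203.0.113.0/24")
    return {
        "before": lookup(normal, target),
        "during": lookup(under_attack, target),
        "neighbour_during": lookup(under_attack, "203.0.112.10"),
        "after": lookup(recovered, target),
    }


if __name__ == "__main__":
    for phase, next_hop in mitigation_walkthrough().items():
        print(f"{phase:17} -> {next_hop}")
```

The granularity of such a diversion is bounded by the longest prefix the upstreams will accept, and the path by which scrubbed traffic gets back to the origin (typically a tunnel or a private interconnect) is a separate piece of the design that this toy model leaves out.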
Traffic arriving at the scrubbing layer is inspected at line rate using hardware packet processors. The inspection pipeline looks at several things:
One thing we spent real time on is making the mitigation Minecraft-aware. The Minecraft protocol has a specific handshake sequence. Connection attempts that don't follow that sequence correctly get dropped before they ever reach your server. This is particularly useful against connection-flood attacks that try to overwhelm the server's connection handling rather than the network pipe itself.
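To make the handshake check concrete, here is an added Python example (not the provider's filter code, which the post does not publish) that validates the framing of a Minecraft Java Edition handshake, the first packet a client sends: VarInt frame length, VarInt packet id 0x00, VarInt protocol version, length-prefixed UTF-8 server address, big-endian 16-bit port, and a VarInt next state. Anything that does not fit that shape is classified as a drop. The sample connections at the bottom are constructed; the hostname and protocol version in them are placeholders.

```python
import struct

# Added example: validate a Minecraft Java Edition handshake (serverbound
# packet 0x00, Handshaking state) the way an edge filter might before
# admitting a new connection. Not the hosting provider's own filter code.

MAX_VARINT_BYTES = 5
MAX_ADDRESS_CHARS = 255
# 1 = status, 2 = login. Newer protocol versions add 3 (transfer); widen the
# set to match the versions you actually serve (an assumption, not from the post).
VALID_NEXT_STATES = {1, 2}


class Drop(Exception):
    """Raised when the bytes are not a well-formed handshake; the flow is dropped."""


def read_varint(buf, pos):
    """Decode a protocol VarInt at buf[pos]; return (value, new_pos)."""
    value = 0
    for i in range(MAX_VARINT_BYTES):
        if pos + i >= len(buf):
            raise Drop("truncated VarInt")
        b = buf[pos + i]
        value |= (b & 0x7F) << (7 * i)
        if not b & 0x80:
            return value, pos + i + 1
    raise Drop("VarInt longer than 5 bytes")


def write_varint(value):
    """Encode a non-negative integer as a protocol VarInt."""
    out = bytearray()
    while True:
        chunk = value & 0x7F
        value >>= 7
        if value:
            out.append(chunk | 0x80)
        else:
            out.append(chunk)
            return bytes(out)


def parse_handshake(data):
    """Parse the first frame of data as a handshake; raise Drop on any deviation."""
    length, pos = read_varint(data, 0)
    if length <= 0 or pos + length > len(data):
        raise Drop("bad frame length")
    body = data[pos:pos + length]  # parse strictly inside the declared frame
    packet_id, p = read_varint(body, 0)
    if packet_id != 0x00:
        raise Drop("first packet is not a handshake")
    protocol_version, p = read_varint(body, p)
    addr_len, p = read_varint(body, p)
    if addr_len > MAX_ADDRESS_CHARS * 4 or p + addr_len > len(body):
        raise Drop("bad server address length")
    try:
        address = body[p:p + addr_len].decode("utf-8")
    except UnicodeDecodeError:
        raise Drop("server address is not UTF-8")
    if len(address) > MAX_ADDRESS_CHARS:
        raise Drop("server address too long")
    p += addr_len
    if p + 2 > len(body):
        raise Drop("truncated port")
    port = struct.unpack(">H", body[p:p + 2])[0]
    p += 2
    next_state, p = read_varint(body, p)
    if next_state not in VALID_NEXT_STATES:
        raise Drop("invalid next state")
    if p != len(body):
        raise Drop("trailing bytes inside handshake frame")
    return {"protocol_version": protocol_version, "address": address,
            "port": port, "next_state": next_state}


def build_handshake(protocol_version, address, port, next_state):
    """Construct a handshake frame; used here only to make sample input."""
    addr = address.encode("utf-8")
    body = (write_varint(0x00) + write_varint(protocol_version)
            + write_varint(len(addr)) + addr
            + struct.pack(">H", port) + write_varint(next_state))
    return write_varint(len(body)) + body


def classify(first_bytes):
    """Edge decision for the first bytes of a new connection: 'pass' or 'drop: <why>'."""
    try:
        parse_handshake(first_bytes)
        return "pass"
    except Drop as why:
        return f"drop: {why}"


if __name__ == "__main__":
    # Constructed samples: hostname and protocol version are placeholders.
    samples = {
        "real client": build_handshake(763, "mc.example.net", 25565, 2),
        "http probe": b"GET / HTTP/1.1\r\n\r\n",
        "bad next state": build_handshake(763, "mc.example.net", 25565, 9),
        "truncated": build_handshake(763, "mc.example.net", 25565, 2)[:-1],
    }
    for name, pkt in samples.items():
        print(f"{name:15} -> {classify(pkt)}")
```

Two caveats when applying a check like this at the edge: the pre-1.7 legacy server list ping does not use this framing (it begins with the byte 0xFE), so it needs its own branch if you still want to answer it, and a client that sends the handshake in more than one TCP segment must be buffered up to the declared frame length rather than dropped on the first partial read.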
In practice, it means attacks that would previously have caused your server to go offline now get absorbed without your players noticing. We've handled several significant attacks since deploying this infrastructure and in each case, player-facing downtime was zero. That's the whole point.