Infrastructure
An Anti-DDoS architecture built to return clean traffic
Peeryx combines adaptive mitigation, multiple delivery models and a clear network path so existing environments can be protected without becoming a black box.
Adaptive mitigation built around real traffic and production constraints
Integration compatible with BGP, GRE, IPIP, VXLAN, cross-connect and router VM
Clean traffic delivered back according to topology, target latency and desired control level
Architecture built for operators, hosters, gaming, SaaS and critical services
Peeryx infrastructure
An anti-DDoS architecture designed to absorb, filter and hand back clean traffic
The Peeryx infrastructure is built as a full chain: network exposure, mitigation, handoff decisions, clean traffic delivery and ongoing operations. The goal is to protect what already runs with a readable model, not to impose a black box.
- Clear view of the traffic path from Internet edge to production
- Several delivery models depending on the network control you need
- Positioning that fits environments already in production
- A concrete explanation of what Peeryx protects and how
Peeryx network blueprint
From exposed traffic to clean traffic
A readable model: protected ingress, mitigation, handoff decision and clean delivery aligned with your topology.
Protected ingress
Targeted mitigation
Clean traffic handoff
Catch the attack in the right place
The goal is to absorb the attack before it degrades production by placing mitigation at the right level of network exposure.
Upstream relief when it is useful
Upstream filtering can complement local mitigation when attack volume really demands it, without becoming the only answer to every event.
Clean handoff back to production
Cross-connect, tunnels or a router VM are integration choices. Peeryx treats them as design tools, not imposed constraints.
Readable operations for the customer
The customer should be able to understand what enters, what is filtered, what comes back and what remains under their own network control.
Mitigation capacity
15+ Tbps
Transit delivery modes
5
Supported protection layers
L3 / L4 / L5 / L7
Free trial on offers
24h
Architecture principles
A credible anti-DDoS architecture is judged by how it operates as well
Raw capacity matters, but it is not enough. A serious platform must also make entry points, mitigation model, handoff design and customer operations understandable.
Visibility into the traffic path
The customer should understand where traffic enters, where it is filtered and how clean traffic returns to production.
Upstream relief when it is useful
Upstream logic should help with extreme volumes without becoming the only answer to every attack pattern.
Handoff matched to topology
A good design does not force the same model on every customer: tunnel, BGP, cross-connect, protected IPs or hybrid approaches.
Production-first
The role of the service is to protect what already runs, keep operations possible and avoid introducing unnecessary opaque dependency.
Traffic path
From public exposure to clean traffic: the key steps
The Peeryx mitigation chain should stay readable for a technical team: ingress point, observation, filtering, handoff and return to production.
1. Network exposure
Prefixes are announced through BGP or services are exposed through protected IPs depending on rollout speed and the level of control required.
2. Legitimate traffic observation
Useful traffic provides the baseline for normal patterns, lower false positives and cleaner mitigation decisions.
3. Adaptive filtering
Attack signatures are correlated with real service behavior so the attack is blocked without breaking legitimate usage.
4. Handoff and delivery
Clean traffic is returned through cross-connect, GRE, IPIP, VXLAN or a router VM according to the chosen design.
5. Ongoing operations
The model remains documentable and understandable: your team knows what is protected, what is handed back and what stays locally controlled.
Mitigation fabric
Traffic enters a mitigation layer built to absorb volumetric and protocol attacks, then distinguish legitimate traffic before anything is handed back to production.
Datacenter or tunnel delivery
Depending on the topology, clean traffic can be delivered back through cross-connect, GRE, IPIP, VXLAN or a router VM so the integration model stays coherent with the existing environment.
Interconnection model
Peeryx fits both full BGP scenarios and architectures where the priority is to protect an existing production stack without rebuilding everything around a new edge design.
Operational resilience
A serious anti-DDoS architecture does not stop at filtering. It must also remain understandable for operations, preserve the useful routing choices and return legitimate traffic cleanly.
Anti-DDoS architecture
What a credible anti-DDoS architecture must control
A serious anti-DDoS infrastructure is more than raw capacity numbers. It must control ingress, filtering decisions, observability and clean traffic delivery all the way back to the useful layer.
Ingress capacity and real headroom
The design has to absorb volumetric attacks while preserving operational margin for signalling, clean return traffic and overall stability.
Readable filtering hot path
Mitigation logic must stay efficient, predictable and compatible with advanced filtering policies without turning operations into a black box.
Observability after the decision point
A good architecture separates the fast drop path from the visibility needed to understand attacks, tune rules and prepare upstream escalation.
A clean path back to the service
Legitimate traffic has to return to the right layer: server, proxy, cluster or backbone, with a handoff model that actually matches production.
What Peeryx tries to preserve in production
What Peeryx tries to preserve in production
Peeryx combines adaptive mitigation, multiple delivery models and a clear network path so existing environments can be protected without becoming a black box.
- A clear reading of the network path between ingress, mitigation and clean delivery
- Stable latency and a handoff model aligned with the service that is actually exposed
- A clean separation between upstream protection, custom logic and application layers
- A path to upstream offload when traffic volume requires additional coarse filtering
Blog
Technical guides and architecture notes
Content written for technical buyers: delivery models, protection for infrastructure already in production, latency, asymmetric routing and the criteria that matter before you buy.
How do you mitigate a DDoS attack above 100Gbps?
Link, PPS, CPU, upstream relief and clean handoff: the real framework behind credible 100Gbps mitigation.
Read the articleAnti-DDoS clean traffic delivery: why the handoff matters as much as mitigation
Many websites talk about mitigation capacity and far fewer talk about clean traffic delivery. Yet a credible Anti-DDoS design does not stop at scrubbing: legitimate traffic still has to be delivered back to the right target properly.
Read the articleUpstream Anti-DDoS pre-filtering: when to use it and why it changes everything
Upstream Anti-DDoS pre-filtering is not a magic layer. Used correctly, it removes obvious noise early, protects links and leaves the smarter layers enough room to keep working.
Read the articleDedicated Anti-DDoS filtering server: when is it the best compromise?
A dedicated Anti-DDoS filtering server takes pressure away from production, allows finer logic and gives you better control over clean traffic delivery. It is not always mandatory, but it is often the best balance between cost and flexibility.
Read the articleLatency, asymmetry and clean traffic delivery
Why the traffic path, local egress and handoff model matter as much as raw mitigation capacity.
Read the articleGaming Anti-DDoS: why generic filtering is not always enough
Gaming does not only need volume absorption. It also needs player experience protection, low false-positive rates and handling of protocol behaviours that do not look like a normal web frontend.
Read the articlePeeryx FAQ
Do I need to migrate my whole infrastructure to use Peeryx?
No. Peeryx can protect infrastructure already in production through BGP, protected IPs, tunnels, cross-connect or a router VM depending on your topology.
Is asymmetric routing compatible with this architecture?
Yes. Peeryx can take the inbound path while local egress stays elsewhere when that improves latency, cost or operations.
Is cross-connect mandatory?
No. It can be useful in some datacenter setups, but Peeryx also supports GRE, IPIP, VXLAN and router VM models to preserve flexibility.
Why explain the architecture in so much detail?
Because a readable architecture reduces misunderstandings, reassures technical teams and makes it faster to see whether Peeryx really fits the existing environment.
Does Peeryx infrastructure have to replace my application logic or custom filtering?
No. Peeryx can protect the upstream layer and return clean traffic to your own network or application logic. The goal is to strengthen anti-DDoS protection without forcing a full stack replacement.
Why does observability matter in an anti-DDoS architecture?
Because effective mitigation also has to remain operable. Knowing what is filtered, what still passes, when to escalate upstream and how to tune policies is essential over time.
Share your architecture and network constraints
Describe your prefixes, connectivity, egress points, target latency and the way you want clean traffic handed back. We will return with a credible integration design.