Always-On DDoS Protection: Proactive 24/7 Defense
Continuous traffic inspection and instant mitigation.
All traffic flows through our scrubbing centers 24/7, blocking attacks before they reach your infrastructure.
Always-on protection mode routes 100% of your traffic through our global scrubbing network at all times. Unlike on-demand protection that activates during attacks, always-on continuously inspects and filters traffic, providing instant mitigation without detection delays.
This proactive approach is part of our comprehensive DDoS protection services, delivering zero-downtime defense for mission-critical infrastructure that cannot tolerate even brief attack windows.
Built for financial services, e-commerce, gaming, and any operation where 100% uptime is mandatory. Instant mitigation with no ramp-up time.
What is Always-On Protection?
Always-on DDoS protection continuously routes all your network traffic through our global scrubbing infrastructure, even when no attack is occurring. Traffic is inspected in real time by multiple detection engines (flow analysis, packet inspection, behavioral analysis) before being forwarded to your origin servers.
Because traffic analysis is already running, attack mitigation begins instantly when malicious patterns are detected—no DNS propagation delays, no traffic rerouting, no detection lag. Clean traffic reaches your infrastructure; attack traffic is dropped at the edge.
This contrasts with on-demand protection, which routes traffic directly to your servers during normal operation and only diverts through scrubbing centers when an attack is detected.
Always-On vs On-Demand Protection
Understanding the trade-offs between protection modes
| Feature | Always-On | On-Demand |
|---|---|---|
| Traffic Routing | Always via scrubbing centers | Direct until attack detected |
| Mitigation Time | Instant (0 seconds) | 30-180 seconds (DNS + detection) |
| Latency Impact | +1ms constant | None normally, +5ms during attack |
| Attack Window | Zero | 30-180 seconds vulnerability |
| Cost | Included free | Included free |
| Best For | Mission-critical, zero-tolerance | Standard workloads, cost-sensitive |
Both modes use the same 1.6 Tbps scrubbing capacity and protection techniques. The difference is when traffic enters the scrubbing network.
How Always-On Protection Works
BGP Anycast Routing
Your IP space is announced via BGP anycast from our 12 global scrubbing centers. All traffic automatically routes to the nearest scrubbing location.
Continuous Traffic Inspection
All packets are analyzed in real time: flow statistics, packet headers, payload patterns, and behavioral analysis. Legitimate traffic characteristics are learned continuously.
Instant Threat Detection
Multi-layer detection engines identify attack patterns: volumetric floods, protocol violations, application-layer abuse. Detection happens within milliseconds as traffic is already being analyzed.
Automatic Mitigation
Attack traffic is dropped immediately at the edge. Rate limiting, connection tracking, protocol validation, and payload inspection filter malicious packets while allowing legitimate traffic through.
Clean Traffic Forwarding
Only verified clean traffic is forwarded to your origin servers via GRE tunnel or direct routing. Your infrastructure receives attack-free traffic with minimal latency overhead (<1ms).
Benefits of Always-On Protection
Zero Attack Downtime
No vulnerability window. Attacks are blocked instantly without the 30-180 second detection and rerouting delay of on-demand protection.
Instant Mitigation
Because traffic is already flowing through scrubbing centers, mitigation begins the moment an attack is detected. No DNS propagation wait, no BGP convergence delay.
Zero Configuration Required
Set once and forget. No attack detection thresholds to tune, no manual activation during attacks. Protection is always active.
Full Global Capacity Available
Access to our complete 1.6 Tbps global scrubbing capacity at all times. Your traffic is distributed across all scrubbing centers, not concentrated at a single entry point.
Continuous Baseline Learning
Because your traffic is always being analyzed, our systems learn your normal traffic patterns more accurately, reducing false positives and improving detection.
Proactive Defense Posture
Attackers cannot probe your infrastructure directly. They interact only with hardened scrubbing infrastructure, preventing reconnaissance and exploit attempts.
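The continuous inspection and baseline learning described above can be illustrated with a small rate detector. This is an added example, not the provider's detection engine: the EWMA method, the parameters (`alpha`, `k`, `warmup`, `min_std`) and the packets-per-second samples are assumptions constructed for the illustration.

```python
import math

class BaselineDetector:
    """EWMA baseline of packets-per-second with a deviation threshold."""

    def __init__(self, alpha=0.1, k=4.0, warmup=10, min_std=50.0):
        self.alpha = alpha      # smoothing factor for mean and variance
        self.k = k              # flag samples above mean + k * std
        self.warmup = warmup    # samples learned before flagging starts
        self.min_std = min_std  # floor so a very flat baseline does not over-trigger
        self.mean = None
        self.var = 0.0
        self.seen = 0

    def threshold(self):
        return self.mean + self.k * max(math.sqrt(self.var), self.min_std)

    def observe(self, pps):
        """Return True if the sample is anomalous; otherwise learn from it."""
        if self.mean is None:
            self.mean, self.seen = float(pps), 1
            return False
        if self.seen >= self.warmup and pps > self.threshold():
            return True  # flagged samples are not learned (avoids baseline poisoning)
        delta = pps - self.mean
        self.mean += self.alpha * delta
        self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)
        self.seen += 1
        return False

def flagged_intervals(samples, **kwargs):
    """Indices of the one-second intervals the detector flags."""
    det = BaselineDetector(**kwargs)
    return [i for i, pps in enumerate(samples) if det.observe(pps)]

# Constructed samples: 30 s of normal traffic near 1000 pps, a 5 s flood, recovery.
NORMAL = [1000 + 40 * ((i * 7) % 5 - 2) for i in range(30)]
FLOOD = [25000, 60000, 80000, 75000, 30000]
SAMPLES = NORMAL + FLOOD + NORMAL[:10]

if __name__ == "__main__":
    print("baseline already learned:", flagged_intervals(SAMPLES))
    # A detector with no prior baseline absorbs the same flood as "normal".
    print("no prior baseline:", flagged_intervals(FLOOD + NORMAL))
```

With a learned baseline the flood is flagged from its first interval and the baseline is unchanged afterwards; the same detector started cold at the onset of the flood flags nothing.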
Performance Impact Analysis
Understanding the latency trade-offs of always-on protection
Latency Overhead
<1ms added
Additional round-trip time through nearest scrubbing center. BGP anycast routing ensures traffic uses the geographically closest location.
Throughput Impact
Zero
No bandwidth reduction. Scrubbing centers support 100+ Gbps per customer. Network capacity is not a bottleneck.
Jitter
<0.5ms
Consistent routing paths mean predictable latency. No jitter spikes from traffic rerouting during attacks.
Latency Comparison
| Scenario | Always-On | On-Demand |
|---|---|---|
| Normal Operation | Your latency + 1ms | Your latency + 0ms |
| During Attack | Your latency + 1ms (unchanged) | Your latency + 5ms (after 30-180s downtime) |
For latency-sensitive applications (gaming, VoIP, financial trading), the 1ms constant overhead of always-on may be preferable to the unpredictable routing changes and downtime windows of on-demand protection.
Included in All Plans
Always-on protection is available at no additional cost
Both always-on and on-demand protection modes are included free with all Virtuasys services. Choose the mode that fits your requirements—no price difference.
Available With:
- Dedicated Servers
- Colocation Services
- IP Transit
- Cloud Infrastructure
Mode Switching
Switch between always-on and on-demand modes at any time via the customer portal. Changes take effect within 15 minutes (BGP propagation time).
No Hidden Costs
No per-Gbps fees, no attack-based billing, no bandwidth overage charges. DDoS protection capacity is included regardless of attack size or frequency.
Technical Specifications
| Specification | Value |
|---|---|
| Scrubbing Capacity | 1.6 Tbps (global network) |
| Scrubbing Locations | 12 global anycast POPs |
| Added Latency | <1ms (anycast routing) |
| Mitigation Time | Instant (0 seconds) |
| Protected Protocols | All TCP/UDP, ICMP, GRE, custom protocols |
| Protection Layers | Layer 3, 4, and 7 (HTTP/HTTPS) |
| Attack Types Mitigated | Volumetric, protocol, application-layer attacks |
| Clean Traffic Delivery | GRE tunnel or direct routing |
| Activation Time | 15 minutes (BGP propagation) |
| Uptime SLA | 99.99% scrubbing infrastructure availability |
Ideal Use Cases
Financial Services
Zero-downtime requirement for trading platforms, payment gateways, banking infrastructure. Instant mitigation prevents transaction disruption.
E-Commerce Platforms
Peak shopping periods (Black Friday, holidays) cannot tolerate attack windows. Always-on ensures uninterrupted sales even during targeted attacks.
Gaming Infrastructure
Game servers and matchmaking services require constant availability. 1ms overhead is acceptable; 30-second downtimes are not.
SaaS Platforms
Customer-facing applications with strict SLA commitments. Proactive protection prevents SLA violations from DDoS attacks.
Streaming & Media
Live streaming cannot tolerate interruptions. Always-on protection ensures continuous broadcast without attack-induced buffering.
DNS Infrastructure
DNS servers are critical single points of failure. Always-on protection prevents DNS outages that would take down all services.
Frequently Asked Questions
Common questions about proactive DDoS protection