DDoS Protection: Gbps vs Tbps and What You Need

Volumetric vs application attacks, what mitigation capacity means, and how to right-size your protection.

“DDoS protected” appears on almost every hosting page, but the number behind it — Gbps or Tbps — tells you how large an attack the network can actually absorb. This guide explains the attack types, what mitigation capacity really means, why Tbps-class matters, and how to right-size protection for your project.

What a DDoS attack actually is

A Distributed Denial of Service attack uses many machines — often a botnet of compromised devices — to overwhelm a target with traffic or requests until legitimate users can no longer get through. “Distributed” is the key word: the load comes from thousands of sources at once, which is why you cannot simply block one IP and move on.

Attacks fall into two broad families, and they are mitigated very differently.

Layer 3/4: volumetric attacks

These target the network and transport layers. The goal is brute volume: saturate the link or exhaust the server's connection state so nothing else gets in. Common forms include:

  • UDP / ICMP floods — raw packet volume aimed at filling the pipe.
  • SYN floods — half-open TCP connections that exhaust the connection table.
  • Amplification / reflection (DNS, NTP, memcached) — small spoofed requests that trigger huge responses toward the victim, multiplying the attacker's bandwidth many times over.

Volumetric attacks are measured in bits per second (Gbps/Tbps) and packets per second (Mpps). They are won or lost on raw capacity: you need a network with more clean bandwidth and filtering headroom than the attacker can throw at you.

Layer 7: application attacks

These target the application itself — usually HTTP/HTTPS. Instead of flooding the wire, they send requests that look legitimate but are expensive to serve: hammering a search endpoint, replaying a login form, or requesting heavy dynamic pages. An L7 attack can take a site down with a tiny fraction of the bandwidth of a volumetric one, because the cost is in the CPU and database work each request triggers.

Because the packets look real, L7 mitigation is about inspection and behaviour — rate limiting, fingerprinting, challenge pages, and bot scoring — not just capacity. This is why volumetric and application protection are separate disciplines.
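One way to express the rate-limiting idea above, as an added example that is not code from this page or from the provider: a per-client token bucket in which expensive endpoints cost more tokens than cheap ones. The endpoint costs, bucket size, refill rate and log lines are all constructed assumptions.

```python
# Added example: cost-weighted token bucket per client (L7 rate limiting).
# Costs, limits and the sample log lines are constructed for illustration.
from collections import defaultdict

COSTS = {"/search": 5, "/login": 3}  # expensive endpoints drain the bucket faster
DEFAULT_COST = 1                      # static or otherwise cheap pages
CAPACITY = 20.0                       # burst allowance per client, in tokens
REFILL_PER_SEC = 2.0                  # sustained budget per client, tokens per second


class Bucket:
    def __init__(self, now):
        self.tokens, self.last = CAPACITY, now

    def allow(self, now, cost):
        # Refill for the elapsed time, capped at CAPACITY, then try to spend.
        self.tokens = min(CAPACITY, self.tokens + (now - self.last) * REFILL_PER_SEC)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


def replay(log_lines):
    """Return {client_ip: [allowed, rejected]} for lines of 'epoch ip path'."""
    buckets, result = {}, defaultdict(lambda: [0, 0])
    for line in log_lines:
        ts, ip, path = line.split()
        ts = float(ts)
        path = path.split("?", 1)[0]  # cost depends on the route, not the query
        bucket = buckets.setdefault(ip, Bucket(ts))
        ok = bucket.allow(ts, COSTS.get(path, DEFAULT_COST))
        result[ip][0 if ok else 1] += 1
    return dict(result)


# Constructed sample: one client sends 10 /search requests within a second,
# another loads one ordinary page every two seconds.
SAMPLE = [f"{1000 + i * 0.1:.1f} 198.51.100.7 /search?q=x{i}" for i in range(10)]
SAMPLE += [f"{1000 + i * 2} 203.0.113.9 /page{i}" for i in range(5)]
SAMPLE.sort(key=lambda line: float(line.split()[0]))

if __name__ == "__main__":
    for ip, (ok, rejected) in replay(SAMPLE).items():
        print(f"{ip}: allowed={ok} rejected={rejected}")
```

The bandwidth involved is negligible in both cases; only the per-request cost separates the two clients, which is why this check sits at the application layer rather than in the scrubbing network.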

Rule of thumb: L3/4 is a bandwidth problem solved with capacity; L7 is a logic problem solved with inspection. Serious protection needs both.

What mitigation capacity means

When a provider advertises “X Tbps of protection,” that figure is the total volume the scrubbing network can ingest and filter before clean traffic is forwarded to your server. Capacity matters on two axes:

  • Bandwidth (Gbps/Tbps) — can the network swallow the flood without the upstream link saturating?
  • Packet rate (Mpps) — can the filtering hardware inspect and drop bad packets fast enough? Many small packets can break a device long before the bandwidth ceiling is hit.
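The two axes above can be compared directly by converting a packet-rate limit into the bit rate at which it is reached for a given frame size. The following is an added example, not from the original page: the 10 Gbps link and 5 Mpps filtering limit are hypothetical figures, and the frame sizes assume Ethernet framing.

```python
# Added example: does a flood reach the bandwidth ceiling or the packet-rate
# ceiling first? The link and device limits below are hypothetical figures.
WIRE_OVERHEAD = 20  # bytes per Ethernet frame on the wire: 8 preamble/SFD + 12 inter-frame gap
MIN_FRAME = 64      # smallest Ethernet frame in bytes (headers + payload + FCS)


def wire_bits(frame_bytes):
    """Bits one frame occupies on the wire; undersized frames are padded to the minimum."""
    return (max(frame_bytes, MIN_FRAME) + WIRE_OVERHEAD) * 8


def packets_per_second(bits_per_second, frame_bytes):
    """Packet rate of a flood of fixed-size frames at a given wire bit rate."""
    return bits_per_second / wire_bits(frame_bytes)


def first_ceiling(frame_bytes, link_bps, device_pps):
    """Return (limit_name, attack_bps_at_which_it_is_reached) for fixed-size frames."""
    pps_limit_as_bps = device_pps * wire_bits(frame_bytes)
    if pps_limit_as_bps < link_bps:
        return ("packet rate", pps_limit_as_bps)
    return ("bandwidth", link_bps)


def break_even_frame(link_bps, device_pps):
    """Frame size in bytes below which the packet-rate limit binds before the link fills."""
    return link_bps / (8 * device_pps) - WIRE_OVERHEAD


LINK_BPS = 10e9   # hypothetical 10 Gbps uplink
DEVICE_PPS = 5e6  # hypothetical 5 Mpps filtering limit

if __name__ == "__main__":
    for size in (64, 512, 1518):
        name, bps = first_ceiling(size, LINK_BPS, DEVICE_PPS)
        print(f"{size:>5}-byte frames: {name} limit reached at {bps / 1e9:.2f} Gbps")
    print(f"break-even frame size: {break_even_frame(LINK_BPS, DEVICE_PPS):.0f} bytes")
```

With these assumed limits, a flood of minimum-size frames exhausts the filter at about a third of the link's bandwidth, so a capacity figure quoted only in Gbps or Tbps says nothing about how the device copes with small packets.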

Equally important is where the filtering happens. Always-on protection means traffic is scrubbed continuously at the network edge, so an attack is absorbed from the first packet. “On-demand” protection only reroutes traffic through scrubbing after an attack is detected, which leaves a gap of seconds to minutes — long enough to drop you offline.

Why “Tbps-class” matters

The size of real-world attacks has climbed relentlessly. Record volumetric events have pushed into the multi-terabit range, and even routine attacks for hire now reach hundreds of Gbps. If a network's total mitigation ceiling is, say, 500 Gbps, an attacker renting a larger botnet simply overruns it and everything behind that network goes dark — including your server, even if you were not the original target (collateral damage from shared infrastructure).

Tbps-class capacity changes the math. It means the network has enough headroom to absorb the largest attacks seen in the wild and keep forwarding clean traffic. You are not relying on the attacker being small; you are relying on a pipe wider than they can fill. That is the protection included on every ServPrivacy VPS and dedicated server.

How ServPrivacy's protection works

Every plan ships with always-on Tbps-class L3/4 mitigation at no extra cost. Traffic is continuously scrubbed at the edge, so volumetric floods — UDP, SYN, ICMP, amplification — are filtered before they ever reach your instance. There is nothing to enable and no detection delay.

For workloads that face application-layer abuse, optional L7 filtering adds HTTP/S inspection: rate limiting, bot challenges, and behavioural scoring tuned to your site. You add it when your threat model includes someone targeting your application logic, not just your bandwidth.

  • Always-on, included: L3/4 volumetric protection on every plan.
  • Optional: L7 application filtering for web-facing services.
  • Pairs with: jurisdiction choice across our 6 locations and the privacy posture explained in why offshore.

Right-sizing what you need

You do not need to over-buy. Match the protection to the workload:

  • Game servers, voice, VPN, anything UDP-heavy: the always-on L3/4 layer is exactly the right tool — these are classic volumetric targets and need raw capacity, not L7.
  • Public websites, APIs, login portals, e-commerce: keep L3/4 and add L7, because application floods and credential-stuffing hit you at the request layer.
  • Private or backend infrastructure (databases, internal tooling): the always-on layer plus a tight firewall is usually enough — see how to harden a fresh VPS.
  • High-value or frequently targeted services: run L7, keep good monitoring, and lean on Tbps headroom so a bigger botnet does not change your day.

Mitigation is not a substitute for a hardened host. Protection keeps the flood off your link; it does not patch your software or close an open port. Layer both.

Key takeaways

  • DDoS attacks split into volumetric L3/4 (a bandwidth problem) and application L7 (a logic problem) — mitigated differently.
  • Mitigation capacity is measured in Gbps/Tbps and Mpps; where and how fast filtering happens matters as much as the headline number.
  • Tbps-class capacity means the network can absorb the largest real-world attacks instead of hoping the attacker stays small.
  • ServPrivacy includes always-on L3/4 protection on every plan and offers optional L7 filtering for web-facing apps.
  • Right-size by workload: UDP services lean on L3/4; public web apps add L7; always pair protection with a hardened host.