
The First Time We Got Hit

Back before we had proper mitigation. What we learned from taking our first real DDoS attack, and how it shaped everything that came after.

We don't usually write retrospectives like this, but it feels relevant given how much we've invested in DDoS mitigation since. Before we had the scrubbing infrastructure we have now, before the BGP-level steering, before any of it — we had upstream null routing and a lot of hope. Then one evening, a customer's server got targeted and we found out pretty quickly what "hope" is worth as a mitigation strategy.

The attack itself wasn't enormous by modern standards — maybe 12–15 Gbps. But at the time, that was enough to saturate our transit uplink and bring down not just the targeted server but everything else on the same node. About 40 minutes of total downtime before our upstream provider null-routed the targeted IP and traffic normalised. Those 40 minutes were not a good time.

40 minutes of unplanned downtime across a full node. That was the moment we realised "basic DDoS protection" as sold by most upstreams is not the same as actual mitigation.

What we did about it

The immediate fix was embarrassingly manual — we worked with our upstream to get the IP null-routed faster, and we moved the affected customer to a new IP once things settled. But the bigger response was a longer-term project to actually build proper mitigation rather than rely on null routing, which is really just "go offline until the attack stops" with better branding.

It took several months to get the scrubbing infrastructure in place. During that time we were transparent with customers about our mitigation limitations and made sure our pricing reflected what we were actually offering. Once the real mitigation came online, the difference was immediate and obvious.

Why we're telling you this

Because anyone can claim to have DDoS protection. We wanted to be honest about the fact that ours wasn't always what it is now — and that the investment we've made in it since that first attack is real, not a marketing line. Every time we've been hit since, the result has been zero customer-facing downtime. That track record is what actually matters.

