
Clean Transit: What it is, what it can do and why it matters for your network


If your network is online and generating revenue, it is a potential target. That is not an exaggeration, but the reality of the modern internet. And if you are currently relying on a standard transit provider with a DDoS mitigation service bolted on top, there is a possibility that your protection has a gap in it that you have simply not had to feel yet.

This article explains what Link11 Clean Transit is, how it works, who it was built for and why the way most networks are protected today makes them more vulnerable than their operators realise.

The problem with today’s attack landscape

Most networks are built on the same principle: IP transit is purchased from a carrier that provides connectivity to the internet. Separately, either a DDoS mitigation service is added or you rely on the limited protection the transit provider includes. When an attack arrives, traffic is redirected to a scrubbing centre, cleaned up and then routed back.

For years this worked well enough. Attacks were large, but the response time was sufficient. The problem is that attacks have changed fundamentally, while the traditional architecture has not.

DDoS attacks grew by 121 percent in 2025 and reached an average of 5,376 automatically mitigated attacks per hour by year end. The largest individual attack that year peaked at 31.4 Tbps and lasted 35 seconds. That is not a typo. The largest publicly documented DDoS attack ever was over before most automated systems had finished their response. In total, 47.1 million DDoS attacks were recorded globally in 2025. That is more than one attack per second, every day of the year.

Two technical developments are driving this growth. First, large-scale IoT botnets now give even attackers with limited technical knowledge access to enormous traffic volumes. The Aisuru-Kimwolf botnet, which was responsible for many of the largest attacks in autumn 2025, consisted of an estimated one to four million compromised Android TV devices and was capable of generating hyper-volumetric floods on demand.

Second, carpet-bombing attacks distribute traffic across entire CIDR blocks rather than individual IP addresses. This defeats per-IP detection thresholds and rate-limiting rules, because no individual address crosses a trigger point even as the subnet as a whole is flooded. Mitigation systems that operate on a single-target basis do not trigger until the pattern is identified at the prefix level. By that point, significant damage has often already occurred.
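To make the detection gap concrete, here is an added example (not Link11 code, and not taken from this article) that runs the two detection strategies over a constructed one-second flow snapshot. The flow records, the 1 Gbps per-address trigger and the 20 Gbps per-/24 trigger are all assumptions chosen for illustration; in the sample, every host in a /24 receives 800 Mbps, so no single address crosses the per-IP threshold while the block as a whole is carrying 160 Gbps.

```python
"""Carpet-bombing detection: per-IP thresholds vs. prefix-level aggregation.

Added example, not Link11 code. All flow records and thresholds below are
constructed for illustration and do not come from the article.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from typing import Iterable

# One flow summary: destination address and the bit rate seen for it in a
# single one-second export interval (constructed values).
Flow = tuple[str, int]

PER_IP_THRESHOLD_BPS = 1_000_000_000        # assumed: 1 Gbps per destination
PER_PREFIX_THRESHOLD_BPS = 20_000_000_000   # assumed: 20 Gbps per /24


def constructed_flows() -> list[Flow]:
    """Build a synthetic one-second snapshot (constructed, not real data).

    203.0.113.0/24 is carpet-bombed: each of 200 hosts gets 800 Mbps, which
    is under the per-IP trigger, but the block as a whole sees 160 Gbps.
    198.51.100.0/24 carries ordinary, low-volume traffic for comparison.
    """
    flows: list[Flow] = []
    for host in range(1, 201):
        flows.append((f"203.0.113.{host}", 800_000_000))
    for host in (10, 20, 30):
        flows.append((f"198.51.100.{host}", 50_000_000))
    return flows


def per_ip_alerts(
    flows: Iterable[Flow], threshold_bps: int = PER_IP_THRESHOLD_BPS
) -> dict[str, int]:
    """Single-target detection: alert only when one address exceeds the trigger.

    Returns a mapping of alerting addresses to their observed rate.
    """
    totals: dict[str, int] = defaultdict(int)
    for dst, bps in flows:
        totals[dst] += bps
    return {ip: bps for ip, bps in totals.items() if bps > threshold_bps}


def per_prefix_alerts(
    flows: Iterable[Flow],
    prefix_len: int = 24,
    threshold_bps: int = PER_PREFIX_THRESHOLD_BPS,
) -> dict[str, int]:
    """Aggregate each destination into its covering prefix before thresholding.

    A flood spread evenly across a block stays invisible per address but is
    obvious once the rates are summed per /24. Returns alerting prefixes.
    """
    totals: dict[str, int] = defaultdict(int)
    for dst, bps in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        totals[str(net)] += bps
    return {prefix: bps for prefix, bps in totals.items() if bps > threshold_bps}


if __name__ == "__main__":
    snapshot = constructed_flows()
    # Per-IP detection sees nothing; per-prefix detection flags the /24.
    print("per-IP alerts:    ", per_ip_alerts(snapshot))
    print("per-prefix alerts:", per_prefix_alerts(snapshot))
```

The point of the prefix-level pass is not that the threshold is lower, but that the aggregation key matches how the attack is distributed. In a real deployment the per-prefix trigger would be tied to the uplink or scrubbing capacity actually available to that block, and both passes would run on exported NetFlow/IPFIX rather than a hand-built list.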

Why overlay mitigation fails against fast, large attacks

The core problem with bolt-on DDoS mitigation is the response chain. When anomaly detection fires, the standard process runs as follows: identify the attack signature, redirect traffic via BGP announcement to a scrubbing centre, clean the traffic, route clean traffic back. Each of these steps takes time. Under realistic conditions, the full detection-to-mitigation cycle takes between 10 and 30 seconds.

When the largest documented attack peaks at 31.4 Tbps and is fully resolved in 35 seconds, an activation window of 10 to 30 seconds is not a minor detail. It is a gap that covers most or all of the attack duration. The mitigation layer was simply not designed for this kind of event, and there is no configuration change that closes the problem, because the delay is inherent to the architecture.

Short-burst attacks are also increasingly used as a deliberate technique. Attackers can saturate uplinks, exhaust connection state tables on stateful devices or trigger SLA violations with floods that last under a minute and disappear before an automated response has had time to take effect. This is particularly damaging for services where even brief unavailability has direct operational consequences: live event streaming, financial trading, real-time communications and online gaming.

When overlay mitigation is fully overwhelmed, the fallback for most transit providers is BGP blackhole routing. A null route is propagated for the attacked prefix, which causes all traffic for those addresses to be discarded at the upstream level. Attack traffic no longer reaches the customer, but neither does legitimate traffic. The prefix disappears from the routing table. The customer’s service is offline. This protects the carrier’s own infrastructure at the cost of the customer’s availability.

The financial consequences are measurable: according to the ITIC 2024 Hourly Cost of Downtime Survey, more than 90 percent of mid-size and large companies report that a single hour of downtime costs over $300,000. For around 41 percent of those companies the figure is over one million USD per hour. For the largest enterprises in sectors such as banking, financial services and manufacturing, average hourly outage costs exceeded five million USD.


What Clean Transit is

Clean Transit is a security-native IP transit product. It is not a bolt-on mitigation layer and does not sit alongside existing transit. It replaces the upstream transit entirely, with DDoS scrubbing built directly into the data plane from the ground up.

The key architectural difference: scrubbing is always active. There is no detection phase, no redirection step and no activation delay. Every incoming byte passes through Link11’s scrubbing infrastructure before it is forwarded to the customer network. The filtering is continuous and runs at line rate, regardless of whether an attack is currently taking place. Clean traffic is the only thing that gets delivered. That is the product.

This eliminates the timing problem described above entirely. A 35-second attack that peaks at 31 Tbps is handled identically to normal traffic on a quiet day. The infrastructure does not need to detect, classify and respond, because it never stops filtering.

There is also no blackhole fallback. Since scrubbing is operated continuously at the infrastructure level, there is no scenario in which Link11 would need to withdraw a customer’s prefix to protect its own network. The backbone is designed to absorb multi-terabit attack traffic, not to route around it.

How Clean Transit works technically

Integration with a customer’s existing network is handled entirely via BGP. Customers announce their IP prefixes to Link11’s ASN via standard BGP sessions. All traffic destined for those prefixes is then intercepted at Link11’s ingress points, passed through the scrubbing pipeline and forwarded as clean traffic.

The scrubbing pipeline operates simultaneously across all peering and transit ports. No traffic steering is required on the customer side and no changes to internal routing architecture are necessary. The customer receives clean traffic via the agreed delivery method.

Return traffic, meaning outbound from the customer network, is delivered via the interconnect method that fits the customer’s topology. Available options are a physical cross-connect at a colocation facility, a VLAN handoff at an Internet Exchange Point such as DE-CIX, AMS-IX or LINX, remote peering via route servers, or a GRE or IPsec tunnel for customers who cannot arrange a physical handoff. Each of these options carries the full BGP routing table, giving customers optimised routes via Link11’s upstream carriers and peering partners.

The product also includes a real-time monitoring dashboard with live traffic analytics, Netflow data and attack reports. This gives operators full transparency over incoming traffic at any point in time, including during an active attack, without any separate tooling or manual intervention being required to generate reports.

From a GDPR and data sovereignty perspective, Link11 operates European infrastructure and processes traffic within the EU regulatory framework. For operators in Germany, Austria, Switzerland or elsewhere in the EU with data residency requirements, this is relevant both for compliance and for contractual obligations to customers.

Who Clean Transit was built for

Clean Transit is aimed at network operators whose business depends on availability and who either cannot absorb the cost of an outage or do not want to build and operate their own scrubbing infrastructure.

Hosting providers typically carry DDoS risk on behalf of their customers. An attack on one tenant can affect shared upstream capacity and impact other customers on the same infrastructure. Clean Transit moves the protection to the upstream level, so that scrubbing takes place before traffic reaches the hosting network at all.

Regional ISPs forward traffic for their downstream subscribers. A successful attack on their upstream causes connectivity loss for their entire customer base. Clean Transit provides upstream protection without the ISP needing to operate its own scrubbing infrastructure or negotiate separate mitigation contracts.

Gaming platforms are among the most frequently attacked services on the internet and are particularly sensitive to the latency introduced by traffic redirection. Standard mitigation approaches that redirect traffic through a scrubbing centre increase round-trip time even when they work correctly. Since Clean Transit filters directly at the transit layer without redirection, no additional latency path is created for legitimate traffic.

SaaS and cloud providers sell availability as part of their product. SLA obligations, churn risk and reputational damage follow directly from an outage. These operators frequently face attacks across multiple prefixes simultaneously, which is exactly what carpet-bombing techniques are designed to exploit. Clean Transit protects the entire announced address space at the upstream level.

Financial services firms face both direct revenue losses and regulatory risks from downtime. In some jurisdictions, availability obligations for certain financial services are embedded in regulatory frameworks, meaning an outage is not just a commercial problem but also a compliance issue. The 99.99 percent SLA of the Enterprise tier is designed to meet these requirements.

E-commerce operators are frequently targeted specifically during their most revenue-intensive periods, because the financial damage is greatest at those moments. A mitigation service that takes 20 seconds to activate while a flash attack is timed to coincide with a product launch or sales event may not protect in time. Always-on scrubbing eliminates this risk.

Service tiers

Clean Transit is available in three tiers. Pricing is set at the level of standard mid-tier transit providers. The argument for Clean Transit is not a lower price, but that at the same price, scrubbing at the infrastructure level is included, rather than as a separate service you have to manage and hope activates in time.

Essential covers 1 to 10 Gbps committed bandwidth with burst to 2x and a 99.9 percent SLA. Suited to regional ISPs and smaller network operators.

Professional covers 10 to 50 Gbps with burst to 3x and a 99.95 percent SLA. Suited to hosting providers and gaming platforms where bandwidth requirements are higher and uptime is directly tied to customer commitments.

Enterprise covers 50 to 100 Gbps and above with burst to 5x and a 99.99 percent SLA. Suited to SaaS providers, financial services firms, streaming platforms and CDN operators where outages have immediate financial and regulatory consequences.

All tiers include always-on scrubbing, the full BGP routing table, all available delivery options and dashboard access. Volume-based pricing is available for larger or phased deployments.

What sets Clean Transit apart from conventional solutions

The simplest way to put it is this: most DDoS protection products are activated when something goes wrong. Clean Transit is active before something goes wrong and remains active regardless of what happens.

With a standard mitigation overlay, protection depends on three things working at the same time: the attack is detected quickly enough, the traffic redirection does not cause too much latency, and the scrubbing capacity is sufficient for the attack volume. If even one of those fails, the protection fails. With Clean Transit, these variables do not exist in the same way. There is no detection step, no redirection and no capacity limit that only applies during an attack. The scrubbing runs at line rate, continuously.

Link11 built its network to handle large-scale DDoS attacks because that is its core business. The scrubbing infrastructure that Clean Transit is built on is the same infrastructure that protects Link11’s enterprise customers. Clean Transit makes that capacity available as a wholesale transit product. Customers are not buying protection from a company that retrospectively added security features to a connectivity product. They are buying connectivity from a company that built the network from the ground up to absorb terabit-scale attacks.

Conclusion

DDoS attacks are bigger, faster and easier to launch than ever before. The current record stands at 31.4 Tbps and lasted 35 seconds. The conventional model of buying transit and layering protection on top was not designed for attacks at this speed and scale. If your mitigation service needs to detect an attack before it can respond, and attacks today are designed to peak and end in under a minute, you have an exposure window that cannot be closed through configuration alone.

Clean Transit closes that window. The protection is built into the transit layer. Every packet is filtered before it reaches your network. No activation delay, no blackhole fallback, no separate service to manage.

If you operate infrastructure where downtime costs money, where customers notice when you go offline, or where you have SLA or regulatory obligations to meet, Clean Transit is worth a closer look. Link11 offers a technical assessment of your current setup as a starting point, with no commitment required.

If you have any questions about the technology, our cybersecurity experts are always happy to assist you.


Author

Jag Bains worked as CTO for DOSarrest Internet Security for almost 14 years before the company was acquired by Link11. Since then, he has been VP of Solution Engineering, managing the interface between sales and technology. Jag has been involved with Internet service providers since 1996 and has had the opportunity to observe and contribute to a number of milestones in the development of the Internet to date, most notably the construction and expansion of the early network infrastructure for YouTube.