CDN DDoS Mitigation SuperPoP Architecture

The 1Tbps DDoS attack is a total game changer for the edge security business model. For starters, we can throw away the idea of small companies becoming DDoS mitigation service providers. Unfortunately, the DDoS mitigation business is going the way of video streaming, where a handful of players will dominate the market, due to the high cost of building and maintaining a mitigation platform.

That means DDoS mitigation will become the domain of well-funded startups like CloudFlare and Fastly, and of established players like Akamai, Incapsula, Level 3, and Verizon. AWS won’t become a serious player in the market for several years, because it lacks many of the required pieces, but that is a topic for another conversation.


The arrival of the 100Gbps Internet port (circuit) is a big gift to the industry, because it’s going to reduce the Internet connection count at PoP locations by 10x. To thwart a 1Tbps attack, a service provider will need 10x100Gbps circuits at a minimum. What happens when DDoS attacks hit 3Tbps? That’s going to require 30x100Gbps circuits, and then some. Regardless, deploying 60x100Gbps per PoP is going to cost millions per year, as illustrated in the diagram.

Let’s do some quick math (the transit prices below are in the typical market range):

  • 100Gbps circuit at a 5Gbps monthly minimum commit = 5,000Mbps x $1/Mbps = $5,000/month
  • 60 x 100Gbps circuits x $5,000/month = $300,000/month
  • 3 DDoS Mitigation SuperPoPs x $300,000/month = $900,000/month

As demonstrated here, it’s going to cost in excess of $10M per year just for transit, not including hardware, co-location and labor costs. And that is only the fixed cost; there is a variable cost component as well, which increases as the attacks increase. This in turn will become cost prohibitive for many companies. That is why we say the DDoS mitigation business will be dominated by larger players who can afford to pay these high costs.

