TMW Global Networks
BGP Mitigation

BGP DDoS Protection Guide

Protect prefixes before attack traffic reaches your edge.

BGP DDoS protection uses route announcements to steer traffic through mitigation capacity, keeping IP networks reachable during large network-layer attacks.


How BGP-routed mitigation works

A provider announces protected prefixes or more-specific routes so inbound traffic flows through its scrubbing network. After filtering, clean traffic is delivered to the customer over transit, GRE tunnels, cross-connects or private backbone paths.


Why it is useful for networks

BGP protection is service-agnostic. It can protect web apps, game servers, VPNs, mail, DNS and whole subnets because mitigation happens before traffic reaches the customer edge, not only at an application proxy.


Blackholing and traffic engineering

Remote triggered blackholing can protect the rest of a network when a single target is overwhelmed, but it intentionally drops traffic to that destination. It should be documented as a last resort, not the primary mitigation plan.


BGP DDoS checklist

  • Verify prefix ownership, ROAs and route objects
  • Agree normal and emergency BGP communities before incidents
  • Test clean-traffic delivery over GRE, transit or private handoff
  • Decide which prefixes require always-on protection
  • Monitor route convergence, packet loss and asymmetric paths
  • Document blackhole policy and escalation approvals
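
The ROA item matters most when mitigation relies on a more-specific route announced from the scrubbing provider's ASN: unless a ROA authorizes that origin and prefix length, the route is RPKI-invalid and networks enforcing origin validation drop it. The following is an added example, not code from TMW, that applies the RFC 6811 origin-validation procedure to a planned emergency announcement; the prefixes, ASNs and ROA entries are constructed documentation values and the announcement plan is an assumption.

```python
import ipaddress
from typing import NamedTuple, Sequence

class VRP(NamedTuple):
    """Validated ROA payload: one (prefix, maxLength, origin AS) tuple."""
    prefix: str
    max_length: int
    asn: int

def validate_origin(route: str, origin_asn: int, vrps: Sequence[VRP]) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    net = ipaddress.ip_network(route)
    covered = False
    for vrp in vrps:
        roa = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route when it is the same prefix or a less-specific one.
        if roa.version != net.version or not net.subnet_of(roa):
            continue
        covered = True
        # AS 0 in a ROA never matches; it marks a prefix that must not be originated.
        if vrp.asn != 0 and vrp.asn == origin_asn and net.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by some ROA but matched by none is invalid, which ROV-enforcing networks drop.
    return "invalid" if covered else "not-found"

def preflight(planned, vrps):
    """Map each planned (prefix, origin AS) announcement to its validation state."""
    return {(p, a): validate_origin(p, a, vrps) for p, a in planned}

# Constructed sample data: documentation prefix and documentation ASNs.
CUSTOMER_AS, SCRUBBER_AS = 64500, 64511
BASELINE = [VRP("2001:db8:1000::/44", 44, CUSTOMER_AS)]
# Assumed emergency plan: the scrubbing provider originates one /48 out of the /44.
PLANNED = [("2001:db8:1000::/44", CUSTOMER_AS), ("2001:db8:1000::/48", SCRUBBER_AS)]
# ROA added ahead of time, scoped to the one /48 the plan announces, not the whole /44.
PREPARED = BASELINE + [VRP("2001:db8:1000::/48", 48, SCRUBBER_AS)]

if __name__ == "__main__":
    for label, vrps in (("baseline ROAs", BASELINE), ("prepared ROAs", PREPARED)):
        for (prefix, asn), state in preflight(PLANNED, vrps).items():
            print(f"{label}: {prefix} from AS{asn} -> {state}")
```

With only the baseline ROA the mitigation /48 is invalid; with the prepared ROA it validates, and the customer's own /44 stays valid in both cases.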

BGP DDoS FAQ

Do I need my own ASN for BGP protection?

It depends on the deployment. Networks with their own ASN can announce prefixes directly; smaller customers can often use provider-managed routing or protected IP space.

What is GRE delivery?

GRE delivery encapsulates clean traffic from the scrubbing network back to your router when direct transit or private connectivity is not used.

Is BGP DDoS protection only for large networks?

No. It is common for ISPs and enterprises, but it also helps hosting platforms, SaaS companies and game networks that need direct IP protection.

Protect your prefixes

TMW Shield supports BGP-routed mitigation, protected transit and engineer-assisted routing design.

© 2026 TMW Global Networks. All rights reserved.