TMW Global Networks
TMW Shield

DDoS Protection

Always-on DDoS mitigation for networks, hosts, game platforms and enterprises with BGP, GRE/IPIP, L7 proxying and NOC escalation.

  • 1+ Tbps total edge capacity
  • < 100 ms detection target
  • 4+ public edge metros
  • 24/7 NOC coverage

Mitigation architecture

Detection, filtering, scrubbing, and visibility in one path.

TMW Shield is positioned as an operator workflow, not a black-box appliance. Traffic is detected, classified, filtered, scrubbed, and forwarded over the handoff that matches the customer network.

01 Detect

Per-prefix baselines, flow telemetry, packet counters, SYN/ACK ratios, DNS/NTP signatures, and L7 request behavior.

02 Classify

Traffic is split into volumetric, protocol, reflection, application, and game-protocol vectors before a filter is selected.

03 Filter

Edge ACLs, stateless drops, SYN validation, reflector signature blocks, service filters, and WAF/proxy controls remove attack traffic.

04 Scrub

Clean packets are forwarded over native transit, cross-connect, GRE, IPIP, or BGP-routed protected transit handoff.

05 Automate

Mitigation state, BGP announcements, customer community controls, alerts, and dashboards are updated without waiting for manual tickets.

Capacity definitions

Numbers are defined by what they measure.

Total edge capacity

1+ Tbps

Aggregate ingress and filtering capacity available across the mitigation edge.

Clean capacity

100G+

Capacity reserved for customer traffic after filtering, measured as clean egress to handoff.

Peak absorb capacity

1+ Tbps

Short-duration attack traffic absorption before upstream coordination or selective blackholing.

Detection target

< 100 ms

Telemetry to mitigation rule activation for known L3/L4 vectors.

Incident view

Case-style mitigation status shown to customers.

Status: Mitigated
Peak pressure: High
Packet rate: Elevated
Vectors: UDP / SYN / DNS

  • UDP reflector signatures blocked at ingress
  • SYN validation enabled on protected prefix
  • Clean GRE handoff stable, no packet loss alarm

Supported attack types

L3/L4

UDP floods

High-pps stateless floods, random source ports, and payload pattern attacks.

L4

TCP SYN/ACK floods

Spoofed handshakes, ACK storms, connection table pressure, and retransmit abuse.

L3/L4

DNS/NTP amplification

Reflection traffic from DNS, NTP, SSDP, CLDAP, memcached, and similar amplifiers.

L4/L7

Game attacks

Minecraft, Source, FiveM, Rust, TeamSpeak, and custom UDP game protocol floods.

NOC acknowledgement

15 min

24/7 emergency requests receive engineer acknowledgement within 15 minutes.

Critical mitigation response

5 min

Active attacks on protected services are escalated directly to the on-call engineer.

Standard change window

Same day

BGP session, prefix, tunnel, and filter changes are normally completed same business day.

Availability SLA

up to 99.9%

Commercial SLA depends on product, handoff type, and contracted redundancy.

Incident examples

Game network UDP flood

Attack

38 Mpps mixed UDP flood against matchmaking and voice ports

Action

Per-port packet signatures and source-distribution policers were activated automatically, then tuned by the NOC.

Result

Legitimate player traffic stayed on the protected path with no origin firewall state exhaustion.

Hosting provider carpet bombing

Attack

Low-volume floods spread across hundreds of customer /32s inside a shared /24

Action

Prefix-wide correlation grouped the attack into one mitigation event instead of chasing each host.

Result

Clean traffic was forwarded normally while attacked destinations were rate-limited and, where requested, blackholed.

Emergency remote protection

Attack

DNS amplification against infrastructure hosted outside the TMW network

Action

Temporary BGP announcement, ROA/IRR validation, GRE handoff, and clean-only route policy were completed under emergency process.

Result

Traffic moved behind TMW Shield without changing the customer origin network.

Under attack or planning protected transit?

Send ASN, prefixes, origin location, tunnel endpoint, critical ports, and bandwidth target. The NOC can move faster with those fields ready.


Specific filters for specific attack vectors.

UDP floods, SYN/ACK floods, DNS/NTP amplification, HTTP floods and game-protocol attacks are handled with distinct controls instead of one generic rate limit.

Layer 3-7 Coverage

Network, transport and application-layer filtering for customer prefixes, hosted services and proxied HTTP workloads.

Automatic Detection

Flow telemetry, packet counters and request behavior trigger mitigation before the origin becomes the bottleneck.

Scrubbing Edge

Traffic is ingested at TMW edge locations, filtered close to ingress and forwarded clean over native or tunnel handoff.

Always-On Protection

Protected routes stay on the mitigation path; no DNS cutover or manual activation is required during an incident.

GEO Filter

Block traffic by country or region, or allow only the countries and regions you serve, with surgical precision - drop anything outside your reach.

ASN Filter

Allow, challenge or drop traffic by source ASN when an attack is concentrated in specific networks.

Firewall at the Edge

Stateful packet inspection runs at the network edge, before traffic ever touches your origin.

Automated Service Filters

Profiles for HTTP, gaming, voice, mail, VPN and DNS services are tuned per protocol and can be adjusted by the NOC.

Fact

Asymmetric by default

Attack traffic is stopped at the edge before it can touch your origin, delivering symmetric-strength protection without symmetric infrastructure.

Built for traffic that can't go down.

Anywhere a few minutes of downtime is unacceptable, TMW Shield is in the path. Every customer gets the same mitigation - small or large.

Gaming & Game Hosting

Login servers, game servers and matchmaking under constant attack. Filters tuned per-title, latency low enough that pros don't notice.

ISPs & Hosting Providers

Protect entire prefixes for your downstream customers. BGP-routed mitigation with no per-IP licensing or surprise overage fees.

E-commerce & SaaS

Keep checkout, sign-up and APIs online during launches, sales and ransom-note campaigns - without sacrificing latency.

FinTech & Trading

Sub-millisecond mitigation on the path that matters. Order entry stays predictable even under sustained extortion attacks.

Voice, SIP & Streaming

Real-time UDP stays in real time. SIP, RTP and broadcast paths are protected with payload-aware filters that don't add jitter.

Critical Infrastructure

DNS, mail, government and healthcare endpoints. Always-on protection, BGP-routed, no opt-out windows.

Why TMW Shield

Built on our own network.

We operate the ASN, scrubbing edge and filters behind TMW Shield. You get direct engineering response and pricing based on clean traffic, not attack volume.

  • Owned network: AS215828
  • Mitigation NOC: 24/7 NOC
  • Traffic billing: Clean traffic

Own network

Our ASN, scrubbing edge and transit are operated by us. There is no reseller chain between your traffic and our engineers.

Clean traffic pricing

You pay for clean traffic, not attack volume. No per-prefix fees, rule licensing or surprise overage during an attack.

Engineer on call

A mitigation engineer is available 24/7 and can push filters directly. No queue, no handoff, no waiting on another provider.

Protocol-specific filters

If the default profile does not match your protocol, we build a filter for it without a services contract or six-week wait.

NOC-level visibility

Per-prefix dashboards, attack timelines and reports show the same mitigation view our NOC uses.

No route lock-in

Bring your own ASN and IP space. Run TMW Shield in front of, behind or alongside another provider.

TMW Shield DDoS filters

Optimized filters for your applications

Specialized filters for gaming servers, web applications, VPN services, and more.

Minecraft
Rust
Counter-Strike
Source Engine
Garry's Mod
Team Fortress 2
Left 4 Dead 2
Half-Life
Quake
ARK
DayZ
Arma
Squad
Hell Let Loose
Valheim
Sons of the Forest
The Forest
7 Days to Die
Terraria
Factorio
Satisfactory
Palworld
Project Zomboid
Unturned
V Rising
Conan Exiles
Hurtworld
GTA
FiveM
Rage:MP
alt:V
MTA:SA
SA:MP
open.mp
MuOnline
SCP: Secret Laboratory
DDNet
Unreal Tournament 99
Unreal Tournament 2004
BeamMP
Assetto Corsa
Space Engineers
Eco
Don't Starve Together
Killing Floor 2
Insurgency: Sandstorm
Battlefield
Call of Duty
OpenTTD

This list is not exhaustive. Need a specific game or protocol filter? Contact us for custom solutions.

Free Trial - 30 Days

Protection that lives on a real network.

Bring your ASN, your prefixes, your tunnel endpoint or your origin service. TMW Shield can be delivered as protected transit, remote protection, proxy protection or protected hosting.

  • No credit card required
  • Full mitigation capacity
  • Dedicated setup engineer
  • Cancel anytime

© 2026 TMW Global Networks. All rights reserved.
