DDoS protection

DDoS protection across your entire IP space. For every carrier and every path.

  • AEX
  • Resound
  • Sprout Fiber Internet

Your own IP space is only as protected as your weakest upstream

The DDoS protection from your transit provider only sees their traffic

The DDoS protection bundled with a transit provider is scoped to traffic entering through their network. If you carry your own IP space or connect through multiple providers, that leaves significant attack surfaces uncovered.

Multiple carriers mean attacks can arrive from any direction

Connecting through more than one upstream provider means an attack can arrive from any direction. Defending each carrier independently isn't feasible - and most per-carrier solutions don't coordinate.

Building in-house DDoS mitigation is expensive and hard to sustain

Staffing and maintaining a security operations center for DDoS detection and response is a significant ongoing investment. For most operators, the cost and complexity of in-house mitigation can't be justified.

How we keep your network reachable across every path, even under attack

Coverage that follows your routes, not your provider

We bind protection to your announced IP prefixes, not to any single carrier link. Flow telemetry from every upstream feeds one detection engine watching your address space, so when an attack appears we scrub it regardless of which carrier it came through. Protection stays with your address space wherever it routes.

One platform watching every path into your network

Each upstream you add is another way in, so we watch all of them from one platform instead of carrier by carrier. When traffic on any path turns malicious, we reroute it to the nearest of five scrubbing centers, clean it, and return it - the same automated response on every connection. One console, one NOC to call.

Enterprise scrubbing capacity, run by our NOC

Detection to mitigation runs automatically in under three minutes, across volumetric, protocol, and application-layer attacks. It runs on Arbor Netscout with over 2TB of scrubbing capacity across five distributed centers, operated by our NOC around the clock. You get the platform and operations team of a major carrier without standing up a SOC.

Detection to mitigation in under three minutes

The moment an attack hits one of your protected prefixes, the response runs on its own. We analyze flows in real time, divert the attack to the nearest scrubbing center, and return clean traffic to you. Nothing waits on a human, and you can see every step as it happens.

01 Detect

We monitor traffic flows continuously, analyzing patterns across your protected prefixes to catch suspicious activity the moment it begins.

02 Divert

When an attack is confirmed, we steer traffic to the nearest of our five geographically distributed scrubbing centers - before it reaches your connection.

03 Filter

We separate malicious traffic from legitimate. Clean traffic continues to its destination, and we drop the attack traffic at the backbone.

04 Restore

Once the attack subsides, we withdraw the redirections automatically and traffic returns to normal - no manual steps, no service disruption.

Built for internet-scale attacks

Our DDoS infrastructure isn't sized for average threats. It's built to absorb the largest volumetric attacks on the internet. Five scrubbing centers, carrier-grade hardware, and a backbone that routes 65% of global internet traffic give our mitigation platform a reach that per-carrier solutions can't match.

Scrubbing capacity: 2TB+

Absorb attacks at scale without overloading your connection.

Time to mitigate: <3 min

Traffic redirected to the nearest scrubbing center in record time.

Scrubbing centers: 5

Geographically distributed for fast, low-latency diversion.

Global routing reach: 65%

Backbone connectivity with BGP flowspec control at the prefix level.

Security is built into our network, so attacks are scrubbed nearest to you

AS 14016: Our backbone network

Equinix IX Dallas · Equinix IX Chicago · DRIX Atlanta · CIX-ATL · DE-CIX New York

Coverage across every attack vector

Our platform is engineered to handle the full spectrum of DDoS attack types - not just volumetric floods. From application-layer attacks that target specific services to protocol exploits and SSL/TLS abuse, our mitigation techniques adapt automatically to each attack's characteristics.

Volumetric and flood attacks

Reflection, amplification, and UDP/ICMP floods

TCP, UDP, ICMP, DNS, mDNS, SSDP, NTP, NetBIOS, RIPv1, rpcbind, SNMP, Chargen, L2TP, and Microsoft SQL resolution service reflection amplification attacks - absorbed before they saturate your uplink.

Protocol and TCP stack attacks

Fragmentation exploits and TCP flag abuse

SYN, FIN, RST, ACK, SYN-ACK, and URG-PSH attacks, plus slow TCP variations. Fragmentation attacks including Teardrop, Targa3, Jolt2, and Nestea are caught and dropped at the backbone.

Application-layer attacks

HTTP floods, SIP abuse, and DNS attacks

HTTP GET/POST floods, slow HTTP attacks, SIP Invite floods, DNS attacks, and HTTPS protocol attacks - including resource exhaustion attacks like Slowloris, Pyloris, and LOIC.

SSL/TLS and specialty attacks

Encrypted traffic threats and gaming protocol attacks

Malformed SSL floods, SSL renegotiation, SSL session floods, DNS cache poisoning, vulnerability attacks, and attacks targeting gaming protocols - all covered under a single managed service.

NaaS

Let us run your whole upstream, not just the attacks.

Move your upstream onto AS 14016 and protection stops being a service you buy and becomes something already in every connection: always-on across all your carriers, and across your entire address space if you run your own IP. IP transit, direct peering, cloud on-ramps, and 24/7 support all come in one managed service, under one contract and one bill. One accountable team that goes above and beyond for your network, the reach of a major operator, and none of the work that used to come with running it yourself.


Our client portal gives you full visibility into every attack and every mitigation

ClearView surfaces active mitigations, traffic pattern anomalies, historical attack reports, and support tickets in one dashboard. When an attack is underway, you see exactly what's happening - without waiting for a call.


Real-time DDoS alerts. Active mitigations surface the moment an attack is detected - with event timestamps, affected service IDs, and mitigation duration. You see what's under attack and how it's being handled, without waiting for a status update.

Traffic pattern monitoring. Monitor bandwidth utilization across your protected prefixes. Spot anomalies before they escalate and use historical data to understand your network's baseline - informing both security decisions and capacity planning.

Historical attack reports. Download detailed analytics on past attack events - attack type, volume, mitigation time, and outcome. Use reports to demonstrate protection ROI, satisfy compliance requirements, or brief your team after a major event.

Protection scaled to how you connect

Exposure depends on how you connect. Capcon offers two tiers of DDoS protection: one built into every AS 14016 circuit, and one for operators carrying their own IP space or connecting through multiple upstream providers.

Base protection

Included

Built into every AS 14016 circuit

Every connection on our network includes baseline DDoS protection as standard. Traffic entering through AS 14016 is monitored and scrubbed as part of the service, with no configuration on your end.

Always on, every Capcon circuit. No added cost.

Multi-homed protection

Add-on

Coverage for your own IP space, across every carrier

Our à la carte DDoS service extends protection to your address space across all upstream providers. NetFlow and sFlow data from your edge routers feeds our detection engine, and eBGP announcements pull attack traffic onto AS 14016 for scrubbing, no matter which carrier it arrived on.

Available as an add-on. Talk to us to scope your coverage.

The difference managed DDoS protection makes

One service protects every carrier you connect through. Transit-provider protection only covers that provider's network. Ours protects your address space across every upstream you connect through - from one managed service.

Attacks stopped before they reach your connection. Traffic is diverted to scrubbing infrastructure at the backbone level. Your connection sees clean traffic. The attack never arrives.

Full visibility into every active mitigation. ClearView surfaces every active mitigation, traffic anomaly, and historical attack report in real time. You always know what's happening - without a phone call.

Protection that scales with how you connect. Every AS 14016 circuit includes baseline protection. Operators with their own IP space or multiple carriers can extend coverage across their entire address space with multi-homed protection.


Sprout Fiber — From Complexity to Clarity

How Capcon replaced 4–5 separate vendors, then cut outage restoration time by more than half.


We succeed when you stop worrying about connectivity

The best connectivity partner is one you rarely have to think about. Responsive when you need us, invisible when you don't.

72.9

Net Promoter Score

95% of our customers would recommend us.

9.52

NOC satisfaction

Rated out of 10 across all support interactions.

9.8

Provisioning satisfaction

Client-rated score on circuit delivery and onboarding.

What our clients say

We allow our customers to focus on what they do best – putting glass in the ground and focusing on their customers while we manage the backend network.

John McLauchlin
AEX

Support always does a great job in keeping us updated and it is a great value add.

Client
BrightRidge

I am always pleased with the quick response to our tickets and constant updates until the problem is resolved.

Client
CDE Lightband

Very easy to work with the entire team. As a reseller, Capcon has a fantastic relationship with the underlying vendors which ensures my circuit will be installed in a professional and timely manner.

Client
Centric Fiber

Capcon was great, easy to reach phone support, regular updates and I was able to communicate with the same support team through the entire incident.

Client
Community Action Marin

It's just great to work with Capcon all-around, in every aspect of the business. They understand our needs and take great care of us!

Mike Neverdusky
Cumberland Connect

Communication and connecting with customers was great!

Client
EM#

They are personable and seem to care about all of their clientele.

Client
GoSemo

Your guys are great, keep doing what you're doing.

Client
Hyperleaf

Reduce your exposure. Let us close the gaps a single provider leaves open.