If your organisation buys bandwidth from one of the big backbone carriers, you already sit behind formidable pipes and global scrubbing clouds. Sales decks often call this ‘built-in DDoS protection’. It sounds reassuring: why invest in extra defences when petabit routers stand between you and the internet? Yet every quarter we see outages at banks, gaming platforms and government portals that purchase Tier 1 connectivity. The lesson is simple. Backbone capacity alone is not a full shield, and some attack types glide straight past provider-side filters until damage is visible on your side of the hand-off.
What is a Tier 1 ISP?
The public Internet is stitched together by thousands of networks known as autonomous systems. At the top sit a handful of carriers, often called Tier 1s, that can reach every other network without paying anyone for transit. They achieve this by exchanging traffic with their peers on a settlement-free basis and by owning, leasing or swapping enough international capacity to deliver packets to any corner of the globe.
If you buy a connection from a Tier 1 you are said to have ‘transit’. The carrier advertises your routes to the rest of the Internet and carries inbound and outbound traffic across its backbone. Below Tier 1 you find Tier 2 providers (large regionals that still pay at least some transit costs) and Tier 3 or ‘access’ ISPs (local broadband or hosting companies that rely almost entirely on upstreams).
Why is DDoS protection often bundled with transit?
Large carriers operate routers that push terabits per second and peer at dozens of exchange points. Any attack they can block at the outer edge saves backbone bandwidth, keeps latency stable for all customers, and prevents knock-on failures in congested links. Scrubbing early is therefore cheaper than allowing junk traffic to travel halfway around the world before it is discarded.
To achieve this, most Tier 1s install several layers of defence. Stateless access-control lists drop obviously spoofed packets in hardware. Remote-triggered black-hole routes can be injected within seconds to sink traffic aimed at an overloaded prefix. For bigger or more complex floods, traffic is diverted into regional scrubbing centres that inspect every packet and return only the clean flows to the customer. Because these measures also protect the carrier’s own infrastructure, a basic level of filtering is offered ‘for free’, with enhanced tiers sold as add-ons.
Marketing turns that operational necessity into a pitch: ‘Our backbone is so large a flood can’t touch you, and if it does we’ll clean it automatically.’ In reality, the bundled protection is designed to keep the core safe first; ensuring every individual service stays online still requires local visibility and policy control on the customer side.
The comfort myth: where blind spots appear
Carrier defences are tuned for events that threaten the backbone itself. They watch for sudden multi-terabit floods, spoofed reflection traffic or routing loops. Smaller yet still damaging attacks can slip through because they never trigger backbone-level alarms. A four-gigabit HTTPS flood will sail under the radar of a router handling six-terabit links, but it can still choke a data-centre link or exhaust a web cluster.
Even when the carrier intervenes the preferred tool is often a black-hole route that simply drops every packet to the victim prefix. That saves upstream capacity yet removes the target application from the Internet. Granular filters, blocking only one port, one botnet subnet or one protocol option, require context carriers rarely have for thousands of customers.
Application-layer floods add another wrinkle. These attacks mimic genuine user sessions and produce modest packet rates, so backbone monitors that focus on bandwidth or packets per second may mark the traffic as normal.
Why ‘leave it to the carrier’ fails during hyper-volumetric events
Tier 1 backbones can swallow multi-terabit floods, but that capacity is gated by operational and commercial caveats. A carrier generally waits until traffic crosses a pre-set threshold (often 2 Gbps for a /32 or 10 Gbps for a /24) before it diverts flows into its scrubbing cloud. The trigger is usually a BGP community tag or a ticket raised via the customer portal, and both steps rely on humans or automation inside the customer’s NOC. Industry incident reviews by NANOG and FIRST show an average of three to five minutes between the first alarm and full diversion.
Billing is rarely transparent. Most wholesale contracts bundle a fixed ‘clean-traffic’ allowance, typically 2–5 Gbps, after which the provider charges by 95th-percentile or per-gigabit egress.
And latency is the quiet tax. Scrubbing nodes sit where fibre is cheap, not necessarily next door to users. For example, Riot Games has documented packet-time jumps of 15–20 ms when traffic for its European shard is rerouted through London during mitigation, enough to trigger hit-registration complaints in fast-twitch titles. Voice-over-IP codecs like Opus tolerate roughly 20 ms jitter; add another dozen and call quality degrades audibly. In capital-markets networks governed by MiFID II and Reg SCI, even a 2 ms swing can flag best-execution alerts.
There are architectural blind spots too. Carriers seldom accept BGP advertisements more specific than /24, forcing an operator to black-hole an entire subnet to stop a single host’s flood. Encrypted L7 assaults—HTTP/2, WebSocket, QUIC – get past volumetric filters because backbone scrubbers do not terminate TLS. The attack footprint shrinks from terabits to a few gigabits, but those connections still hammer application threads and database pools once they exit the cloud.
For businesses that trade on milliseconds or maintain stateful services, carrier mitigation is a safety net, not a silver bullet. Local detection, prefix-level FlowSpec, and the ability to shed only the bad traffic remain indispensable for staying online while the backbone catches up.
Building a layered defence
Defence works best when upstream capacity and local intelligence cooperate. Keep the carrier’s giant pipes in reserve, but place fast detection at your edge, inside your own routing domain, so that every flow is inspected from the first packet. FastNetMon listens to NetFlow, sFlow, IPFIX or mirrored traffic, flags anomalies in seconds and generates precise BGP Flow Spec or RTBH announcements. Malicious sources can be rate-limited or dropped while legitimate sessions keep flowing.
When the attack grows toward circuit capacity, the same system can automatically signal your transit provider or cloud scrubbing partner and withdraw the route once the wave subsides. That automation shortens downtime, avoids unnecessary detours and keeps bills predictable.
What does FastNetMon add that a Tier 1 cannot?
- First-hop visibility – your routers export flows that show packet sizes, port numbers and TCP flags. FastNetMon turns those details into real-time alerts long before an upstream sees trouble.
- Fine-grained mitigation – generate Flow Spec rules that block only the abusive port or subnet instead of null-routing the whole prefix.
- Actionable telemetry – Grafana dashboards reveal whether the attacker is using UDP floods, HTTPS keep-alive abuse or mixed vectors, arming you with data for post-incident tuning and insurance reporting.
Tier 1 transit stops a fair share of the noise, but its view is wholesale and its triggers protect the backbone, not your customer experience. Precision filtering, application awareness and rapid escalation still need to live inside your perimeter. Combine carrier scale with site-level detection, keep clear run-books for triggering upstream scrubbing, and treat DDoS defence as a partnership—not a single outsourced checkbox.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.
For more information, visit https://fastnetmon.com