How do we protect you

When it comes to DDoS mitigation there are essentially two main technologies, scrubbing and remote triggered black hole (RTBH):

Scrubbing filters bad traffic while letting legitimate traffic through. Scrubbing comes in varying levels of granularity, the most blunt being firewall rules on ISP routers (to redirect, rate limit, or drop traffic), and the most fine being DDoS scrubbing appliances which steer traffic to scrubbing devices (which will in most cases increase latency).

RTBH signals to all global Tier 1 and many Tier 2 providers that an address is the target of DDoS and that we want them to no longer forward traffic to that address. Whilst this is very effective at preventing DDoS traffic from reaching the intended DDoS target, the DDoS target will be taken offline entirely by the mitigation itself. In practice this protects the ISP but not the DDoS target. This method sacrifices one subscriber for the good of the rest. In this scenario, wherever possible, we will give the subscriber a new IP addresses as fast as possible to get them back online.

In reality, effective DDoS mitigation uses a mix of both of the options listed above, and that’s the approach we have taken.


When we select our upstream carriers for Internet connectivity we evaluate what DDoS capabilities they have as part of the selection process. We believe that an effective DDoS strategy starts as close to the source as possible, partnering with companies with DDoS protection located overseas ensures that malicious traffic doesn’t reach NZ/AU shores is a key part of our design.

To date, our strategy has kept any unwanted traffic being scrubbed offshore before reaching our own network. 

Out-of-path protection

(default for all Lightwire customers)

Our selected partners maintain off shore scrubbing appliances in multiple continents. DDoS attacks are automatically detected in real-time and affected traffic is diverted to the scrubbing devices if the DDoS surpasses 100Mbit or 10000 packets per second.

The initial automation takes effect in about 2 minutes with automatic firewall rules directing traffic to the scrubbing appliances. If the DDoS attack surpasses the scrubbing appliances threshold, the system automatically switches to RTBH. If the system switches to RTBH, Lightwire is notified and will in turn notify any business and offer them the ability to change IP addresses.

For traffic within NZ/AU and exchanges Lightwire has both RTBH as an option and the ability to steer traffic manually to our partners scrubbing devices.

DDoS Protection by Lightwire

Inline scrubbing

(premium service)

If you choose to upgrade to the dedicated inline scrubbing model, then all of your international traffic will pass through our scrubbing devices all of the time. Advantages of this are;

  • Fast DDoS protection reaction time – 18 seconds or less compared to approx. 30 – 120 seconds.
  • Layer 3 up to Layer 7 deep packet analysis for detection – protects against more attack types
  • Detection of “low and slow” attacks – picks up on attacks that are low volume rather than just high volume “volumetric” attacks

Under this model, you will purchase dedicated bandwidth capacity on our scrubbing appliances and have this traffic scrubbed 24/7, adding protection for more attack types and lowering protection activation time.

If you’re interested in this option, just get in touch and we can talk pricing and design.

Choose a better way to get connected