The Detection Window Problem
Every traditional DDoS protection system has the same fundamental flaw: it waits.
The flow looks like this:
- Attack traffic arrives at your server
- The mitigation system detects anomalous traffic patterns
- Traffic is rerouted to a scrubbing center
- Clean traffic is returned to your server
Steps 2 through 4 take time. Usually 2 to 10 seconds. For a web application serving static content, that's annoying. For a game server, that's everyone disconnecting at once.
What Actually Happens During a Game Server Attack
When a flood hits an unprotected or on-demand-protected game server, the sequence from a player's perspective is:
- Sudden lag spike
- Connection timeout
- Kicked from the session
- Unable to reconnect while mitigation is active
Players don't wait. They leave, they review you negatively, they don't come back. The attack succeeded - not because it took your server offline, but because the mitigation process itself disrupted gameplay.
How Always-On Filtering Eliminates the Window
With always-on filtering, there is no detection step. Every packet that enters the network is inspected continuously, at wire speed, before it reaches your server.
When an attack starts:
- No rerouting occurs
- No detection delay occurs
- Traffic inspection was already happening
- Attack packets are dropped inline
- Legitimate packets continue uninterrupted
From a player's perspective, nothing happens. The attack is invisible.
The Latency Question
The common concern with always-on filtering is added latency. If every packet is inspected, doesn't that slow things down?
With inline filtering hardware - Arista 7280R series, Mellanox ConnectX-6 NICs - the latency added by the inspection process is sub-millisecond. At wire speed, packets are processed faster than any rerouting path could return them.
On-demand protection, by contrast, adds the full round-trip latency of rerouting: typically 10–40ms depending on scrubbing center location. This is the latency penalty players feel even when there is no attack, simply because traffic is flowing through a remote scrubbing center.
Always-on filtering, deployed locally, adds nothing measurable. Zero.ms PoPs are placed close to game servers specifically to avoid this.
When On-Demand Makes Sense
On-demand protection works for infrastructure where brief disruption is acceptable: websites, APIs, email servers. The cost savings are real, and a few seconds of disruption during a mitigation event is a minor inconvenience.
It does not work for anything real-time. VoIP, gaming, live streaming, financial trading - anything where session continuity matters requires always-on.
Summary
If you run game servers and you're evaluating DDoS protection:
- On-demand: Cheaper, acceptable for web infrastructure, will disconnect your players during every attack
- Always-on: More expensive, essential for game servers, players never notice attacks
The cost difference between the two is smaller than the cost of losing players to preventable disconnections.