Experience our network firsthand. Claim your free IP Transit (up to 300Mbps & 1 /24 prefix).
Back to Blog
TechnicalJune 10, 2026· 6 min read

Always-On DDoS Protection vs On-Demand: Why the Difference Costs You Players

Most DDoS protection activates after detection. That 2–5 second window is exactly when players disconnect. Here's why always-on filtering is the only architecture that works for game servers.

The Detection Window Problem

Every traditional DDoS protection system has the same fundamental flaw: it waits.

The flow looks like this:

  1. Attack traffic arrives at your server
  2. The mitigation system detects anomalous traffic patterns
  3. Traffic is rerouted to a scrubbing center
  4. Clean traffic is returned to your server

Steps 2 through 4 take time. Usually 2 to 10 seconds. For a web application serving static content, that's annoying. For a game server, that's everyone disconnecting at once.

What Actually Happens During a Game Server Attack

When a flood hits an unprotected or on-demand-protected game server, the sequence from a player's perspective is:

  • Sudden lag spike
  • Connection timeout
  • Kicked from the session
  • Unable to reconnect while mitigation is active

Players don't wait. They leave, they review you negatively, they don't come back. The attack succeeded - not because it took your server offline, but because the mitigation process itself disrupted gameplay.

How Always-On Filtering Eliminates the Window

With always-on filtering, there is no detection step. Every packet that enters the network is inspected continuously, at wire speed, before it reaches your server.

When an attack starts:

  • No rerouting occurs
  • No detection delay occurs
  • Traffic inspection was already happening
  • Attack packets are dropped inline
  • Legitimate packets continue uninterrupted

From a player's perspective, nothing happens. The attack is invisible.

The Latency Question

The common concern with always-on filtering is added latency. If every packet is inspected, doesn't that slow things down?

With inline filtering hardware - Arista 7280R series, Mellanox ConnectX-6 NICs - the latency added by the inspection process is sub-millisecond. At wire speed, packets are processed faster than any rerouting path could return them.

On-demand protection, by contrast, adds the full round-trip latency of rerouting: typically 10–40ms depending on scrubbing center location. This is the latency penalty players feel even when there is no attack, simply because traffic is flowing through a remote scrubbing center.

Always-on filtering, deployed locally, adds nothing measurable. Zero.ms PoPs are placed close to game servers specifically to avoid this.

When On-Demand Makes Sense

On-demand protection works for infrastructure where brief disruption is acceptable: websites, APIs, email servers. The cost savings are real, and a few seconds of disruption during a mitigation event is a minor inconvenience.

It does not work for anything real-time. VoIP, gaming, live streaming, financial trading - anything where session continuity matters requires always-on.

Summary

If you run game servers and you're evaluating DDoS protection:

  • On-demand: Cheaper, acceptable for web infrastructure, will disconnect your players during every attack
  • Always-on: More expensive, essential for game servers, players never notice attacks

The cost difference between the two is smaller than the cost of losing players to preventable disconnections.

Ready to protect your servers?

Get always-on DDoS filtering with zero added latency. Request a quote today.

Request a Quote