In today’s rapidly evolving threat landscape, traditional DDoS mitigation techniques are no longer sufficient for modern service provider networks. In 2025, the number of DDoS attacks nearly doubled and network layer attacks nearly tripled.¹ Additionally, 78% of DDoS attacks observed in 2025 lasted five minutes or less,² making quick detection all the more vital. Hyper-volumetric attacks reached a staggering peak of 31 Tbps in 2025, with AI-driven botnets like Aisuru and Kimwolf infecting millions of devices to launch stealthy, high-impact campaigns.³ 

Guarding against evolving DDoS attacks: Cisco Secure DDoS Edge Protection 

Cisco Secure DDoS Edge Protection helps organizations guard against these threats, offering a simplified architecture that utilizes a modular, containerized design and turns your network edge into a distributed security shield.  

Figure 1: Cisco Secure DDoS Edge Protection solution architecture
 

On-box detection and mitigation 

Instead of exporting NetFlow data to a central collector, customers can deploy Cisco Secure DDoS Edge Protection containers directly on Cisco IOS XR routers to analyze the traffic samples. Cisco extends the traditional NetFlow to Protobuf, with additional parameters to be captured from the packet headers, which will help enable: 

• Ultra-fast response: Detection and mitigation occur in under 30 seconds. 
• Zero added latency: Because the attacks are mitigated at the edge, there is no backhauling to scrubbing centers and no impact on legitimate traffic performance. 

The system can also use advanced machine learning (ML) algorithms to establish baselines for every host, effectively identifying behavioral anomalies and neutralizing zero-day threats. 

 

Comprehensive use case support

Cisco Secure DDoS Edge Protection equips organizations to guard against and respond to a variety of cyberattacks, whether inbound, outbound, or originating from east-west traffic. 

Peering (inbound) 

Inbound peering traffic is often the target of hyper-volumetric attacks designed to saturate infrastructure before it can reach a scrubber. Dynamic detection algorithms re-characterize the defense logic based on the attack vectors—in real time as attack vectors change, protecting the core from massive L3–L7 volumetric floods. 

Access/broadband (outbound) 

Botnets like Aisuru are infecting the end user customer premises equipment (CPE) to use service provider networks as an “attack launchpad” for DDoS attacks, camouflaging as legitimate traffic. Once the origin of the attack is known, the service provider’s peering IP addresses get blacklisted. As a result, it’s no longer just security operations (SecOps) teams that have to worry about DDoS attacks; network operations (NetOps) teams must also take a more central role in addressing DDoS issues. 

Cisco Secure DDoS Edge Protection identifies the attacks directly at the access router and mitigates them. 

East-west traffic 

Cisco Secure DDoS Edge Protection closes the visibility gaps in the aggregation networks by monitoring internal traffic, preventing malicious flows from spreading horizontally between users and helping service provider networks avoid choking. 

 

Compatible with routing platforms 

Cisco Provider Connectivity routing platforms (ASR 9000, NCS 5500 Series, NCS 5700 Series, NCS 540 Series, 8000 Series) have application hosting capabilities and run the Cisco Secure DDoS Edge Protection agent. These routing platforms empower teams to mitigate attack traffic in a granular manner with attack vectors fed into the user-defined fields of the access lists. Additionally, the platforms also support other traditional mitigation methods of BGP Flowspec-based diversion or rate limiting and BGP Remotely Triggered Black Hole (RTBH). 

 

Reduced total cost of ownership (TCO) 

Cisco Secure DDoS Edge Protection helps save costs across the board, by avoiding dedicated hardware, power, and the hosting of scrubbers; it also eliminates the need for backhaul network capacity to route the traffic to centralized scrubbing centers. Teams enjoy predictable and future-proof costs without needing to add capacity every year. Realistic comparisons indicate potential TCO savings of up to 60% compared to traditional scrubber-based deployments.⁴

 

Unlocking new revenue streams: The MSSP opportunity 

The solution offers built-in support for managed security service providers (MSSPs) included with the license, allowing service providers to turn DDoS protection into a potential revenue stream. 

• Massive multi-tenancy: Onboard 10,000+ customers with full data isolation. 
• Tiered service models: Create tiered plans like Bronze, Silver, and Gold, with different service level agreements (SLAs) and flexible detection and mitigation policies. 
• Customizable logic: Define specific actions tailored to individual customer needs with the built-in scripting language. 
• Customer-facing portals: Provide branded reports and real-time dashboards that show the value of the service during active attacks.
  
  

Preparing for the next generation of DDoS threats 

By integrating security directly into Cisco routers, you can reduce TCO, improve customer experience, and make sure your network is ready for the next generation of evolving DDoS threats. 

Fortify your network edge against hyper-volumetric threats with Cisco Secure DDoS Edge Protection 

1. 2025 Q4 DDoS threat report: A record-setting 31.4 Tbps attack caps a year of massive DDoS assaults, Cloudflare, February 5, 2026.

2. DDoS in 2025: what a difference a year makes, TechRadar, January 13, 2026.

3. See note 1.

4. Potential TCO savings based on Cisco calculations for a 4 Tbps peering network, comparing Cisco Secure DDoS Edge Protection to Cisco estimates for a traditional scrubber-based deployment.

• Cisco IOS XR: A simple, modern, and trustworthy network operating system
• Cisco Service Provider Security