PEERYX Network
EN — English FR — Français ES — Español DE — Deutsch NL — Nederlands
Request a quote
Protected IP Transit Reverse Proxy Game Infrastructure Blog Contact Request a quote
← Back to blog
Network guide Published on April 19, 2026 Reading time: 9 min

Latency, asymmetric routing and clean traffic: what really matters in anti-DDoS

Capacity alone is not enough. You also need to understand latency, asymmetric routing, clean traffic delivery and the importance of reading both Gbps and Mpps.

Peeryx architecture

Protected transit

Adaptive mitigation and clean delivery

Client edge BGP / handoff
Mitigation Adaptive filtering
Transit out Local egress
Clean delivery GRE · IPIP · VXLAN
Capacity is not the whole story

A credible anti-DDoS network must also manage latency and delivery quality.

Asymmetric routing can be useful

It is not automatically a problem when the use case and return traffic are designed properly.

Clean traffic is the real business metric

The goal is not only to stop the attack but to deliver legitimate traffic correctly.

Gbps and Mpps must be read together

A modest bandwidth attack can still be brutal in packets per second.

Anti-DDoS marketing often focuses on the same numbers: bandwidth, total mitigation capacity and raw Tbps. Those numbers matter, but they do not tell the full story about the real quality of a protection service.

What makes the difference in production is also how legitimate traffic is handled, how much latency is added, whether routing is symmetric or asymmetric and how clean traffic is delivered back to the customer environment.

Why latency matters as much as raw mitigation

A service may technically stay online while still becoming painful to use if latency rises too much. This is especially true for online gaming, response-sensitive APIs, admin panels and some transactional flows.

A serious anti-DDoS design must therefore do more than absorb an attack. It must preserve a reasonable path for legitimate traffic with a routing model that matches the protected service.

Asymmetric routing is not automatically a problem

Asymmetric routing means that ingress and egress do not follow the exact same path. In anti-DDoS, that can be a very valid choice when traffic enters through the mitigation layer and exits locally closer to the customer infrastructure.

This model can reduce egress latency, simplify deployments and avoid a full migration. It just needs to be designed correctly: return traffic, announcements, session handling and application constraints must be understood from the start.

When asymmetry helps

Useful when traffic should enter through protection but leave more directly towards the Internet or the customer infra.

When symmetry helps

Useful when a homogeneous path is required or when specific network constraints apply.

No universal rule

The right choice depends on the protected service, its latency sensitivity and its operational model.

Why clean traffic delivery is a central topic

The most important part is not only filtering. It is the quality of legitimate traffic delivery after filtering. If clean traffic is sent back in an unstable, overly complex or operationally painful way, the architecture loses a large part of its value.

Cross-connect, GRE, IPIP, VXLAN or other delivery modes should be seen as a direct extension of mitigation. The service only has real value if clean traffic reaches production in a way the customer can operate.

  • Avoid unnecessary complexity
  • Validate MTU and return traffic
  • Choose a delivery model that fits the existing infrastructure
  • Measure the real effect on application latency

Gbps, Mpps and the real shape of an attack

An anti-DDoS operator cannot look only at Gbps. Some attacks are moderate in bandwidth yet extremely aggressive in packets per second, which can stress network devices, queues, firewalls or software stacks long before a link is full.

The opposite is also true: a very large bandwidth flood with a lower packet rate does not impact every environment in the same way. Reading an attack correctly always means looking at volume, rate and how the traffic moves through the system.

1. Read the bandwidth

Useful to estimate upstream pressure and saturation risk on links.

2. Read packets per second

Essential to understand the real load on devices and software.

3. Read the traffic shape

Protocols, packet sizes, symmetry and distribution matter as much as raw volume.

4. Adapt the mitigation

The right filter depends on the exact attack profile, not on a single number.

Practical cases where these choices really matter

For a game server, a few extra milliseconds can already be visible. For a web service, overall stability and keeping the frontend reachable often matter even more. For a hosting provider or a multi-service platform, the challenge is usually to preserve delivery flexibility without creating a rigid network design.

That is why a credible anti-DDoS architecture must be seen as a full chain: traffic enters mitigation, filtering decisions are made, routing is chosen and clean traffic is delivered back.

Online gaming

Strong focus on latency and on flow stability during an attack.

API / SaaS

Availability, response times and session continuity matter most.

Hosting provider

Needs a flexible, clean and repeatable delivery model across services.

Existing production infra

The right design is often the one that protects without forcing a full rebuild.

Common mistakes to avoid

The first mistake is to focus only on mitigation capacity numbers. The second is to treat asymmetric routing as an automatic flaw. The third is to forget that clean traffic delivery is just as important as filtering itself.

Does very large advertised capacity guarantee good protection?

No. It matters, but it does not replace a good delivery architecture or good latency control for legitimate traffic.

Is asymmetric routing inherently bad?

No. It can be very relevant when the network design matches the service and the return path.

Why talk about Mpps if the link is not full?

Because many devices and software stacks can suffer from high packet pressure long before a Gbps saturation event.

Does the delivery model affect business outcomes?

Yes, because it directly affects rollout speed, production stability and the real customer experience.

Conclusion

A credible anti-DDoS offer is not just about theoretical mitigation capacity. It is also judged by latency, routing choices and the way clean traffic is actually delivered into production.

In practice, the architectures that inspire trust are the ones that protect the infrastructure while respecting legitimate traffic and the customer’s real operating constraints.

Resources

Related reading

To go deeper, here are other useful pages and articles.

Featured article Reading time: 8 min

Protected IP Transit Against DDoS: Mitigation Designed to Preserve Legitimate Traffic

A practical guide to link saturation, 95th percentile billing risk, blackholing, asymmetric routing, adaptive filtering and the importance of both Gbps and Mpps.

Read the article
Practical guide Reading time: 9 min

How to protect a Hetzner or OVH dedicated server against DDoS with GRE and optional BGP

A practical guide for protecting a production dedicated server hosted at OVH, Hetzner or another provider without migrating the whole stack, using GRE with or without BGP.

Read the article
Technical comparison Reading time: 8 min

GRE, BGP or protected IPs: which model should you choose to protect a service against DDoS?

Simple GRE tunnel, GRE + BGP or protected IP delivery: here is how to choose the right model depending on your architecture, routing control requirements and deployment speed.

Read the article

Need a cleaner network design for your service?

Tell us about your latency sensitivity, your current routing model and your production environment, and we can point you to the most coherent architecture.

Request a quote View transit offer