- Anycast routing and globally distributed edge nodes to absorb volumetric DDoS traffic.
- Upstream scrubbing centers and carrier-based DDoS protection (BGP diversion, GRE tunneling).
- Automated traffic filtering: rate limiting, connection limiting, SYN cookies, challenge/response (CAPTCHA, JS), behavioral/anomaly detection, and bot management.
- Web/API protection: WAF with managed rules, API gateways, schema validation, token binding, HMAC-signed requests, and strict throttles per client.
- Network controls: stateless ACLs at edges, stateful firewalls, IPS/IDS, BGP Flowspec/RTBH, geofencing, allowlisting for admin planes.
- DNS resilience: redundant authoritative DNS, DNSSEC, multi-provider DNS, query rate limiting, and response policy zones.
- Routing and peering hygiene: diverse transit/peers, RPKI/ROA validation, BGP monitoring/alerting, and max-prefix safeguards.
- Resilience and scaling: auto-scaling frontends, circuit breakers, load shedding, queue-based backpressure, graceful degradation, and multi-region failover.
- Segmentation and zero trust: microsegmentation, mTLS, least privilege, PAM/JIT access, strong MFA, device posture checks.
- Hardening and patching: baseline configs, minimal attack surface, timely OS/app updates, secure configs for CDN/edge caches.
- Monitoring and response: centralized logging, SIEM, UEBA, SOAR playbooks, real-time metrics/SLOs, 24/7 SOC, runbooks, and exercises.
- Data protection: TLS 1.2+/QUIC, HSTS, certificate pinning, encryption at rest with HSM-backed keys, immutable/offline backups (3-2-1).
- Application security: SAST/DAST, dependency and secret scanning, SBOM, code signing, CI/CD attestations (SLSA), container/Kubernetes policies.
- Supply chain and email security: package signing, provenance checks; SPF/DKIM/DMARC to deter phishing of ops staff.
- Physical and power/network redundancy for edge sites; tamper detection and secure access controls.