DDoS Protection Australia: 15+ Years of Keeping Australian Networks Online

23 Jun 2026, by James Braunegg, CEO and Founder, Micron21

From the moment we decided to provide mission-critical hosting services, one truth was unavoidable: there is no such thing as mission-critical hosting without a way to stop cyber attacks. A perfect data centre with an undefended network is a fortress with the gates open. We needed a way to protect our customers and keep them online while they were being attacked, and for more than 15 years we have continuously developed, rebuilt and expanded our ability to stop unwanted attack traffic from taking our customers offline.

The threat has never been bigger. DDoS attacks have become background radiation on the internet, with tens of millions of attacks mitigated globally every year, bandwidth records repeatedly shattered at terabit scale, and attackers shifting to multi-vector campaigns that hit layers 3, 4 and 7 simultaneously. This article explains how DDoS protection in Australia actually works, tells the story of how we built our platform, and covers the practical decisions you need to make: always-on versus on-demand protection, and what to do in an emergency.

How our DDoS protection platform was born (and rebuilt, repeatedly)

I want to walk through this history because it explains something important: real DDoS mitigation capability cannot be bought off a shelf. It is accumulated, painfully, over years of absorbing real attacks.

2008: detection and the blunt instrument

In the early days, around 2008, we relied on NetFlow software to detect unwanted traffic and trigger a remote blackhole null route. When an attack hit, we would route the victim's traffic to nowhere, protecting the rest of the network. It worked, but it had a fatal flaw: null routing completes the attack for the attacker. The customer goes offline, which is exactly what the attacker wanted. We were protecting the network by sacrificing the victim, and that was never going to be good enough for mission-critical services.

2010: absorb and scrub

So we matured the model quickly. In 2010 we purchased some of the very first 10-gigabit Brocade MLXe routers, giving us what was at the time a massive amount of bandwidth, and paired them with dedicated filtering hardware that could scrub unwanted attack traffic away from legitimate traffic. Instead of dropping everything, we could now absorb an attack, clean it, and deliver the real users through. This was a generational improvement over null routing: the customer stayed online while under attack.

But it surfaced the next problem: bandwidth costs in Australia in 2010 were enormous, and buying enough capacity to absorb attack traffic onshore was prohibitively expensive. Defence at scale needed a different geography.

2010 onwards: going global to defend Australia

The answer was to expand our network internationally. We built our first international point of presence in Los Angeles, at CoreSite One Wilshire, one of the most interconnected buildings in the world, chosen so we could peer with as many networks as possible and buy bandwidth from as many providers as possible. That gave us the capacity to absorb attacks at a price that made protection commercially viable, and in 2010 we began offering DDoS protection services to Australian networks: international traffic scrubbed in the USA, domestic traffic scrubbed in Australia.

It worked, but we were honest with ourselves about the downside: routing all international traffic via the USA added latency for non-US international traffic. As we grew, we justified expanding the network into Singapore and Amsterdam, which let us buy capacity within each region, peer with every major network globally, and establish dedicated scrubbing hardware in each region to inspect and clean traffic close to its source, bringing only the clean traffic back to Australia.

Today: a global scrubbing platform built for Australian networks

Today we peer with more than 2,000 networks, operate one of the largest peered networks in Australia (AS38880), and deliver mission-critical DDoS protection for Australian networks requiring layer 3, 4 and 7 protection. The platform has matured over 15+ years into an IRAP assessed DDoS protection service designed specifically for Australian networks: attacks are absorbed and scrubbed globally, close to where they originate, while clean traffic flows home to Australia. Your users overseas get low latency; your infrastructure onshore gets clean pipes; your data stays sovereign.

What modern attacks look like (and why layers matter)

DDoS protection in Australia has to answer three different kinds of attack at once:

• Layer 3 (network) attacks flood your connection with sheer volume: amplification floods and packet storms now reaching terabit scale globally. The defence is capacity and filtering, which is why we never stopped buying both.
• Layer 4 (transport) attacks exhaust the connection-handling capacity of firewalls, load balancers and servers with floods like SYN attacks. The defence is stateful inspection at the scrubbing edge before traffic ever reaches your equipment.
• Layer 7 (application) attacks are the surgical ones: low-bandwidth requests that mimic legitimate users, hammering a login page, an API or a search function until the application collapses. These are the fastest-growing category and the hardest to detect, requiring deep inspection that can tell a real customer from a convincing bot.

Modern campaigns increasingly combine all three simultaneously, and most attacks now last minutes, not hours, which means human-speed response is too slow. Detection and mitigation have to be automatic, and they have to already be in the traffic path or able to enter it in moments.

The people behind the platform

Automation does the first seconds; people do everything else. Our 24/7 Network Operations Centre and Security Operations Centre monitor and maintain the flow of traffic around the world, watching attack patterns, tuning mitigations and managing capacity across every region. And we never stop investing: we are continuously buying more capacity and infrastructure to stay ahead of attack growth, because you cannot provide a Tier IV data centre and an insecure network at the same time. The facility and the network have to be engineered to the same standard.

That philosophy is what lets Micron21 deliver hyperscale-style services from sovereign Australian infrastructure: we own and operate our own Tier IV data centre, we run our own cloud platform in mCloud providing public and private cloud plus GPU as a service, and everything is secured via our global network AS38880 and the DDoS protection platform built into it.

Always-on, on-demand, and emergency DDoS protection

Customers consume our DDoS mitigation service in three ways, and choosing the right one matters.

Always-on protection

Your traffic permanently flows through the scrubbing platform. Attacks are detected and mitigated automatically, often before you know they started. This is the right model for anything mission critical: government services, finance, gaming, VoIP, hosting providers and any business where minutes of downtime cost real money or reputation.

On-demand protection

On-demand protection sits ready but inactive: your traffic flows normally until an attack is detected or declared, at which point traffic is redirected through the scrubbing centres and cleaned. It suits organisations that want lower steady-state cost and can tolerate the brief window while mitigation activates.

Emergency DDoS protection

Then there is the phone call we know well: a network under active attack, services down, and a provider unable to help. We provide emergency DDoS protection for networks in trouble, onboarding them onto the platform mid-attack and restoring service. We have done it many times, and we will always take that call.

But here is my honest, hard-earned advice: do not plan to meet us for the first time during an attack. Proper mitigation requires routing changes that take time to authorise and propagate. A Letter of Authorisation (LOA) must be in place so we can announce your IP space, and Route Origin Authorisations (ROAs) need to be configured so the world's networks accept the routing change that swings your traffic into protection. None of this is instant, and every hour spent arranging paperwork mid-attack is an hour your services stay down. Set up protection before you need it, even if it is on-demand and dormant. The difference between activating a prepared defence and building one under fire is the difference between minutes and days.

What to look for in a DDoS mitigation service in Australia

• Real, owned capacity: can the provider absorb terabit-scale volumetric attacks, and do they own the network doing it, or resell someone else's?
• Global scrubbing, local delivery: attacks should be cleaned near their source, with clean traffic delivered onshore without unnecessary latency detours.
• Full-stack coverage: layers 3, 4 and 7, because attackers no longer pick just one.
• Independent assessment: our platform is IRAP assessed, meaning an ASD-endorsed assessor has independently examined it against the Australian Government Information Security Manual.
• 24/7 humans: a NOC and SOC who answer at 3am, in Australia, with their hands on the actual infrastructure.
• Sovereignty: protection operated by an Australian-owned provider, with clean traffic terminating in Australian, Tier IV certified infrastructure.

Frequently asked questions

What is a DDoS mitigation service?

A DDoS mitigation service detects distributed denial of service attacks and filters the malicious traffic away from legitimate users, keeping your services online during the attack. Effective services combine large network capacity to absorb volumetric floods with intelligent scrubbing that separates real users from attack traffic across network, transport and application layers.

How quickly can emergency DDoS protection be activated?

It depends on preparation. For networks already onboarded, mitigation activates in moments. For a brand-new network under active attack, onboarding requires authorisation paperwork (LOA) and routing configuration (ROAs) before traffic can be redirected for scrubbing, which can take hours. This is why we strongly recommend establishing at least on-demand protection before an attack occurs.

Should I choose always-on or on-demand protection?

Always-on suits mission-critical services where any downtime is unacceptable, since attacks are mitigated automatically with no activation window. On-demand suits organisations with more downtime tolerance who want a lower ongoing cost while keeping a prepared defence ready to activate.

The bottom line

DDoS protection is not a feature you bolt on; it is a capability you build, and we have spent more than 15 years building ours: from null routes that sacrificed the victim, to Brocade-powered scrubbing, to a global platform spanning Los Angeles, Singapore, Amsterdam and Australia, peering with over 2,000 networks and cleaning attacks before they ever touch Australian soil. It is IRAP assessed, watched 24/7 by our Australian NOC and SOC, and backed by the same philosophy as everything we run: own the infrastructure, prove the capability, never let a single failure, or a single attacker, take a customer down.

If your network needs DDoS protection in Australia, talk to us before the attack. And if you are under attack right now, call us anyway. We have taken that call for fifteen years.