We have Arista 7150s 24-port Layer 3 switches for 10G switching and BGP peering with our providers from our own /24 network block. Control over our peering provides us the ability to use routing changes as a response to some types of malicious activity. Our firewall is provided by Sophos. The firewall and switch devices have the ability to identify and blackhole DoS and DDoS traffic, whether it be ICMP floods, SYN/TCP floods or UDP floods, at over 10 Gb/s. Additionally, while not automatic, our internet providers will also assist in blocking malicious traffic we identify.
While we have redundant fiber optic internet links at 1 Gb/s per data center, once elected, we can scale to 10 Gb/s service links on demand. Typically, when DoS attackers realize they cannot fill the pipeline, they give up in less than a day and concentrate elsewhere.
Cloudflare will be immediately activated on demand as needed. Since we have SNMP monitoring on all interfaces tracking bandwidth utilization, an attack can reasonably be anticipated and mitigated.
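
As an added illustration of the SNMP-based bandwidth tracking described above (example code, not the operator's own monitoring setup), the sketch below turns successive interface octet counters into link utilization and flags sustained saturation of a 1 Gb/s link. The 60-second poll interval, the 80% threshold, the three-interval sustain window, the use of `IF-MIB::ifHCInOctets` and the sample counter values are all assumptions made for the example.

```python
from dataclasses import dataclass

COUNTER64_MOD = 2 ** 64  # IF-MIB::ifHCInOctets is a Counter64
LINK_BPS = 1_000_000_000  # 1 Gb/s link, as stated on the page

@dataclass
class Sample:
    ts: float       # poll time in seconds
    in_octets: int  # ifHCInOctets value read at that time

def utilization(prev, cur, link_bps=LINK_BPS):
    """Inbound utilization (fraction of capacity) between two polls."""
    dt = cur.ts - prev.ts
    if dt <= 0:
        raise ValueError("samples must be in increasing time order")
    # Modular subtraction keeps the delta correct across one counter wrap.
    delta = (cur.in_octets - prev.in_octets) % COUNTER64_MOD
    return delta * 8 / (dt * link_bps)

def detect_saturation(samples, link_bps=LINK_BPS, threshold=0.8, sustain=3):
    """Poll times at which utilization has been >= threshold for
    `sustain` consecutive intervals (assumed values, tune per link)."""
    alerts, streak = [], 0
    for prev, cur in zip(samples, samples[1:]):
        u = utilization(prev, cur, link_bps)
        if u > 1.05:
            # Faster than line rate: the counter was reset (e.g. a reboot),
            # so this interval carries no usable data. Start the streak over.
            streak = 0
            continue
        streak = streak + 1 if u >= threshold else 0
        if streak >= sustain:
            alerts.append(cur.ts)
    return alerts

# Constructed 60-second polls: two intervals at 20%, then a ramp to 90-96%.
SAMPLES = [
    Sample(0, 1_000_000_000_000),
    Sample(60, 1_001_500_000_000),
    Sample(120, 1_003_000_000_000),
    Sample(180, 1_009_750_000_000),
    Sample(240, 1_016_500_000_000),
    Sample(300, 1_023_250_000_000),
    Sample(360, 1_030_450_000_000),
]

if __name__ == "__main__":
    print(detect_saturation(SAMPLES))  # [300, 360]
```

Requiring several consecutive high intervals keeps a single traffic burst from triggering an alert, and the line-rate sanity check keeps a counter reset from being read as a flood.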