The first question we hear from ISPs and enterprises evaluating DDoS protection is rarely about attack types. It is about where the mitigation lives.
Do you install CoreDetection™ and CoreEdge™ on hardware in your own datacenter — and scrub traffic locally? Or do you point BGP at CoreTech’s managed scrubbing network over a GRE tunnel and let us handle the infrastructure?
Both models deliver the same CoreEdge™ + CoreDetection™ protection stack. The difference is operational: who owns the hardware, where packets are filtered, and how quickly you can go live when CoreTech has no scrubbing PoP in your city.
This guide compares both paths so you can choose the model that fits your network — without wasting time on the wrong architecture.
Two Models, One Platform
Regardless of deployment model, the protection logic is identical:
- CoreDetection™ ingests NetFlow / IPFIX / sFlow from your routers, learns traffic baselines with AI, and detects attacks in real time.
- CoreEdge™ filters malicious packets at wire speed via XDP/eBPF — at the NIC level, before the kernel stack processes them.
- BGP diverts traffic to the scrubbing path; clean traffic returns to your network automatically.
The deployment model only changes where CoreEdge runs and who operates the hardware.
Model 1: Managed BGP over GRE
In the managed model, you establish a GRE tunnel between your edge router and CoreTech’s nearest scrubbing node. BGP sessions run over the tunnel. Your prefixes are announced to our network; attack traffic is scrubbed remotely and clean packets are returned through the same tunnel.
How it works:
- CoreTech provisions a GRE endpoint and BGP session on our side.
- You configure the tunnel on your edge router (Juniper, Arista, Cisco, or equivalent).
- You announce your IP prefixes via BGP.
- CoreDetection monitors flow telemetry; CoreEdge scrubs diverted traffic at our scrubbing node.
- Clean traffic is delivered back to you through the GRE tunnel.
What you get:
- No hardware to purchase or maintain on your side
- Same-day activation — often within hours; emergency onboarding in under 30 minutes during active attacks
- Fully managed scrubbing infrastructure and 24/7 SOC
- Typical added latency: 1–5 ms depending on distance to the nearest scrubbing node
- Clean traffic capacity tier based on your subscription (e.g. 10 Gbps managed GRE)
Best for:
- Networks in regions where CoreTech has no local scrubbing PoP (Southeast Asia, Central Europe, LATAM, etc.)
- Cloud-hosted or remote infrastructure without colocation at our facilities
- ISPs that want protection live quickly without a hardware procurement cycle
- Emergency onboarding while a longer-term on-premises deployment is planned
Trade-offs:
- Traffic transits to a remote scrubbing node — added latency vs local filtering
- Dependent on internet path quality between your edge and our GRE endpoint
- Clean traffic capacity is tied to your managed subscription tier
Model 2: On-Premises Appliance
In the on-premises model, CoreDetection™ and CoreEdge™ are installed on hardware at your facility — your datacenter in Vienna, Miami, Jakarta, or anywhere you operate. Traffic is analyzed and filtered locally. No dependency on CoreTech geographic presence in your city.
How it works:
- You provision a reference hardware build (AMD EPYC, Mellanox ConnectX-6 Dx NICs, NVMe storage — see Server Requirements).
- CoreTech installs CoreDetection + CoreEdge and activates your license.
- Your routers export flow telemetry to CoreDetection on the local network.
- CoreEdge filters traffic inline at your edge — zero GRE hop, zero remote scrubbing dependency.
- BGP announcements go to your local routers; mitigation is entirely on-site.
What you get:
- 100 Gbps clean traffic capacity with mitigation headroom up to 300 Gbps attack traffic (standard license tier)
- Lowest possible latency — filtering happens in your rack, not across the internet
- Full data sovereignty — attack traffic never leaves your facility
- No prefix cap — announce your entire IP space; on-demand
/32diversion per host during attacks - Software license with continuous updates and 24/7 support
Best for:
- ISPs and hosting providers with 100+ prefixes who need local control
- Regulated industries requiring on-site data processing
- High-bandwidth networks where remote scrubbing latency or capacity tiers are a constraint
- Organizations in cities where CoreTech has no managed PoP but the customer has datacenter space
Trade-offs:
- One-time hardware cost (reference build approximately USD 20–25k)
- You manage physical infrastructure, power, and NIC capacity
- Initial deployment takes longer than GRE (hardware procurement + installation)
Side-by-Side Comparison
| Factor | Managed GRE | On-Premises |
|---|---|---|
| Hardware on your side | None | Required |
| Time to go live | Same day (hours) | Days to weeks (hardware + install) |
| Latency added | 1–5 ms (tunnel + distance) | Near zero (local filtering) |
| Geographic dependency | Nearest CoreTech scrubbing node | None — runs in your DC |
| Data sovereignty | Traffic scrubbed remotely | Traffic stays on-site |
| Prefix limits | Unlimited | Unlimited |
| Clean traffic capacity | Tier-based (e.g. 10 Gbps) | 100 Gbps standard license |
| Attack headroom | Per tier | Up to 300 Gbps |
| Operational burden | CoreTech managed | Customer hardware + CoreTech software/support |
What If CoreTech Has No PoP in Your City?
This is the most common scenario we encounter — and it does not block deployment.
If CoreTech has no scrubbing presence in your city (Vienna, Miami, Jakarta, etc.), you have two viable paths:
Short term: Managed GRE to our nearest scrubbing node. Protection live same day. No waiting for hardware.
Long term: On-premises appliance in your local datacenter. Full capacity, zero remote dependency, data stays local.
Many customers start with GRE for immediate protection, then migrate to on-premises once hardware is procured — or run both, with GRE as failover.
Prefix Scale: No Limits Either Way
Whether you operate 10 prefixes or 1,000, CoreTech does not cap BGP announcements. You announce your full IP space via always-on BGP. During attacks, CoreDetection can additionally divert individual hosts on demand via /32 routes — automatic or manual through the Client Portal.
For ISPs managing hundreds of downstream /24 blocks, the on-premises multi-tenant architecture applies independent security policies per prefix at wire speed — no shared rate-limit buckets between tenants.
How to Decide
Choose Managed GRE if:
- You need protection this week, not next month
- You have no datacenter space or hardware budget right now
- Your clean traffic fits within a managed tier
- Added latency of 1–5 ms is acceptable for your services
Choose On-Premises if:
- You need 100 Gbps local capacity with 300 Gbps attack headroom
- Data must stay in your facility
- You are in a region with no CoreTech PoP and want zero dependency on remote scrubbing
- You operate at ISP scale with hundreds of prefixes and want full local control
Choose Both if:
- You want GRE live immediately while on-premises hardware is being procured
- You need GRE as a failover path alongside a primary on-premises scrubbing node
Getting Started
Both deployment models include the same platform capabilities: CoreEdge™ XDP/eBPF filtering, CoreDetection™ AI detection, Client Portal access, API/webhook integration, and 24/7 SOC support.
New GRE customers typically go from first contact to protected within hours. On-premises deployments follow hardware delivery and installation — typically 1–2 weeks from order to live mitigation.
Not sure which model fits? Share your approximate clean traffic volume, location, and prefix count — our network engineering team will recommend the right architecture.
Want to see this in action?
Get a live demonstration of CoreTech's DDoS mitigation platform.
