One of the first questions enterprise and ISP prospects ask is not about peak mitigation capacity. It is about collateral damage:
Will your DDoS protection block our VPN? Will SIP/VoIP calls drop during an attack? Do CCTV camera streams get filtered? Can 4K video traffic pass through without false positives?
These are the right questions. A mitigation platform that stops attacks but breaks production services has failed — regardless of how fast it drops malicious packets.
CoreTech is engineered around near-zero false positives. Under normal conditions, we do not block legitimate services. During active attacks, mitigation targets attack signatures — not your production traffic patterns.
The False Positive Problem
Legacy DDoS systems rely on static thresholds: if bandwidth exceeds X Gbps, if packets per second exceed Y, declare an attack and drop everything. This logic breaks the moment legitimate traffic looks unusual:
- A VPN concentrator handling thousands of encrypted tunnels generates high connection counts
- A SIP trunk carrying hundreds of concurrent VoIP calls produces steady UDP on port 5060
- CCTV / RTSP streams push continuous UDP from hundreds of cameras
- 4K video delivery creates sustained high-bandwidth flows that look like floods to threshold-based systems
- GRE and IPsec tunnels carry encapsulated traffic that naive filters misclassify
A false positive during an attack is indistinguishable from an outage to your users. CoreDetection™ replaces static thresholds with AI-learned behavioral baselines that understand what normal looks like for your specific network — including VPN peaks, camera streams, and video delivery patterns.
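To make the contrast concrete, here is an added illustration (not CoreTech code and not the CoreDetection algorithm) that runs a static aggregate threshold and a simple per-source baseline over the same constructed camera traffic. The 50,000 PPS limit, the `k` and `max_new_ratio` parameters, and all addresses are assumptions chosen for the example.

```python
from statistics import mean, pstdev

STATIC_PPS_LIMIT = 50_000  # assumed legacy aggregate packets/second threshold

def static_verdict(window):
    """Legacy logic: aggregate PPS above a fixed limit is declared an attack."""
    return sum(window.values()) > STATIC_PPS_LIMIT

def learn_baseline(history):
    """Per-source (mean, stddev) of PPS over past windows of normal traffic."""
    samples = {}
    for window in history:
        for src, pps in window.items():
            samples.setdefault(src, []).append(pps)
    return {src: (mean(v), pstdev(v)) for src, v in samples.items()}

def baseline_verdict(window, baseline, k=4.0, max_new_ratio=0.2):
    """Return only the sources that deviate from the learned profile."""
    flagged = set()
    new = [s for s in window if s not in baseline]
    if new and len(new) / len(window) > max_new_ratio:
        flagged.update(new)  # sudden source dispersion: many never-seen senders
    for src, pps in window.items():
        if src in baseline:
            mu, sigma = baseline[src]
            # The 5% floor keeps a near-constant stream from tripping on jitter.
            if pps > mu + k * max(sigma, 0.05 * mu):
                flagged.add(src)
    return flagged

# Constructed sample data: 200 cameras at roughly 300 PPS each.
CAMERAS = [f"10.20.{i // 100}.{i % 100 + 1}" for i in range(200)]

def camera_window(t):
    return {cam: 300 + ((i + t) % 5) * 4 for i, cam in enumerate(CAMERAS)}

BASELINE = learn_baseline([camera_window(t) for t in range(6)])
NORMAL = camera_window(6)                       # ordinary camera traffic
SPOOFED = {f"198.18.{j // 250}.{j % 250 + 1}": 100 for j in range(1000)}
ATTACK = {**NORMAL, **SPOOFED}                  # cameras plus a spoofed flood

if __name__ == "__main__":
    print("static threshold on normal traffic:", static_verdict(NORMAL))
    print("baseline flags on normal traffic:", len(baseline_verdict(NORMAL, BASELINE)))
    print("baseline flags during flood:", len(baseline_verdict(ATTACK, BASELINE)))
```

The static check declares an attack on ordinary camera traffic, while the baseline check flags nothing until the spoofed sources appear and then flags only those.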
What Stays Online: Service by Service
VPN (OpenVPN, WireGuard, IPSec)
VPN traffic is not blocked by default. CoreEdge includes allow templates for common VPN protocols with sensible rate limits that prevent VPN floods without affecting legitimate remote access:
- OpenVPN (UDP/TCP 1194) — rate-limited per source, not globally blocked
- WireGuard (UDP 51820) — allowed with flood protection
- IPSec IKE (UDP 500/4500) — key exchange permitted; only abusive volumes are shaped
During an attack on a different service, VPN traffic to unaffected prefixes continues normally. CoreDetection’s ML baseline accounts for VPN connection patterns as part of your network’s learned rhythm.
SIP / VoIP (5060, 5061)
Voice over IP is latency-sensitive and connection-heavy — exactly the kind of traffic that breaks under aggressive blanket filtering. CoreEdge supports SIP allow rules with per-source rate limiting:
- SIP signaling (UDP/TCP 5060) — allowed with configurable PPS limits
- SIP TLS (5061) — secure signaling permitted
- RTP media streams — pass through when signaling is validated
VoIP providers and contact centers can pre-configure SIP-specific policies through the Client Portal. During an attack, only the attacked vector is mitigated — not your entire voice infrastructure.
CCTV / Camera Streams (RTSP, ONVIF)
IP camera networks generate continuous UDP/TCP streams from dozens or hundreds of devices. This traffic pattern resembles a UDP flood to threshold-based systems. CoreDetection learns camera stream baselines as part of your normal traffic profile:
- Steady per-camera bandwidth is recognized as legitimate
- Sudden spikes from spoofed sources are filtered
- GeoIP and per-source rate limits catch camera botnet floods without blocking real devices
No special configuration is required for baseline protection. Custom allow rules can tighten camera-specific port and protocol policies if needed.
4K / High-Bandwidth Video
High-bandwidth video delivery — streaming platforms, CDN origin servers, media encoding farms — creates sustained flows that exceed typical threshold limits. CoreDetection’s behavioral engine learns peak usage patterns including time-of-day cycles, event-driven spikes, and seasonal growth:
- A product launch traffic surge is recognized against learned baselines
- A CDN cache purge spike does not trigger false mitigation
- Only traffic that deviates from behavioral norms — source dispersion, protocol anomalies, timing patterns — raises the AI threat score
Rate limiting applies to attack sources, not aggregate bandwidth caps on your service.
Tunnels (GRE, IPsec, VXLAN)
Ironically, GRE is also how many customers connect to CoreTech for managed scrubbing. Tunnel protocols are not blocked:
- GRE — standard delivery method for BGP-over-GRE deployments
- IPsec — site-to-site VPN tunnels pass through with stateful validation
- Encapsulated traffic is inspected at the outer packet layer; legitimate tunnel endpoints are not dropped
What Happens During an Active Attack
The protection model has two layers that work together:
Layer 1 — Pre-configured rules (always active). Firewall policies you define through the Client Portal — allow lists, rate limits, GeoIP rules, TCP flag validation — protect your prefixes from the moment BGP is established. Legitimate services with pre-configured allow rules stay online immediately.
Layer 2 — AI-driven dynamic rules (automatic). When CoreDetection confirms an attack, it generates targeted mitigation rules based on the specific attack vector — SYN flood, UDP amplification, ICMP overload — and deploys them to CoreEdge within seconds. These rules target attack signatures, not your production service patterns.
Customer-defined rules are evaluated first. System-generated dynamic rules apply only to confirmed attack traffic. The result: VPN stays up, cameras keep streaming, VoIP calls continue — while attack packets are dropped.
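The evaluation order described above can be sketched as a first-match rule walk with a per-source rate limit on the allow rule. This is an added example, not the CoreEdge implementation: the `Rule` class, the rule names, the 5 PPS limit, the amplification source port and all packets are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                            # "allow" or "drop"
    proto: str
    dport: Optional[int] = None            # None matches any port
    sport: Optional[int] = None
    pps_per_source: Optional[int] = None   # only meaningful on allow rules
    counts: dict = field(default_factory=dict)

    def matches(self, pkt):
        return (pkt["proto"] == self.proto
                and self.dport in (None, pkt["dport"])
                and self.sport in (None, pkt["sport"]))

    def decide(self, pkt):
        if self.action == "drop" or self.pps_per_source is None:
            return self.action
        key = (pkt["src"], int(pkt["ts"]))  # one counter per source per second
        self.counts[key] = self.counts.get(key, 0) + 1
        return "allow" if self.counts[key] <= self.pps_per_source else "drop"

def evaluate(pkt, customer_rules, dynamic_rules):
    """First match wins; customer-defined rules are consulted first."""
    for rule in [*customer_rules, *dynamic_rules]:
        if rule.matches(pkt):
            return rule.decide(pkt), rule.name
    return "allow", "default"               # nothing is blocked by default

def pkt(src, proto, sport, dport, ts=0.0):
    return {"src": src, "proto": proto, "sport": sport, "dport": dport, "ts": ts}

def run_demo():
    customer = [Rule("sip-allow", "allow", "udp", dport=5060, pps_per_source=5)]
    dynamic = [Rule("dyn-amplification", "drop", "udp", sport=1900)]  # constructed
    traffic = (
        [pkt("192.0.2.10", "udp", 5060, 5060)] * 3         # phone at 3 PPS
        + [pkt("198.51.100.7", "udp", 40000, 5060)] * 20   # one abusive source
        + [pkt("203.0.113.9", "udp", 1900, 33000)] * 4     # reflected replies
        + [pkt("192.0.2.20", "tcp", 51000, 443)]           # unrelated service
    )
    tally = {}
    for p in traffic:
        verdict = evaluate(p, customer, dynamic)
        tally[verdict] = tally.get(verdict, 0) + 1
    return tally
```

The legitimate phone stays under its per-source limit, the abusive sender is throttled by the same customer rule, and the dynamic rule only ever sees traffic that no customer rule claimed.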
What Can Be Blocked — If You Choose
CoreTech does not block services by default. But you have full control to restrict traffic when your policy requires it:
- GeoIP blocking — temporarily block countries during an attack (configurable per prefix)
- Port/protocol rules — deny specific ports or protocols on any prefix
- ASN blocking — drop traffic from known problematic autonomous systems
- Per-source rate limits — throttle abusive sources without affecting legitimate users
- Custom default policies — define SYN, UDP, ICMP thresholds per prefix
Any intentional restriction is customer-defined through the portal or API — not a platform default.
Symmetric vs Asymmetric: Impact on L7 Services
For application-layer services (HTTP/S inspection, connection validation), symmetric routing — where both inbound and outbound traffic pass through CoreEdge — provides the highest mitigation accuracy (up to 99% SLA). This is recommended for web applications and API services.
For infrastructure services like VPN, SIP, and CCTV that primarily need L3/L4 protection, asymmetric routing works effectively (~97% SLA) — CoreEdge filters based on packet-level inspection and rate limiting without requiring full return-path visibility.
Summary
| Service | Default behavior | During attack |
|---|---|---|
| VPN (OpenVPN, WireGuard, IPSec) | Allowed | Attack sources filtered; legitimate VPN continues |
| SIP / VoIP | Allowed with rate limits | Signaling protected; attack vectors mitigated surgically |
| CCTV / RTSP streams | Allowed (learned baseline) | Camera botnet floods filtered; real devices continue |
| 4K / high-bandwidth video | Allowed (ML baseline) | Only anomalous attack patterns dropped |
| GRE / IPsec tunnels | Allowed | Tunnel protocol not blocked; abuse rate-limited |
CoreTech protects your network without breaking the services running on it. That is the difference between a mitigation platform and an outage generator.


