I have it on decent authority they use a product called Arbor.
[https://www.netscout.com/arbor](https://www.netscout.com/arbor)
There are a couple of techniques that are well known for use with DDoS, things like a DNS amplification attack. Even if you run a large network, it is really hard for you to mitigate an attack like that. If you are the size of Cloudflare or one of a few American ISPs, you actually can. Arbor devices sit in line with the traffic and can initiate a mitigation in under a minute. It is smart enough to know "those 10,000 DNS responders shouldn't act that way, because they haven't for the last three years." That traffic is quietly dropped by devices running multiple 100 Gb network interfaces; at present there is not enough traffic on the internet to swamp the trunks headed into the Arbor devices. This is all very expensive: the kind of routers that feed an Arbor device are like $90,000 or more. So the senders send all this traffic, but Cloudflare drops it, and the Cloudflare customer barely notices anything happened.
Others have responded that Cloudflare can mitigate the endpoint with something called a "captcha", which is true, but a true DDoS attack will quickly overwhelm that. They can literally swamp a network port with traffic sourced from across the world. The system can't throw enough CAPTCHAs up, and even if it could, each of those sessions takes up bandwidth. Eventually, the server ends up doing nothing but denying / refusing connections. That IS a successful DDoS attack: you overwhelmed the target with traffic. The only way to fix that is to drop the traffic well in advance of it getting to any kind of Cloudflare instance.
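The idea in the answer above, that a responder which has answered a few queries per minute for years should not suddenly be sending thousands of large answers at one address, can be shown in a few dozen lines. The following is an added example, not code from the original post and not how Arbor/NETSCOUT products are implemented: it builds a per-responder baseline from constructed flow records, flags a destination when many responders each exceed their own history by a large factor, drops those responder-to-victim flows, and renders the result as nftables commands (the `inet filter` table and `forward` chain names are assumptions). All addresses and traffic figures are constructed sample data.

```python
"""
Baseline-driven detection of a DNS amplification flood over constructed flow
records. Added illustration of the "responders haven't behaved like this before"
idea; not the original post's code and not an Arbor/NETSCOUT implementation.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # time bucket, e.g. a one-minute window index
    src: str
    dst: str
    sport: int
    dport: int
    packets: int
    nbytes: int


def is_dns_response(f):
    # Amplification traffic arrives as answers *from* UDP/53 on open resolvers.
    return f.sport == 53


def build_baseline(history):
    """Mean DNS-response packets per window for each responder seen in history."""
    per_src = defaultdict(int)
    for f in history:
        if is_dns_response(f):
            per_src[f.src] += f.packets
    windows = len({f.ts for f in history}) or 1
    return {src: total / windows for src, total in per_src.items()}


def detect(current, baseline, factor=10.0, floor=50, min_sources=20):
    """Return {victim: [responders]} where at least min_sources responders each
    send more than factor x their own baseline (or the absolute floor, for
    responders never seen before) toward a single destination."""
    by_dst = defaultdict(lambda: defaultdict(int))
    for f in current:
        if is_dns_response(f):
            by_dst[f.dst][f.src] += f.packets
    plan = {}
    for dst, per_src in by_dst.items():
        offenders = [s for s, p in per_src.items()
                     if p > max(floor, factor * baseline.get(s, 0.0))]
        if len(offenders) >= min_sources:
            plan[dst] = sorted(offenders)
    return plan


def apply_plan(current, plan):
    """Drop flagged responder -> victim DNS responses; return (kept, dropped_bytes)."""
    blocked = {dst: set(srcs) for dst, srcs in plan.items()}
    kept, dropped = [], 0
    for f in current:
        if is_dns_response(f) and f.src in blocked.get(f.dst, ()):
            dropped += f.nbytes
        else:
            kept.append(f)
    return kept, dropped


def nft_rules(plan, table="inet filter", chain="forward"):
    """Render the plan as nftables commands (table and chain names are assumptions)."""
    return [f"nft add rule {table} {chain} ip saddr {s} ip daddr {d} udp sport 53 drop"
            for d, srcs in plan.items() for s in srcs]


# ---- constructed sample data (RFC 5737 documentation addresses) ----
RESPONDERS = [f"198.51.100.{i}" for i in range(1, 61)]
CLIENTS = [f"192.0.2.{i}" for i in range(1, 11)]
VICTIM = "203.0.113.10"


def normal_window(ts):
    # Each responder answers a handful of ordinary ~120-byte queries per window.
    return [Flow(ts, r, CLIENTS[i % len(CLIENTS)], 53, 40000 + i, 5 + i % 3, (5 + i % 3) * 120)
            for i, r in enumerate(RESPONDERS)]


def constructed_history(windows=30):
    return [f for ts in range(windows) for f in normal_window(ts)]


def constructed_attack_window(ts=30):
    flows = normal_window(ts)
    # 25 known responders plus 5 never-seen ones suddenly fire 3.5 KB answers at VICTIM.
    abusers = RESPONDERS[:25] + [f"198.51.100.{i}" for i in range(61, 66)]
    flows += [Flow(ts, r, VICTIM, 53, 33434, 2000, 2000 * 3500) for r in abusers]
    return flows


def run():
    baseline = build_baseline(constructed_history())
    current = constructed_attack_window()
    plan = detect(current, baseline)
    kept, dropped = apply_plan(current, plan)
    return plan, kept, dropped


if __name__ == "__main__":
    plan, kept, dropped = run()
    print(f"victims: {list(plan)}; blocked responders: {len(plan[VICTIM])}")
    print(f"dropped {dropped / 1e6:.0f} MB, kept {len(kept)} legitimate flows")
    print("\n".join(nft_rules(plan)[:3]))
```

The thresholds (`factor`, `floor`, `min_sources`) are the tuning knobs a real deployment spends most of its effort on: a factor too low flags a resolver that simply got popular, a floor too low flags nothing useful for responders with no history, and `min_sources` is what keeps one busy resolver from being mistaken for an amplification flood. Note that the same responders still answer their ordinary clients in the attack window and those flows are kept; only the responder-to-victim pairs are dropped.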