@thatpinguino: both can be used, it depends on how big of an infrastructure you want to protect.
the way it works is the DDoS protection filters out traffic by having all the traffic go to their services first, which filters out normal traffic from the 'bad' traffic.
normal traffic gets routed to the servers.. 'bad traffic' simply gets dropped.
the thing to keep in mind is that companies the size of Microsoft or Google do not deal with ISPs, they deal with multiple peering providers.. basically they have multiple direct lines going to their multiple data centers around the world directly.. so it is no longer viable to do it at 'ISP level'.
the one thing I will add is that network equipment is becoming more automated or 'smart',
where pattern inspection of packets like the ones Verisign, F5 or Nexusguard provide for their customers is becoming better and more able to stop DDoS attacks once they happen.
so it's not impossible to stop DDoS attacks in the cases of Xbox Live and PSN, it's just very costly to do it at that scale.
StressedOutCat's comments