Anti-DDoS service provider, part of which can potentially be generated by an attacker. The security provider processes and filters this traffic, then sends clean traffic to the customer.
First off, the result of traffic cleaning depends on the professionalism of the DDoS protection provider and its filtering capabilities. Since Anti-DDoS services are very popular nowadays, there are too many providers on the market. Usually these providers do not have much knowledge and experience in DDoS mitigation. Often security services are offered, for example, by Internet service providers (ISPs). To understand exactly what their protection offers and how effective it will be, you will have to figure it out in advance.
Secondly, the quality of traffic cleaning depends on the method of connection to the Anti-DDoS service. If it is chosen wrong, an attacker can easily find a hole in the protection and continue to attack the customer with new force bypassing the filters of the Anti-DDoS service. Depending on the features of the service and its architecture, various options may be suitable - symmetric or asymmetric filtering, at the packet level or at the application level, using proxying or the BGP Protocol.
Third, a customer may (in order to save money or out of knowledge) purchase limited protection capabilities from a provider. As a result, his resources will be protected only from certain kinds of attacks, while other DDoS attacks (for example, more intelligent ones) can cause him a lot of trouble and inflict significant damage to his business.