DDoS Protection

In our Los Angeles, Miami, Secaucus, Kansas City, and Johor locations, we do not provide DDoS protection. We make no guarantees that we can keep your service online during a DDoS attack, and an attack may lead to a complete IP nullroute or complete service suspension depending on the size, frequency, and complexity. We will do our best to contact you if we notice that there is a problematic trend of DDoS toward your service, but this may not always be possible, especially in cases where DDoS is starting to impact our entire network.

DDoS Protection Add-on

Price and Availability

For a price of $4 per DDoS-Protected IP, we can offer you an IP address that is protected by NeoProtect. This service is offered for any virtual servers in Los Angeles, Miami, or Johor. If you would like to add this, please open a support ticket. This add-on is extremely important to have if you are anticipating DDoS at all.

For services in Nuremberg, we include DDoS mitigation by Avoro/Dataforest at no additional charge (this may change in the future). Services protected by Avoro/Dataforest have access to filters similar to those available to services protected by NeoProtect, as well as configurable firewall filters.

Filters

Currently, we provide the following filters (this may change in the future):

| Name | Protocol | Action | Filter | Tags |
|---|---|---|---|---|
| SCP: Secret Laboratory | UDP | FILTER | SCP: Secret Laboratory | Default |
| Arma | UDP | FILTER | Arma Reforger | Default |
| Palworld | UDP | FILTER | Palworld | Default |
| TeamSpeak 3 Query/Filetransfer | TCP | FILTER | TeamSpeak 3 Query/Filetransfer | Default |
| AltV UDP | UDP | FILTER | AltV UDP | Default |
| AltV TCP | TCP | FILTER | AltV TCP | Default |
| txAdmin | TCP | FILTER | txAdmin | Default |
| OpenVPN | UDP | FILTER | OpenVPN | Default |
| FiveM TCP Ultra Strict | TCP | FILTER | FiveM TCP Ultra Strict | Default |
| FiveM TCP Strict | TCP | FILTER | FiveM TCP Strict | Default |
| Plasmo Voice | UDP | FILTER | Plasmo Voice | Default |
| UDP Light Generic | UDP | FILTER | UDP Generic | Default |
| HTTP | TCP | FILTER | HTTP | Default |
| Minecraft Java | TCP | FILTER | Minecraft Java | Default |
| any TCP application | TCP | FILTER | Stateful TCP | Default |
| Source Engine / A2S | UDP | FILTER | Source Engine / A2S | Default |
| FiveM TCP | TCP | FILTER | FiveM TCP | Default |
| FiveM UDP | UDP | FILTER | FiveM UDP | Default |
| RakNet (Rust, MC Bedrock, Terraria, 7 Days to Die, …) | UDP | FILTER | RakNet (Rust, MCPE, Terraria, …) | Default |
| QUIC | UDP | FILTER | QUIC | Default |
| DayZ | UDP | FILTER | DayZ | Default |
| TLS | TCP | FILTER | TLS | Default |
| TeamSpeak 3 | UDP | FILTER | TeamSpeak 3 | Default |
| WireGuard | UDP | FILTER | WireGuard | Default |
| any UDP application | UDP | FILTER | UDP Generic | Default |
| Remote Desktop Protocol | TCP | FILTER | RDP | Default |
| FiveM UDP Strict | UDP | FILTER | FiveM UDP Strict | Default |
| SSH | TCP | FILTER | SSH2 | Default |

Configuration

When you buy the DDoS protection add-on in Los Angeles, Miami, or Johor, a second IP address will be added to your VPS control panel. This is the DDoS-protected IP address. Your original unprotected IP address will still be active. To use the protected IP, you will need to manually add it as a second IP address in your server’s network settings. If you prefer to use the DDoS-protected IP as your only or primary IP address, we can remove the original one. Just open a support ticket to let us know.

You will gain access to a new tab within the VPS control panel called DDoS Protection.

We recommend enabling “Allow Egress Traffic” and “Symmetric Filtering” if they are available in this tab.

Set the “Default Action” to Drop in order to block all traffic unless it matches a specific rule. This means that if you want to allow something (like a port or app), you must create a rule for it; otherwise, it will be blocked.

Make sure to create firewall rules for each of the applications that you are running on your VPS. For example, if you have SSH on port 22, make a firewall rule with:

Protocol: TCP
Preset: SSH (TCP)
Min Port: 22
Max Port: Blank

You can also create port ranges. For example, if you have Minecraft Java servers running on Port 25565 to Port 25575, you can make a firewall rule like:

Protocol: TCP
Preset: Minecraft Java (TCP)
Min Port: 25565
Max Port: 25575

If you do not perform these steps to add rules for each of your applications, then the mitigation will not work properly.
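With the Default Action set to Drop, any service listening on the VPS without a matching rule becomes unreachable on the protected IP. The script below is an added example, not part of our control panel or of NeoProtect: it compares constructed `ss -H -tuln` output against the two rules shown above and reports listeners that no rule covers. The Rule type, the function names and the sample listeners are assumptions made for illustration.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    protocol: str             # "TCP" or "UDP", as in the panel's Protocol field
    preset: str               # preset name, kept for reporting only
    min_port: int
    max_port: Optional[int]   # None models a blank Max Port (single port)

    def covers(self, proto: str, port: int) -> bool:
        high = self.min_port if self.max_port is None else self.max_port
        return proto == self.protocol and self.min_port <= port <= high

# The two rules from the examples above.
RULES = [
    Rule("TCP", "SSH (TCP)", 22, None),
    Rule("TCP", "Minecraft Java (TCP)", 25565, 25575),
]

# Constructed sample of `ss -H -tuln` output (not taken from a real server).
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      50                 *:25565            *:*
tcp   LISTEN 0      50                 *:25570            *:*
tcp   LISTEN 0      4096       127.0.0.1:3306       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:51820      0.0.0.0:*
tcp   LISTEN 0      511             [::]:8080          [::]:*
"""

def listeners(ss_output: str):
    """Return sorted (protocol, port) pairs bound to non-loopback addresses."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line or another socket family
        addr, _, port = fields[4].rpartition(":")
        if addr.startswith("127.") or addr == "[::1]" or not port.isdigit():
            continue  # loopback-only services never see external traffic
        found.add((fields[0].upper(), int(port)))
    return sorted(found)

def uncovered(ss_output: str, rules):
    """Listeners that no rule matches, i.e. dropped under Default Action Drop."""
    return [(p, n) for p, n in listeners(ss_output)
            if not any(r.covers(p, n) for r in rules)]

if __name__ == "__main__":
    for proto, port in uncovered(SAMPLE_SS, RULES):
        print(f"no rule for {proto} port {port}")
```

To check a real server, pass the output of `ss -H -tuln` in place of SAMPLE_SS and fill RULES with the rules you have created in the DDoS Protection tab.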

Networking Differences

We use the same network upstream (CDN77) for both non-protected addresses and DDoS-Protected addresses in Los Angeles, Miami, and Johor. Generally, you may see a 1-2ms latency increase with a DDoS-Protected IP address depending on the location.

Because we leverage NeoProtect’s anycast network, there can be some differences in routing. This can be especially prevalent in Asia Pacific. If you see any problems with high latency from certain sources, then please open a ticket with MTRs. We may be able to contact NeoProtect to make certain adjustments.

See the Network Problems page for information on how to run and provide us with an MTR.

Sending DDoS Attacks

We strictly prohibit any form of Distributed Denial of Service (DDoS) activity toward our network, even if the target is your own DDoS-protected IP address. Launching or simulating DDoS attacks is illegal in many jurisdictions. In the United States, it constitutes a violation of the Computer Fraud and Abuse Act of 1986, and can lead to a prison sentence, fine, or a criminal record.

Furthermore, purchasing access to DDoS tools or botnets is not only unethical but also contributes directly to cybercrime. These tools are commonly powered by networks of compromised devices, often without the knowledge or consent of their owners.

Therefore, we highly advise against participating in sending DDoS attacks, even if it is to only test your DDoS mitigation.