DDoS Protection

In our Los Angeles, Miami, Secaucus, Kansas City, and Johor locations, we do not provide DDoS protection. We make no guarantees that we can keep your service online during a DDoS attack, and an attack may lead to a complete IP nullroute or complete service suspension depending on the size, frequency, and complexity. We will do our best to contact you if we notice that there is a problematic trend of DDoS toward your service, but this may not always be possible, especially in cases where DDoS is starting to impact our entire network.

DDoS Protection Add-on

Price and Availability

For a price of $4 per DDoS-Protected IP, we can offer you an IP address that is protected by NeoProtect. This service is offered for any virtual servers in Los Angeles, Miami, or Johor. If you would like to add this, please open a support ticket. This addon is extremely important to have if you are anticipating DDoS at all. For services in Nuremberg, we include DDoS mitigation by Avoro/Dataforest at no additional charge (this may change in the future). Services protected by Avoro/Dataforest have access to similar filters as those that are protected by NeoProtect, and have access to configurable firewall filters. If you would like to purchase a DDoS-Protected IP, please open a ticket and we will assign one.

Filters

Currently, we provide the following filters (this may change in the future):
NameProtocolActionFilterTags
SCP: Secret LaboratoryUDPFILTERSCP: Secret LaboratoryDefault
ArmaUDPFILTERArma ReforgerDefault
PalworldUDPFILTERPalworldDefault
TeamSpeak 3 Query/FiletransferTCPFILTERTeamSpeak 3 Query/FiletransferDefault
AltV UDPUDPFILTERAltV UDPDefault
AltV TCPTCPFILTERAltV TCPDefault
txAdminTCPFILTERtxAdminDefault
OpenVPNUDPFILTEROpenVPNDefault
FiveM TCP Ultra StrictTCPFILTERFiveM TCP Ultra StrictDefault
FiveM TCP StrictTCPFILTERFiveM TCP StrictDefault
Plasmo VoiceUDPFILTERPlasmo VoiceDefault
UDP Light GenericUDPFILTERUDP GenericDefault
HTTPTCPFILTERHTTPDefault
Minecraft JavaTCPFILTERMinecraft JavaDefault
any TCP applicationTCPFILTERStateful TCPDefault
Source Engine / A2SUDPFILTERSource Engine / A2SDefault
FiveM TCPTCPFILTERFiveM TCPDefault
FiveM UDPUDPFILTERFiveM UDPDefault
RakNet (Rust, MC Bedrock, Terraria, 7 Days to Die, …)UDPFILTERRakNet (Rust, MCPE, Terraria, …)Default
QUICUDPFILTERQUICDefault
DayZUDPFILTERDayZDefault
TLSTCPFILTERTLSDefault
TeamSpeak 3UDPFILTERTeamSpeak 3Default
WireGuardUDPFILTERWireGuardDefault
any UDP applicationUDPFILTERUDP GenericDefault
Remote Desktop ProtocolTCPFILTERRDPDefault
FiveM UDP StrictUDPFILTERFiveM UDP StrictDefault
SSHTCPFILTERSSH2Default

Configuration

When you buy the DDoS protection add-on in Los Angeles, Miami, or Johor, a second IP address will be added to your VPS control panel. This is the DDoS-protected IP address. Your original unprotected IP address will still be active. To use the protected IP, you will need to manually add it as a second IP address in your server’s network settings. If you prefer to use the DDoS-protected IP as your only or primary IP address, we can remove the original one. Just open a support ticket to let us know. You will gain access to a new tab within the VPS control panel called the DDoS Protection. image We recommend enabling “Allow Egress Traffic” and “Symmetric Filtering” if it is available in this tab. Set the “Default Action” to Drop in order to block all traffic unless it matches a specific rule. This means that if you want to allow something (like a port or app), you must create a rule for it, otherwise, it will be blocked. image Make sure to create firewall rules for each of the applications that you are running on your VPS. For example, if you have SSH on port 22, make a firewall rule with: 
Protocol: TCP
Preset: SSH (TCP)
Min Port: 22
Max Port: Blank
You can also create port ranges. For example, if you have Minecraft Java servers running on Port 25565 to Port 25575, you can make a firewall rule like: 
Protocol: TCP
Preset: Minecraft Java (TCP)
Min Port: 25565
Max Port: 25575
If you do not perform these steps to add rules for each of your applications, then the mitigation will not work properly.

Networking Differences

We use the same network upstream (CDN77) for both non-protected addresses and DDoS-Protected addresses in Los Angeles, Miami, and Johor. Generally, you may see a 1-2ms latency increase with a DDoS-Protected IP address depending on the location. Because we leverage NeoProtect’s anycast network, there can be some differences in routing. This can be especially prevalent in Asia Pacific. If you see any problems with high latency from certain sources, then please open a ticket with MTRs. We may be able to contact NeoProtect to make certain adjustments. See the Network Problems page for information on how to run and provide us with an MTR.

Sending DDoS Attacks

We strictly prohibit any form of Distributed Denial of Service (DDoS) activity toward our network, even if the target is your own DDoS-protected IP address. Launching or simulating DDoS attacks is illegal in many jurisdiction. In the United States, it constitutes a violation of the Computer Fraud and Abuse Act of 1986, and can lead to a prison sentence, fine, or a criminal record. Furthermore, purchasing access to DDoS tools or botnets is not only unethical but also contributes directly to cybercrime. These tools are commonly powered by networks of compromised devices, often without the knowledge or consent of their owners. Therefore, we highly advise against participating in sending DDoS attacks, even if it is to only test your DDoS mitigation.