Skip to main content

DDoS Protection

In our Los Angeles, Miami, Secaucus, Kansas City, and Johor locations, we do not provide DDoS protection. We make no guarantees that we can keep your service online during a DDoS attack, and an attack may lead to a complete IP nullroute or complete service suspension depending on the size, frequency, and complexity. We will do our best to contact you if we notice that there is a problematic trend of DDoS toward your service, but this may not always be possible, especially in cases where DDoS is starting to impact our entire network.

DDoS Protection Add-on

Price and Availability

For a price of $4 per DDoS-Protected IP, we can offer you an IP address that is protected by NeoProtect. This service is offered for any virtual servers in Los Angeles, Miami, Kansas City, or Johor. If you would like to add this, please open a support ticket. This addon is extremely important to have if you are anticipating DDoS at all. For services in Nuremberg, we include DDoS mitigation by Avoro/Dataforest at no additional charge (this may change in the future). Services protected by Avoro/Dataforest have access to similar filters as those that are protected by NeoProtect, and have access to configurable firewall filters.

Ordering DDoS Protected IP

You can order a DDoS-Protected IP through our client area here. These are billed seperately, meaning that if you cancel your VPS, you will also need to submit a seperate cancellation request for the IP. DDoS-Protected IPs qualify under our 72-hour refund policy, and are eligible for pro-rata refunds if you cancel before the IP renewal date. In order to place an order for a DDoS-Protected IP, you will need to input the UUID of the VPS that you want to attach it to. To find the UUID, you can open a VPS in the billing portal and look under Server Information -> UUID.
image
 The VPS that you want to attach the IP to must belong to the same account ordering the IP. In addition, you must order a DDoS-Protected IP in the location of the VPS. For example, if your VPS is in Kansas City, you must order a DDoS-Protected IP in Kansas City. Failure to meet these requirements will result in the order being placed on hold and refunded.

OS Configuration

Ubuntu

In most Linux servers using Ubuntu, you can configure a DDoS-Protected IP by doing: 
echo "network:
    version: 2
    ethernets:
        eth0:
            addresses:
            - ip/32" > /etc/netplan/99-ddos-protected-ip.yaml

netplan apply
Replace ip with your DDoS-Protected IP. In the future, if you want to add additional IPs, you can modify /etc/netplan/99-ddos-protected-ip.yaml and add more lines with more addresses like so: 
network:
    version: 2
    ethernets:
        eth0:
            addresses:
            - ip1/32
            - ip2/32
            - ip3/32

Debian

In Debian, you can configure a DDoS-Protected IP by doing: 
echo "iface eth0 inet static
    address ip/32" > /etc/network/interfaces.d/99-ddos-protected-ip

systemctl restart networking
Replace ip with your DDoS-Protected IP. In the future, if you want to add additional IPs, you can modify /etc/network/interfaces.d/99-ddos-protected-ip and add more lines with more addresses like so: 
face eth0 inet static
    address ip1/32
    address ip2/32
    address ip3/32

Filters

Currently, we provide the following filters (this may change in the future):
NameProtocolActionFilterTags
SCP: Secret LaboratoryUDPFILTERSCP: Secret LaboratoryDefault
ArmaUDPFILTERArma ReforgerDefault
PalworldUDPFILTERPalworldDefault
TeamSpeak 3 Query/FiletransferTCPFILTERTeamSpeak 3 Query/FiletransferDefault
AltV UDPUDPFILTERAltV UDPDefault
AltV TCPTCPFILTERAltV TCPDefault
txAdminTCPFILTERtxAdminDefault
OpenVPNUDPFILTEROpenVPNDefault
FiveM TCP Ultra StrictTCPFILTERFiveM TCP Ultra StrictDefault
FiveM TCP StrictTCPFILTERFiveM TCP StrictDefault
Plasmo VoiceUDPFILTERPlasmo VoiceDefault
UDP Light GenericUDPFILTERUDP GenericDefault
HTTPTCPFILTERHTTPDefault
Minecraft JavaTCPFILTERMinecraft JavaDefault
any TCP applicationTCPFILTERStateful TCPDefault
Source Engine / A2SUDPFILTERSource Engine / A2SDefault
FiveM TCPTCPFILTERFiveM TCPDefault
FiveM UDPUDPFILTERFiveM UDPDefault
RakNet (Rust, MC Bedrock, Terraria, 7 Days to Die, …)UDPFILTERRakNet (Rust, MCPE, Terraria, …)Default
QUICUDPFILTERQUICDefault
DayZUDPFILTERDayZDefault
TLSTCPFILTERTLSDefault
TeamSpeak 3UDPFILTERTeamSpeak 3Default
WireGuardUDPFILTERWireGuardDefault
any UDP applicationUDPFILTERUDP GenericDefault
Remote Desktop ProtocolTCPFILTERRDPDefault
FiveM UDP StrictUDPFILTERFiveM UDP StrictDefault
SSHTCPFILTERSSH2Default

Configuration

When you buy the DDoS protection add-on in Los Angeles, Miami, Kansas City, or Johor, a second IP address will be added to your VPS control panel. This is the DDoS-protected IP address. Your original unprotected IP address will still be active. To use the protected IP, you will need to manually add it as a second IP address in your server’s network settings. If you prefer to use the DDoS-protected IP as your only or primary IP address, we can remove the original one. Just open a support ticket to let us know. You will gain access to a new tab within the VPS control panel called the DDoS Protection.
image
 We recommend enabling “Allow Egress Traffic” and “Symmetric Filtering” if it is available in this tab. Set the “Default Action” to Drop in order to block all traffic unless it matches a specific rule. This means that if you want to allow something (like a port or app), you must create a rule for it, otherwise, it will be blocked.
image
 Make sure to create firewall rules for each of the applications that you are running on your VPS. For example, if you have SSH on port 22, make a firewall rule with: 
Protocol: TCP
Preset: SSH (TCP)
Min Port: 22
Max Port: Blank
You can also create port ranges. For example, if you have Minecraft Java servers running on Port 25565 to Port 25575, you can make a firewall rule like: 
Protocol: TCP
Preset: Minecraft Java (TCP)
Min Port: 25565
Max Port: 25575
If you do not perform these steps to add rules for each of your applications, then the mitigation will not work properly.

Networking Differences

Generally, you may see a 1-3ms latency increase with a DDoS-Protected IP address in Johor, Los Angeles, and Miami. There is currently no latency difference in Germany. In our Kansas City location, traffic through DDoS-Protected IPs is tunneled through Chicago. This adds approximately 10-14ms of latency. Because we leverage NeoProtect’s network, there can be some differences in routing. If you see any problems with high latency from certain sources, then please open a ticket with MTRs. We may be able to contact NeoProtect to make certain adjustments. See the Network Problems page for information on how to run and provide us with an MTR.

Sending DDoS Attacks

We strictly prohibit any form of Distributed Denial of Service (DDoS) activity toward our network, even if the target is your own DDoS-protected IP address. Launching or simulating DDoS attacks is illegal in many jurisdiction. In the United States, it constitutes a violation of the Computer Fraud and Abuse Act of 1986, and can lead to a prison sentence, fine, or a criminal record. Furthermore, purchasing access to DDoS tools or botnets is not only unethical but also contributes directly to cybercrime. These tools are commonly powered by networks of compromised devices, often without the knowledge or consent of their owners. Therefore, we highly advise against participating in sending DDoS attacks, even if it is to only test your DDoS mitigation.
I