
What is DDoS protection?

DDoS protection is infrastructure that detects flood attacks and scrubs the hostile traffic upstream, so your server keeps answering legitimate requests while the attack pours into a filter instead.

Updated 2026-06-12

A distributed denial-of-service (DDoS) attack does not hack anything. It simply sends so much traffic — from thousands of compromised devices at once — that the pipe, the network stack or the application drowns, and legitimate users can no longer get through. Attacks are cheap to rent by the hour, which is why they hit game servers over grudges, businesses over ransom notes, and controversial-but-lawful sites over disagreement. DDoS protection is the counter-infrastructure: detection that recognises a flood within seconds, and scrubbing capacity big enough to absorb it while forwarding the real traffic. On a VPS, you cannot bolt this on yourself — by the time packets reach your virtual NIC, the battle is upstream and already lost. It has to be a property of the host’s network, which is why it belongs on the spec sheet next to CPU and disk.

The three layers of attack

  • Volumetric (L3/L4 floods). Raw bandwidth saturation: UDP floods, DNS/NTP amplification, the Mirai-style botnet classics. Measured in gigabits — modern attacks routinely exceed 100 Gbps, far beyond any single server’s uplink. Only upstream scrubbing capacity answers this.
  • Protocol attacks. Exhausting connection-state instead of bandwidth: SYN floods, fragmented-packet tricks, connection-table exhaustion. Smaller in volume, deadlier per packet; filtered by stateful inspection at the edge.
  • Application-layer (L7). Floods of legitimate-looking HTTP requests aimed at expensive endpoints — search pages, login forms, API calls. Hardest to filter generically because each request resembles a real user; mitigated by rate-limiting, challenges and caching at the application edge.

A real protection stack addresses all three; a “DDoS protected” label that amounts to nothing more than a router ACL addresses none of them.

How mitigation actually works

The pipeline is detection → diversion → scrubbing → re-injection. Flow telemetry (NetFlow/sFlow) watches every customer IP for anomalies — a traffic baseline suddenly multiplied, a protocol mix that matches a known attack signature. Within seconds, the target prefix is diverted into scrubbing capacity: filtering hardware that drops spoofed sources, rate-limits flows, validates protocol behaviour and passes what remains. Clean traffic re-enters the network toward your server, which mostly notices nothing. The two figures that matter are time-to-mitigate (seconds vs minutes decides whether players/users ever notice) and scrubbing headroom (a 10 Gbps scrubber facing a 400 Gbps flood is decoration). “Always-on” means traffic is permanently analysed inline rather than diverted only after damage; for attack-prone workloads that difference is the product.
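
The detection step described above, sketched as an added example (not this provider's or any vendor's detection code): a per-destination EWMA baseline plus a check for the DNS/NTP amplification byte mix. The thresholds, class name and flow records are assumptions constructed for the illustration.

```python
from collections import defaultdict

AMP_PORTS = {53: "DNS", 123: "NTP"}  # UDP source ports of the reflectors named above
ALPHA = 0.2         # EWMA weight for the per-IP baseline (assumed)
MULTIPLIER = 8.0    # how far above baseline counts as "multiplied" (assumed)
FLOOR_BPS = 50e6    # ignore spikes on near-idle IPs (assumed)
AMP_SHARE = 0.7     # byte share that counts as an amplification mix (assumed)

# Constructed flow records for one 10 s interval: (dst, proto, src_port, bytes)
NORMAL = [("203.0.113.10", "tcp", 51514, 25_000_000),
          ("203.0.113.20", "udp", 27015, 12_000_000)]
NTP_FLOOD = [("203.0.113.10", "udp", 123, 4_000_000_000)]

class FlowDetector:
    def __init__(self, interval_s=10):
        self.interval_s = interval_s
        self.baseline = {}                  # dst IP -> EWMA of bits per second

    def observe(self, flows):
        """Score one interval of flow records; return alerts (divert candidates)."""
        total = defaultdict(int)
        amp = defaultdict(lambda: defaultdict(int))
        for dst, proto, sport, nbytes in flows:
            total[dst] += nbytes
            if proto == "udp" and sport in AMP_PORTS:
                amp[dst][AMP_PORTS[sport]] += nbytes
        alerts = []
        for dst, nbytes in total.items():
            bps = nbytes * 8 / self.interval_s
            base = self.baseline.get(dst)
            if base is not None and bps > max(base * MULTIPLIER, FLOOR_BPS):
                reason = "volume x%.0f over baseline" % (bps / max(base, 1.0))
                for svc, b in amp[dst].items():
                    if b / nbytes >= AMP_SHARE:
                        reason = svc + " amplification signature"
                alerts.append({"dst": dst, "bps": bps, "reason": reason})
            else:
                # Learn only from quiet intervals so a flood cannot hide in the baseline.
                self.baseline[dst] = bps if base is None else (1 - ALPHA) * base + ALPHA * bps
        return alerts

def demo():
    det = FlowDetector()
    for _ in range(5):
        det.observe(NORMAL)                 # warm-up: builds the baseline
    return det.observe(NORMAL + NTP_FLOOD)

if __name__ == "__main__":
    print(demo())
```

In production the records would come from NetFlow/sFlow export, and an IP whose first observed interval is already an attack needs separate handling because this sketch would learn it as the baseline.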

What “free DDoS protection” covers — and what it can’t

Included protection (ours included) covers the network layers: volumetric absorption and protocol filtering to multi-hundred-gigabit scale, always-on, at no extra charge, in every location. What no network-level filter can fully cover is your application’s own efficiency: if a single cheap HTTP request makes your app run a five-second database query, an attacker only needs a few hundred requests per second — indistinguishable from users — to hurt you. L7 resilience is shared work: the host filters the floods; you cache aggressively, rate-limit expensive endpoints, and (if you want challenge pages) front with a CDN. Honest hosts say this; be wary of any that promise “unhackable”.
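
One way to rate-limit expensive endpoints as described above, as an added example rather than code from this page or host: token buckets charged by request cost, per client and per route, so a flood spread across many sources is still capped. The routes, costs, rates and class names are assumptions.

```python
import time

# Assumed per-route costs (tokens per request, roughly backend work); the
# paths and all rates below are constructed for this example.
COST = {"/search": 10, "/login": 5}

class Buckets:
    """Keyed token buckets: `rate` tokens/second refill, `burst` capacity."""
    def __init__(self, rate, burst, clock):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.state = {}                      # key -> (tokens, last_seen)

    def take(self, key, cost):
        now = self.clock()
        tokens, last = self.state.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= cost
        self.state[key] = (tokens - cost if ok else tokens, now)
        return ok

class EndpointGuard:
    def __init__(self, clock=time.monotonic):
        self.per_client = Buckets(rate=20, burst=40, clock=clock)
        # Shared budget per expensive route: caps total backend load even when
        # every individual client stays under its own limit.
        self.per_route = Buckets(rate=50, burst=100, clock=clock)

    def allow(self, client, path):
        cost = COST.get(path, 1)
        if not self.per_client.take(client, cost):
            return False                     # this client alone is too hot
        if path in COST and not self.per_route.take(path, cost):
            return False                     # route budget spent: shed or serve cache
        return True

def demo():
    t = [0.0]                                # fake clock so the run is deterministic
    g = EndpointGuard(clock=lambda: t[0])
    one_client = sum(g.allow("198.51.100.7", "/search") for _ in range(10))
    many = sum(g.allow("203.0.113.%d" % i, "/search") for i in range(20))
    cheap = g.allow("192.0.2.1", "/")
    t[0] = 1.0                               # one second later the route has refilled by 50
    later = sum(g.allow("192.0.2.%d" % i, "/search") for i in range(10, 20))
    return one_client, many, cheap, later

if __name__ == "__main__":
    print(demo())
```

The `state` dictionaries grow with every new client key, so a long-running service would also evict idle entries.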

Why attack-prone projects go offshore for it

There is an ugly pattern in mainstream hosting: get attacked, get suspended. Many budget providers’ real DDoS policy is to null-route the victim — your IP goes dark until the attack stops, which means the attacker wins instantly and repeatably. Networks with serious mitigation and a culture of not punishing victims are disproportionately found in the offshore/DDoS-tolerant corner of the market — Romania is famous for exactly this. Our policy is the sane one: being attacked is not a violation, mitigation engages automatically, and nobody gets null-routed for being a victim. (Launching attacks, of course, sits on the other side of the AUP.)

Frequently asked questions

Is DDoS protection really free on every VPSCrypto plan?

Yes — always-on volumetric and protocol mitigation is included on every tier in every location, Pup through Fenrir. There is no “DDoS add-on” tier; we consider reachability part of the base product.

Will I get suspended if my server is attacked?

No. Being the victim of an attack is not an AUP violation here. Mitigation engages automatically and your service stays up within the protection’s capacity. The suspend-the-victim reflex of budget hosts is exactly what attack-prone projects should be fleeing.

Does protection slow down my normal traffic?

Not measurably. Outside attack conditions traffic flows normally with inline analysis; during mitigation, clean flows are forwarded after filtering with latency overhead in the low milliseconds — invisible next to the alternative, which is being offline.

Can I protect a game server against L7-style flooding?

Game protocols benefit from the volumetric and protocol layers, which is where most game attacks live (UDP floods). For application-level abuse inside the game protocol itself, pair host-level protection with the game server’s own rate and session limits — see our game server VPS page.

Do I still need Cloudflare or a CDN in front of a website?

For pure network floods, no. For HTTP-layer abuse against expensive endpoints, a CDN’s caching and challenge pages add a useful L7 shield, and hiding your origin IP behind it removes the direct-attack surface entirely. They compose well: scrubbing below, CDN above.
