DDoS-Guard protection
DDoS-Guard protection is a solution based on a partner product from DDoS-Guard. Services available:
- DDoS-Guard L3-L4 protection — acts at the network (L3) and transport (L4) layers. Protects against DDoS attacks that exploit weaknesses in TCP/IP protocols and are aimed at exhausting traffic bandwidth and disrupting network infrastructure.
- DDoS-Guard protection and acceleration of websites — operates at the application level (L7). Allows you to block attacks on web applications and sites, and to accelerate the application or site using a CDN and load balancing. The service can be activated in conjunction with the DDoS-Guard L3-L4 protection service or separately.
DDoS-Guard L3-L4 protection
Principle of operation
The service protects only IP addresses that are assigned to equipment in the Selectel infrastructure. The service can be activated only for addresses from a public dedicated subnet or a public subnet. It is not available for addresses from a shared subnet (/32) or public IP addresses.
After ordering the service you get a secure public IPv4-address and configure traffic reception on the server through it. The address should be assigned to the network interface of the public network as an additional one.
By default, one secure IP address is provided with the service. If you need to protect several servers in a pool, you need to order additional secure IP addresses for them.
Incoming traffic that is sent to the protected address passes through filtering nodes in different parts of the world, where it is analyzed and cleaned. Every incoming packet is filtered. The cleaned traffic is sent to the main address of the server.
Cost
The cost of the service is made up of:
- the selected DDoS-Guard L3-L4 Protection service tariff with the required bandwidth — 10, 20, 50 or 100 Mbps. To see the prices for DDoS-Guard L3-L4 Protection service tariffs, visit selectel.ru;
- secure IPv4 addresses: the first secure IPv4 address is provided free of charge; for each additional server in the pool you need to order an additional secure address;
- the cost of a new subnet, if one is needed to connect the service.
A single balance or a basic balance is used to pay for the service depending on the type of balance in the account.
The service is paid monthly, when ordering the service the payment for the first month is deducted from the balance, further payments are deducted automatically at the beginning of each following period.
Connect the service
- Order and configure a new subnet if your server only has a public shared address or a public IP address, or if your servers are already under attack.
- Order DDoS-Guard L3-L4 Protection service.
- Optional: order additional protected IP addresses if you need to protect more than one server in the pool.
- Configure a secure IP address on the server.
- Optional: add the protected IP address as a resolved IP address per port if you are connecting protection for a cloud server.
1. Optional: order and configure a new subnet
A new subnet is required if your server only has a public shared address (/32), or if your servers are under attack and the target IP address is already known to the attackers.
Order a subnet and configure the address from it on the server:
- For a dedicated server, use the Connect additional public IP addresses subsection of the dedicated server IP address instructions;
- For a cloud server, use the Configure access to and from the Internet via a public subnet subsection of the Configure access to and from the Internet instructions.
2. Order a service
If you need to protect equipment in different pools, connect a separate protection service for each pool.
Before activating the service, top up the balance by the required amount.
- In the control panel, click Products in the top menu and select DDoS Protection.
- Go to the DDoS Protection section.
- Click Order Services.
- In the DDoS-Guard DDoS Protection (L3-L4) service line with the required bandwidth (10, 20, 50 or 100 Mbps), click Pay.
- Verify the details and click Pay for the service.
- We will create a ticket to connect the service.
- In this ticket, send us:
  - the IP address to be put under protection;
  - an email address to register in the DDoS-Guard personal cabinet. The login details will be sent to this email.
- We will process the order and specify in the ticket the secure IP address to be configured on the server.
3. Optional: order additional secure IP addresses
One secure IP address is provided with the protection service. If you need to protect more than one server in the pool, order an additional secure address for each of them.
- In the control panel, click Products in the top menu and select DDoS Protection.
- Go to the DDoS Protection section.
- Click Order Services.
- In the DDoS-Guard DDoS Protection (L3-L4) — additional IP address service line, click Pay.
- Click Pay for Service.
4. Configure a secure IP address on the server
Add the secure IP address from the ticket to the public network interface as an additional address. Use the instructions for your operating system: Ubuntu, Debian, CentOS or Windows.
Ubuntu
- Open the netplan configuration file with the vi text editor:
  vi /etc/netplan/50-cloud-init.yaml
  or
  vi /etc/netplan/01-netcfg.yaml
- Add the additional address data at the end of the file:
  <eth_name>:0:
    addresses: [<ip_address>/32]
  Specify:
  <eth_name> — the name of the network interface to which you want to add the additional address;
  <ip_address> — the secure IP address that was received in the ticket.
- Press the ESC key.
- Exit the vi text editor with your changes saved: :wq
- Apply the configuration:
  netplan apply
- Optional: reboot the server.
- Configure all server applications to work with the secure IP address.
Debian
- Open the network interfaces configuration file with the vi text editor:
  vi /etc/network/interfaces
- Add the additional address data at the end of the file:
  auto <eth_name>:0
  iface <eth_name>:0 inet static
  address <ip_address>/32
  mtu 1500
  Specify:
  <eth_name> — the name of the network interface to which you want to add the additional address;
  <ip_address> — the secure IP address that was received in the ticket.
- Press the ESC key.
- Exit the vi text editor with your changes saved: :wq
- Restart the network:
  service networking restart
- Optional: reboot the server.
- Configure all server applications to work with the secure IP address.
CentOS
- Output information about the network interfaces:
  ip address
- Open the network interface configuration file with the vi text editor:
  vi /etc/sysconfig/network-scripts/ifcfg-<eth_name>:0
  Specify <eth_name> — the name of the network interface to which you want to add the additional address.
- Add the additional address data to the file:
  DEVICE=<eth_name>:0
  ONBOOT=yes
  BOOTPROTO=static
  IPADDR=<ip_address>
  NETMASK=255.255.255.255
  Specify:
  <eth_name> — the name of the network interface to which you want to add the additional address;
  <ip_address> — the secure IP address that was received in the ticket.
- Press the ESC key.
- Exit the vi text editor with your changes saved: :wq
- Restart the network:
  service network restart
- Configure all server applications to work with the secure IP address.
Windows
- Connect to the server via RDP or via the KVM console.
- Go to Ethernet settings → Change adapter settings.
- Open the connection settings and right-click the desired device.
- Select Properties → double-click Internet Protocol Version 4 (TCP/IPv4) in the list.
- Make sure the Use the following IP address option is selected.
- Click Advanced.
- Click Add.
- In the IP address field, enter the secure IP address you received in the ticket.
- Click Add.
- Click OK.
- Configure all server applications to work with the secure IP address.
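The last step above is where most cut-overs fail: the address is on the interface, but the service is still bound only to the main address, so cleaned traffic arriving at the secure IP is refused. The following added check (not part of the Selectel or DDoS-Guard instructions) parses the output of `ip -o -4 addr show` and `ss -H -ltn` and reports both problems; the sample outputs and the secure IP 203.0.113.25 are constructed.

```python
import ipaddress

# Constructed samples of `ip -o -4 addr show` and `ss -H -ltn` output.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 198.51.100.10/24 brd 198.51.100.255 scope global eth0
2: eth0    inet 203.0.113.25/32 scope global eth0:0
"""
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 198.51.100.10:443 0.0.0.0:*
LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*
"""

def configured_addresses(ip_output: str) -> set:
    """IPv4 addresses present on any interface, from `ip -o -4 addr show`."""
    found = set()
    for line in ip_output.splitlines():
        fields = line.split()
        if "inet" in fields:
            cidr = fields[fields.index("inet") + 1]
            found.add(str(ipaddress.ip_interface(cidr).ip))
    return found

def listeners(ss_output: str) -> list:
    """(address, port) pairs of TCP listeners, from `ss -H -ltn`."""
    result = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        result.append((addr, int(port)))
    return result

def check_secure_ip(secure_ip, ip_output, ss_output, ports=(80, 443)) -> list:
    """Findings that would stop traffic to the secure IP; an empty list means OK."""
    findings = []
    if secure_ip not in configured_addresses(ip_output):
        findings.append(f"{secure_ip} is not configured on any interface")
    for port in ports:
        # A listener on the wildcard address or on the secure IP itself is fine;
        # one bound only to the main address will refuse the cleaned traffic.
        if not any(p == port and a in ("0.0.0.0", "*", secure_ip)
                   for a, p in listeners(ss_output)):
            findings.append(f"no listener on {secure_ip}:{port}")
    return findings
```

Feed the real command outputs to `check_secure_ip` after configuring the address; repeat the check after each application restart until it returns an empty list.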
5. Optional: add the secure IP address as an allowed IP address on the cloud server port
If you are connecting protection for a cloud server and port security is enabled on its public subnet, add the secure address as an allowed IP address on the port on which you configured it. Otherwise the port's traffic filtering drops packets addressed to the secure IP.
- Check the status of traffic filtering (port security) on the server network:
  1.1 In the control panel, on the top menu, click Products and select Cloud Servers.
  1.2 Go to Network → Public Networks tab.
  1.3 Look at the card of the public subnet whose IP address you configured on the server. If the subnet is marked with the port security icon, port security is enabled on the network.
- If port security on the subnet is disabled, no additional settings are required. If it is enabled, add the secure IP address as an allowed IP address on the cloud server port, either in the control panel or with the OpenStack CLI.
  Control panel
  2.1 In the control panel, on the top menu, click Products and select Cloud Servers.
  2.2 Open the server page → Ports tab.
  2.3 In the row of the port to which you assigned the secure address, in the Security Groups field, click the icon.
  2.4 Click Add IP/MAC Pair.
  2.5 Enter the secure IP address you received in the ticket.
  2.6 Optional: enter a MAC address that matches the IP address, or leave the port's default MAC address.
  2.7 Click Save.
  OpenStack CLI
  2.1 Add an allowed address:
  openstack port set \
    --allowed-address ip-address=<ip_address>[,mac-address=<mac_address>] \
    <port>
  Specify:
  <ip_address> — the secure IP address that was received in the ticket;
  optional: ,mac-address=<mac_address> — the MAC address corresponding to the IP address, where <mac_address> is the MAC address value. If you do not specify a MAC address, the port's default MAC address is used;
  <port> — the ID of the port to which you assigned the secure IP address. The list of ports can be viewed with the command openstack port list.
View statistics
- Go to the DDoS-Guard personal cabinet; the login details are in the service activation ticket.
- Open the IP transit tab. It displays statistics on total traffic before filter cleaning. The graphs are based on five-minute traffic measurements, so peaks can be smoothed out.
Deactivate the service
- Make sure that you have reconfigured the server to receive traffic on an address from your subnet. The protected address you received when ordering the service will be disabled along with the protection.
- In the control panel, click Products in the top menu and select DDoS Protection.
- Go to the DDoS Protection section.
- In the menu of the service, select Disable monthly payment. The service will run until the end of the paid period.
- We will disconnect the service after the end of the paid period.
DDoS-Guard website protection and acceleration
Principle of operation
After ordering the service, you receive a secure address to which you need to redirect your traffic. All traffic to the secure address is sent to DDoS-Guard filtering nodes, where it is analyzed and cleaned, and then redirected to the secure server in Selectel infrastructure.
The protection works with HTTP and HTTPS requests only on ports 80 and 443, requests on other ports are not processed.
Connecting the service will not protect against DDoS attacks if the attackers know the target IP address. Before connecting, you should remove references to all IP addresses you want to protect from external resources. If the IP addresses are already under attack, you should order a new subnet and configure it on your servers.
Cost
The following tariffs are available for ordering the service: Normal, Medium, Premium, Enterprise. Their main differences:
- number of protected domains;
- number of servers for load balancing;
- number of rules to restrict access by IP addresses. You can purchase an additional set of rules for any tariff via a ticket;
- the ability to flexibly customize filtering rules.
The filter bandwidth and traffic volume, including legitimate traffic, are not limited.
You can see a detailed comparison of tariffs and their costs at selectel.ru.
A single balance or a basic balance is used to pay for the service depending on the type of balance in the account.
The service is paid monthly, when ordering the service the payment for the first month is deducted from the balance, further payments are deducted automatically at the beginning of each following period.
Connect the service
The minimum connection time is 1-2 days. If protection is required urgently, create a ticket, specify in it the domain and IP address to be protected and an email address for registration in the DDoS-Guard personal cabinet, and then call us.
- Order and configure a new subnet if the IP address of the domain is already known to attackers.
- Order DDoS-Guard website protection and acceleration service.
- Specify a protected address in the domain's A-record.
- Optional: restrict connection to the server from IP addresses.
- Optional: configure additional protection.
1. Order and configure a new subnet
A new subnet is required if your servers are under attack and the target IP address is already known to the attackers.
Order a subnet and configure the address from it on the server:
- For a dedicated server, use the Connect additional public IP addresses subsection of the dedicated server IP address instructions;
- For a cloud server, use the Create a public subnet subsection of the Public Subnets instruction.
2. Order a service
Before activating the service, top up the balance by the required amount.
- In the control panel, click Products in the top menu and select DDoS Protection.
- Go to the DDoS Protection section.
- Click Order Services.
- In the line of the desired DDoS-Guard Web Protection and Acceleration tariff (Normal, Medium, Premium, Enterprise), click Pay.
- Verify the details and click Pay for Service.
- We will create a ticket to connect the service and clarify the date of connection.
- In this ticket, send us:
  - the domain that needs to be put under protection;
  - the domain's IP address. You can specify multiple IP addresses if they point to the same domain and you want load balancing between them;
  - an email address to register in the DDoS-Guard personal cabinet.
- We will process the order and notify you when the service is activated.
3. Specify a secure IP address in the domain A record
- Go to your DDoS-Guard personal cabinet.
- Enter the login and password you received by email when ordering the service.
- Open the Site Protection and Acceleration service page.
- Open the Domains tab.
- Save the protected IP address that is specified in the Protected IP field.
- Go to your domain registrar's control panel where your domain records are stored.
- In the A records, change the value to the secure IP address that you saved in step 5. If an A record is not for web traffic, such as a mail or FTP server, do not change its value.
- If AAAA records are specified for the domain, delete them. DDoS-Guard does not work with IPv6 addresses, and they can be attacked to bypass the protection.
- If you want to protect subdomains, add an A record with the protected IP address for each of them. You can protect an unlimited number of subdomains.
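The three rules in this step (web A records point at the protected IP, no A record exposes the origin, no AAAA record remains) are easy to get partly right. The following added checker (not part of the Selectel or DDoS-Guard instructions) audits a set of DNS answers against them; `live_records` gathers answers through the system resolver for online use, and the sample records, the protected IP 203.0.113.25 and the origin 198.51.100.10 are constructed.

```python
import socket

def live_records(name: str) -> list:
    """(name, type, value) A/AAAA answers via the system resolver; online use only."""
    seen = set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(name, None):
        rtype = "A" if family == socket.AF_INET else "AAAA"
        seen.add((name, rtype, sockaddr[0]))
    return sorted(seen)

def audit_records(records, protected_ip, origin_ips, web_names) -> list:
    """Return one finding per record that violates the cut-over rules."""
    findings = []
    for name, rtype, value in records:
        if rtype == "AAAA":
            # IPv6 traffic is not filtered, so an AAAA record bypasses the protection.
            findings.append(f"{name}: AAAA record {value} must be deleted")
        elif rtype == "A" and name in web_names:
            if value in origin_ips:
                findings.append(f"{name}: A record exposes origin address {value}")
            elif value != protected_ip:
                findings.append(f"{name}: A record {value} is not the protected IP {protected_ip}")
        elif rtype == "A" and value in origin_ips:
            # Mail/FTP records keep their values, but one that shares the web origin still leaks it.
            findings.append(f"{name}: non-web A record reveals origin address {value}")
    return findings

# Constructed sample: protected IP 203.0.113.25, web origin 198.51.100.10.
SAMPLE_RECORDS = [
    ("www.example.com", "A", "203.0.113.25"),
    ("example.com", "A", "198.51.100.10"),
    ("www.example.com", "AAAA", "2001:db8::10"),
    ("mail.example.com", "A", "198.51.100.20"),
]
```

Run the audit again a day after the change: resolvers cache old answers for the record TTL, so a clean result immediately after editing the zone does not mean the old origin address is no longer served.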
4. Optional: restrict connection to the server from IP addresses
You can restrict connections to the server from all IP addresses except the DDoS-Guard trusted IP addresses, so that requests that bypass the filtering nodes and go directly to the origin are refused. For the configuration details, see the Firewall Configuration subsection of the Configuring L7 level protection instructions in the DDoS-Guard documentation.
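Whether or not the firewall rule is in place, the web server's access log shows whether anyone is reaching the origin directly: a request whose source address is outside the trusted ranges did not pass through DDoS-Guard. The following added scanner (not part of the Selectel or DDoS-Guard instructions) flags such requests in combined-format (nginx/Apache) log lines; `TRUSTED_RANGES` and the sample log lines are constructed placeholders, so substitute the ranges published in the DDoS-Guard documentation.

```python
import ipaddress

# Constructed placeholder ranges; replace with the trusted ranges from the DDoS-Guard documentation.
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.0/26")]

# Constructed sample access log lines in combined format.
SAMPLE_LOG = """\
192.0.2.17 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 1043 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "POST /api HTTP/1.1" 201 88 "-" "Mozilla/5.0"
2001:db8::9 - - [10/Oct/2023:13:56:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

def is_trusted(addr: str) -> bool:
    """True if the source address lies in one of the DDoS-Guard ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_RANGES)

def bypass_requests(log_text: str) -> list:
    """(source_ip, request_line) for requests that did not come through the filter."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src = line.split(" ", 1)[0]
        try:
            trusted = is_trusted(src)
        except ValueError:
            continue  # malformed source field; skip rather than guess
        if not trusted:
            # The request line is the first double-quoted field of the combined format.
            request = line.split('"')[1] if line.count('"') >= 2 else ""
            hits.append((src, request))
    return hits
```

Any IPv6 source is always a bypass here, because the protection handles only IPv4; a hit from one means an AAAA record or another IPv6 path to the origin still exists.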
5. Optional: configure additional protection
You can configure additional protection in the DDoS-Guard personal cabinet, for example set up traffic filtering rules, enable geo-blocking or other options. The full list of options is in the Site Protection section of the DDoS-Guard documentation.
To configure additional protection:
- Log in to your personal cabinet. To log in, use the login and password you received by email when ordering the service.
- Follow the necessary instructions in the Site Protection section of the DDoS-Guard documentation.
View statistics
- Go to your personal cabinet and use the login and password you received by email when ordering the service.
- View the statistics following the L7 Attack instructions and the attack reports section of the DDoS-Guard documentation.
Deactivate the service
- Make sure that you have reconfigured the server to receive traffic on an address from your subnet. The protected address you received when ordering the service will be disabled along with the protection.
- Go to your domain registrar's control panel where your domain records are stored.
- In the domain A record, change the value to an address from your subnet.
- In the control panel, click Products in the top menu and select DDoS Protection.
- Go to the DDoS Protection section.
- In the menu of the service, select Disable monthly payment. The service will run until the end of the paid period.
- We will disconnect the service after the end of the paid period.