Skip to main content

DDoS Guard L3-L4

Last update:

DDoS Guard L3-L4 protection is a solution based on a partner product from DDoS-Guard.

The service protects against DDoS attacks at the network and transport layers (L3-L4):

  • for bandwidth exhaustion and disruption of network infrastructure;
  • weaknesses of TCP/IP protocols.

The service does not protect against application level attacks (L7), select another type of protection for this.

The service protects only IP addresses assigned to equipment in the Selectel infrastructure. The service cannot be activated for addresses from a shared subnet (/32) or public IP addresses, only for addresses from a public dedicated subnet or public subnet.

Principle of operation

After ordering the service, you are given a secure public IPv4 address, and you configure the server to receive traffic through this secure address. The address must be assigned to a network interface on the public network as an additional address.

By default, one secure IP address is provided with the service. If you need to protect several servers in the pool, you need to order additional secure IP addresses for them.

Incoming traffic that is sent to a secure address passes through filtering nodes in different parts of the world, where it is analyzed and cleaned. Each incoming packet is filtered. The cleaned traffic is sent to the main address of the server.

Connecting the service will not protect against DDoS attacks if the attackers know the target IP address. Before connecting, you should remove all references to IP addresses you want to protect from external resources. If the addresses are already under attack, you should order a new subnet and configure it on your servers.

Cost

The cost of the service adds up:

  • from the selected tariff of DDoS Guard L3-L4 service with the required bandwidth — 10, 20, 50 or 100 Mbps;
  • cost of additional secure IPv4 addresses. The first secure address is provided free of charge, for each additional server in the pool you need to order an additional secure address;
  • the cost of a new subnet if it is needed to connect the service.

You can view prices for DDoS Guard L3-L4 protection at selectel.ru.

To pay for the service, depending on the type of balance in the account, a single balance or the main balance is used. The service is paid monthly, when ordering the service the payment for the first month is deducted from the balance, further payments are deducted automatically at the beginning of each following period.

Connect DDoS Guard L3-L4

  1. If your server only has a public shared address or public IP address, or your servers are already under attack, order and configure a new subnet.
  2. Order DDoS Guard L3-L4 protection service.
  3. If you need to protect more than one server in the pool, order additional secure IP addresses.
  4. Configure a secure IP address on the server.

1. Order and configure a new subnet

A new subnet is required if your server only has a public shared address (/32), or if your servers are already under attack, i.e. the target IP address is already known to the attackers.

Order a subnet and configure the address from it on the server:

2. Order a service

If you need to protect equipment in different pools, connect a separate protection service for each pool.

  1. In the control panel, click Products in the top menu and select DDoS Protection.

  2. Click Order Services.

  3. In the DDoS Guard DDoS Protection (L3-L4) service line with the required bandwidth (10, 20, 50, 100 Mbps), click Pay.

  4. Click Pay for Service.

  5. We will send you a ticket with the details. When the protection is connected, in the same ticket we will send:

3. Order additional secure IP addresses

One secure IP address is provided with the protection service. If you need to protect more than one server in the pool, order an additional secure address for each server.

  1. In the control panel, click Products in the top menu and select DDoS Protection.
  2. Click Order Services.
  3. In the DDoS Guard DDoS Protection (L3-L4) — additional IP address service line, click Pay.
  4. Click Pay for Service.

4. Configure a secure IP address on the server

  1. Connect to the server via SSH or via KVM console.

  2. Open the netplan utility configuration file with the vi text editor:

    vi /etc/netplan/50-cloud-init.yaml

    or

    vi /etc/netplan/01-netcfg.yaml

  3. Add the optional address data after the file contents:

    <eth_name>:0:
        addresses: [<ip_address>/32]

    Specify:

    • <eth_name> — the name of the network interface to which you want to add the additional address;
    • <ip_address> — the secure IP address that was received in the ticket.

  4. Press the ESC key.

  5. Exit the vi text editor with your changes saved:

    :wq

  6. Apply the configuration:

    netplan apply

  7. Optional: reboot the server.

  8. Configure all server applications to work with a secure IP address.

View statistics

  1. Go to your partner's personal cabinet. The data for entering the cabinet can be found in the service connection ticket.
  2. Open the IP transit tab. This displays statistics on total traffic before filter cleaning. The graphs are based on five-minute traffic measurements, so peaks can be smoothed out.

Disable DDoS Guard L3-L4

  1. Make sure that you have reconfigured traffic reception to an address from your subnet. The protected address issued when the service was activated will be deactivated along with the protection.
  2. In the Control Panel, click Products in the top menu and select DDoS Protection.
  3. In the menu of the service, select Disable monthly payment. The service will run until the end of the paid period.
  4. We will disconnect the service after the end of the paid period.