DDoS-Guard L3-L4 protection

Last update: August 15 2025

DDoS-Guard L3-L4 protection is a solution based on a partner product from DDoS-Guard.

The service operates at the network (L3) and transport (L4) layers and protects against DDoS attacks that:

• are aimed at exhausting the traffic bandwidth and disrupting the network infrastructure;
• exploit weaknesses in TCP/IP protocols.

The service does not protect against application layer attacks (L7), select a different type of protection for this.

The service protects only IP addresses that are assigned to equipment in the Selectel infrastructure.The service cannot be activated for addresses from a shared subnet (/32) or public IP addresses.It can only be activated for addresses from a public dedicated subnet or public subnet.

Principle of operation

After ordering the service, you are given a secure public IPv4 address, and you configure traffic reception on the server through this secure address.The address should be assigned to the network interface of the public network as an additional one.

By default, one secure IP address is provided with the service. If you need to protect several servers in a pool, you need to order additional secure IP addresses for them.

Incoming traffic that is sent to the protected address passes through filtering nodes in different parts of the world, where it is analyzed and cleaned.Every incoming packet is filtered.The cleaned traffic is sent to the main address of the server.

Cost

The cost of the service adds up:

• from the selected tariff of DDoS-Guard L3-L4 DDoS-Guard Protection service with the required bandwidth — 10, 20, 50 or 100 Mbps;
• The first secure IPv4 address is provided free of charge, for each additional server in the pool it is necessary to order an additional secure address;
• the cost of a new subnet if it is needed to connect the service.

To view prices for DDoS-Guard L3-L4 DDoS-Guard protection service, please visit selectel.ru.

To pay for the service, depending on the type of balance in the account, a single balance or the main balance is used.The service is paid monthly, when ordering the service the payment for the first month is deducted from the balance, further payments are deducted automatically at the beginning of each following period.

Connect the service

1. If your server only has a public shared address or public IP address, or your servers are already under attack, order and configure a new subnet.
2. Order DDoS-Guard L3-L4 Protection service.
3. If you need to protect more than one server in the pool, order additional secure IP addresses.
4. Configure a secure IP address on the server.
5. If you are connecting protection for a cloud server, add the protected IP address as a resolved IP address per port.

1. Order and configure a new subnet

A new subnet is required if your server only has a public shared address (/32), or if your servers are already under attack, i.e. the target IP address is already known to the attackers.

Order a subnet and configure the address from it on the server:

• For a dedicated server, use the Connect additional public IP addresses subsection of the dedicated server IP address instructions;
• For a cloud server, use the Configure access to and from the Internet via a public subnet subsection of the Configure access to and from the Internet instructions.

2. Order a service

If you need to protect equipment in different pools, connect a separate protection service for each pool.

1. In the control panel, click Products in the top menu and select DDoS Protection.

2. Click Order Services.

3. In the service line DDoS-Guard DDoS Protection (L3-L4) with the required bandwidth (10, 20, 50, 100 Mbps) click Pay.

4. Click Pay for Service.

5. We will send you a ticket in which we will clarify the details.When the protection is connected, in the same ticket we will send:

   • secure IP address that you will need to configure on the server;
   • login data for DDoS-Guard personal cabinet, where you can view statistics.

3. Order additional secure IP addresses

One secure IP address is provided with the protection service.If you need to protect more than one server in the pool, order an additional secure address for each of them.

1. In the control panel, click Products in the top menu and select DDoS Protection.
2. Click Order Services.
3. In the DDoS-Guard DDoS Protection (L3-L4) — additional IP address service line, click Pay.
4. Click Pay for Service.

4. Configure a secure IP address on the server

Ubuntu

1. Connect to the server via SSH or via KVM console.

2. Open the netplan utility configuration file with the vi text editor:

   vi /etc/netplan/50-cloud-init.yaml

   or

   vi /etc/netplan/01-netcfg.yaml

3. Add the optional address data after the file contents:

   <eth_name>:0:
       addresses: [<ip_address>/32]

   Specify:

   • <eth_name> — the name of the network interface to which you want to add the additional address;
   • <ip_address> — the secure IP address that was received in the ticket.

4. Press the ESC key.

5. Exit the vi text editor with your changes saved:

   :wq

6. Apply the configuration:

   netplan apply

7. Optional: reboot the server.

8. Configure all server applications to work with a secure IP address.

Debian

1. Connect to the server via SSH or via KVM console.

2. Open the network interfaces configuration file with the vi text editor:

   vi /etc/network/interfaces/

3. Add the additional address data after the content:

   auto <eth_name>:0
   iface <eth_name>:0 inet static
   address <ip_address>/32
   mtu 1500

   Specify:

   • <eth_name> — the name of the network interface to which you want to add the additional address;
   • <ip_address> — the secure IP address that was received in the ticket.

4. Press the ESC key.

5. Exit the vi text editor with your changes saved:

   :wq

6. Restart the network:

   service networking restart

7. Optional: reboot the server.

8. Configure all server applications to work with a secure IP address.

CentOS

1. Connect to the server via SSH or via KVM console.

2. Display information about the network interfaces:

   ip address

3. Open the network interface configuration file with the vi text editor:

   vi /etc/sysconfig/network-scripts/ifcfg-<eth_name>:0

   Specify <eth_name> is the name of the network interface to which you want to add the additional address.

4. Add the additional address data to the file:

   DEVICE=<eth_name>:0
   ONBOOT=yes
   BOOTPROTO=static
   IPADDR=<ip_address>
   NETMASK=255.255.255.255

   Specify:

   • <eth_name> — the name of the network interface to which you want to add the additional address;
   • <ip_address> — the secure IP address that was received in the ticket.

5. Press the ESC key.

6. Exit the vi text editor with your changes saved:

   :wq

7. Restart the network:

   service network restart

8. Configure all server applications to work with a secure IP address.

Windows

1. Connect to the server via RDP or via KVM console.
2. Go to Ethernet settings → Change adapter settings.
3. Open the connection settings and right-click on the desired device.
4. Select Properties → double-click Internet Protocol Version 4 (TCP/IPv4) in the list.
5. Make sure the Use the following IP address option is selected.
6. Click Advanced.
7. Click Add.
8. In the IP address field, enter the secure IP address you received in the ticket.
9. Click Add.
10. Press OK.
11. Configure all server applications to work with a secure IP address.

5. Add a secure IP address as an authorized IP address on the cloud server port

If you are connecting security for a cloud server and port security is enabled on its public subnet, the protected address must be added as a permitted IP address on the port on which you configured the protected address.

1. Check the status of traffic filtering (port security) on the server network:

   1.1 In the Control Panel, on the top menu, click Products and select Cloud Servers.

   1.2. Go to Network → Public Networks tab.

   1.3 Look at the public subnet card of the IP address from which you configured the server.If the subnet is marked with a , port security is enabled on the network.

2. If subnet filtering is disabled, no additional settings are required.If filtering is enabled, add a secure IP address as the allowed IP address on the cloud server port:

   Control panel

   2.1.In the control panel, on the top menu, click Products and select Cloud Servers.

   2.2.Open the Server page → Ports tab.

   2.3.In the row of the port to which you assigned a secure address, in the Security Groups field, click .

   2.4.Click Add IP/MAC Pair.

   2.5.Enter the secure IP address you received in the ticket.

   2.6.Optional: Enter a MAC address that matches the IP address or leave the MAC address of the default port.

   2.7.Click Save.

   OpenStack CLI

   2.1 Open the OpenStack CLI.

   2.2.Add a resolved address:

   openstack port set \
     --allowed-address ip-address=<ip_address>[,mac-address=<mac_address>] \
     <port>

   Specify:

   • <ip_address> — the secure IP address that was received in the ticket;
   • optional: , mac-address=<mac_address> is the MAC address corresponding to the IP address. The parameter <mac_address> is the MAC address value. If you do not specify a MAC address, the default port MAC address will be used;
   • <port> — The ID of the port to which you have assigned a secure IP address, the port list can be viewed with the command openstack port list.

View statistics

1. Go to the DDoS-Guard personal cabinet. You can see the login details in the service activation ticket.
2. Open the IP transit tab.This displays statistics on total traffic before filter cleaning.The graphs are based on five-minute traffic measurements, so peaks can be smoothed out.

Deactivate the service

1. Make sure that you have reconfigured traffic reception to an address from your subnet.The protected address that you were given when you connected the service will be deactivated along with the protection.

2. In the Control Panel, click Products in the top menu and select DDoS Protection.

3. In the menu of the service, select Disable monthly payment.The service will run until the end of the paid period.

4. We will disconnect the service after the end of the paid period.