DDoS Guard L3-L4
DDoS Guard L3-L4 protection is a solution based on a partner product from DDoS-Guard.
The service protects against DDoS attacks at the network and transport layers (L3-L4):
- attacks aimed at exhausting bandwidth and disrupting network infrastructure;
- attacks that exploit weaknesses of TCP/IP protocols.
The service does not protect against application-level (L7) attacks; select another type of protection for those.
The service protects only IP addresses assigned to equipment in the Selectel infrastructure. The service cannot be activated for addresses from a shared subnet (/32) or public IP addresses, only for addresses from a public dedicated subnet or public subnet.
Principle of operation
After ordering the service, you are given a secure public IPv4 address, and you configure the server to receive traffic through this secure address. The address must be assigned to a network interface on the public network as an additional address.
By default, one secure IP address is provided with the service. If you need to protect several servers in the pool, you need to order additional secure IP addresses for them.
Incoming traffic that is sent to a secure address passes through filtering nodes in different parts of the world, where it is analyzed and cleaned. Each incoming packet is filtered. The cleaned traffic is sent to the main address of the server.
Connecting the service will not protect against DDoS attacks if the attackers know the target IP address. Before connecting, you should remove all references to IP addresses you want to protect from external resources. If the addresses are already under attack, you should order a new subnet and configure it on your servers.
Cost
The cost of the service consists of:
- the selected tariff of the DDoS Guard L3-L4 service with the required bandwidth — 10, 20, 50 or 100 Mbps;
- cost of additional secure IPv4 addresses. The first secure address is provided free of charge, for each additional server in the pool you need to order an additional secure address;
- the cost of a new subnet if it is needed to connect the service.
You can view prices for DDoS Guard L3-L4 protection at selectel.ru.
Depending on the type of balance in the account, the service is paid from a single balance or from the main balance. The service is paid monthly: when you order the service, the payment for the first month is deducted from the balance, and further payments are deducted automatically at the beginning of each following period.
Connect DDoS Guard L3-L4
- If your server only has a public shared address or public IP address, or your servers are already under attack, order and configure a new subnet.
- Order DDoS Guard L3-L4 protection service.
- If you need to protect more than one server in the pool, order additional secure IP addresses.
- Configure a secure IP address on the server.
1. Order and configure a new subnet
A new subnet is required if your server only has a public shared address (/32), or if your servers are already under attack, i.e. the target IP address is already known to the attackers.
Order a subnet and configure the address from it on the server:
- For a dedicated server, use the Connect additional public IP addresses subsection;
- For the cloud server, use the Configure access to and from the Internet via a public subnet subsection.
2. Order a service
If you need to protect equipment in different pools, connect a separate protection service for each pool.
- In the control panel, click Products in the top menu and select DDoS Protection.
- Click Order Services.
- In the DDoS Guard DDoS Protection (L3-L4) service line with the required bandwidth (10, 20, 50, 100 Mbps), click Pay.
- Click Pay for Service.
- We will send you a ticket with the details. When the protection is connected, in the same ticket we will send:
  - secure IP address that you will need to configure on the server;
  - login details to the partner's personal cabinet, where you can view statistics.
3. Order additional secure IP addresses
One secure IP address is provided with the protection service. If you need to protect more than one server in the pool, order an additional secure address for each server.
- In the control panel, click Products in the top menu and select DDoS Protection.
- Click Order Services.
- In the DDoS Guard DDoS Protection (L3-L4) — additional IP address service line, click Pay.
- Click Pay for Service.
4. Configure a secure IP address on the server
Ubuntu
- Open the netplan utility configuration file with the vi text editor:
    vi /etc/netplan/50-cloud-init.yaml
  or
    vi /etc/netplan/01-netcfg.yaml
- Add the additional address data after the file contents:
    <eth_name>:0:
      addresses: [<ip_address>/32]
  Specify:
  - <eth_name> — the name of the network interface to which you want to add the additional address;
  - <ip_address> — the secure IP address that was received in the ticket.
- Press the ESC key.
- Exit the vi text editor with your changes saved:
    :wq
- Apply the configuration:
    netplan apply
- Optional: reboot the server.
- Configure all server applications to work with a secure IP address.
Debian
- Open the network interfaces configuration file with the vi text editor:
    vi /etc/network/interfaces
- Add the additional address data after the content:
    auto <eth_name>:0
    iface <eth_name>:0 inet static
      address <ip_address>/32
      mtu 1500
  Specify:
  - <eth_name> — the name of the network interface to which you want to add the additional address;
  - <ip_address> — the secure IP address that was received in the ticket.
- Press the ESC key.
- Exit the vi text editor with your changes saved:
    :wq
- Restart the network:
    service networking restart
- Optional: reboot the server.
- Configure all server applications to work with a secure IP address.
CentOS
- Output information about the network interfaces:
    ip address
- Open the network interface configuration file with the vi text editor:
    vi /etc/sysconfig/network-scripts/ifcfg-<eth_name>:0
  Specify <eth_name>, the name of the network interface to which you want to add the additional address.
- Add the additional address data to the file:
    DEVICE=<eth_name>:0
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=<ip_address>
    NETMASK=255.255.255.255
  Specify:
  - <eth_name> — the name of the network interface to which you want to add the additional address;
  - <ip_address> — the secure IP address that was received in the ticket.
- Press the ESC key.
- Exit the vi text editor with your changes saved:
    :wq
- Restart the network:
    service network restart
- Configure all server applications to work with a secure IP address.
Windows
- Connect to the server via RDP or via KVM console.
- Go to Ethernet settings → Change adapter settings.
- Open the connection settings and right-click on the desired device.
- Select Properties → double-click Internet Protocol Version 4 (TCP/IPv4) in the list.
- Make sure the Use the following IP address option is selected.
- Click Advanced.
- Click Add.
- In the IP address field, enter the secure IP address you received in the ticket.
- Click Add.
- Press OK.
- Configure all server applications to work with a secure IP address.
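To check the last step on a Linux server, the following added example (not part of the original instructions) reads the output of ss -H -tln and lists the TCP listeners that still accept connections on an address other than the secure one. It assumes that "work with a secure IP address" means binding services to that address; the function names and the sample addresses (documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find TCP listeners that are not bound to the secure address.
# Real use on a server:  ss -H -tln | audit_listeners <secure_ip>

# Reads `ss -H -tln` output on stdin. Prints "KIND address port" for every
# listener reachable on an address other than the secure one.
# Returns 1 if any such listener exists, 0 otherwise.
audit_listeners() {
    awk -v secure="$1" '
    $1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)             # text after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        gsub(/^\[|\]$/, "", addr)                   # [::] -> ::
        sub(/%.*/, "", addr)                        # 127.0.0.53%lo -> 127.0.0.53
        if (addr == secure) next                    # bound to the secure address
        if (addr ~ /^127\./ || addr == "::1") next  # loopback only
        kind = (addr == "0.0.0.0" || addr == "::" || addr == "*") ? "WILDCARD" : "OTHER"
        print kind, addr, port
        found = 1
    }
    END { exit found }'
}

# Constructed sample input (documentation address ranges), not real output.
# 203.0.113.10 stands for the secure address, 198.51.100.7 for the main one.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511     203.0.113.10:443        0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      511     198.51.100.7:8080       0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
EOF
}

sample_ss_output | audit_listeners 203.0.113.10 ||
    echo "some listeners accept traffic outside the secure address"
```

WILDCARD entries answer on every address of the server, including the main one; OTHER entries are bound to a specific address that is not the secure one.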
View statistics
- Go to the partner's personal cabinet. The login details can be found in the service connection ticket.
- Open the IP transit tab. This displays statistics on total traffic before filter cleaning. The graphs are based on five-minute traffic measurements, so peaks can be smoothed out.
Disable DDoS Guard L3-L4
- Make sure that you have reconfigured traffic reception to an address from your subnet. The protected address issued when the service was activated will be deactivated along with the protection.
- In the control panel, click Products in the top menu and select DDoS Protection.
- In the menu of the service, select Disable monthly payment. The service will run until the end of the paid period.
- We will disconnect the service after the end of the paid period.