DDoS-Guard Protection
DDoS-Guard protection is a solution based on a partner product from DDoS-Guard. The following services are available:
- DDoS-Guard L3-L4 Protection — operates at the network (L3) and transport (L4) layers. Protects against DDoS attacks that exploit TCP/IP protocol vulnerabilities and aim to exhaust traffic bandwidth and disrupt network infrastructure operations;
- DDoS-Guard Website Protection and Acceleration — operates at the application layer (L7). It allows you to block attacks on web applications and websites, and accelerates your application or website using CDN and load balancing. The service can be connected together with DDoS-Guard L3-L4 Protection or separately.
DDoS-Guard L3-L4 Protection
How it works
The service protects only IP addresses assigned to equipment in the Selectel infrastructure. The service can only be connected for addresses from a public dedicated subnet or a public subnet. It is not available for addresses from shared subnets (/32) or public IP addresses.
You receive a protected public IPv4 address and configure traffic reception on your server through it. The address must be assigned to a public network interface as an additional one.
By default, one protected IP address is provided with the service. If you need to protect several servers in a pool, you must order additional protected IP addresses for them.
Incoming traffic directed to the protected address passes through filtering nodes located around the world, where it is analyzed and scrubbed. Every incoming packet is filtered. The scrubbed traffic is then routed to the server's main address.
Pricing
The service cost consists of:
- the cost of the selected DDoS-Guard L3-L4 Protection plan with the required throughput — 10, 20, 50, or 100 Mbps;
- the cost of additional protected IPv4 addresses. The first protected address is free, and you must order an additional protected address for each additional server in the pool;
- the cost of a new subnet, if it is required to connect the service.
You can view the DDoS-Guard L3-L4 Protection service plan prices on selectel.ru.
The service is billed monthly; when ordering the service, the payment for the first month is deducted from the balance, and subsequent payments are deducted automatically at the beginning of each following period.
Depending on the type of balance in your account, a unified balance or master balance is used to pay for the service.
Order the service
- If your server only has a shared public address or a public IP address, or your servers are already under attack, order and configure a new subnet.
- Order DDoS-Guard L3-L4 Protection.
- If you need to protect more than one server in the pool, order additional protected IP addresses.
- Configure the protected IP address on the server.
- If you are connecting protection for a cloud server, add the protected IP address as an allowed IP address on the port.
1. Order and configure a new subnet
A new subnet is required if:
- your server only has a shared public address (/32);
- or your servers are under attack and the target IP address is already known to attackers.
Order a subnet and configure an address from it on your server:
- for a dedicated server, use the Connect additional public IP addresses section of the Dedicated Server Public Networks and Subnets guide;
- for a cloud server, use the Configure internet access via a public subnet section of the Configure internet access guide.
2. Order the service
If you need to protect equipment in different pools, connect a separate protection service for each pool.
Before connecting the service, top up your balance with the required amount.
- In the control panel, on the top menu, click Products and select DDoS Protection.
- Go to the DDoS Protection section.
- Click Order services.
- In the row for the DDoS-Guard DDoS Protection (L3-L4) service with the required throughput (10, 20, 50, 100 Mbps), click Pay.
- Verify the details and click Pay for service.
- We will create a ticket to connect the service.
- In this ticket, send us:
  - the IP address to be protected;
  - the email for registration in the DDoS-Guard control panel. Credentials for the control panel will be sent to this email.
- We will notify you about the connection in the ticket.
3. Order additional protected IP addresses
One protected IP address is provided with the protection service. If you need to protect more than one server in the pool, order an additional protected address for each of them.
- In the control panel, on the top menu, click Products and select DDoS Protection.
- Go to the DDoS Protection section.
- Click Order services.
- In the row for the DDoS-Guard DDoS Protection (L3-L4) — additional IP address service, click Pay.
- Click Pay for service.
4. Configure the protected IP address on the server
Ubuntu
- Open the netplan utility configuration file using the vi text editor:

      vi /etc/netplan/50-cloud-init.yaml

  or

      vi /etc/netplan/01-netcfg.yaml

- Append the additional address details to the end of the file:

      <eth_name>:0:
        addresses: [<ip_address>/32]

  Specify:
  - <eth_name> — the name of the network interface to which the additional address should be added;
  - <ip_address> — the protected IP address you received in the ticket.
- Press the ESC key.
- Exit the vi text editor and save your changes:

      :wq

- Apply the configuration:

      netplan apply

- Optional: reboot the server.
- Set all server applications to work with the protected IP address.
5. Add the protected IP address as an allowed IP address on the cloud server port
If you are connecting protection for a cloud server and traffic filtering (port security) is enabled in its public subnet, add the protected address as an allowed IP address on the port where you configured the protected address.
1. Check the traffic filtering (port security) status on the server network:
1.1. In the control panel, on the top menu, click Products and select Cloud Servers.
1.2. Go to the Network section → Public networks tab.
1.3. View the public subnet card for the IP address you configured on the server. If the subnet is marked with , traffic filtering (port security) is enabled on the network.
2. If traffic filtering is disabled in the subnet, no additional configuration is required. If filtering is enabled, add the protected IP address as an allowed IP address on the cloud server port:
Control panel
2.1. In the control panel, on the top menu, click Products and select Cloud Servers.
2.2. Open the server page → Ports tab.
2.3. In the row for the port where you assigned the protected address, in the Security groups field, click .
2.4. Click Add IP/MAC pair.
2.5. Enter the protected IP address that you received in the ticket.
2.6. Optional: enter the MAC address corresponding to the IP address, or leave it as the default port MAC address.
2.7. Click Save.
View statistics
- Go to the DDoS-Guard control panel. Credentials for the control panel can be found in the service connection ticket.
- Open the IP transit tab. This displays statistics on total traffic before filter scrubbing. The charts are built based on five-minute traffic samples, so traffic spikes may appear smoothed out.
Disable the service
- Ensure you have reconfigured traffic reception to use an address from your subnet. The protected address you received when ordering the service will be disabled along with the protection.
- In the control panel, on the top menu, click Products and select DDoS Protection.
- Go to the DDoS Protection section.
- In the service menu, select Disable monthly payment. The service will remain active until the end of the paid period.
- We will deactivate the service after the end of the paid period.
DDoS-Guard Website Protection and Acceleration
How it works
After ordering the service, you receive a protected address to which you must redirect your traffic. All traffic to the protected address is sent to DDoS-Guard filtering nodes, where it is analyzed and scrubbed, and then forwarded to the protected server in the Selectel infrastructure.
The protection works with HTTP and HTTPS requests only on ports 80 and 443; requests to other ports are not processed.
Connecting the service will not protect against a DDoS attack if the target IP address is known to attackers. Before connecting, remove mentions of all IP addresses you want to protect from external resources. If the IP addresses are already under attack, you must order a new subnet and configure it on your servers.
Pricing
The following plans are available for order: Normal, Medium, Premium, and Enterprise. Their main differences are:
- number of protected domains;
- number of servers for load balancing;
- number of rules for restricting access by IP addresses. For any plan, you can purchase an additional package of rules via a ticket;
- possibility of flexible filtering rule configuration.
The filtering bandwidth and traffic volume, including legitimate traffic, are unlimited.
You can view a detailed comparison of plans and their pricing on selectel.ru.
The service is billed monthly; when ordering the service, the payment for the first month is deducted from the balance, and subsequent payments are deducted automatically at the beginning of each following period.
Depending on the type of balance in your account, a unified balance or master balance is used to pay for the service.
Order the service
The minimum connection time is 1-2 days. If you need the protection connected urgently, create a ticket and specify the domain and IP address to be protected and the email for registration in the DDoS-Guard control panel. After creating the ticket, call us.
- If the domain IP address is already known to attackers, order and configure a new subnet.
- Order the DDoS-Guard Website Protection and Acceleration service.
- Specify the protected address in the domain A record.
- Optional: restrict connection to the server by IP addresses.
- Optional: configure additional protection.
1. Order and configure a new subnet
A new subnet is required if your servers are under attack and the target IP address is already known to attackers.
Order a subnet and configure an address from it on your server:
- for a dedicated server, use the Connect additional public IP addresses section of the Dedicated Server Public Networks and Subnets guide;
- for a cloud server, use the Create public subnet section of the Public subnets guide.
2. Order the service
Before connecting the service, top up your balance with the required amount.
- In the control panel, on the top menu, click Products and select DDoS Protection.
- Go to the DDoS Protection section.
- Click Order services.
- In the row for the required plan DDoS-Guard. Website protection and acceleration (Normal, Medium, Premium, Enterprise), click Pay.
- Verify the details and click Pay for service.
- We will create a ticket to connect the service and confirm the connection date.
- In this ticket, send us:
  - the domain to be protected;
  - the domain IP address. You can specify multiple IP addresses if they point to the same domain and load balancing is required between them;
  - the email for registration in the DDoS-Guard control panel.
- We will notify you when the service is connected.
3. Specify the protected IP address in the domain A record
1. Go to the DDoS-Guard control panel.
2. Enter the username and password that you received via email when ordering the service.
3. Open the Website protection and acceleration service page.
4. Open the Domains tab.
5. Save the protected IP address specified in the Protected IP field.
6. Go to the control panel of the domain registrar where your domain records are stored.
7. In the domain A record, change the value to the protected IP address you copied in step 5. Do not change the A record value intended for mail server or FTP server traffic.
8. If AAAA records are specified for the domain, delete them. DDoS-Guard does not work with IPv6 addresses, and they may be attacked, bypassing the protection.
9. If you want to protect subdomains, add an A record for each one with the protected IP address. You can protect an unlimited number of subdomains.
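A check for the record changes in this step, as an added example that is not part of the original guide: it parses a zone export and reports web hostnames whose A record is not the protected address or that still have AAAA records, and lists other A records that are not behind the protected address. The zone text, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed zone export; addresses are from documentation ranges, not real data.
SAMPLE_ZONE = """\
example.com.      300 IN A    203.0.113.10
example.com.      300 IN AAAA 2001:db8::10
www.example.com.  300 IN A    198.51.100.7
shop.example.com. 300 IN A    203.0.113.10
mail.example.com. 300 IN A    198.51.100.7
example.com.      300 IN MX   10 mail.example.com.
"""

def parse_zone(text):
    """Return {name: {"A": [...], "AAAA": [...]}} from 'name ttl IN type value' lines."""
    records = defaultdict(lambda: {"A": [], "AAAA": []})
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing ';' comments
        if len(fields) < 5 or fields[3].upper() not in ("A", "AAAA"):
            continue
        name = fields[0].rstrip(".").lower()
        records[name][fields[3].upper()].append(str(ipaddress.ip_address(fields[4])))
    return records

def audit(zone_text, protected_ip, web_names):
    """Check web_names (lowercase, no trailing dot); return (level, name, message) tuples."""
    protected_ip = str(ipaddress.ip_address(protected_ip))
    records = parse_zone(zone_text)
    findings = []
    for name in sorted(web_names):
        rec = records.get(name, {"A": [], "AAAA": []})
        if not rec["A"]:
            findings.append(("fix", name, "no A record"))
        for addr in rec["A"]:
            if addr != protected_ip:
                findings.append(("fix", name, f"A record {addr} is not the protected address"))
        for addr in rec["AAAA"]:
            findings.append(("fix", name, f"AAAA record {addr} bypasses filtering"))
    # Names left on their own address (mail, FTP): listed so the operator can review them.
    for name in sorted(set(records) - set(web_names)):
        for addr in records[name]["A"]:
            if addr != protected_ip:
                findings.append(("review", name, f"A record {addr} is not behind the protected address"))
    return findings

if __name__ == "__main__":
    web = {"example.com", "www.example.com", "shop.example.com"}
    for level, name, msg in audit(SAMPLE_ZONE, "203.0.113.10", web):
        print(f"[{level}] {name}: {msg}")
```

The "review" entries are not errors under this guide, which leaves mail and FTP records unchanged; they show which addresses stay visible in DNS.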
4. Optional: restrict connection to the server by IP addresses
You can restrict connections to your server from all IP addresses except for trusted DDoS-Guard IP addresses. For more information on configuring this, see the Firewall configuration subsection of the Configuring L7 level protection guide in the DDoS-Guard documentation.
5. Optional: configure additional protection
You can configure additional protection in the DDoS-Guard control panel. For example, configure traffic filtering rules, enable geo-blocking, or choose other options. A full list of options is available in the Website protection section of the DDoS-Guard documentation.
To configure additional protection:
- Log in to the control panel. To log in, use the username and password that you received via email when ordering the service.
- Perform the configuration according to the necessary instructions in the Website protection section of the DDoS-Guard documentation.
View statistics
- Go to the control panel. To log in, use the username and password that you received via email when ordering the service.
- View statistics by following the L7 attacks and attack reports article in the DDoS-Guard documentation.
Disable the service
- Ensure you have reconfigured traffic reception to use an address from your subnet. The protected address you received when ordering the service will be disabled along with the protection.
- Open the control panel of the domain registrar where your domain records are stored.
- In the domain A record, change the value to an address from your subnet.
- In the control panel, on the top menu, click Products and select DDoS Protection.
- Go to the DDoS Protection section.
- In the service menu, select Disable monthly payment. The service will function until the end of the paid period.
- We will deactivate the service after the end of the paid period.