Selectel Protection

Last update: October 02 2025

Selectel protection is enabled by default for products:

• Dedicated servers
• Equipment placement
• A-DC
• Cloud servers
• Managed Kubernetes
• Cloud databases

For VMware-based Cloud and Fault Tolerant Load Balancer products, a comprehensive protection solution — DDoS-Guard L3-L4 Protection — is automatically enabled.

Protection against DDoS attacks

What types of attacks Selectel's defenses reflect

Protection is provided on  network and transport (L3, L4) layers and protects services from types of attacks:

• UDP-based reflection attacks (DNS, NTP, memcache, etc.);
• attacks using fragmented IP traffic;
• TCP SYN/RST/PSH flood;
• different types of UDP floods;
• different types of ICMP floods.

What types of attacks Selectel's defenses do not reflect

Selectel protection does not protect against application-level (L7) DDoS attacks, nor against attacks that require simultaneous analysis of traffic in both directions to detect:

• attacks with valid TCP connections;
• attacks with valid HTTP and HTTPS requests;
• attacks on bottlenecks or vulnerabilities of the attacked service.

To increase the security of the service, you can connect additional security.

Principle of operation

Selectel protection is automatically enabled for all IP addresses in the Selectel standalone system.Client IP addresses (PI and announced as part of the BGP Connection service) that are routed within the Selectel network are also protected.

When Selectel protection works, only incoming traffic is analyzed, with no restrictions.

Depending on the type of attack detected, filters are dynamically configured on edge routers to block unwanted traffic.If the level of any traffic exceeds a predetermined threshold, the filter imposes a restriction on its passage through the network.In this case, the traffic is not blocked completely, but only the part of it that is related to the DDoS attack is excluded.

Cost

Selectel protection is provided free of charge.

Limitations

If an attack negatively impacts the network infrastructure for a long period of time, incoming traffic can be blocked using blackhole (RTBH).

If a blocking decision is made, we will create a ticket and send it to you.To remove the blocking, reply in the ticket.Automatically, the blocking is removed after eight hours.