StormWall protection
StormWall protection is a solution based on a partner product from StormWall. Services available:
- DDoS protection for networks — Acts at the network (L3) and transport (L4) layers. Protects against DDoS attacks that exploit weaknesses in TCP/IP protocols and are aimed at exhausting traffic bandwidth and disrupting network infrastructure;
- DDoS site protection — Acts at the application level (L7). Allows you to block attacks on applications and sites, optimizes site loading with HyperCache technology. In addition to the service, you can connect site protection with WAF to protect an application or site from targeted attacks.
DDoS protection for networks
Principle of operation
The service protects only IP addresses that are assigned to equipment in the Selectel infrastructure. The service can be activated only for addresses from a public dedicated subnet or a public subnet. It is not available for addresses from a shared subnet (/32) or public IP addresses.
If you have your own AS, after the service is ordered, a BGP session is raised to announce IP prefixes. StormWall accepts the announcements. If you do not have an AS, specify it in the ticket when ordering the service, we will select a connection option individually.
All incoming traffic is sent to StormWall filtering nodes, where it is analyzed and cleaned, and then redirected to the protected server in the Selectel infrastructure.
If the filtering node closest to you becomes unavailable, traffic is automatically redirected to the next closest node.
Cost
The cost of the service is the sum of:
- the selected tariff of the DDoS Protection service with the required bandwidth. The minimum bandwidth in the tariff is 50 Mbps;
- by default, one secure IP address is provided with the protection service; for each additional server in the pool, an additional secure address must be ordered;
- the cost of legitimate traffic volume in excess of that provided for in the tariff;
- the cost of a new subnet if it is needed to connect the service.
To see prices for DDoS protection service, please visit selectel.ru.
On the day of connection a one-time payment equal to the cost of the selected tariff is deducted. Then the payment is deducted automatically on the first day of each month. The invoice for payment of legitimate traffic bandwidth in excess of that provided for in the tariff is generated in the control panel within five working days after the end of the calendar month.
A single balance or a basic balance is used to pay for the service depending on the type of balance in the account.
Connect the service
- If your server only has a public shared address or a public IP address or your servers are already under attack, order and configure a new subnet.
- Order DDoS protection for your network.
1. Order and configure a new subnet
A new subnet is required if:
- your server only has a public shared address (/32);
- or your servers are under attack and the target IP address is already known to the attackers.
Order a subnet and configure the address from it on the server:
- For a dedicated server, use the Connect additional public IP addresses subsection of the dedicated server IP address instructions;
- For a cloud server, use the Configure access to and from the Internet via a public subnet subsection of the Configure access to and from the Internet instructions.
2. Order a service
- Create a ticket. In the ticket specify:
  - service name — DDoS StormWall DDoS protection for networks;
  - service rate;
  - IP address;
  - whether you have your own AS, and its number if you do;
  - the amount of legitimate traffic;
  - the date of connection;
  - email to register in the StormWall personal cabinet. The data for logging into the personal cabinet will be sent to this email;
  - if you need additional IP addresses, specify the number. By default, one protected IP address is provided with the protection service. If you need to protect more than one server in the pool, order an additional protected address for each of them.
- We will notify you of the connection in a ticket.
Deactivate the service
Once the service is disabled, traffic will no longer pass through StormWall filtering nodes.
If you wish to disconnect the service before the end of the paid month, payment for the unused balance of the month will not be refunded.
To disable the service, create a ticket.
DDoS site protection
Principle of operation
All traffic to the protected address is sent to StormWall filtering nodes, where it is analyzed and cleaned, and then redirected to the protected server in the Selectel infrastructure.
Connecting the service will not protect against DDoS attacks if the attackers know the target IP address. Before connecting, it is necessary to remove from external resources all mentions of IP addresses you want to protect. If the addresses are already under attack, it is necessary to order a new subnet and configure it on your servers.
Cost
The cost of the service is the sum of:
- the selected tariff of the DDoS Protection service;
- the cost of additional protected IPv4 addresses, if you need to protect more than one IP address. One protected address is included in the tariff price;
- the cost of legitimate traffic volume in excess of that provided for in the tariff;
- the cost of a new subnet if it is needed to connect the service.
To see prices for DDoS protection service, please visit selectel.ru.
On the day of connection a one-time payment equal to the cost of the selected tariff is deducted. Then the payment is deducted automatically on the first day of each month. The invoice for payment of legitimate traffic bandwidth in excess of that provided for in the tariff is generated in the control panel within five working days after the end of the calendar month.
A single balance or a basic balance is used to pay for the service depending on the type of balance in the account.
Connect the service
- If the IP address of the domain is already known to attackers, order and configure a new subnet.
- Order DDoS protection service.
- Specify a protected address in the domain's A-record.
- Make the settings on the server.
1. Order and configure a new subnet
A new subnet is required if your servers are under attack and the target IP address is already known to the attackers.
Order a subnet and configure the address from it on the server:
- For a dedicated server, use the Connect additional public IP addresses subsection of the dedicated server IP address instructions;
- For a cloud server, use the Create a public subnet subsection of the Public Subnets instruction.
2. Order a service
- Create a ticket. In the ticket specify:
  - service name — DDoS StormWall DDoS protection;
  - service rate;
  - a domain that needs to be put under protection;
  - domain IP address. You can specify multiple IP addresses and second-level domains;
  - the total volume of legitimate traffic on all web resources;
  - the date of connection;
  - email to register in the StormWall personal cabinet. The data for logging in to the personal cabinet will be sent to this email.
- We will notify you of the connection in a ticket.
3. Specify a protected address in the A-record of the domain
1. Open your StormWall personal account.
2. Enter the login and password you received by email when ordering the service.
3. Open the DDoS Protection service page.
4. In the Objects block, click Add Object.
5. Enter the name of the domain.
6. Click Add. The added domain will appear in the Objects block.
7. Click on the line with the added domain.
8. Go to the Protection Object section.
9. Configure the settings as described in the Protection Object section of the StormWall documentation.
10. In the Protection Object section, in the Assigned IP block, copy the IP address. This is the protected IP address that is assigned to you.
11. Open your domain registrar's control panel where your domain records are stored.
12. In the domain A record, change the value to the secure IP address that you copied in step 10. Do not change the value of the A-record intended for mail server or FTP server traffic.
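After the A record is switched, it is worth checking your own zone for web names that were missed. The following is an added example, not part of the original instructions: it classifies every A record (following CNAMEs inside the zone) as pointing at the protected address, deliberately kept on the origin (mail/FTP), or still at the origin. The zone contents, addresses and the `audit_zone` name are constructed for illustration.

```python
import ipaddress

# All values are constructed for illustration (RFC 5737 documentation ranges).
PROTECTED_IP = "203.0.113.10"       # the "Assigned IP" copied from StormWall
ORIGIN_SUBNET = "198.51.100.0/29"   # your own public subnet
KEEP_LABELS = {"mail", "ftp"}       # records the procedure leaves unchanged

ZONE = [  # (name, type, value), e.g. exported from the registrar panel
    ("example.com.", "A", "203.0.113.10"),
    ("www.example.com.", "A", "198.51.100.2"),
    ("mail.example.com.", "A", "198.51.100.3"),
    ("ftp.example.com.", "A", "198.51.100.3"),
    ("dev.example.com.", "CNAME", "www.example.com."),
    ("example.com.", "MX", "10 mail.example.com."),
]

def audit_zone(records, protected_ip, origin_subnet, keep=KEEP_LABELS):
    """Return sorted (name, address, status) for every name ending in an A record."""
    protected = ipaddress.ip_address(protected_ip)
    origin = ipaddress.ip_network(origin_subnet)
    a_recs, cnames = {}, {}
    for name, rtype, value in records:
        if rtype == "A":
            a_recs.setdefault(name.lower(), []).append(value)
        elif rtype == "CNAME":
            cnames[name.lower()] = value.lower()

    def resolve(name, seen=frozenset()):
        # Follow CNAME chains inside the zone; stop on loops or dangling targets.
        if name in a_recs:
            return a_recs[name]
        if name in cnames and name not in seen:
            return resolve(cnames[name], seen | {name})
        return []

    findings = []
    for name in sorted(set(a_recs) | set(cnames)):
        for addr in resolve(name):
            ip = ipaddress.ip_address(addr)
            if ip == protected:
                status = "protected"
            elif ip in origin:
                # mail/FTP stay on the origin by design; anything else was missed.
                status = "kept" if name.split(".")[0] in keep else "still-at-origin"
            else:
                status = "outside-subnet"
            findings.append((name, addr, status))
    return findings

if __name__ == "__main__":
    for row in audit_zone(ZONE, PROTECTED_IP, ORIGIN_SUBNET):
        print(*row)
```

Any `still-at-origin` row is a web name that continues to publish an address from your subnet; `kept` rows are worth reviewing to confirm they do not share an address with the protected web server.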
4. Make settings on the server
To add StormWall outbound addresses to the trusted list, follow the On your server side subsection of the Activating the service instructions in the StormWall documentation.
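Once the trusted list is in place, web requests should reach the server only from StormWall outbound addresses. The following added example (not from the original instructions or the StormWall documentation) scans an access log for requests whose source is outside the trusted list, which indicates traffic reaching the origin directly. The CIDR range, log lines and the `direct_hits` name are constructed placeholders; take the real outbound addresses from the StormWall documentation.

```python
import ipaddress
import re
from collections import Counter

# Placeholder range (RFC 5737); the real StormWall outbound addresses are
# listed in the StormWall documentation, not on this page.
TRUSTED_CIDRS = ["192.0.2.0/28"]

# Constructed access-log lines in the common nginx/Apache layout.
SAMPLE_LOG = """\
192.0.2.5 - - [10/Mar/2025:12:00:01 +0000] "GET / HTTP/1.1" 200 512
192.0.2.9 - - [10/Mar/2025:12:00:02 +0000] "GET /login HTTP/1.1" 200 734
198.51.100.77 - - [10/Mar/2025:12:00:02 +0000] "GET / HTTP/1.1" 200 512
198.51.100.77 - - [10/Mar/2025:12:00:03 +0000] "GET / HTTP/1.1" 200 512
not a log line
2001:db8::1 - - [10/Mar/2025:12:00:04 +0000] "POST /api HTTP/1.1" 403 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} ')

def direct_hits(log_text, trusted_cidrs):
    """Count requests per source address that did not come via a trusted range.

    Returns (hits, skipped): hits maps source address -> request count,
    skipped is the number of lines that could not be parsed.
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits, skipped = Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            skipped += 1        # first field is a hostname or garbage
            continue
        # An IPv6 source never matches an IPv4 range, so it is reported too.
        if not any(src in net for net in nets):
            hits[str(src)] += 1
    return dict(hits), skipped

if __name__ == "__main__":
    hits, skipped = direct_hits(SAMPLE_LOG, TRUSTED_CIDRS)
    for addr, count in sorted(hits.items()):
        print(f"{addr}\t{count} request(s) bypassed the filtering nodes")
    print(f"unparsed lines: {skipped}")
```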
Deactivate the service
Once the service is disabled, traffic will no longer pass through StormWall filtering nodes.
If you wish to disconnect the service before the end of the paid month, payment for the unused balance of the month will not be refunded.
- Make sure that you have reconfigured traffic reception to an address from your subnet. The protected address issued when you connected the service will be deactivated along with the protection.
- Open your domain registrar's control panel where your domain records are stored.
- In the domain A record, change the value to an address from your subnet.
- Create a ticket. In the ticket, specify that you want to disable the StormWall DDoS Protection service.