StormWall protection
StormWall protection is a solution based on a partner product from StormWall. Services available:
- DDoS protection for networks: acts at the network (L3) and transport (L4) layers. It protects against DDoS attacks that exploit weaknesses in TCP/IP protocols and are aimed at exhausting traffic bandwidth and disrupting network infrastructure;
- DDoS site protection: acts at the application level (L7). It allows you to block attacks on applications and sites and optimizes site loading using HyperCache technology. In addition to the service, you can connect site protection with WAF to protect an application or site from targeted attacks.
DDoS protection for networks
Principle of operation
If you have your own AS (autonomous system) with a prefix of /24 or higher, a BGP session is established and StormWall accepts your announcements.
If you don't have an AS, specify this in the ticket when ordering the service; we will find a connection option on a case-by-case basis.
All incoming traffic is sent to StormWall filtering nodes, where it is analyzed and cleaned, and then redirected to the protected server.
All nodes in the StormWall network operate independently of the others. If the filtering node closest to you becomes unavailable, traffic is automatically redirected to the next closest node.
Cost
The cost of the service is made up of:
- the selected DDoS Protection service tariff with the required bandwidth. The minimum bandwidth in the tariff is 50 Mbps;
- the cost of additional protected IPv4 addresses. By default, one secure IP address is provided with the protection service; for each additional server in the pool, an additional secure address must be ordered;
- the cost of legitimate traffic volume in excess of that provided for in the tariff;
- the cost of a new subnet if it is needed to connect the service.
To see prices for DDoS protection service, please visit selectel.ru.
On the day of connection, a one-time payment equal to the cost of the selected tariff is debited. Then the payment is deducted automatically on the first day of each month. The invoice for payment of legitimate traffic bandwidth in excess of the one provided for in the tariff is generated in the control panel within five working days after the end of the calendar month.
A single balance or a basic balance is used to pay for the service depending on the type of balance in the account.
Connect the service
- If your server in the Selectel infrastructure has only a public shared address or a public IP address, or your servers are already under attack, order and configure a new subnet.
- Order DDoS protection for your network.
1. Order and configure a new subnet
A new subnet is required if:
- your server only has a public shared address (/32);
- or your servers are under attack and the target IP address is already known to the attackers.
Order a subnet and configure the address from it on the server:
- For a dedicated server, use the Connect additional public IP addresses subsection of the dedicated server IP address instructions;
- For a cloud server, use the Configure access to and from the Internet via a public subnet subsection of the Configure access to and from the Internet instructions.
2. Order a service
- Create a ticket. In the ticket specify:
  - service name - DDoS StormWall DDoS protection for networks;
  - service tariff;
  - the presence or absence of your own AS;
  - if you do not have your own AS, specify IP addresses from the /32 or /24 subnet to be protected;
  - whether your IP addresses are outside the Selectel infrastructure;
  - services that run on the specified IP addresses;
  - the amount of legitimate traffic;
  - the date of connection;
  - email to register in the StormWall personal account. The login details will be sent to this email;
  - if additional IP addresses are required, specify the number. By default, one protected IP address is provided with the protection service. If you need to protect more than one server in the pool, order an additional protected address for each of them.
- We will notify you of the connection in a ticket.
Deactivate the service
Once the service is disabled, traffic will no longer pass through StormWall filtering nodes.
If you wish to disconnect the service before the end of the paid month, payment for the unused balance of the month will not be refunded.
To disable the service, create a ticket.
DDoS site protection
Working principle
You receive a secure address to which you need to redirect your traffic. All traffic to the protected address is sent to StormWall filtering nodes, where it is analyzed and cleaned, and then redirected to the protected server in the Selectel infrastructure.
Connecting the service will not protect against DDoS attacks if the attackers know the target IP address. Before connecting, you should remove all references to IP addresses you want to protect from external resources. If the addresses are already under attack, you should order a new subnet and configure it on your servers.
Cost
The cost of the service is made up of:
- the selected tariff of the DDoS Protection service;
- the cost of additional protected IPv4 addresses if more than one IP address needs to be protected. One protected address is included in the tariff price;
- the cost of legitimate traffic volume in excess of that provided for in the tariff;
- the cost of a new subnet if it is needed to connect the service.
To see the prices for DDoS protection service, please visit selectel.ru.
On the day of connection, a one-time payment equal to the cost of the selected tariff is debited. Then the payment is deducted automatically on the first day of each month. The invoice for payment of legitimate traffic bandwidth in excess of the one provided for in the tariff is generated in the control panel within five working days after the end of the calendar month.
A single balance or a basic balance is used to pay for the service depending on the type of balance in the account.
Connect the service
- If the IP address of the domain is already known to attackers, order and configure a new subnet.
- Order DDoS protection service.
- Specify a protected address in the domain's A-record.
- Make the settings on the server.
- Optional: make additional settings.
1. Order and configure a new subnet
A new subnet is required if your servers are under attack and the target IP address is already known to the attackers.
Order a subnet and configure the address from it on the server:
- For a dedicated server, use the Connect additional public IP addresses subsection of the dedicated server IP address instructions;
- For a cloud server, use the Create a public subnet subsection of the Public Subnets instruction.
2. Order a service
- Create a ticket. In the ticket specify:
  - service name - DDoS StormWall DDoS protection;
  - service tariff;
  - a domain that needs to be put under protection;
  - domain IP address. You can specify multiple IP addresses and second-level domains;
  - the total volume of legitimate traffic on all web resources;
  - the date of connection;
  - email to register in the StormWall personal account. The login details will be sent to this email.
- We will notify you of the connection in a ticket.
3. Specify a protected address in the A-record of the domain
1. Open your StormWall personal account.
2. Enter the login and password you received by email when ordering the service.
3. Open the DDoS Protection service page.
4. In the Objects block, click Add Object.
5. Enter the name of the domain.
6. Click Add. The added domain will appear in the Objects block.
7. Click on the line with the added domain.
8. Go to the Protection Object section.
9. In the Assigned IP block, copy the IP address. This is the secure IP address that is assigned to you.
10. Open your domain registrar's control panel where your domain records are stored.
11. In the domain A record, change the value to the secure IP address that you copied in step 9. Do not change the value of an A-record intended for mail server or FTP server traffic. DNS records propagate within 24 hours.
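A check for the step above and for the earlier warning about target addresses known to attackers, as an added example that is not part of the Selectel or StormWall documentation: it reads a zone export and lists records that still bypass the protected address or reference the original server address. The zone contents, names and addresses are constructed (RFC 5737 ranges), and parse_zone and audit are hypothetical helper names.

```python
import ipaddress
import re

# Constructed zone export: RFC 5737 documentation addresses, example.com names.
ZONE = """\
example.com.       300 IN A   198.51.100.10
www.example.com.   300 IN A   203.0.113.25
mail.example.com.  300 IN A   203.0.113.25
ftp.example.com.   300 IN A   203.0.113.40
example.com.       300 IN MX  10 mail.example.com.
example.com.       300 IN TXT "v=spf1 ip4:203.0.113.0/24 -all"
"""

def parse_zone(text):
    """Yield (name, type, rdata) from one-line 'name ttl IN type rdata' records."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        yield name.rstrip(".").lower(), rtype.upper(), rdata.strip()

def audit(zone_text, web_names, protected_ip, origin_net):
    """Return (name, type, problem) for records that bypass or reveal the origin."""
    protected = ipaddress.ip_address(protected_ip)
    origin = ipaddress.ip_network(origin_net)
    a_map = {}  # name -> addresses, used to resolve MX targets inside the zone
    for name, rtype, rdata in parse_zone(zone_text):
        if rtype == "A":
            a_map.setdefault(name, []).append(ipaddress.ip_address(rdata))
    findings = []
    for name, rtype, rdata in parse_zone(zone_text):
        if rtype == "A":
            addr = ipaddress.ip_address(rdata)
            if name in web_names and addr != protected:
                findings.append((name, "A", "web name not on protected address"))
            elif name not in web_names and addr in origin:
                findings.append((name, "A", "record exposes origin address"))
        elif rtype == "MX":
            target = rdata.split()[-1].rstrip(".").lower()
            if any(a in origin for a in a_map.get(target, [])):
                findings.append((name, "MX", "mail target resolves to origin"))
        elif rtype == "TXT":
            for net in re.findall(r"ip4:([0-9./]+)", rdata):
                if ipaddress.ip_network(net, strict=False).overlaps(origin):
                    findings.append((name, "TXT", "SPF lists origin range"))
    return findings

if __name__ == "__main__":
    print(audit(ZONE, {"example.com", "www.example.com"}, "198.51.100.10", "203.0.113.25/32"))
```

Here 198.51.100.10 stands in for the address copied from the Assigned IP block and 203.0.113.25 for the server's own address; an empty result means no record in the export still points visitors or observers at the server directly.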
4. Make settings on the server
To add StormWall outgoing addresses to the trusted list, use the On your server side subsection of the Activating the Service instructions in the StormWall documentation.
5. Optional: make additional settings
You can configure balancing, caching, and redirects, and issue an SSL certificate, following the Protection Object instructions in the StormWall documentation.
Deactivate the service
Once the service is disabled, traffic will no longer pass through StormWall filtering nodes.
If you wish to disconnect the service before the end of the paid month, payment for the unused balance of the month will not be refunded.
- Make sure that you have reconfigured traffic reception to an address from your subnet. The protected address issued when the service was activated will be deactivated along with the protection.
- Open your domain registrar's control panel where your domain records are stored.
- In the domain A record, change the value to an address from your subnet.
- Create a ticket. In the ticket, specify that you want to disable the StormWall DDoS Protection service.