DDoS Guard L3-L4

Last update: April 01 2024

DDoS Guard L3-L4

DDoS GuarD L3-L4 protection is a solution based on a partner product from DDoS-Guard.

The service protects against DDoS attacks at the network and transport layer (L3-L4):

• for bandwidth exhaustion and disruption of network infrastructure;
• on the weaknesses of TCP/IP protocols.

The service protects only IP addresses assigned to equipment in the Selectel infrastructure. The service does not protect against application-level attacks (L7), for this select another type of protection.

The service protects only IP addresses assigned to equipment in the Selectel infrastructure. The service cannot be activated for addresses from a shared subnet (/32) or public IP addresses, only for addresses from public dedicated subnet or public subnet.

If you need to protect equipment in different pools, connect a separate protection service for each pool.

Working principle⁠

After ordering the service, a secure IPv4 address is assigned to your server, services are reassigned to receive traffic through the secure address.

Incoming traffic passes through filtering nodes in different parts of the world, where it is analyzed and cleaned. Every incoming packet is filtered. The cleaned traffic is routed to the server.

Connecting the service will not protect against a DDoS attack if the attackers know the target IP address. Before connecting, you must remove any mention of IP addresses you want to protect from external resources. If addresses are already under attack, you need to order a new subnet and configure it on your servers.

Cost⁠

The cost of the service is made up of:

• of the selected service tariff DDoS Guard DDoS Protection L3-L4;
• the cost of additional secure IPv4 addresses. The first secure address is free of charge, each additional server in the pool requires an additional secure address;
• the cost of a new subnet if it is needed to connect the service.

The united-balance or basic-balance is used to pay for the service depending on the balance type in the account. The service is paid monthly, when ordering the service the payment for the first month is deducted from the balance, further payments are deducted automatically at the beginning of each following period. The commencement of commercial use of the service is agreed upon on an individual basis.

Connect DDoS Guard L3-L4⁠

1. If your server only has a public shared address or public IP address, or your servers are already under attack, order and configure a new subnet.
2. Order DDoS Guard DDoS Protection (L3-L4).
3. If you need to protect more than one server in the pool, order additional protected IP addresses.
4. Configure a secure IP address on the server.

1. Order and configure a new subnet⁠

A new subnet is required if your server has only a public shared address (/32), or your servers are already under attack, i.e. the target IP address is already known to the attackers.

Order a subnet and configure the address from it on the server:

• For a dedicated server, public dedicated subnet;
• for the cloud server, public subnet.

2. Order the service⁠

If you need to protect equipment in different pools, connect a separate protection service for each pool.

1. In Control Panel, go to Network Services → DDDoS Protection.

2. Click Service Order.

3. Choose the DDoS Guard DDoS Protection (L3-L4) service with the bandwidth you need.

4. Click Pay.

5. Click Pay for Service.

6. We will send you a ticket with the details. When the defense is connected, in the same ticket we will send:

   • secure IP address to be configured on the server;
   • login data to the partner's personal cabinet, where you can view statistics.

3. Order additional secure IP addresses⁠

One secure IP address is provided with the protection service. If you need to protect more than one server in a pool, you need an additional protected address for each one.

1. In Control Panel, go to Network Services → DDDoS Protection.
2. Click Service Order.
3. Select DDoS Guard DDoS Protection (L3-L4) — additional IP address.
4. Click Pay.
5. Click Pay for Service.

4. Configure a secure IP address on the server⁠

Ubuntu

1. Connect to the server via SSH or via KVM-console.

2. Open the netplan utility configuration file with the vi text editor:

   vi /etc/netplan/50-cloud-init.yaml

   or

   vi /etc/netplan/01-netcfg.yaml

3. Add the optional address data after the file contents:

   <eth_name>:0:
       addresses: [<ip_address>/32]

   Specify:

   • <eth_name> is the name of the network interface to which you want to add the additional address;
   • <ip_address> is the secure IP address that was received in the ticket.

4. Press the ESC key.

5. Exit the vi text editor with the changes saved:

   :wq

6. Apply the configuration:

   netplan apply

7. Optional: reboot the server.

8. Configure all server applications to work with a secure IP address.

Debian

1. Connect to the server via SSH or via KVM-console.

2. Open the network interfaces configuration file with the vi text editor:

   vi /etc/network/interfaces/

3. Add the additional address data after the content:

   auto <eth_name>:0
   iface <eth_name>:0 inet static
   address <ip_address>/32
   mtu 1500

   Specify:

   • <eth_name> is the name of the network interface to which you want to add the additional address;
   • <ip_address> is the secure IP address that was received in the ticket.

4. Press the ESC key.

5. Exit the vi text editor with the changes saved:

   :wq

6. Restart the network:

   service networking restart

7. Optional: reboot the server.

8. Configure all server applications to work with a secure IP address.

CentOS

1. Connect to the server via SSH or via KVM-console.

2. Output information about the network interfaces:

   ip address

3. Open the network interface configuration file with the vi text editor:

   vi /etc/sysconfig/network-scripts/ifcfg-<eth_name>:0

   Specify <eth_name> — the name of the network interface to which you want to add the additional address.

4. Add the additional address data to the file:

   DEVICE=<eth_name>:0
   ONBOOT=yes
   BOOTPROTO=static
   IPADDR=<ip_address>
   NETMASK=255.255.255.255.255

   Specify:

   • <eth_name> is the name of the network interface to which you want to add the additional address;
   • <ip_address> is the secure IP address that was received in the ticket.

5. Press the ESC key.

6. Exit the vi text editor with the changes saved:

   :wq

7. Restart the network:

   service network restart

8. Configure all server applications to work with a secure IP address.

Windows

1. Connect to the server via RDP or via KVM-console.
2. Go to Ethernet settings → Change adapter settings.
3. Open the connection settings and right-click on the desired device.
4. Select Properties → double-click Internet Protocol Version 4 (TCP/IPv4) in the list.
5. Make sure the Use the following IP address option is selected.
6. Press Advanced.
7. Press Add.
8. In the IP address field, enter the secure IP address you received in the ticket.
9. Press Add.
10. Press OK.
11. Configure all server applications to work with a secure IP address.

View statistics⁠

1. Go to partner's personal account. The data for logging in to the cabinet can be found in the service connection ticket.
2. Open the IP transit tab. This displays statistics on total traffic, before filters are cleaned. The graphs are based on five-minute traffic measurements, so peaks can be smoothed out.

Disable DDoS Guard L3-L4⁠

1. Make sure you reconfigure to accept traffic to an address on your subnet. The protected address issued when the service was activated will be deactivated along with the protection.
2. In Control Panel, go to Network Services → DDDoS Protection.
3. Opposite the desired service, press the menu → Disable monthly payment. The service will run until the end of the paid period and will be disconnected.