Skip to main content
DDoS Guard L3-L4
Last update:

DDoS Guard L3-L4

DDoS GuarD L3-L4 protection is a solution based on a partner product from DDoS-Guard.

The service protects against DDoS attacks at the network and transport layer (L3-L4):

  • for bandwidth exhaustion and disruption of network infrastructure;
  • on the weaknesses of TCP/IP protocols.

The service only protects IP addresses assigned to equipment in the Selectel infrastructure. The service does not protect against application layer attacks (L7), for this purpose select a different type of protection.

The service protects only IP addresses assigned to equipment in the Selectel infrastructure. The service cannot be activated for addresses from a shared subnet (/32) or public IP addresses, only for addresses from the public dedicated subnet or public subnet.

If you need to protect equipment in different pools, connect a separate protection service for each pool.

Principle of operation

After ordering the service, a secure IPv4 address is assigned to your server, services are reassigned to receive traffic through the secure address.

Incoming traffic passes through filtering nodes in different parts of the world, where it is analyzed and cleaned. Each incoming packet is filtered. The cleaned traffic is sent to the server.

Connecting the service will not protect against DDoS attacks if the attackers know the target IP address. Before connecting, you should remove all references to the IP addresses you want to protect from external resources. If the addresses are already under attack, you should order a new subnet and configure it on your servers.

Cost

The cost of the service is made up of:

  • of the selected service tariff DDoS Guard protection against DDoS L3-L4;
  • the cost of additional secure IPv4 addresses. The first secure address is free of charge, each additional server in the pool requires an additional secure address;
  • the cost of a new subnet if it is needed to connect the service.

The following is used to pay for the service depending on the type of balance in the account single balance or basic balance. The service is paid monthly, when ordering the service the payment for the first month is deducted from the balance, further payments are deducted automatically at the beginning of each following period. The start of commercial use of the service is agreed individually.

Connect DDoS Guard L3-L4

  1. If your server only has a public shared address or public IP address, or your servers are already under attack, order and configure a new subnet.
  2. Order DDoS Guard DDoS Protection service (L3-L4).
  3. If you need to protect more than one server in a pool, order additional secure IP addresses.
  4. Configure a secure IP address on the server.

Order and configure a new subnet

A new subnet is required if your server only has a public shared address (/32), or your servers are already under attack, i.e. the target IP address is already known to the attackers.

Order a subnet and configure the address from it on the server:

Order a service

If you need to protect your equipment in different poolahs For each pool, activate a separate protection service.

  1. В control panels go to Network servicesDDoS protection.

  2. Click Order services.

  3. Select a service DDoS Guard DDoS protection (L3-L4) with the necessary bandwidth.

  4. Click Pay.

  5. Click Pay for the service.

  6. We will send you a ticket with the details. When the protection is connected, in the same ticket we will send:

    • a secure IP address that will need to be serverize;
    • login details to the partner's personal account, where you can view statistics.

Order additional secure IP addresses

One secure IP address is provided with the protection service. If you need to protect more than one server in the pool, you need an additional protected address for each server.

  1. В control panels go to Network servicesDDoS protection.
  2. Click Order services.
  3. Select a service DDoS Guard DDoS protection (L3-L4) — additional IP address.
  4. Click Pay.
  5. Click Pay for the service.

Configure a secure IP address on the server

  1. Connect to the server via SSH or through KVM console.

  2. Open the utility configuration file netplan word processor vi:

    vi /etc/netplan/50-cloud-init.yaml

    or

    vi /etc/netplan/01-netcfg.yaml
  3. Add the optional address data after the file contents:

    <eth_name>:0:
    addresses: [<ip_address>/32]

    Specify:

    • <eth_name> — the name of the network interface to which you want to add an additional address;
    • <ip_address> — the secure IP address you received in the ticket.
  4. Press the key ESC.

  5. Exit the text editor vi with the changes intact:

    :wq
  6. Apply the configuration:

    netplan apply
  7. Optional: reboot the server.

  8. Configure all server applications to work with a secure IP address.

View statistics

  1. Go to partner account. The data for logging in to the cabinet can be found in the service connection ticket.
  2. Open the tab IP transit. This displays statistics on total traffic, before filter cleaning. The graphs are based on five-minute traffic measurements, so the peaks can be smoothed out.

Disable DDoS Guard L3-L4

  1. Make sure that you have reconfigured traffic reception to an address from your subnet. The protected address issued when the service was activated will be deactivated along with the protection.
  2. В control panels go to Network servicesDDoS protection.
  3. Against the desired service, press the menu Deactivate monthly payment. The service will run until the end of the paid period and will be disconnected.