DDoS Guard L3-L4
DDoS Guard L3-L4 protection is a solution based on a partner product from DDoS-Guard.
The service protects against DDoS attacks at the network and transport layers (L3-L4):
- attacks aimed at exhausting bandwidth and disrupting network infrastructure;
- attacks that exploit weaknesses of the TCP/IP protocols.
The service protects only IP addresses assigned to equipment in the Selectel infrastructure. The service does not protect against application-layer attacks (L7); for that purpose, select a different type of protection.
The service cannot be activated for addresses from a shared subnet (/32) or public IP addresses, only for addresses from the public dedicated subnet or public subnet.
If you need to protect equipment in different pools, connect a separate protection service for each pool.
Principle of operation
After you order the service, a secure IPv4 address is assigned to your server, and services are reconfigured to receive traffic through the secure address.
Incoming traffic passes through filtering nodes in different parts of the world, where it is analyzed and cleaned. Each incoming packet is filtered. The cleaned traffic is sent to the server.
Connecting the service will not protect against DDoS attacks if the attackers know the target IP address. Before connecting, you should remove all references to the IP addresses you want to protect from external resources. If the addresses are already under attack, you should order a new subnet and configure it on your servers.
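One way to audit your own DNS zone for leftover references before connecting, as an added example that is not part of the original page: it scans a zone export for A records and SPF ip4: mechanisms that still contain an address to be protected. The function names, the one-record-per-line zone format and the sample records are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page).
# Reads zone records in "name ttl class type rdata..." form on stdin and prints
# every record that still references one of the original addresses.
# $1: space-separated list of the addresses that are about to be protected.
# Only exact address matches are reported; CIDR ranges in SPF are not expanded.
leaked_references() {
    awk -v ips="$1" '
    BEGIN { n = split(ips, list, " "); for (i = 1; i <= n; i++) orig[list[i]] = 1 }
    /^[ \t]*(;|$)/ { next }                 # skip comments and blank lines
    {
        rtype = $4
        if (rtype == "A" && ($5 in orig)) { print $1, "A", $5; next }
        if (rtype == "TXT") {
            # SPF ip4: mechanisms are an easily overlooked reference
            for (f = 5; f <= NF; f++) {
                tok = $f; gsub(/"/, "", tok)
                if (tok ~ /^ip4:/) {
                    ip = substr(tok, 5); sub(/\/.*/, "", ip)
                    if (ip in orig) print $1, "TXT-SPF", ip
                }
            }
        }
    }'
}

# Constructed sample zone: 198.51.100.7 is the original address,
# 203.0.113.10 stands in for the secure address from the ticket.
sample_zone() {
cat <<'EOF'
; constructed records for illustration
example.test.       300 IN A   198.51.100.7
www.example.test.   300 IN A   203.0.113.10
mail.example.test.  300 IN A   198.51.100.7
example.test.       300 IN TXT "v=spf1 ip4:198.51.100.7 mx -all"
example.test.       300 IN MX  10 mail.example.test.
EOF
}

sample_zone | leaked_references "198.51.100.7"
```

Every line it prints is a record to repoint or remove before the service is connected.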
Cost
The cost of the service is made up of:
- the selected tariff of the DDoS Guard DDoS protection (L3-L4) service;
- the cost of additional secure IPv4 addresses. The first secure address is free of charge, each additional server in the pool requires an additional secure address;
- the cost of a new subnet if it is needed to connect the service.
Depending on the type of balance in the account, the service is paid for from the single balance or the basic balance. The service is paid monthly: when you order the service, the payment for the first month is deducted from the balance, and further payments are deducted automatically at the beginning of each following period. The start of commercial use of the service is agreed individually.
Connect DDoS Guard L3-L4
- If your server only has a public shared address or public IP address, or your servers are already under attack, order and configure a new subnet.
- Order the DDoS Guard DDoS protection (L3-L4) service.
- If you need to protect more than one server in a pool, order additional secure IP addresses.
- Configure a secure IP address on the server.
Order and configure a new subnet
A new subnet is required if your server only has a public shared address (/32), or your servers are already under attack, i.e. the target IP address is already known to the attackers.
Order a subnet and configure the address from it on the server:
- for a dedicated server: a public dedicated subnet;
- for a cloud server: a public subnet.
Order a service
If you need to protect equipment in different pools, activate a separate protection service for each pool.
- In the control panel, go to Network services → DDoS protection.
- Click Order services.
- Select the DDoS Guard DDoS protection (L3-L4) service with the necessary bandwidth.
- Click Pay.
- Click Pay for the service.
- We will send you a ticket with the details. When the protection is connected, we will send in the same ticket:
  - a secure IP address that will need to be configured on the server;
  - login details to the partner's personal account, where you can view statistics.
Order additional secure IP addresses
One secure IP address is provided with the protection service. If you need to protect more than one server in the pool, you need an additional protected address for each server.
- In the control panel, go to Network services → DDoS protection.
- Click Order services.
- Select the service DDoS Guard DDoS protection (L3-L4) — additional IP address.
- Click Pay.
- Click Pay for the service.
Configure a secure IP address on the server
Ubuntu
- Connect to the server via SSH or through the KVM console.
- Open the netplan utility configuration file with the vi text editor:
    vi /etc/netplan/50-cloud-init.yaml
  or
    vi /etc/netplan/01-netcfg.yaml
- Add the additional address data after the file contents:
    <eth_name>:0:
      addresses: [<ip_address>/32]
  Specify:
  - <eth_name>: the name of the network interface to which you want to add an additional address;
  - <ip_address>: the secure IP address you received in the ticket.
- Press the ESC key.
- Exit the vi text editor, saving the changes:
    :wq
- Apply the configuration:
    netplan apply
- Optional: reboot the server.
- Configure all server applications to work with the secure IP address.
Debian
- Connect to the server via SSH or through the KVM console.
- Open the network interfaces configuration file with the vi text editor:
    vi /etc/network/interfaces
- Add the additional address data after the file contents:
    auto <eth_name>:0
    iface <eth_name>:0 inet static
    address <ip_address>/32
    mtu 1500
  Specify:
  - <eth_name>: the name of the network interface to which you want to add an additional address;
  - <ip_address>: the secure IP address you received in the ticket.
- Press the ESC key.
- Exit the vi text editor, saving the changes:
    :wq
- Restart the network:
    service networking restart
- Optional: reboot the server.
- Configure all server applications to work with the secure IP address.
CentOS
- Connect to the server via SSH or through the KVM console.
- Output information about the network interfaces:
    ip address
- Open the configuration file of the network interface with the vi text editor:
    vi /etc/sysconfig/network-scripts/ifcfg-<eth_name>:0
  Specify <eth_name>, the name of the network interface to which you want to add an additional address.
- Add the additional address data to the file:
    DEVICE=<eth_name>:0
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=<ip_address>
    NETMASK=255.255.255.255
  Specify:
  - <eth_name>: the name of the network interface to which you want to add an additional address;
  - <ip_address>: the secure IP address you received in the ticket.
- Press the ESC key.
- Exit the vi text editor, saving the changes:
    :wq
- Restart the network:
    service network restart
- Configure all server applications to work with the secure IP address.
Windows
- Connect to the server via RDP or through the KVM console.
- Go to Ethernet settings → Change adapter settings.
- Open the connection settings and right-click the desired device.
- Select Properties, then in the list double-click Internet Protocol Version 4 (TCP/IPv4).
- Make sure that the option Use the following IP address is selected.
- Click Advanced.
- Click Add.
- In the IP address field, enter the secure IP address you received in the ticket.
- Click Add.
- Click OK.
- Configure all server applications to work with the secure IP address.
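A check for the last step on Linux servers, as an added example that is not part of the original instructions: it reads `ss -H -ltn` output and lists TCP listeners that are still reachable on an address other than the secure one (a wildcard bind also answers on the original address). The function names, addresses and sample output are constructed for the illustration; firewall rules are not taken into account.

```shell
#!/bin/sh
# Added example (not from the original page).
# Input on stdin: output of `ss -H -ltn`
#   columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# $1: the secure IP address received in the ticket.
# Prints "port address reason" for each listener that is not bound
# exclusively to the secure address or to loopback.
unprotected_listeners() {
    awk -v secure="$1" '
    $1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)         # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)     # text before the last colon
        gsub(/\[|\]/, "", addr)                 # strip IPv6 brackets
        sub(/%.*/, "", addr)                    # strip interface scope, e.g. %lo
        if (addr == secure) next                # bound to the secure address
        if (addr ~ /^127\./ || addr == "::1") next   # loopback only
        if (addr == "0.0.0.0" || addr == "*" || addr == "::")
            print port, addr, "wildcard"
        else
            print port, addr, "other-address"
    }'
}

# Constructed sample: 203.0.113.10 stands in for the secure address,
# 198.51.100.7 for the original address of the server.
sample_ss_output() {
cat <<'EOF'
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511     203.0.113.10:443        0.0.0.0:*
LISTEN 0      511     198.51.100.7:80         0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
EOF
}

sample_ss_output | unprotected_listeners 203.0.113.10
```

On a real server, run `ss -H -ltn | unprotected_listeners <ip_address>` with the address from the ticket; each reported service should be rebound to the secure address or restricted by a firewall.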
View statistics
- Go to the partner's personal account. The login details can be found in the service connection ticket.
- Open the IP transit tab. It displays statistics on total traffic, before filtering. The graphs are based on five-minute traffic measurements, so the peaks can be smoothed out.
Disable DDoS Guard L3-L4
- Make sure that you have reconfigured traffic reception to an address from your subnet. The protected address issued when the service was activated will be deactivated along with the protection.
- In the control panel, go to Network services → DDoS protection.
- In the row of the desired service, open the menu and select Deactivate monthly payment. The service will run until the end of the paid period and will then be disconnected.