DDoS Protection
What are DDoS attacks?
The dedicated IP that comes with a VPS or Dedicated Server is useful for many reasons. However, malicious actors may launch DDoS (Distributed Denial of Service) attacks against your IP. Typically, these attacks use thousands of compromised systems across the internet. The attacker instructs all the systems they control to send large numbers of requests to your IP at the same time, which can overwhelm even powerful servers with high-bandwidth connections. Often this results in the server becoming unreachable or unresponsive, or even crashing and losing data.
To prevent this from happening, we provide you with a free DDoS filter that is always active, constantly monitoring our network and your connection, and is ready to mitigate attacks.
How does DDoS protection work?
A filter is a separate device that monitors network traffic. It does not record or censor your traffic (we are always focused on privacy), but instead monitors the flow of packets for patterns that look more like attacks and less like normal traffic. For example, if the sensor detects that suddenly 90% of the bandwidth is taken up by incoming TCP SYN packets to open a connection, from just a few IPs, and not followed by the normal flow of TCP packets, then the sensor identifies the situation as a SYN flood attack. The goal of this attack is usually to exhaust the target system's ability to receive new connections and render it unresponsive. In this case, the filter takes action and blocks most of the SYN packets coming from these IPs.
By default, when the sensor no longer detects an abnormal packet flow, it stops blocking packets and resumes normal operation, allowing everything to pass through unrestricted.
Block diagram
+-------------+        +--------+            (
| Your server | <======| Filter |==========> ( Internet
+-------------+        +--------+     |      (
                           Λ          V
                           |     +--------+
                           +-----| Sensor |
                                 +--------+
Controllable DDoS protection features
IP selectivity
All configurable and queryable aspects of the DDoS filter work per protected IP. If you have multiple VPSes or Dedicated Servers, or if you have multiple IPs for a dedicated server, DDoS protection behavior can be configured for them independently.
Filter mode and status
The DDoS filter has a mode, which describes how it's configured to operate, and a status that describes what it's doing at a given time.
In terms of activity, the filter can be in status "active" or "inactive". This indicates whether it is currently filtering packets or not.
The filter can be configured in one of the following 3 modes:
- "sensor" : normally filtering is in status "inactive", but the sensor is scanning the traffic for possible incoming attacks. If it detects an attack, the filter will switch to "active".
- "always on" : filtering is always active, regardless of traffic.
- "always off" : filtering is never active, regardless of traffic.
For security reasons, the "always off" mode cannot be selected via the API, and must be requested via support ticket.
By default for all IPs, the mode is set to "sensor" and the status will be "inactive".
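The SYN flood heuristic from "How does DDoS protection work?" and the mode/status behavior above, as an added example (a sketch written for this page, not the provider's filter code). The packet record format, the `MAX_TOP_SOURCES` and `MIN_COMPLETION` thresholds and all function names are assumptions; only the 90% figure and the mode and status names come from the text.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:               # simplified, constructed packet record seen by the sensor
    src: str
    size: int            # bytes on the wire
    flags: str           # "S" = SYN, "A" = ACK from the client, "" = anything else

SYN_BYTE_SHARE = 0.90    # figure used in the text
MAX_TOP_SOURCES = 5      # assumption: what counts as "just a few IPs"
MIN_COMPLETION = 0.10    # assumption: ACKs per SYN below this = handshakes not completed

def syn_flood_sources(window):
    """Return the source IPs to block if this window looks like a SYN flood, else set()."""
    total = sum(p.size for p in window)
    syn_bytes, syns, acks = Counter(), Counter(), Counter()
    for p in window:
        if p.flags == "S":
            syn_bytes[p.src] += p.size
            syns[p.src] += 1
        elif p.flags == "A":
            acks[p.src] += 1
    syn_total = sum(syn_bytes.values())
    if not total or syn_total / total < SYN_BYTE_SHARE:
        return set()                      # SYNs do not dominate the bandwidth
    top = syn_bytes.most_common(MAX_TOP_SOURCES)
    if sum(b for _, b in top) < SYN_BYTE_SHARE * syn_total:
        return set()                      # SYNs are spread out, not from a few IPs
    # Block only the heavy senders whose SYNs are not followed by normal traffic.
    return {ip for ip, _ in top if acks[ip] / syns[ip] < MIN_COMPLETION}

def next_status(mode, window):
    """Filter status after one sensor window, for the three modes described above."""
    if mode == "always on":
        return "active"
    if mode == "always off":
        return "inactive"
    return "active" if syn_flood_sources(window) else "inactive"   # mode "sensor"

# Constructed sample windows (documentation address ranges, not real traffic).
FLOOD = [Pkt(f"203.0.113.{i % 3 + 1}", 60, "S") for i in range(950)] \
    + [Pkt("198.51.100.7", 60, "S"), Pkt("198.51.100.7", 60, "A")] * 10
NORMAL = [p for i in range(50) for p in (
    Pkt(f"198.51.100.{i}", 60, "S"), Pkt(f"198.51.100.{i}", 60, "A"),
    Pkt(f"198.51.100.{i}", 1400, "A"))]

if __name__ == "__main__":
    print(sorted(syn_flood_sources(FLOOD)), next_status("sensor", NORMAL))
```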
Layer 7 filtering
DDoS attacks can be low-level, such as sending a flood of simple packets, but they can also use high-level protocols in the OSI model. For example, attackers can open multiple normal TCP connections and then send malicious HTTP requests over those normal-looking connections. To detect and block attacks at a higher OSI level, the filter can inspect connections and track the higher-level protocol exchanges they carry, looking for malicious patterns.
The "layer7_filter" option in the filter controls whether this behavior is enabled or disabled. By default "layer7_filter" is disabled.
Layer 7 TLS encryption and decryption
The same type of high-level attacks can also be performed over encrypted connections. In these cases, HTTP requests made over TLS typically can't be inspected for malicious patterns.
To filter encrypted connections, the filter will accept the encrypted TLS connections itself and open a new corresponding connection to your server, so that it can filter the encrypted content.
This behavior is controlled by the "layer7_tls" option, and is also disabled by default.
Since accepting a TLS connection typically involves serving a certificate, the filter will generate one itself and serve it when accepting all TLS connections while it is in status "active". However, if you enable "layer7_tls", it is likely that you want your normal users to continue to see your TLS certificate, not the one generated by the filter. In this scenario, to continue serving your own certificate to your clients while filtering an attack, you will need to install your certificate into the DDoS filter, via the API at https://ddosapi.flokinet.is.
Controlling the filter
The filter can be controlled via a REST API (or a Web UI), accessible and documented at https://ddosapi.flokinet.is.
Authentication
You can only control and inspect the filter for the dedicated IPs assigned to your VPSes, Dedicated Servers or colocated devices. You can generate DDoS Control access tokens from the dedicated page, linked from your WHMCS user interface after you log in. Any of your generated tokens can be used for any of your IPs at https://ddosapi.flokinet.is. You can revoke access tokens at any time from the same interface where they were generated.