VPS Documentation

DDoS Protection

Every IPv4 address on your VPS comes with DDoS protection that can be configured independently. The dashboard lets you set Layer 4 and Layer 7 protection modes per IP address.

Protection Layers

DDoS protection is split into two layers, each targeting a different type of attack. For a primer on what these layers mean, see Understanding the Network Stack.

Layer 4

Layer 4 protection operates at the transport level (TCP/UDP). It filters volumetric and protocol-based attacks before they reach your server. Two modes are available:

  • Dynamic — protection activates automatically when an attack is detected. Traffic flows normally during regular operation with minimal overhead.
  • Permanent — protection is always active, continuously filtering traffic regardless of whether an attack is in progress. This adds slightly more latency but provides immediate mitigation without any detection delay.

Layer 7

Layer 7 protection operates at the application level (HTTP/HTTPS). It filters attacks that target web services, such as HTTP floods.

  • On — application-layer filtering is active
  • Off — application-layer filtering is disabled

Layer 4 and Layer 7 are configured independently. You can, for example, set Layer 4 to permanent while keeping Layer 7 off.

Configuring DDoS Protection

  1. Open your VPS in the dashboard
  2. Go to the Network tab
  3. Find the DDoS Protection section

The section shows a table with each IPv4 address and its current Layer 4 and Layer 7 settings.

To change the settings for an IP address:

  1. Click the row for the IP you want to configure
  2. Select the desired Layer 4 mode (Dynamic or Permanent)
  3. Select the desired Layer 7 mode (Off or On)
  4. Click Save

Changes are applied at the provider level and take effect shortly after saving.

Choosing the Right Configuration

Scenario Layer 4 Layer 7
General-purpose server (default) Dynamic Off
Web server exposed to the internet Dynamic On
High-value target or frequent attacks Permanent On
Non-HTTP services only (databases, game servers) Permanent Off

For most servers, Dynamic Layer 4 protection is a good default — it keeps latency low during normal operation while still reacting to attacks. Enable Layer 7 if your server runs web applications that are publicly accessible.

Permissions

Changing DDoS settings requires collaborator access or higher. Read-only users can see the current configuration but cannot modify it.

Troubleshooting

"DDoS update failed" — the provider could not apply the new settings. Wait a moment and try again. If the issue persists, contact support.

High latency after enabling permanent Layer 4 — permanent mode filters all traffic continuously, which can add a small amount of latency. If latency is a concern and attacks are infrequent, switch to dynamic mode.

Layer 7 blocking legitimate traffic — application-layer filtering may occasionally affect non-standard HTTP requests. If you experience false positives, try disabling Layer 7 and relying on Layer 4 protection alone.