DDoS protection for TCP/UDP services

Our DDoS protection for TCP/UDP services works by filtering out all malicious traffic types and can be connected via an IPIP/GRE tunnel, by TCP proxying, or via physical connection.

We offer subscription plans customized for various services, differing in features, performance, and price. All of the plans, however, have certain common features making our service one of the most efficient protection solutions. Specifically, we have the Standard subscription plan suitable for small-scale web apps, Business plan for business applications, and Enterprise plan for the most critical systems.

Protecting TCP/UDP services from DDoS attacks will be equally beneficial for end customers who need to protect their gaming servers, business applications, VoIP services, etc., as well as service providers such as ISPs, hosting service providers, and datacenters.

NAT technology was invented in the 1990s to reduce the usage of public IP addresses on the Internet. These days, the technology is often used for other purposes, including for tunneling in anti-DDoS services. We do not use NAT for our tunnels (or elsewhere in our network).

When you use a tunnel for protection, you see actual IP addresses on your server. This helps to achieve maximum performance (NAT consumes lots of resources), while reducing latency, and avoiding NAT-related problems. Moreover, the number of TCP/UDP ports that can be protected is unlimited!

All of your server’s inbound traffic is cleaned up in three stages:

Edge routers. Over 100 edge routers all over the world are set up to discard traffic that should never reach your servers. This protective layer makes our clients resistant to 100+ Gbps attacks, with TCP and UDP amplification attempts entirely blocked at this stage.

Hardware filters. Most of the TCP/UDP flood is blocked at this layer. Thanks to the use of hardware-based filtering appliances, extremely high packet processing speeds are achieved. The filtering network is built in such a way that evenly distributes the load between a number of appliances.

Stateful filters. The fine-filtering layer is where the most complex and sophisticated attacks are blocked, including bot-based ones. For HTTP traffic, this layer includes our BanHammer HTTP filtering system.

Our infrastructure is built disaster-resilient from the ground up, so an event causing outage of one point-of-presence will not lead to a connection loss.

How it is achieved? Thanks to our Global Session system, all our filtering points all over the world “know” whenever a visitor has a connection to your server, and in case one point-of-presence becomes unavailable traffic will be automatically redirected to another location nearest to the client.

BanHammer is our system for filtering out HTTP floods, precisely tuned based on dozens of thousands real-world attacks that had targeted our clients’ websites.

Despite the name, there are no actual “bans” - we use intelligent filtering methods based on behavioral and signature analysis, enabling to minimize false positives while maximizing the percentage of flood traffic being filtered out.

How to order protection of TCP / UDP services from DDoS attacks