How to configure DDoS Protection Premium
AntiDDoS Protection Documentation
DDoS Protection Profiles
TCP Validation
Validates legitimate TCP connections through handshake verification to prevent SYN flood attacks.
- Options: Disabled | Enabled | TCP Enabled + Full Strict
- Applied to: Common TCP service ports
TCP Validation Symmetric
Verifies that network routes are symmetric (traffic returns through the same path).
- Applied to: All TCP traffic when enabled
UDP Validation
Protects against UDP flood attacks by validating incoming UDP traffic.
- Applied to: Common UDP service ports
FiveM Protection
Specialized protection for FiveM servers (GTA V modification).
- Options: Disabled | Layer 7 Protect | UDP + Layer7 Protect | WhiteList
- Applied to: FiveM default ports (30120, 30110)
FiveM TxAdmin Protection
Additional protection for the FiveM TxAdmin administration panel.
- Applied to: TxAdmin default port (40120)
Minecraft Java Protection
Protection optimized against attacks specific to Minecraft Java Edition.
- Applied to: Minecraft default port (25565)
TLS Validation
Validates TLS/SSL connections to prevent attacks on HTTPS services.
- Applied to: HTTPS port (443)
RDP Protection
Specific protection for Remote Desktop Protocol (Windows, port 3389).
- Applied to: RDP default port (3389)
DDoS-Protection-Routing
Specialized routing system to mitigate DDoS attacks at the network level.
- Important: If disabled, Edge ACL Rules stop working
- Applied to: All traffic
Symmetric Routing
Forces incoming and outgoing traffic to use symmetric routes.
- Applied to: All traffic when enabled
Note: AntiDDoS profiles are applied automatically on the common ports of each profile or application.
Edge ACL Rules - Advanced Access Control
What are they?
Firewall rules applied at the network edge, allowing granular control over which traffic is allowed, blocked, or rate-limited.
Evaluation Order (Priority)
- Accept → Allows traffic immediately, bypasses ALL AntiDDoS filters
- Drop → Blocks traffic immediately
- Rate limit (global/bytes) → Global limit in bytes per second and accepts traffic
- Rate limit (global/packets) → Global limit in packets per second and accepts traffic
- Rate limit (per IP/bytes) → Per individual IP limit in bytes/sec and accepts traffic
- Rate limit (per IP/packets) → Per individual IP limit in packets/sec and accepts traffic
- Filter → Accepts traffic but continues processing through all AntiDDoS profiles
Once a rule matches, processing stops.
Key Difference: Accept vs Filter
- Accept: Traffic passes directly without any additional AntiDDoS inspection
- Filter: Traffic is accepted but still goes through TCP Validation, UDP Validation, and other active profiles
Rule Components
Source Type:
- All Traffic (0.0.0.0/0): all Internet traffic
- Country: traffic from specific countries
- Custom Prefix List: custom IP range list
Protocol Settings:
- Protocol: TCP, UDP, ICMP, Any
- Source Port: source port (0 = all)
- Destination Port: destination port (0 = all)
- Packet Length: packet size (0 = all)
- TCP Flags: TCP flag combinations (TCP protocol only)
Configuration Recommendations
Best Practice Strategy
For optimal protection, we recommend:
- Block all traffic by default - Create a DROP rule for All Traffic (0.0.0.0/0)
- Use Filter action for required ports - Add specific ports your service needs with the Filter action
- Benefit from generic filters - This allows traffic to pass through our AntiDDoS profiles for optimal protection
Why use Filter instead of Accept?
- Filter action: Allows legitimate traffic while still applying all AntiDDoS protections
- Accept action: Bypasses all protections, leaving services vulnerable
- Using Filter ensures you benefit from our continuously updated generic filters and protection profiles
Example Configuration
- Rule: DROP - All Traffic (0.0.0.0/0) - All Protocols
- Rule: FILTER - All Traffic - TCP Port 80 (HTTP)
- Rule: FILTER - All Traffic - TCP Port 443 (HTTPS)
- Rule: FILTER - All Traffic - UDP Port 25565 (Minecraft)
This configuration blocks all unwanted traffic while allowing necessary ports through our protection filters.
Important Information
Timing and Limitations
- Propagation time: Rules take up to 5 minutes to activate
- Requirement: Only available with AntiDDoS Premium Always
- Dependency: Edge ACL requires DDoS-Protection-Routing enabled
System Behavior
- Rate Limiting: Enforced per XDP filter instance, not truly globally, because traffic is distributed across nodes via AnyCast
- Without stateful firewall: Replies to the server's own outbound connections (DNS answers, HTTP responses) are matched like any other inbound packet, so DNS servers and common source ports (80, 443, 8080) must be allowed manually
- With stateful firewall: Outgoing traffic is automatically authorized
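A small model of the Edge ACL evaluation described above, written as an added example (not the provider's code): first match wins, ACCEPT bypasses the AntiDDoS profiles, FILTER keeps them active, and port 0 is a wildcard. It assumes that specific rules are evaluated before the catch-all DROP and that a packet matching no rule follows the normal AntiDDoS path (the page states neither), and uses constructed addresses (198.51.100.0/24 as a trusted range, 192.0.2.53 as a resolver) to show why a stateless setup needs an explicit rule for resolver replies.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    """One Edge ACL rule using the fields the page lists (0 = all ports)."""
    action: str                 # "ACCEPT", "DROP" or "FILTER"
    source: str = "0.0.0.0/0"   # source prefix (country matching not modelled)
    proto: str = "ANY"          # "TCP", "UDP", "ICMP" or "ANY"
    src_port: int = 0
    dst_port: int = 0

    def matches(self, src_ip: str, proto: str, sport: int, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.source)
                and self.proto in ("ANY", proto)
                and self.src_port in (0, sport)
                and self.dst_port in (0, dport))

def evaluate(rules, src_ip, proto, sport, dport):
    """Return (verdict, profiles_apply): the first matching rule decides.

    ACCEPT bypasses every AntiDDoS profile, FILTER accepts but keeps the
    profiles active. Assumption: a packet matching no rule follows the
    normal AntiDDoS path (the page does not state the no-match default).
    """
    for rule in rules:
        if rule.matches(src_ip, proto, sport, dport):
            if rule.action == "ACCEPT":
                return "ACCEPT", False
            if rule.action == "DROP":
                return "DROP", False
            return "ACCEPT", True          # FILTER
    return "ACCEPT", True

# The page's example configuration plus two constructed extras.
# Assumption: specific rules are listed before the catch-all DROP so the
# catch-all is reached only when nothing more specific matched.
RULES = [
    Rule("ACCEPT", "198.51.100.0/24"),              # constructed trusted range
    Rule("FILTER", proto="TCP", dst_port=80),       # HTTP
    Rule("FILTER", proto="TCP", dst_port=443),      # HTTPS
    Rule("FILTER", proto="UDP", dst_port=25565),    # Minecraft (as on the page)
    # Stateless caveat: without a stateful firewall, replies from the
    # resolver (source port 53) must be allowed explicitly. Constructed address.
    Rule("FILTER", "192.0.2.53/32", "UDP", src_port=53),
    Rule("DROP"),                                   # default deny
]
```

Swap the order of the DROP rule and any FILTER rule in RULES and the FILTER rule becomes unreachable, which is the ordering trap the "first match stops" semantics implies.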
Default Backbone Protection
Automatically blocked ports (independent of Edge ACL):
- DNS (port 53), except recognized public DNS servers
- NTP (123)
- SSDP (1900)
- CharGen (19)
- QOTD (17)
- Memcached (11211)
Note: These blocks prevent amplification attacks at backbone level and cannot be modified via Edge ACL.
Support
For configuration assistance, contact our technical support team.