How to Configure DDoS Protection Premium

AntiDDoS Protection Documentation

DDoS Protection Profiles

TCP Validation

Validates legitimate TCP connections through handshake verification to prevent SYN flood attacks.

  • Options: Disabled | Enabled | TCP Enabled + Full Strict
  • Applied to: Common TCP service ports

TCP Validation Symmetric

Verifies that network routes are symmetric (traffic returns through the same path).

  • Applied to: All TCP traffic when enabled

UDP Validation

Specifically protects against UDP flood attacks by validating incoming UDP traffic.

  • Applied to: Common UDP service ports

FiveM Protection

Specialized protection for FiveM servers (GTA V modification).

  • Options: Disabled | Layer 7 Protect | UDP + Layer7 Protect | WhiteList
  • Applied to: FiveM default ports (30120, 30110)

FiveM TxAdmin Protection

Additional protection for the FiveM TxAdmin administration panel.

  • Applied to: TxAdmin default port (40120)

Minecraft Java Protection

Optimized protection against Minecraft Java Edition specific attacks.

  • Applied to: Minecraft default port (25565)

TLS Validation

Validates TLS/SSL connections to prevent attacks on HTTPS services.

  • Applied to: HTTPS port (443)

RDP Protection

Specific protection for Remote Desktop Protocol (Windows, port 3389).

  • Applied to: RDP default port (3389)

DDoS-Protection-Routing

Specialized routing system to mitigate DDoS attacks at network level.

  • Important: If disabled, Edge ACL Rules stop working
  • Applied to: All traffic

Symmetric Routing

Forces all traffic to use symmetric routes for incoming and outgoing traffic.

  • Applied to: All traffic when enabled

Note: AntiDDoS profiles are applied automatically on the common ports of each profile or application.

Edge ACL Rules - Advanced Access Control

What are they?

Firewall rules applied at the network edge, allowing granular control over which traffic is allowed, blocked, or rate-limited.

Evaluation Order (Priority)

  1. Accept → Allows traffic immediately, bypasses ALL AntiDDoS filters
  2. Drop → Blocks traffic immediately
  3. Rate limit (global/bytes) → Applies a global limit in bytes per second and accepts traffic
  4. Rate limit (global/packets) → Applies a global limit in packets per second and accepts traffic
  5. Rate limit (per IP/bytes) → Applies a limit per individual IP in bytes per second and accepts traffic
  6. Rate limit (per IP/packets) → Applies a limit per individual IP in packets per second and accepts traffic
  7. Filter → Accepts traffic but continues processing through all AntiDDoS profiles

Once a rule matches, processing stops.

Key Difference: Accept vs Filter

  • Accept: Traffic passes directly without any additional AntiDDoS inspection
  • Filter: Traffic is accepted but still goes through TCP Validation, UDP Validation, and other active profiles

Rule Components

Source Type:

  • All Traffic (0.0.0.0/0) - All Internet traffic
  • Country - Traffic from specific countries
  • Custom Prefix List - Custom IP range list

Protocol Settings:

  • Protocol: TCP, UDP, ICMP, Any
  • Source Port - Source port (0 = all)
  • Destination Port - Destination port (0 = all)
  • Packet Length - Packet size (0 = all)
  • TCP Flags - TCP flag combinations (TCP protocol only)

Configuration Recommendations

Best Practice Strategy

For optimal protection, we recommend:

  1. Block all traffic by default - Create a DROP rule for All Traffic (0.0.0.0/0)
  2. Use Filter action for required ports - Add specific ports your service needs with the Filter action
  3. Benefit from generic filters - This allows traffic to pass through our AntiDDoS profiles for optimal protection

Why use Filter instead of Accept?

  • Filter action: Allows legitimate traffic while still applying all AntiDDoS protections
  • Accept action: Bypasses all protections, leaving services vulnerable
  • Using Filter ensures you benefit from our continuously updated generic filters and protection profiles

Example Configuration

  • Rule: DROP - All Traffic (0.0.0.0/0) - All Protocols
  • Rule: FILTER - All Traffic - TCP Port 80 (HTTP)
  • Rule: FILTER - All Traffic - TCP Port 443 (HTTPS)
  • Rule: FILTER - All Traffic - UDP Port 25565 (Minecraft)

This configuration blocks all unwanted traffic while allowing necessary ports through our protection filters.

Important Information

Timing and Limitations

  • Propagation time: Rules take up to 5 minutes to activate
  • Requirement: Only available with AntiDDoS Premium Always
  • Dependency: Edge ACL requires DDoS-Protection-Routing enabled

System Behavior

  • Rate limiting: Limits are enforced per XDP filter, so they are not truly global (traffic is distributed via anycast)
  • Without stateful firewall: You must manually allow DNS servers and common source ports (80, 443, 8080)
  • With stateful firewall: Outgoing traffic is automatically authorized

Default Backbone Protection

Automatically blocked ports (independent of Edge ACL):

  • DNS (port 53) - Except recognized public DNS servers
  • NTP (123)
  • SSDP (1900)
  • CharGen (19)
  • QOTD (17)
  • Memcached (11211)

Note: These blocks prevent amplification attacks at backbone level and cannot be modified via Edge ACL.
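
The following Python check is an added example, not part of the provider's documentation or tooling. It lints a rule set against the recommendations and limitations above: default DROP, Filter instead of Accept, the DDoS-Protection-Routing dependency, backbone-blocked ports, and return-traffic source ports when no stateful firewall is used. The dict rule format and the names `rule` and `lint_edge_acl` are hypothetical; the panel's own rule export format is not shown on this page.

```python
# Added example: lint an Edge ACL rule set against this page's guidance.
# The dict rule format and field names are hypothetical, not the panel's API.

# Ports the page lists as blocked at backbone level, independent of Edge ACL.
BACKBONE_BLOCKED = {53: "DNS, except recognized public DNS servers", 123: "NTP",
                    1900: "SSDP", 19: "CharGen", 17: "QOTD", 11211: "Memcached"}
# Source ports the page says need manual rules without a stateful firewall.
RETURN_SRC_PORTS = (80, 443, 8080)


def rule(action, protocol="any", dst_port=0, src_port=0, source="0.0.0.0/0"):
    """Build one rule; 0 means 'all', as in the Protocol Settings fields."""
    return {"action": action, "protocol": protocol, "dst_port": dst_port,
            "src_port": src_port, "source": source}


def lint_edge_acl(rules, routing_enabled=True, stateful_firewall=True):
    """Return a list of findings for a list of rule dicts."""
    findings = []
    if rules and not routing_enabled:
        findings.append("DDoS-Protection-Routing disabled: Edge ACL rules stop working")
    if rule("drop") not in rules:
        findings.append("no default DROP rule for All Traffic (0.0.0.0/0)")
    for n, r in enumerate(rules, 1):
        if r["action"] == "accept":
            findings.append(f"rule {n}: ACCEPT bypasses all AntiDDoS filters, use FILTER")
        for port in sorted(BACKBONE_BLOCKED.keys() & {r["src_port"], r["dst_port"]}):
            if r["action"] != "drop":
                findings.append(f"rule {n}: port {port} ({BACKBONE_BLOCKED[port]}) is "
                                "blocked at backbone level, not changeable via Edge ACL")
    if not stateful_firewall:
        allowed = {r["src_port"] for r in rules if r["action"] != "drop"}
        missing = [p for p in RETURN_SRC_PORTS if p not in allowed]
        if missing:
            findings.append(f"no stateful firewall: source ports {missing} not allowed")
    return findings


# Constructed sample input: the page's Example Configuration, then a risky variant.
PAGE_EXAMPLE = [rule("drop"), rule("filter", "tcp", 80), rule("filter", "tcp", 443),
                rule("filter", "udp", 25565)]
RISKY = [rule("accept", "tcp", 443), rule("filter", "udp", 123)]

if __name__ == "__main__":
    for name, rules in (("page example", PAGE_EXAMPLE), ("risky", RISKY)):
        print(name, lint_edge_acl(rules) or "no findings")
```

The check does not cover the DNS server allowance that a setup without a stateful firewall also needs, because the page does not say which servers that means.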

Support

For configuration assistance, contact our technical support team.
