DDoS IP protection
“DDoS IP protection for private networks. It defends your IP network infrastructure against large scale DDoS attacks”
The Serverius DDoS IP protection service protects network Layer 2 and Layer 3 BGP networks. It’s 100% API powered and AI-controlled to protect all your IP subnets in detail. Therefore it’s the best DDoS Layer 3 and 4 mitigation service without any IP limits, missing technology, or hidden cost afterward.
DDoS attack protection
Private BGP network DDoS protection protects any IP network environment against complex DDoS attacks, ensuring the continuity of your services.
Per /32 IP defense
100% API first!
No attack limits!
Control your DDoS defenses
Your network, your ASN, your IP subnets. Only you have the technical knowledge to configure your defenses. Therefore, Serverius offers an API-first DDoS protection service where you can design your own defense layer per IP subnet. This improves the success of the defense and will save you time in human communication about irrelevant matters. Additionally, it allows you to create automated adjustments to your DDoS attacks defense layer.
It includes more than 600 advanced settings. For example, you can create, change and remove:
- Detailed IP protection configurations (Zones) with pre-made protection templates (default configurations).
- IPv4 and IPV6 addresses in CIDR format. By announcing a /24 subnet (or larger) to the DDoS protection Service you can enable a /32 (or larger) to protect. As a result, only the /32 is filtered and all other IPs from the /24 are simply forwarded. This way, it will prevent false positives to non-attacked IPs.
- Advanced “Filters” to parse specific traffic. With advanced filters offer a more sophisticated and tailored approach to defending against DDoS attacks. They provide control, real-time adaptation, and accurate identification of malicious traffic, which is essential for maintaining the availability and performance of online services that are under DDoS attack:
- Setting protocols.
- Setting action (drop, deny, pass, rate-limit, etc).
- Based on Source IP subnets.
- Time to live.
- Packet length (1-1500) adjustment.
- Payload (Offset, Content, Depth).
- Protocol specs.
- Packet length settings.
- Attack notification by email, Signal, Telegram, SMS, etc.
- “Geo restriction” (restrict, block, or whitelist traffic from certain countries).
- Source IP allow/deny list.
- Advanced protocol settings (IP, TCP, UDP, DNS, ICMP, QUIC, HTTP, TLS). These are essential to effectively mitigate and block a wide range of DDoS attack vectors. By tailoring protection measures to specific types of attacks and targeted assets, the cloud service can better defend against DDoS attacks and ensure the availability and stability of the protected systems and services.
- Dynamic Block Management list (manage your zone’s dynamic block list here. Source IP addresses that are added to the dynamic block list when a specific defense policy is triggered).
- Advanced service graphs. Having advanced graphs showing attacks in the DDoS protection cloud service empowers security teams with critical information to combat and mitigate DDoS attacks efficiently. It enables them to respond quickly, make data-driven decisions, and continuously improve their defense capabilities to safeguard their online services and applications.
In-line & out-of-path
Default in-line or out-of-path DDoS protection
When using the DDoS IP Protection, IP subnets are out-of-path and marked as “protected”. When a DDoS attack starts toward an IP address, the system will automatically change the IP state to an in-line mode where all traffic will be routed through the scrubbing hardware to be cleaned. The in-line state will be active until the DDoS attack stops with an additional time frame that the administrator sets. No valid data traffic is blocked when there isn’t a DDoS attack.
When a DDoS attack is expected or for testing purposes, an administrator can also manually set his IP subnets in-line for a certain amount of time. After the time he set, the system will change the in-line automatically to out-of-path again. As an extra, permanent in-line can be purchased per subnet.
Tailor-made out-of-path detection for large IP networks
When using the Serverius DDoS protection service for external enterprise networks, you will probably will detect and re-route data traffic yourself. For example, re-route a /24 subnet and enable a single /32 subnet to be filtered. In such a situation, the Serverius NOC as a Service can offer you a fully managed, locally hosted in your infrastructure flow-analyzer like Wanguard. Serverius is an official Wanguard partner and offers 100% support and discounted Wanguard licenses.
Pay-as-you-use DDoS service
Our flexible pay-as-you-use monthly subscription model ensures you pay only for the protection you really using. Starting from 499,- per month. No long-term commitments or hidden fees; your can scale up and down monthly. Simply add the resources you need. Afterward, you can remove them the same way.
Yearly contracts, large resource volume users, and in addition to other Serverius services will benefit from “commitment discounts”. Please contact the firstname.lastname@example.org sales department for more information.
Service connection options
During a DDoS attack, the data traffic to your IPs needs to be routed to the Serverius IP network. Here, the traffic is cleaned, removing any malicious traffic that is part of the attack. The cleaned data traffic is then sent back to your own BGP/IP network, ensuring that your users can continue to access your online assets.
Many options are included in the service. You can use a single or redundant connection, dedicated or combined with other carrier services. Each option has its own set of benefits and drawbacks, and it’s important to choose the right one for your needs.
By BGP session at SpeedIX, NL-IX, or AMS-IX.
By Serverius its Internet connectivity service
When using the Serverius Internet connectivity service, any IP subnet that is announced under the Serverius ASN can be protected with just one mouse click in the client panel or API. Any Layer 2 network IP and BGP Layer 3 internet service will work.
By physical fiber connection: cross-connect
Direct/physical fiber connection at one of the Serverius Points of Presence (PoPs) in almost all Dutch data centers.
By GRE tunnel from your BGP network to Serverius
Redundant GRE tunnels where you can announce your private IPs under your own ASN. You can use GRE tunnels to multiple physical Serverius data centers.
By carrier VLAN to a Serverius PoP
GDPR-proof DDoS protection
When your data traffic is forwarded to an external DDoS protection service, the data traffic is inspected and therefore needs to comply with the General Data Protection Regulation (GDPR), because it deals with the processing of personal data. The GDPR is a European Union regulation that governs the protection and processing of personal data of individuals within the EU, regardless of where the data processing takes place. Here’s why a DDoS protection service must adhere to GDPR:
- Processing of Personal Data: DDoS protection services often collect and process data from their customers to effectively protect their websites or applications from DDoS attacks. This data may include IP addresses, personal data flows, Layer 7 information, email addresses, and other information that can be considered personal data under the GDPR.
- EU User Base: DDoS protection services typically serve customers from all over the world, including the EU. Since the GDPR applies to the personal data of EU citizens, even if the service provider is located outside the EU, they also must comply with the regulation if they process data from or to EU individuals.
- Data Controller or Processor: Depending on the specific service and the role they play, DDoS protection services may act as either a data controller or data processor. If they determine the purpose and means of data processing, they are a data controller. If they process data on behalf of their customers, they are a data processor. Both data controllers and processors have obligations under the GDPR, such as ensuring data security, obtaining valid consent, and facilitating data subject rights. Therefore a data processor agreement needs to be signed between the client and a European company (Serverius).
- Data Subject Rights: GDPR grants certain rights to individuals whose data is being processed, such as the right to access, rectify, erase, and restrict the processing of their personal data. DDoS protection services need to be prepared to handle these requests from their customers and the individuals whose data they process.
- Data Breach Notification: In the event of a data breach that poses a risk to the rights and freedoms of individuals, GDPR requires timely notification to both the supervisory authority and affected individuals. DDoS protection services must have appropriate security measures and incident response procedures in place to comply with this requirement.
- International Data Transfers: If a DDoS protection service transfers personal data outside the EU, it must comply with GDPR’s rules for international data transfers, such as using standard contractual clauses or other approved mechanisms. Non-European companies won’t apply to this and never will guarantee they will apply to this.
Bottom line, non-compliance with GDPR can lead to significant fines and reputational damage for the DDoS protection service. Therefore, it’s essential for such services to apply to the GDPR’s requirements to ensure they are operating lawfully and responsibly in handling personal data. Read more »