
DDoS Protection for VPS & Dedicated: What to Look For
Distributed Denial of Service (DDoS) attacks remain one of the most significant threats to online infrastructure in 2025. Attack volumes now routinely exceed 3 Tbps, with sophisticated multi-vector campaigns targeting not only bandwidth but also application layers (L7), state exhaustion (L4), and DNS infrastructure. For businesses hosting critical workloads on VPS or dedicated servers, DDoS protection is not optional.
This article explores the different types of DDoS attacks, explains how mitigation works, and provides a checklist of features you should demand from your VPS or dedicated hosting provider. We also cover real-world case studies and practical best practices for sysadmins.
🔹 Understanding DDoS Attack Types
1. Volumetric Attacks (Layer 3/4)
- Floods your network pipe with massive traffic (UDP floods, amplification via NTP, DNS, CLDAP).
- Goal: saturate bandwidth, making your server unreachable.
- Scale: up to terabits per second (Tbps).
2. Protocol Attacks (Layer 4)
- Target weaknesses in TCP/UDP stack (SYN floods, ACK floods, fragmented packet floods).
- Goal: exhaust server or firewall resources (connection tables, state tracking).
3. Application Layer Attacks (Layer 7)
- Simulate normal user requests (HTTP GET/POST floods, WordPress XML-RPC abuse).
- Harder to detect — looks like legitimate traffic.
- Goal: overwhelm application CPU/DB rather than bandwidth.
4. DNS Attacks
- Target authoritative DNS servers with floods.
- Without DNS availability, websites and apps are unreachable even if servers are healthy.
🔹 Layers of DDoS Mitigation
1. Network-Level Mitigation
- Scrubbing centers: Traffic is rerouted through large-scale filtering farms.
- BGP blackholing: Drops traffic to attacked IP, last resort.
- Anycast networks: Distributes attack traffic globally across many POPs.
2. Transport-Level Mitigation
- Rate limiting: Controls new connections per IP.
- SYN cookies: Prevents state table exhaustion.
- Connection tracking offloading: Moves state handling from server to edge firewall.
3. Application-Level Mitigation
- Web application firewalls (WAFs) filter malicious HTTP requests.
- CAPTCHA/challenge-response for bots.
- Behavioral analytics to distinguish humans vs bots.
4. DNS Protection
- Anycast DNS with multiple global POPs.
- DNS query rate limiting.
- Secondary DNS providers for redundancy.
🔹 What to Look for in a Provider
- Always-On vs On-Demand Mitigation
  - Always-on: Traffic constantly passes through scrubbing. Lower risk of downtime.
  - On-demand: Mitigation triggered after attack detected. Cheaper but riskier.
- Mitigation Capacity
  - Ensure provider advertises Tbps-level protection.
  - Example: 3 Tbps scrubbing vs 500 Gbps is a massive difference.
- Latency Impact
  - Good providers keep added latency <5 ms globally.
  - Poor setups add 30–50 ms, hurting performance.
- L7 Protection
  - Many providers stop at volumetric filtering.
  - Ask specifically about HTTP floods and bot filtering.
- Granular Filtering
  - Ability to filter by ASN, country, or protocol.
  - Essential for targeted mitigation without dropping all traffic.
- Logs and Visibility
  - Real-time dashboards of attack traffic.
  - Historical reports for compliance.
- Integration with VPS/Dedicated
  - Does mitigation apply at network edge (before traffic reaches your NIC)?
  - Or is it a software firewall on your server (ineffective at scale)?
🔹 Example Configurations
iptables for Basic Rate Limiting
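# Drop new connections (SYN) from any source IP that already holds more than 50 connections to port 80
sudo iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 50 -j DROP
# Same per-source cap for HTTPS on port 443
sudo iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 50 -j DROP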
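Before settling on the threshold of 50 used in the rules above, check how many concurrent connections real clients hold, since many users behind one NAT address share a source IP. The following added example (not part of the original article) counts established connections per source and local port from `ss -Htn state established` output; the sample lines and addresses are constructed, and the function names are hypothetical.

```python
import sys
from collections import Counter


def build_sample():
    # Constructed sample in the column order Recv-Q Send-Q Local Peer,
    # using documentation address ranges only.
    lines = [f"0 0 203.0.113.10:443 198.51.100.7:{40000 + i}" for i in range(60)]
    lines += [f"0 0 203.0.113.10:80 192.0.2.20:{50000 + i}" for i in range(3)]
    lines += [f"0 0 [2001:db8::10]:443 [2001:db8::5]:{51000 + i}" for i in range(2)]
    lines += ["0 0 203.0.113.10:22 192.0.2.99:60000"]  # SSH, outside the two rules
    return "\n".join(lines)


def connections_per_source(ss_output, ports=(80, 443)):
    """Count established connections keyed by (source IP, local port)."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        # Local and peer are always the last two columns.
        local, peer = fields[-2], fields[-1]
        port = local.rsplit(":", 1)[-1]
        if not port.isdigit() or int(port) not in ports:
            continue
        source = peer.rsplit(":", 1)[0].strip("[]")  # handles [IPv6]:port
        counts[(source, int(port))] += 1
    return counts


def sources_over(counts, limit=50):
    """Sources that a --connlimit-above <limit> rule would start refusing."""
    return {key: n for key, n in counts.items() if n > limit}


if __name__ == "__main__":
    # Pipe real data in: ss -Htn state established | python3 this_script.py
    data = build_sample() if sys.stdin.isatty() else sys.stdin.read()
    counts = connections_per_source(data)
    for (source, port), n in counts.most_common(10):
        flag = "OVER" if (source, port) in sources_over(counts) else ""
        print(f"{source:<20} port {port:<4} {n:>5} {flag}")
```

Run it during normal peak traffic first: any legitimate source already near the limit (a corporate proxy, a carrier NAT) is a sign that the threshold needs raising before the rule is enabled.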
Nginx Rate Limiting for HTTP Floods
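# In the http {} context: one 10 MB shared zone keyed by client address, 10 requests/second per client
limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
server {
    location / {
        # Allow bursts of up to 20 requests above the rate, served without delay
        limit_req zone=req_limit burst=20 nodelay;
    }
}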
Note: These rules only help against small-scale floods. Real DDoS mitigation must happen upstream, at the provider level.
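To see what `rate=10r/s` with `burst=20` in the Nginx configuration above actually lets through, here is an added example (not from the original article, and not Nginx's own code): a simplified model of the leaky-bucket accounting that `limit_req` uses, replayed over constructed traffic. It models only pass/reject decisions, which are the same with or without `nodelay`; the class name, function names and client addresses are hypothetical.

```python
class LimitReqModel:
    """Per-client leaky bucket; times in ms, excess in thousandths of a request."""

    def __init__(self, rate_per_s=10, burst=20):
        self.rate = rate_per_s            # rate=10r/s from limit_req_zone
        self.burst_milli = burst * 1000   # burst=20 from limit_req
        self.state = {}                   # client -> (excess_milli, last_ms)

    def allow(self, client, now_ms):
        """True if the request passes, False if rejected (503 by default)."""
        if client not in self.state:
            self.state[client] = (0, now_ms)
            return True
        excess, last = self.state[client]
        # Drain at the configured rate, then add this request.
        excess = max(0, excess - self.rate * (now_ms - last) + 1000)
        if excess > self.burst_milli:
            return False                  # rejected requests leave the state unchanged
        self.state[client] = (excess, now_ms)
        return True


def replay(timeline, rate_per_s=10, burst=20):
    """timeline: iterable of (time_ms, client). Returns {client: [passed, rejected]}."""
    model = LimitReqModel(rate_per_s, burst)
    result = {}
    for now_ms, client in sorted(timeline):
        counts = result.setdefault(client, [0, 0])
        counts[0 if model.allow(client, now_ms) else 1] += 1
    return result


def sample_timeline():
    # Constructed traffic using documentation addresses.
    instant = [(0, "198.51.100.7")] * 100                          # 100 requests at once
    flood = [(t, "198.51.100.8") for t in range(0, 2000, 10)]      # 100 r/s for 2 s
    normal = [(t, "192.0.2.20") for t in range(0, 10000, 200)]     # 5 r/s for 10 s
    return instant + flood + normal


if __name__ == "__main__":
    for client, (passed, rejected) in replay(sample_timeline()).items():
        print(f"{client:<14} passed={passed:<4} rejected={rejected}")
```

Each flooding address still gets its burst plus roughly 10 requests per second through, so a flood spread over many source addresses passes in proportion to their number. This is why per-IP limits only cover small floods.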
🔹 Case Studies
Case 1: VPS Without DDoS Protection
- UDP flood peaked at 60 Gbps.
- Provider null-routed IP for 24h.
- Business lost $15,000 in downtime.
Case 2: Dedicated with Always-On DDoS Mitigation
- HTTP GET flood ~5M requests/sec.
- Provider’s L7 filter identified botnet, dropped traffic within 30s.
- No downtime, 3% latency increase.
🔹 Best Practices for Sysadmins
- Choose providers with Tbps-scale scrubbing.
- Deploy CDN/WAF layers (Cloudflare, Fastly, Akamai).
- Segment services: Run APIs, admin panels, and public sites on separate IPs.
- Enable rate limiting at Nginx/iptables level for small attacks.
- Have incident response runbooks for attack handling.
- Monitor traffic baselines with Zabbix/Prometheus to detect anomalies quickly.
✅ Conclusion
DDoS attacks in 2025 are more frequent, larger, and more sophisticated than ever. The choice of VPS or dedicated server provider must include strong DDoS protection. Key features to demand:
- Always-on scrubbing with multi-Tbps capacity.
- Low added latency (<5 ms).
- Layer 7 (application-level) protection.
- Real-time monitoring and reports.
- Integration with CDN/WAF layers for end-to-end security.
At WeHaveServers.com, all VPS and dedicated plans in Romania/EU come with always-on DDoS protection up to multi-Tbps scale, ensuring customer workloads remain online even under sustained attack.
❓ FAQ
Do all VPS providers include DDoS protection?
No. Many budget VPS providers null-route attacked IPs. Enterprise-grade providers include scrubbing.
Does DDoS protection affect latency?
Yes, but minimal with good providers (1–5 ms). Poor setups may add noticeable delay.
Can software firewalls stop DDoS?
Not at scale. iptables/Nginx help for small floods but collapse under 10 Gbps+ attacks.
What’s the difference between volumetric and L7 protection?
Volumetric filters bandwidth floods; L7 protects against application-layer floods like HTTP GET storms.
Is Cloudflare enough for DDoS protection?
Cloudflare is excellent for websites but not for raw TCP/UDP services. VPS/dedicated providers must still offer network-level mitigation.