DDoS Protection

We protect our network very effectively against DDoS attacks by using detection software and pre-filters. The protection automatically detects and filters the "bad traffic" and protects IP addresses against DDoS attacks.

If you want to protect a website (HTTP or HTTPS) from DDoS attacks, we also recommend using Layer 7 Protection for greater efficiency. A DDoS attack can be detected and filtered much faster using Layer 7 Protection. When using SSL, it makes sense to store the certificate in the firewall software.

During an attack, the server remains accessible and you can use the services normally. Non-relevant ports are blocked as long as the attack continues, for example icmp for pinging.

Information on Layer 7 DDoS Protection

There are different types of DDoS (Distributed Denial of Service) attacks. Basically, a DDoS is a "denial of service" that is intentionally caused by a large number of requests and thus leads to an overload of the data network or the server. DDoS attacks can target different layers (see ISO/OSI layer model). Compared to the past, current DDoS attacks often target the top layer (layer 7). Layer 7 is the application layer and is used to provide functions for the applications and is responsible for data input and output. Layer 7 attacks specifically target the protocols belonging to Layer 7, such as Telnet, FTP, NNTP, HTTP or SMTP. Compared to other DDoS attacks, Layer 7 attacks require far less bandwidth and packets to cause disruption to services. A low-level protocol attack such as SYN flood requires a huge number of packets to carry out an effective DDoS attack, whereas a Layer 7 attack only requires a limited number of packets to implement a large DDoS attack. The most common of the layer 7 attacks is HTTP flooding. Here, an HTTP request is sent to the affected server using significant resources and, although the number of packets is limited, they fully utilise all server resources and lead to a denial of service. Layer 7 protection is activated by us at your request, and we also store the certificate in the firewall software.

What happens during an attack

• ICMP / IGMP (among others PING) is discarded
• UDP source port 19, 69, 111, 123, 137, 161, 389, 520, 1434, 1900, 9987, 11211 are limited (10Mbit)
• TCP / UDP question segments (packets larger than 1500 byte) are discarded
• UDP destination port 9000 to 9999 is strictly filtered against Teamspeak3 packets
• UDP destination port 27000 to 29000 is strictly filtered against Source Engine packets
• UDP Destination Port 53 is strictly filtered against DNS packets and forces TCP Truncation
• When HTTP Layer7 Mitigation is active, all TCP traffic on ports 80 and 443 is routed through a reverse proxy.
• If HTTP Layer7 Mitigation is active, Cloudflare must be deactivated, otherwise a DNS resolution loop will occur.
• All traffic (except TCP / UDP) and is blocked
• All other traffic (TCP / UDP) is strictly validated:
• TCP connections are only possible if a TCP SYN or SYN-ACK packet was previously sent and accepted; the filters behave like a kind of asynchronous stateful firewall for server applications. The establishment of a first connection (SYN or SYN-ACK) may take considerably longer or be interrupted for the first time, web presences may load somewhat slower.
• UDP connections are only possible if they are carried out by a "valid client", spoofing is prevented by an intelligent comparison of all connection parameters.

For our customers with IP network

For customers with IP networks, we can activate an API that you can use to control the basic functions of DDoS Protection. With the API, you naturally also have the option of giving your customers access via your own interface.

Port for the operation of game servers

The following ports have been implemented specifically for the operation of game servers:

• 2300-2400: DayZ and Arma 3, as well as Arma 3 Query
• 5761-5794: Atlas
• 7000-8999: Generic Games
• 9000-9999: Teamspeak3
• 12800-13100: Hurtworld
• 19132: Minecraft Pocket Edition
• 22000-22020: Rage-MP / MTA
• 22126: Rage-MP / MTA
• 23000-23200: Battlefield
• 27000-28000: All Source Engine / Query Games like Counter Strike 1.6, Counter Strike Source, Counter Strike GO, The Ship, Garrys Mod, Nuclear Dawn, Call of Duty Modern Warfare 3, Starbound, Space Engineers, 7 Days to Die, Rust, Quake Live, ARK: Survival Developed, Valheim, Mordhau
• 30000-32000: FiveM GTA-MP
• 36123-36128: Stormworks

Each L3 / L4 attack is checked by filter algorithms. Any deviation from the normal flow of an application tends to be treated as an attack.

These include:

Flood attacks (TCP, UDP, ICMP, DNS amplification) TCP vulnerability attacks / TCP stack attacks (SYN, FIN, RST, SYN ACK, URG-PSH, TCP flags) Fragmentation Attacks (Teardrop, Targa3, Jolt2, Nestea) At layer-7 level, we provide dedicated filters for HTTP GET flood and HTTPS. DNS filtering is also implemented at layer-7.