Skip to content

Overview & Information

Layer 4 DDoS Protection

AS203446 offers permanently active Layer 4 DDoS protection. This protects, for example, against the following attacks:

  • IPv4 and IPv6
  • UDP floods
  • TCP floods
  • GRE floods
  • Other protocol floods
  • ICMP floods
  • Resource exhaustion attacks
  • Amplification floods
  • Zero Day Attack Prevention (Identifies attacks that cannot be filtered by typical countermeasures or when the system determines that this type of mitigation is more cost-effective in terms of hardware and computer resource utilization)

Portranges

The DDoS Protection has defined different portranges for different applications, these must be used with the corresponding application.

  • 2300 - 2400: Arma 2/3/Reforger & DayZ
  • 7000 - 8999: Other games (games not listed here)
  • 9000 - 9999: Teamspeak 3
  • 12800 - 13100: Hurtworld
  • 19132: Minecraft Pocket Edition
  • 22000 - 22020: Rage-MP
  • 27000 - 28000: All Source games (CS:GO, Garry's Mod, etc.)
  • 30000 - 32000: FiveM
  • 1194: OpenVPN
  • 51820: Wireguard
  • 34100 - 34200: Factorio

Known restrictions / Expected behavior

Random Ports

The TCP reset is performed by default for ports that are not listed above.

GRE tunnels

GRE tunnels are blocked via IPv4.

TCP authentication

Clients attempting to establish a TCP session after a TCP attack has been detected must retransmit their first connection. This is known as "TCP authentication". Clients that were connected before the attack began are not affected.

UDP authentication

UDP connections are also validated and authenticated when a UDP attack is in progress. However, in 99% of cases this has no effect on the clients, which may be forced to retransmit their first UDP connections. Again, only the clients that connect after an attack has started are affected.

Rate limits

  • TCP traffic (only applies if a TCP attack is in progress)
  • UDP traffic (only applies if a UDP attack is in progress)

Layer 7 DDoS Protection

Currently AS203446 DDoS Protection does not offer Layer 7 protection.

This includes the following:

  • Layer 7 http(s) attacks/floods
  • Game/protocol-based real application traffic (e.g. Minecraft bots, PCAP replay are not included in this example. The system offers protection against PCAP replay)