Understanding Anti-DDoS Protection for Hosting

Everything about DDoS attacks and your host's Anti-DDoS protection. L3, L4, L7 levels explained simply.

Introduction

A DDoS (Distributed Denial of Service) attack consists of overwhelming your server with requests until it becomes unreachable. According to Cloudflare, more than 30% of sites have suffered at least one DDoS attack in the past year.

Your host's Anti-DDoS protection filters these attacks before they reach your server. By-Hoster includes L3/L4/L7 Anti-DDoS protection on all offers.

In 2026, DDoS attacks have become commonplace: "DDoS-as-a-Service" kits available for a few euros on forums, massive IoT botnets (Mirai and its variants), and attack capacities exceeding a terabit per second. Any online site or server can be targeted, by chance or deliberately. This guide explains how a DDoS attack really works, the common types, the mitigation methods, and how to verify that the protection advertised by your host is serious.

The 3 DDoS attack levels

  • L3 (Network Layer): network attacks (ICMP flood, IP fragmentation). Massive volume (Tbps possible)
  • L4 (Transport Layer): TCP/UDP attacks (SYN flood, UDP flood). Saturate the connection table
  • L7 (Application Layer): HTTP/HTTPS attacks (slowloris, HTTP flood). Mimic legitimate traffic, harder to filter

Common DDoS attack types in 2026

Beyond OSI layers, DDoS attacks are classified by technique. Knowing the main ones helps understand what a serious Anti-DDoS must filter.

  • SYN flood: the attacker massively sends TCP SYN packets without ever completing the 3-way handshake, saturating the server's connection table. Mitigation: SYN cookies, per-IP rate limiting.
  • UDP flood: massive volumes of UDP packets sent to random ports. The server tries to reply "port unreachable" to each one, saturating bandwidth. Mitigation: UDP rate limiting, blackhole of unused ports.
  • DNS / NTP / Memcached amplification: the attacker queries a DNS/NTP/Memcached server with a spoofed source IP (your IP), and the server responds to you with a payload 50 to 50,000x larger. Record capacity observed: 2.5 Tbps via Memcached.
  • HTTP flood (L7): thousands of bots send seemingly legitimate GET/POST requests but on expensive URLs (search, cart, login). Mitigation: JavaScript challenge, CAPTCHA, bot fingerprinting.
  • Slowloris: opens thousands of nearly-empty HTTP connections and keeps them alive by sending data very slowly. Saturates Apache/Nginx workers without using much bandwidth. Mitigation: aggressive timeouts, mod_qos.
  • Ransom DDoS (RDoS): extortion of the type "pay X bitcoins or we launch a Y Gbps attack". In 2026, several groups (REvil, Lapsus$) have relaunched this practice.

How By-Hoster Anti-DDoS works

Our upstream filtering infrastructure (multi-Tbps capacity) analyzes traffic in real time and blocks malicious packets before they reach your server. Automatic L3/L4 filtering and customizable L7 application rules.

  • Upstream filtering (BGP scrubbing): traffic destined for our IP ranges passes through filtering collectors before reaching our DC-FR_NA(01) datacenter in Nouvelle-Aquitaine. Malicious packets are eliminated at source.
  • Automatic detection: baseline algorithms (learning normal traffic) + known signatures (DDoS kits) + heuristics (packet rate per source IP). Mitigation triggered in a few seconds.
  • L3/L4 filtering: handled automatically, transparent to the customer. Blocks SYN floods, UDP floods, reflection amplifications (DNS, NTP, Memcached, SSDP), abusive fragmentation.
  • L7 mitigation: configurable application rules (per-URL rate limit, JS challenge, user-agent blocking, geoblocking). The customer can adjust via the panel or technical support.
  • No service interruption: legitimate users notice nothing (perhaps +5-20 ms latency during active mitigation). Your site remains accessible.

What to do during an ongoing DDoS attack?

Even with serious upstream Anti-DDoS, certain actions on your side improve resilience. Here's the checklist to run through when an attack is detected (abnormal latency, 503 errors, monitoring alerts):

  • Confirm the attack: tail -n 10000 /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20 lists the IPs with the most requests in the last 10,000 log lines (tail -f would never hand its output to sort). If you see 50+ foreign IPs with hundreds of requests/second each, it's probably an attack.
  • Contact host support immediately: serious support activates enhanced mitigation within minutes. Give them the attacked IP, logs and start time.
  • Enable an "under attack" mode: Cloudflare offers a JS Challenge mode that forces all visitors to pass a browser challenge. Blocks 99% of bots, slightly degrades human UX.
  • Rate-limit at the application level: in Nginx, add limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s; in the http block, then limit_req zone=one burst=20; in the location block.
  • Temporary geoblocking: if the attack comes mainly from a country where you have no legitimate traffic, block that country with iptables + GeoIP or via Cloudflare in a few clicks.
  • Document for later: keep logs, IPs, patterns. A DDoS attack is often followed by other attempts, and your logs help refine mitigation rules.
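As an added example (not By-Hoster's code nor part of the original guide), the "confirm the attack" step above carried out on a constructed nginx access log: instead of only counting totals, it measures each IP's peak requests per second, which is the criterion the checklist gives. The default nginx log format and the TEST-NET sample addresses are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not By-Hoster tooling: the "confirm the attack" step of the checklist,
# run over a constructed nginx access log so it works offline.
# Assumption: default nginx log format ($1 = client IP, $4 = "[dd/Mon/yyyy:HH:MM:SS").

make_sample_log() {  # $1 = output path. Constructed data: two flooding bots, one normal visitor.
  : > "$1"
  for ip in 203.0.113.10 198.51.100.77; do
    i=0
    while [ "$i" -lt 150 ]; do   # 150 hits on an expensive URL within the same second
      printf '%s - - [01/Mar/2026:10:00:00 +0000] "GET /search?q=x HTTP/1.1" 200 512 "-" "bot"\n' "$ip"
      i=$((i + 1))
    done >> "$1"
  done
  for s in 00 01 02 03 04; do    # legitimate visitor: one request per second
    printf '192.0.2.5 - - [01/Mar/2026:10:00:%s +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"\n' "$s"
  done >> "$1"
}

top_ips() {  # $1 = log: the 20 busiest source IPs by total requests ("count ip" per line)
  awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn | head -20
}

peak_rps() {  # $1 = log, $2 = IP: highest number of requests that IP made in any single second
  awk -v ip="$2" '$1 == ip { n[$4]++ }
       END { m = 0; for (k in n) if (n[k] > m) m = n[k]; print m }' "$1"
}

flood_sources() {  # $1 = log, $2 = req/s threshold: IPs whose peak rate reaches the threshold, sorted
  awk -v th="$2" '{ n[$1 " " $4]++ }
       END { for (k in n) if (n[k] >= th) { split(k, p, " "); hit[p[1]] = 1 }
             for (ip in hit) print ip }' "$1" | sort
}

# Demo run on the constructed log: the two bots are flagged, the human visitor is not.
LOG=$(mktemp)
make_sample_log "$LOG"
echo "Busiest IPs:"; top_ips "$LOG"
echo "IPs reaching 100 req/s in some second:"; flood_sources "$LOG" 100
rm -f "$LOG"
```

Point the functions at your real access.log and lower or raise the threshold to match your site's normal per-client rate before deciding it is an attack.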

Myths and misconceptions about Anti-DDoS

  • "My site is too small to be attacked": false. Opportunistic attacks target entire IP ranges; being an IP neighbor of the target is enough for you to be hit as collateral. RDoS targets random SMBs to get a "moderate" ransom.
  • "Free Cloudflare is enough for everything": Cloudflare only protects HTTP/HTTPS traffic going through their network. If someone knows your origin IP (via historical DNS leak, SSL certificate, mail header), they bypass Cloudflare and attack directly. Protection at the host level remains indispensable.
  • "Anti-DDoS slows down my site": in normal conditions (no attack), a well-done Anti-DDoS adds < 1 ms latency. During active mitigation, up to 5-20 ms. It's invisible vs an unmitigated attack that makes the site inaccessible.
  • "I need a firewall on my VPS to block DDoS": false for volumetric attacks (L3/L4). If your 1 Gbps link is saturated by 100 Gbps of attack, your firewall is useless: the traffic has already reached your interface. Filtering must be upstream. A firewall remains useful for targeted L7 attacks.
  • "If I have Anti-DDoS, I don't need fail2ban anymore": false. Anti-DDoS = distributed volumetric. fail2ban = targeted bruteforce/scan. Both are complementary, not substitutes.

How to verify that a host's advertised protection is serious?

Many hosts advertise "Anti-DDoS included" without details. Here are the criteria to distinguish real protection from empty marketing:

  • Advertised filtering capacity: a serious Anti-DDoS announces its capacity (Gbps or Tbps). If the docs remain vague, ask support for mitigation capacity per IP and global.
  • L3/L4/L7 levels: a pro Anti-DDoS filters all 3 levels. If the offer only mentions "network filtering" without L7, you're vulnerable to HTTP floods.
  • Always-on vs trigger-based: "always-on" is better (immediate mitigation). "Trigger-based" implies a few seconds/minutes of downtime before protection activates.
  • Included vs paid option: an Anti-DDoS billed extra is a negative signal. Serious hosts include it (the cost is marginal vs the filtering infra).
  • Post-attack communication: ask to see a typical post-mortem report. A serious host provides after an attack: date, duration, volume, attack type, main source IPs.

Frequently asked questions

Yes, any site can be a victim, often by chance (being part of an attacked IP range) or in a targeted manner (competitor, disgruntled former user). That's why Anti-DDoS should be included, not a paid option.

Our filtering capacity is multi-Tbps, well above typical attacks (1-50 Gbps). Worldwide record attacks (3 Tbps) remain within our mitigation capabilities.

Very little. "DDoS-as-a-Service" services (booter, stresser) are available for €5 to €50/month on underground forums, providing 10-100 Gbps of attack on demand. That's exactly why attacks have become commonplace: the cost/damage ratio is dramatically favorable to the attacker.

Cloudflare is excellent at L7 and for HTTP/HTTPS traffic, but requires that your origin IP is never exposed. In practice, the IP often leaks (old DNS records, historical SSL certificates, email headers). Anti-DDoS protection at the host level remains complementary and indispensable to block attacks bypassing Cloudflare directly on the IP.

A DoS (Denial of Service) comes from a single source (one attacker, one IP). Easy to block (firewall). A DDoS (Distributed DoS) comes from thousands of distributed sources (botnet of infected machines). Impossible to block server-side, requires upstream filtering at the host or via a specialized service.

Yes, if compromised. A poorly secured server (weak passwords, exposed services, unpatched packages) can be recruited into a botnet and participate in attacks. Consequences: your IP gets blacklisted, and your host may suspend the account. Measures: key-based SSH, fail2ban, UFW, automatic updates, outgoing bandwidth monitoring.

Blackhole is the ultimate measure: the host announces your IP as "non-routable" via BGP, dropping all destination traffic. Your site becomes inaccessible, but the host's infrastructure is preserved. A blackhole typically lasts 1-4h, the time for the attack to calm down. This measure is only used as a last resort for massive attacks that no mitigation can absorb.