"DDoS protection included" appears on virtually every VPS plan now, but it means very different things at different providers. Some providers throw the term around to mean basic upstream filtering. Others mean serious anycast scrubbing. The difference between them is the difference between "your site stays up during a 5 Gbps amateur attack" and "your site stays up during a 100 Gbps reflected amplification attack." This guide explains the three layers DDoS attacks operate at, what mitigation actually does at each layer, and what real DDoS protection looks like for a VPS in 2026.
TL;DR: L3 attacks flood your network pipe with garbage packets. L4 attacks abuse TCP/UDP protocols to exhaust connection state. L7 attacks generate "real-looking" HTTP requests at high volume to overwhelm your application. Mitigation looks different at each layer. OliveVPS includes 10 Gbps L3/L4 protection on every plan, with optional L7 for higher-tier customers.
What a DDoS attack actually is
DDoS = Distributed Denial of Service. The "distributed" part is key — the attacker is sending traffic from many sources simultaneously. Sources can be:
- Botnets of compromised devices (IoT cameras, routers, servers)
- Reflection/amplification through misconfigured public servers
- Stresser/booter services (commercial DDoS-for-hire)
- Real human attackers using cloud infrastructure
The goal is to overwhelm something — your network pipe, your TCP stack, your application server, your database. The defender's job is to stop the attack traffic before it reaches whatever it's targeting, while letting legitimate traffic through.
Attacks are categorized by the OSI layer they target. The vast majority of attacks fall into three layers: 3 (network), 4 (transport), and 7 (application).
Layer 3: Volumetric / network-layer attacks
L3 attacks flood your network connection with raw garbage. The goal isn't to do anything clever — it's just to send so many packets per second (or so many bits per second) that your upstream link becomes saturated and legitimate traffic can't get through.
Common L3 attack types:
- UDP flood — generic UDP packets at high rate, often spoofed source IPs
- ICMP flood ("ping flood") — high-rate ICMP echo requests
- DNS amplification — attacker sends small DNS queries spoofed from your IP, recursive DNS servers send big responses to you. Amplification factor of 50-100x.
- NTP amplification — same idea with NTP servers, amplification of 200-500x
- Memcached amplification — historically the worst, amplification of 50,000x. Mostly mitigated now.
- SSDP / SNMP / chargen reflection — variations on the same theme
Volumes for modern L3 attacks range from a few Gbps (amateur) to 1+ Tbps (the largest documented attacks have hit 3+ Tbps). For a VPS with a 1 Gbps network port, anything over 1 Gbps saturates the pipe — it doesn't matter how powerful your CPU is.
Mitigation: scrubbing. Traffic is routed through specialized hardware that examines packets at line rate, drops obviously-malicious patterns (spoofed sources, malformed packets, signature-matched attack tools), and forwards clean traffic to your VPS. Quality varies wildly:
- Basic ACLs / null routing: "We'll null-route your IP if it gets attacked." Your site goes down to stop the attack from affecting other customers. Common at budget providers.
- Per-customer scrubbing on attack: Mid-tier. When an attack is detected, traffic for your IP is routed through scrubbing infrastructure, which takes 30-300 seconds to engage.
- Always-on scrubbing: Traffic is always routed through scrubbing infrastructure. Zero engagement time. Standard at premium providers.
- Anycast scrubbing: Multiple scrubbing centers globally announce the same IP via BGP anycast. Attack traffic gets distributed across centers. Most resilient against the largest attacks.
Layer 4: Protocol attacks
L4 attacks exploit how TCP and UDP work to exhaust state on your VPS. Volume matters less than the specific abuse pattern.
Common L4 attacks:
- SYN flood — attacker sends TCP SYN packets at high rate, never completes the handshake. Your VPS allocates state for each, eventually exhausting connection tables.
- SYN-ACK reflection — variant where the attacker spoofs your IP as the source of SYNs sent to third-party servers, so their SYN-ACK replies come back to you
- ACK flood / RST flood — high rate of ACK or RST packets, forcing the kernel to look up nonexistent connections
- UDP flood with valid-looking ports — overwhelm whatever's listening (DNS server, game server)
- Connection exhaustion — open lots of TCP connections and leave them idle, eat through file descriptor limits
L4 mitigation involves:
- SYN cookies (kernel-level, free, every modern Linux has it)
- Rate limiting on incomplete connections
- Connection tracking with smart eviction
- SYN flood protection in scrubbing layer (drops obvious flood signatures)
L3+L4 protection together is what most providers mean when they say "DDoS protection included." The capacity (in Gbps or Mpps) and engagement time vary widely.
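An added example (not from the original article or any provider's tooling): a host-side check for the SYN-flood state exhaustion described above, counting half-open `SYN_RECV` sockets per port from `/proc/net/tcp` and reading the SYN-cookie sysctl. The sample table, function names and thresholds are constructed for illustration.

```python
import socket

SYN_RECV, ESTABLISHED = "03", "01"   # socket state codes as printed in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout, trimmed to the columns parsed below.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st
   0: 00000000:01BB 00000000:0000 0A
   1: 0A6433C6:01BB 057100CB:C351 03
   2: 0A6433C6:01BB 067100CB:C352 03
   3: 0A6433C6:01BB 077100CB:C353 03
   4: 0A6433C6:01BB 077100CB:C354 03
   5: 0A6433C6:01BB 0A7100CB:D431 01
   6: 0A6433C6:0016 0B7100CB:E001 03
"""

def decode_addr(hex_addr):
    """'0A6433C6:01BB' -> ('198.51.100.10', 443). IPv4 bytes are stored little-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1]), int(port_hex, 16)

def half_open_report(proc_net_tcp_text):
    """Per local port: SYN_RECV count, ESTABLISHED count, distinct SYN_RECV sources."""
    report = {}
    for line in proc_net_tcp_text.splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        lport, rip, state = decode_addr(fields[1])[1], decode_addr(fields[2])[0], fields[3]
        entry = report.setdefault(lport, {"syn_recv": 0, "established": 0, "sources": set()})
        if state == SYN_RECV:
            entry["syn_recv"] += 1
            entry["sources"].add(rip)
        elif state == ESTABLISHED:
            entry["established"] += 1
    return report

def suspicious_ports(report, min_half_open=3, ratio=2.0):
    """Ports whose half-open count passes a floor and is `ratio` times the established count."""
    return sorted(p for p, e in report.items() if e["syn_recv"] >= min_half_open
                  and e["syn_recv"] >= ratio * max(e["established"], 1))

def syncookies_enabled(path="/proc/sys/net/ipv4/tcp_syncookies"):
    """True if the kernel SYN-cookie sysctl is 1 or 2, None if it cannot be read."""
    try:
        with open(path) as fh:
            return fh.read().strip() in ("1", "2")
    except OSError:
        return None
```

On a live host, pass the contents of `/proc/net/tcp` to `half_open_report`. Once SYN cookies engage, the kernel stops allocating state for new SYNs, so the `SYN_RECV` count levels off near the listen backlog instead of tracking the attack rate.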
Layer 7: Application-layer attacks
L7 attacks send what look like legitimate HTTP requests, but at volumes designed to overwhelm your application server, database, or backend services. Because the requests look real, simple packet filtering can't tell attack traffic from legitimate traffic.
Common L7 attacks:
- HTTP flood — high rate of GET or POST requests, possibly randomized URLs to bypass caching
- Slowloris — open many connections and send headers very slowly, tying up server worker slots
- R-U-Dead-Yet (RUDY) — variant on slowloris with slow POST bodies
- SSL renegotiation flood — exploit TLS renegotiation costs
- Cache-bypass attacks — hit URLs designed to bypass CDN caching (random query strings)
- API hammering — target expensive endpoints (search, complex queries)
- Login brute force as DoS — high-rate POST to login endpoints, exhaust application resources
L7 mitigation is fundamentally different from L3/L4 — it requires actual HTTP/HTTPS understanding. Common approaches:
- WAF (Web Application Firewall): Inspects HTTP requests, blocks known bad patterns, rate-limits per IP
- JavaScript / browser challenges: Requires a real browser to pass — bots and crude HTTP clients fail
- CAPTCHA: Human verification when traffic looks suspicious
- Bot management: Behavioral analysis of request patterns
- Geographic / IP reputation filtering: Block traffic from regions you don't serve, or known-bad IPs
L7 protection is harder, more expensive, and usually a separate layer. Cloudflare, Sucuri, AWS Shield Advanced, and similar provide L7 protection. Most VPS providers' "included DDoS protection" is L3/L4 only — L7 is your responsibility (typically via Cloudflare in front).
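An added example (not part of the original article): a small access-log analysis that shows why per-IP rate limiting and cache-bypass detection are separate L7 signals. It assumes combined-format access logs covering one time window; the sample lines, function name and thresholds are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Client address, method and request target from a combined-format access log line.
LOG = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

# Constructed sample: one short time window of access-log lines (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.1 - - [10/Jan/2026:14:02:11 +0000] "GET /search?q=k3f9 HTTP/1.1" 200 812 "-" "ExampleClient/1.0"
203.0.113.2 - - [10/Jan/2026:14:02:11 +0000] "GET /search?q=zz81 HTTP/1.1" 200 812 "-" "ExampleClient/1.0"
203.0.113.3 - - [10/Jan/2026:14:02:11 +0000] "GET /search?q=p0qa HTTP/1.1" 200 812 "-" "ExampleClient/1.0"
203.0.113.4 - - [10/Jan/2026:14:02:12 +0000] "GET /search?q=m44x HTTP/1.1" 200 812 "-" "ExampleClient/1.0"
203.0.113.5 - - [10/Jan/2026:14:02:12 +0000] "GET /search?q=t7yb HTTP/1.1" 200 812 "-" "ExampleClient/1.0"
198.51.100.77 - - [10/Jan/2026:14:02:12 +0000] "GET /api/status HTTP/1.1" 200 64 "-" "ExampleCron/1.0"
198.51.100.77 - - [10/Jan/2026:14:02:12 +0000] "GET /api/status HTTP/1.1" 200 64 "-" "ExampleCron/1.0"
198.51.100.77 - - [10/Jan/2026:14:02:13 +0000] "GET /api/status HTTP/1.1" 200 64 "-" "ExampleCron/1.0"
198.51.100.77 - - [10/Jan/2026:14:02:13 +0000] "GET /api/status HTTP/1.1" 200 64 "-" "ExampleCron/1.0"
192.0.2.40 - - [10/Jan/2026:14:02:13 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "ExampleBrowser/1.0"
"""

def l7_summary(log_text, per_ip_limit=3, min_hits=4, unique_ratio=0.9):
    """Flag IPs over a per-window request limit and paths hit with near-unique query strings."""
    per_ip, per_path, queries = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = LOG.match(line)
        if not m:
            continue
        ip, _method, target = m.groups()
        url = urlsplit(target)
        per_ip[ip] += 1
        per_path[url.path] += 1
        if url.query:
            queries[url.path].add(url.query)
    over_limit = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)
    # Cache bypass: a path requested often where almost every request has a distinct query.
    cache_busted = sorted(p for p, n in per_path.items()
                          if n >= min_hits and len(queries[p]) / n >= unique_ratio)
    return {"requests": sum(per_ip.values()), "distinct_ips": len(per_ip),
            "over_limit_ips": over_limit, "cache_busted_paths": cache_busted}
```

In the sample, the five `/search` sources each stay under the per-IP limit, so only the path-level signal catches them, while the per-IP limit catches the single looping client.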
How mitigation actually works
For L3/L4 mitigation in a VPS context, here's what happens during an attack:
- Detection. Network monitoring sees traffic spike, packet rate spike, or specific attack signatures. Modern detection is sub-second.
- Diversion. Traffic for the targeted IP is routed through scrubbing centers via BGP. On always-on systems, this is the steady-state path; on on-demand systems, diversion engages at this point.
- Filtering. Scrubbing hardware examines every packet, drops attack traffic based on signatures, behavioral analysis, source reputation, and rate limits.
- Forwarding. Clean traffic is forwarded to your VPS over a "GRE tunnel" or similar — you see normal traffic, attack traffic is invisible.
- Reverse path. Outbound traffic from your VPS goes back through the scrubbing tunnel or via direct path depending on configuration.
Mitigation has bounds. A scrubbing system rated for "10 Gbps" can handle attacks up to 10 Gbps; a 50 Gbps attack would saturate it. Most VPS provider DDoS protection is rated in tens of Gbps. Major scrubbing providers (Cloudflare Magic Transit, Akamai Prolexic, Google Project Shield) operate at terabit scale.
10 Gbps DDoS protection, standard on every plan
Always-on L3/L4 scrubbing. No upgrade tier required. If you get hit, mitigation engages automatically — you usually don't even notice. Add Cloudflare in front for L7 coverage.
What VPS DDoS protection covers
What you typically get with "DDoS protection included" on a reputable VPS provider:
- L3/L4 scrubbing capacity in the 5-50 Gbps range
- Always-on or near-always-on protection
- Common attack types automatically mitigated (UDP/ICMP/SYN floods, common amplification)
- No additional cost
What you typically don't get without paying extra (or using an external service like Cloudflare):
- L7 protection — application-layer HTTP flood mitigation
- WAF rules
- Bot management
- Capacity above the included tier (e.g. terabit-scale protection)
- Custom mitigation rules tuned for your application
- SLAs on mitigation effectiveness
For most VPS workloads, included L3/L4 + Cloudflare in front for L7 is a good combination — covers nearly everything you'd realistically face for low cost.
What to do if you're getting attacked
If you suspect you're under attack:
- Open a support ticket immediately. Don't wait. Most providers' DDoS response is faster when they're already aware.
- Check what type of attack. Run iftop, nethogs, tcpdump to see what traffic is hitting you. Volume + source variety + protocol gives you a quick picture.
- Don't change your IP yet. Many people's first instinct is to swap IPs. Don't — the attacker probably has your domain and will find the new IP via DNS in seconds. Mitigate first.
- Put Cloudflare in front for L7 attacks. If the attack is HTTP-based, switching DNS to Cloudflare with proxy enabled can mitigate within minutes (Cloudflare Free covers basic L7).
- Disable anything non-essential. Reduce attack surface — temporarily disable open services that don't need to be public.
- Check application logs. Sometimes "DDoS" turns out to be one badly-written cron job hitting your API in a loop. Rule out the boring explanations.
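An added example (not from the original article) of the "volume + source variety + protocol" check in the list above: it summarises a saved text capture by protocol mix, distinct sources, bare-SYN share and dominant UDP source port. The capture lines are constructed in the shape of `tcpdump -nn` output, and the function names and the port-to-service table are assumptions of this example.

```python
import re
from collections import Counter

# Source ports of the reflection protocols listed earlier on this page.
REFLECTOR_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

# Constructed sample shaped like `tcpdump -nn` text output (documentation-range IPs).
SAMPLE_CAPTURE = """\
14:02:11.100001 IP 192.0.2.1.53 > 198.51.100.10.33001: UDP, length 1400
14:02:11.100002 IP 192.0.2.2.53 > 198.51.100.10.33002: UDP, length 1400
14:02:11.100003 IP 192.0.2.3.53 > 198.51.100.10.33003: UDP, length 1400
14:02:11.100004 IP 192.0.2.4.53 > 198.51.100.10.33004: UDP, length 1400
14:02:11.100005 IP 203.0.113.5.40001 > 198.51.100.10.443: Flags [S], seq 1000, win 64240, length 0
14:02:11.100006 IP 203.0.113.6.40002 > 198.51.100.10.443: Flags [S], seq 2000, win 64240, length 0
14:02:11.100007 IP 203.0.113.5.40003 > 198.51.100.10.443: Flags [.], ack 1, win 502, length 0
14:02:11.100008 IP 203.0.113.9 > 198.51.100.10: ICMP echo request, id 7, seq 1, length 64
"""

def split_host_port(endpoint):
    """'203.0.113.5.40001' -> ('203.0.113.5', 40001); ICMP endpoints carry no port."""
    parts = endpoint.split(".")
    return (".".join(parts[:4]), int(parts[4])) if len(parts) == 5 else (endpoint, None)

def triage(capture_text):
    """Summarise protocol mix, source variety, SYN share and likely reflector for a capture."""
    protos, sources, udp_sports, syn_only = Counter(), Counter(), Counter(), 0
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # skips IP6, ARP and anything unparsed
        (src, sport), rest = split_host_port(m.group(1)), m.group(3)
        sources[src] += 1
        if "Flags [" in rest:
            protos["tcp"] += 1
            syn_only += "Flags [S]," in rest   # bare SYN, not SYN-ACK ("[S.]")
        elif rest.startswith("ICMP"):
            protos["icmp"] += 1
        elif sport is not None:
            protos["udp"] += 1            # assumption: other IPv4 lines with a port are UDP
            udp_sports[sport] += 1
        else:
            protos["other"] += 1
    total = sum(protos.values())
    top_port = udp_sports.most_common(1)[0][0] if udp_sports else None
    return {"total": total, "protocols": dict(protos), "distinct_sources": len(sources),
            "top_source_share": max(sources.values(), default=0) / max(total, 1),
            "syn_only_share": syn_only / max(protos["tcp"], 1),
            "likely_reflector": REFLECTOR_PORTS.get(top_port) if protos["udp"] * 2 >= total else None}
```

A `top_source_share` close to 1.0 points at a single client, which is the "boring explanation" case from the last step, while many sources with one dominant reflector port points at amplification.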
For OliveVPS customers specifically: open a ticket, we'll engage scrubbing if it's not already filtering. Our average response on DDoS tickets is under 10 minutes.
FAQ
Will OliveVPS null-route my IP during a big attack?
Only as an absolute last resort, and only on attacks above our scrubbing capacity (10+ Gbps continuous). For attacks within capacity, we mitigate without affecting your service. Some budget providers null-route at much lower thresholds — read the fine print.
Does the included DDoS protection cover game server attacks?
Yes. Game-server-targeted L3/L4 attacks (UDP floods on game ports specifically) are covered. We have specific mitigation tuning for common game server protocols (Source engine, Minecraft, FiveM). For Layer 7 game attacks (less common) or attacks above our included capacity, talk to us about uplifted protection plans.
Is Cloudflare DDoS protection enough on its own?
For HTTP/HTTPS workloads, Cloudflare Free gives meaningful L3-L7 protection — they have far more capacity than any individual VPS provider. The catch: Cloudflare only protects what's proxied through them (web traffic on standard ports). Attacks on your VPS IP directly (bypassing Cloudflare) require provider-side L3/L4. The combination of both is what you want.
What's the biggest DDoS attack OliveVPS has mitigated?
Mid-double-digit Gbps sustained, with peaks higher. Our scrubbing infrastructure scales beyond what any individual customer's traffic can absorb. The vast majority of attacks our customers face are under 5 Gbps and are handled invisibly.
Can I get an SLA on DDoS protection?
Standard included DDoS protection is best-effort with no specific SLA. For customers who need SLA-backed mitigation, we offer enterprise plans with higher protection tiers and contractual mitigation commitments. Contact us if your workload needs this.