# Understanding HolyCloud anti-DDoS

Mitigation layers, GRE tunnel, and null route principles on the HolyCloud network.

DDoS (Distributed Denial of Service) attacks aim to saturate your bandwidth or resources until the service is unavailable. HolyCloud applies multi-layer mitigation on the datacenter network, upstream of your VPS, dedicated server, or hosting IP.

## Prerequisites

- No mandatory configuration for base protection on eligible offers
- Understand the difference between legitimate traffic and abnormal spikes (monitoring, logs)
- Contact support during an ongoing attack with timestamp and impacted IP

## Overview: mitigation layers

```
Internet → [Edge scrubbing / filtering] → [HolyCloud network] → Your server
```

| Layer | Role |
|--------|------|
| Detection | Flow analysis (volume, signatures, geographic spread) |
| Filtering | Block or limit malicious packets (UDP flood, SYN flood, DNS/NTP reflection) |
| Scrubbing | Separate "clean" traffic from attack traffic before routing to your IP |
| Rate limiting | Cap traffic to protect the rest of the network |

Mitigation is automatic for many common signatures; enterprise offers may include advanced settings or dedicated BGP announcement.

## What happens during an attack?

1. Traffic to your public IP spikes sharply.
2. Datacenter anti-DDoS systems identify the pattern (e.g. millions of UDP packets to a game port).
3. Attack traffic is absorbed or filtered; legitimate traffic (HTTP/TLS, SSH from known IPs) is allowed when possible.
4. You may see temporary latency or a short outage if the attack exceeds thresholds — support may apply additional measures.

You generally do not install anything on the VPS for base network protection: it acts before your virtual NIC.

## GRE and advanced routing (concept)

For clients with external protection or a dedicated scrubbing cluster, filtered traffic may be returned to your server via a GRE tunnel (Generic Routing Encapsulation):

```
[Scrubbing center] --GRE tunnel--> [Your HolyCloud server IP]
```

Principles:

- The tunnel encapsulates already cleaned packets.
- Your server sees legitimate traffic on an OS-configured tunnel interface (Linux `ip tunnel`, etc.).
- GRE configuration is provisioned by HolyCloud on request (specific offers) — do not create a tunnel without support agreement.

This avoids exposing the server's "raw" IP directly to the Internet during a large attack.

## Null route (blackholing): basics

When volume exceeds scrubbing capacity or threatens the neighboring network, the operator may announce a null route (blackhole) toward the attacked IP:

- All traffic to that IP is dropped as close as possible to the attack source.
- Effect: your service becomes unreachable on that IP, but the rest of the datacenter stays protected.
- The null route is temporary; it is lifted when the attack subsides or after analysis.

This is not a server failure: it is a last-resort measure to protect shared infrastructure.

## Client best practices

- Do not publish unnecessary IPs; use a CDN for static web content if you are targeted often.
- Close unused ports (OS firewall + HolyCloud panel).
- Disable reflection services (open DNS, NTP, public SNMP).
- On game/voice VPS, expect UDP attacks — choose an offer with suitable mitigation.

## Report an attack to support

Provide:

- Public IP concerned
- Start time (timezone)
- Service type (web, game, mail)
- Traffic captures or graphs if available

```bash
# useful examples from a Linux VPS during an incident
ss -s
netstat -an | head
journalctl -u nginx --since "10 min ago"
```

## Quick FAQ

| Question | Short answer |
|----------|----------------|
| Does anti-DDoS replace a WAF? | No — WAF filters HTTP application layer; anti-DDoS targets the network |
| Can I be null-routed without notice? | Yes, at critical threshold — support informs afterward |
| Is GRE on all plans? | No, reserved for advanced scenarios |

## Need help?

For an additional protected IP, an incident report, or an offer with enhanced mitigation, contact HolyCloud support from your client area.
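
For the "Disable reflection services" item under Client best practices, this added example (not HolyCloud's own tooling) lists UDP listeners on the DNS, NTP and SNMP ports that are bound to a non-loopback address. It assumes `ss -H -lun` output (without `-p`) on stdin; the function names and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find UDP listeners that could act as reflection sources
# (DNS 53, NTP 123, SNMP 161) because they are bound to a non-loopback address.
# Input on stdin: output of `ss -H -lun` (no -p), one socket per line.

flag_reflection_listeners() {
  awk '
    BEGIN { svc[53] = "dns"; svc[123] = "ntp"; svc[161] = "snmp" }
    NF >= 2 {
      local_ep = $(NF - 1)             # second-to-last column: Local Address:Port
      n = split(local_ep, parts, ":")  # IPv6 contains colons, so keep the last part
      port = parts[n]
      addr = substr(local_ep, 1, length(local_ep) - length(port) - 1)
      sub(/%.*$/, "", addr)            # drop interface scope, e.g. 127.0.0.53%lo
      gsub(/\[/, "", addr)             # drop IPv6 brackets
      gsub(/\]/, "", addr)
      if (!(port in svc)) next
      if (addr ~ /^127\./ || addr == "::1") next   # loopback only: not exposed
      printf "%s %s %s\n", svc[port], port, addr
    }
  '
}

# Constructed sample of `ss -H -lun` output (not captured from a real host).
sample_ss_output() {
  cat <<'EOF'
UNCONN 0      0            0.0.0.0:123        0.0.0.0:*
UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
UNCONN 0      0          127.0.0.1:161        0.0.0.0:*
UNCONN 0      0               [::]:53            [::]:*
UNCONN 0      0            0.0.0.0:27015      0.0.0.0:*
EOF
}

# On a live VPS: ss -H -lun | flag_reflection_listeners
sample_ss_output | flag_reflection_listeners
```

A listed socket is only a candidate for review: if the service does not need to be public, bind it to loopback or close the port in the OS firewall and the HolyCloud panel.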