L3/4 included on every plan
Every plan — VPS or dedicated — gets the same mitigation. There is no premium tier with better scrubbing; the floor is the ceiling.
SP·00 — MITIGATION
DDoS protection that ships with every plan
Every VPS and dedicated server sits behind always-on L3/4 mitigation with 1.5 Tbps of upstream scrubbing capacity. Not a tier, not an upsell — the floor. The only optional piece is the L7 shield at $10.50/mo.
1.5 TbpsUpstream scrubbing
L3/4Included on every plan
24/7Always-on detection
$10.50L7 DDoS shield · per month
How mitigation works
Three stages, all automatic. The design goal is that you learn about most attacks from a graph, not an outage.
- 01
Detect
Edge routers export flow telemetry continuously and hold a baseline per destination IP. When traffic departs from its profile, diversion triggers automatically — no ticket, no phone call.
- 02
Scrub
Suspect traffic is steered into upstream scrubbing centres rated at 1.5 Tbps aggregate. Floods, spoofed SYNs and reflection junk are dropped there, far from your uplink.
- 03
Return
Clean traffic re-enters over the same route and reaches your server unchanged. When the attack subsides, diversion ends on its own.
L7 shield add-on
HTTP request floods and slow-read attacks look legitimate at L3/4. The shield terminates and inspects HTTP, drops the junk, and costs $10.50/mo. Add it at deploy on any plan.
Always-on, not on-demand
Detection never sleeps and never waits for a human. Most attacks today are short and automated; mitigation that needs a support ticket is mitigation that arrives late.
No traffic penalty
Mitigation does not meter your bandwidth. Unmetered stays unmetered during an attack, and we do not bill you for the junk we drop.
What is covered — and what is not
Exact scope, stated plainly. A mitigation page without a “not covered” column is a marketing page.
| Vector | Layer | Status |
|---|---|---|
| Volumetric floodsICMP, GRE and raw packet floods aimed at the pipe | L3 | Included |
| SYN / ACK / RST floodsSpoofed TCP state-exhaustion attacks | L4 | Included |
| UDP floods & fragmentationHigh-pps UDP junk and fragmented-packet attacks | L3/4 | Included |
| Amplification & reflectionDNS, NTP, memcached, SSDP, CLDAP reflectors | L3/4 | Included |
| HTTP request floodsWell-formed GET/POST floods, slow-read, cache-busting | L7 | With L7 shield · $10.50/mo |
| Bugs in your applicationExploits and logic abuse — anything mitigation cannot tell from a user | L7+ | Not covered |
| Sustained floods above 1.5 TbpsBeyond aggregate scrubbing capacity | — | Upstream null-route possible |
Coverage reviewed 2026-06-10. If the scope changes, this table changes — we would rather you read the limits here than discover them mid-attack. Null-routes above 1.5 Tbps sustained are an upstream carrier decision, not ours, and they are rare; we list them because pretending otherwise would be dishonest.
DDoS questions, short answers
Is DDoS protection included, or a paid extra?
What happens when an attack starts?
Diversion is automatic: flow telemetry flags the anomaly, scrubbing engages, and clean traffic keeps flowing to your server. There is nothing to enable and nobody to call. Most attacks come and go without visible effect on your service.
Do I need the L7 shield?
If you expose a website or an HTTP API, probably. L3/4 mitigation stops floods aimed at the pipe and the TCP stack; it does not read HTTP. A flood of well-formed GET requests sails through unless something terminates and inspects the protocol — that is what the shield does, for $10.50/mo. If your service speaks anything other than HTTP, skip it.
Does mitigation add latency?
In steady state, none — traffic takes the normal path. While scrubbing is engaged, the detour adds a few milliseconds, which we consider a fair trade against being offline. The detour ends on its own when the attack does.
Deploy behind the scrubbers
Every server lands behind 1.5 Tbps of mitigation the minute it boots. No setup, no surcharge.