Sign in Deploy →
KVM Slices Block Storage DDoS Protection Anycast Features Network About Docs
Sign in Deploy →
Home/Products/DDoS Protection

Enterprise DDoS filtering for $3 a month.

A 3.5 Tbps+ scrubbing fabric stands in front of your slice, always on and fully automatic. Attacks get filtered at the edge before they ever touch your server — no toggles, no panic, no per-incident invoice.

Add to a slice → How it works
3.5Tbps+
Total filtering capacity
700M+
Packets per second
99.9%
Uptime SLA
$3/mo
Per protected IP
How it works

Always on. Automatically.

Filtering isn't a button you flip mid-attack. Every protected IP sits behind a pooled scrubbing fabric — shared across all protected customers in that location — that inspects traffic 24/7/365. Junk packets are dropped at the edge; legitimate requests sail straight through to your slice.

  • No activation lag. Mitigation is permanent and instant — there's nothing to enable when an attack lands.
  • Edge scrubbing. Bad traffic is absorbed and dropped at the network border, far upstream of your server.
  • Pooled capacity. 3.5 Tbps+ and 700M+ pps stand behind every IP in the location, not just yours.
  • Backed by an SLA. 99.9% uptime, excluding application-layer floods that target your app logic itself.
root@las01 — mitigation
stallion ddos status Filter armed on 149.x.x.x Profile auto — L3/L4/L7 active Mitigating 14.2 Gbps / 8.1 Mpps Dropped: SYN flood, UDP frag Legit traffic: passed uptime load average: 0.07, 0.04, 0.01
— What it stops

From crude floods to clever ones.

Two layers of filtering, one flat price. The fabric profiles traffic continuously and drops the bad stuff — whether it's a brute-force pipe-filler or a low-and-slow application attack.

Layer 3 / 4 — volumetric

The pipe-filling attacks designed to drown your uplink in raw traffic. We absorb and drop them upstream:

  • Volumetric & reflective attacks
  • TCP & UDP floods
  • UDP fragmentation
  • NTP & DNS amplification
  • SYN floods

Layer 7 — application

The sneaky ones that mimic real users and exhaust your app instead of your bandwidth. We spot the patterns:

  • HTTP GET & POST floods
  • Slowloris & RUDY (slow attacks)
  • HOIC & LOIC toolkits
  • Connection-exhaustion patterns

Invalid-port & private-IP

Garbage aimed at ports you don't run, and spoofed packets claiming to come from private address space, get dropped on sight — before they waste a single cycle on your slice.

XORDDOS & botnets

Known malware families like XORDDOS and the herds of compromised hosts they conscript are recognised and filtered. A few advanced methods are armed on request via a support ticket.

— From the front lines

Attacks happen. Downtime doesn't.

★★★★★
We run a Minecraft community and got hit with a 200 Gbps attack out of nowhere. The server didn't blink — no lag, no kick storm, players never even noticed. For three bucks a month I genuinely don't know how they do it.
CK
Cole K.Minecraft network operator
★★★★★
Switched from a $1,000/mo scrubbing provider to a $3 BuyVM IP and have slept better ever since. The filtering is just always there — nothing to configure, nothing to babysit.
RM
Rina M.Game backend engineer
★★★★★
Opened a ticket for one of the advanced filters and support had it armed within the hour. SYN floods that used to take us offline are now just a line in the mitigation log.
DT
Devon T.Self-hosting enthusiast
— The math

Carrier-grade protection, vending-machine price.

The same class of filtering normally lives behind enterprise contracts and five-figure invoices. Attach it to any IP on an active VPS subscription instead.

Third-party scrubbing

$1,000+/mo

Route your traffic through an external provider, manage another vendor relationship, and pay a recurring premium for the privilege.

Dedicated hardware

$10,000+/mo

Buy, rack, and maintain your own mitigation appliances — then hope your single box outpaces the next botnet.

BuyVM filtering

$3/mo per IP

Always-on, 3.5 Tbps+, L3 through L7, backed by a 99.9% SLA. Add it to a slice at checkout and forget it exists.

Add protection →
— FAQ

Questions, answered.

Is DDoS protection free or paid?
It's a paid add-on: $3.00/mo per protected IP, on top of an active VPS subscription. There's no contract and no per-incident billing — the flat monthly fee covers always-on filtering no matter how many attacks land.
Which attacks are actually covered?
Both network and application layers. At L3/L4 that means volumetric and reflective attacks, TCP/UDP floods, UDP fragmentation, NTP and DNS amplification, and SYN floods. At L7 it covers HTTP GET/POST floods, Slowloris, RUDY, and HOIC/LOIC toolkits — plus invalid-port and private-IP garbage and known families like XORDDOS.
Will it block my legitimate traffic?
No. The fabric profiles traffic and drops attack patterns while letting real requests through — as the mitigation log shows, legit traffic passes even while gigabits of junk are being filtered. If a profile ever needs tuning for an unusual workload, support can adjust it.
What does the SLA cover?
We back the filtering with a 99.9% uptime SLA. The one exclusion is application-layer floods that exploit your own app's logic — those depend on how your software is written, so they sit outside a network-level guarantee. Everything volumetric and protocol-based is on us.
How do I enable the advanced filtering methods?
The core profile is on automatically the moment your protected IP is provisioned. A handful of more aggressive or specialised filters are armed on request — just open a support ticket from the client area telling us what you're seeing, and we'll switch them on for your IP.

Stop the next attack before it starts.

Add a protected IP to any slice for $3/mo and let 3.5 Tbps+ of always-on filtering do the worrying. No toggles, no surprise invoices, no downtime.

Add protection → Browse KVM slices