How to Protect Your VPS from DDoS Attacks (Practical Guide & Checklist)

Q: What’s a safe baseline for SSH?

Use key-based auth, move SSH off port 22, enable fail2ban, and allowlist your admin IPs/VPN. Consider port knocking or WireGuard for admin access.

Q: How do I know I’m under attack?

Watch for sudden jumps in packets-per-second and bits-per-second, new-connection rates, 5xx spikes, and latency/loss. Set alerts based on baselines and enable flow logs if your provider supports them.

Introduction

Distributed Denial of Service (DDoS) attacks attempt to overwhelm your server or its network so real users can’t connect. If you run game servers, ecommerce shops, APIs, or community sites on a VPS, you’re a target. The good news: with the right mix of provider-side mitigation and host-level hardening, you can withstand most attacks and recover quickly from the rest.

This guide walks you through the essentials — from understanding attack types to implementing concrete firewall rules, rate limits, and monitoring — so you can confidently convert your VPS into a DDoS protected VPS.

What is a DDoS attack?

A DDoS uses many sources (compromised devices, botnets, or spoofed hosts) to flood your service or exhaust its resources. Attacks typically fall into three buckets:

Volumetric (e.g., UDP floods, amplification) — saturate bandwidth.
Protocol (e.g., SYN/ACK, UDP fragments) — exploit network/transport quirks.
Application (e.g., HTTP floods) — overwhelm your app or web server.

Quick checklist

Choose a provider with always-on DDoS mitigation and Anycast scrubbing.
Put HTTP(S) behind a reverse proxy/CDN (WAF, bot filters, caching).
Lock down services with firewalls, rate limiting, and allowlists.
Harden the kernel: conntrack limits, SYN protection, sane sysctl defaults.
Enable automatic banning (e.g., fail2ban) and per-IP throttles.
Set up monitoring & alerting (traffic, CPU, latency) and an incident playbook.

Why VPS are targeted

Predictable IPs and ports (SSH, game ports, web).
Public visibility (search engines, server lists, social media).
Attackers test/boast, or extort with “pay to stop” threats.

Provider-level protection

The most effective defense begins before traffic reaches your VPS:

Network scrubbing & Anycast: malicious packets are filtered at the edge, away from your VM.
Automated detection: anomaly-based triggers for L3/L4 floods and known attack signatures.
Clean-pipe delivery: only scrubbed traffic reaches your NIC.

If uptime matters, prefer a provider that offers always-on mitigation rather than “on-demand.” You can also front web apps with a reputable CDN/WAF for application-layer protection and caching.

Get a DDoS protected VPS

Using Remote DDoS protection to secure the VPS

When your current VPS host doesn’t include robust mitigation—or you want a single shield for multi-cloud/multi-region workloads—the most effective approach is to place your services behind a remote DDoS protection provider. Remote DDoS protection from Evolution Host absorbs and scrubs malicious traffic on their global edge, then forwards only clean traffic to your server.

How Evolution Host protects your VPS remotely

Always-on edge scrubbing: Volumetric and protocol floods are mitigated at the network level before they reach your VPS.
Game-aware filtering for TCP/UDP: Purpose-built profiles for latency-sensitive workloads (game/voice servers).
Multiple delivery options:
- Configurable protection directly inside your VPS — for effortless setup.
- Remote TCP/UDP reverse proxy — for game/voice ports, keeps latency low.
- Remote DDoS protection — protect your websites, applications and gameservers while continuing to use your current VPS hosting provider.
Origin IP isolation: Your true server IP stays private; only the provider can reach it.

Get Remote DDoS Protection

Protecting specific gameservers

DDoS patterns differ by engine. Query floods, malformed handshakes, spoofed UDP, and reflection/amplification all show up differently for FiveM, Rust, Minecraft, and friends. With an Evolution Host DDoS-protected VPS, you can attach per-game protection profiles to the exact IP/port your server uses. Each profile applies tuned L3/L4/L7 filters, protocol sanity checks, and rate thresholds designed for that engine—so you block attacks without blocking players.

How per-game profiles help

Protocol-aware filtering – Allows only the handshake and packet shapes your engine expects; drops malformed or over-sized bursts.
Smart rate limits – PPS/RPS caps aligned to normal player behavior (e.g., query rates for Source, status pings for Minecraft).
Port-scoped mitigation – Apply the profile only to the ports you host (no blanket filtering that adds latency elsewhere).
Origin IP isolation – Only Evolution Host’s scrubbing egress can reach your VPS; attackers can’t bypass the shield.

Popular engines & recommended setup

FiveM / RedM

Typical ports: UDP 30120 (game), plus associated query/FXServer ports if used.
Apply profile: Assign the FiveM profile to your protected IP:port in the panel.
Tips: Keep resources updated; cap simultaneous connects per IP; hide origin IP (allow only EVH egress to origin).

Minecraft (Vanilla, Paper/Spigot)

Typical ports: TCP 25565 (Java). Bedrock uses UDP 19132.
Apply profile: Use the Minecraft profile (separate Java/Bedrock presets if available).
Tips: Enable connection throttles in your proxy (Velocity/BungeeCord); hide origin; add basic join-rate limits.

Rust

Typical ports: UDP 28015 (game), UDP 28016 (RCON/web query).
Apply profile: Use the Rust profile to throttle abnormal UDP bursts and query spam.
Tips: Restrict RCON to VPN or EVH egress; avoid wide port ranges.

Palworld

Typical ports: UDP (commonly 8211 by default; verify your config).
Apply profile: Use the Palworld or Generic UDP Game profile.
Tips: Fix a single UDP port; cap concurrent connects per IP; keep binaries updated.

Source engine (CS2/CS:GO, TF2, Garry’s Mod, HL2DM)

Typical ports: UDP 27015 (game), additional in 27015–27050 depending on setup.
Apply profile: Use the correct profiles for your game tuned for A2S query floods and spoofed UDP.
Tips: Expose only the necessary ports; consider lowering query rates via server cvars where supported.

TeamSpeak 3 / Mumble (voice)

Typical ports: UDP 9987 (TS3 voice), TCP 10011 (query), TCP 30033 (file).
Apply profile: Use the TeamSpeak and Mumble profiles which mitigate even complex floods without adding jitter.
Tips: Restrict query/file ports; prioritize the voice UDP traffic.

EvoShield DDoS Protection Panel Preview

With an abundance of other gameserver protection profiles available to choose from, your gameserver will be secure - regardless of the particular gameserver or application you are running.

Expose only what you must

Minimize your attack surface:

Bind services to 127.0.0.1 or private interfaces when possible.
Use a reverse proxy for HTTP(S); terminate TLS and apply WAF policies there.
Move admin panels behind VPN/Zero Trust or restrict by IP.

Firewall essentials (Linux)

Start with a deny-by-default policy and explicit allows. Whether you use ufw, nftables, or iptables, aim for these basics:

Allow only required ports (e.g., 80/443, game port, SSH via a nonstandard port if possible).
Drop invalid packets; limit new connections per IP.
Rate-limit ICMP and SYN; disable source routing and redirects.

Example: UFW (Ubuntu)

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw limit ssh                      # throttles repeated SSH attempts
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Example game port
sudo ufw allow 30120/udp
sudo ufw enable

Example: nftables (advanced)

table inet filter {
	chain input {
		type filter hook input priority 0;
		ct state established,related accept
		iif lo accept
		icmp type echo-request limit rate 10/second accept
		ct state invalid drop
		# Rate-limit new TCP connections per source
		ip saddr . tcp dport { 22,80,443 } ct state new limit rate 50/second accept
		tcp flags & (syn|ack) == syn limit rate 200/second accept
		tcp dport { 22,80,443 } accept
		udp dport { 30120 } accept
		drop
	}
}

Kernel hardening (sysctl)

Harden TCP/IP behavior to handle spikes gracefully:

# /etc/sysctl.d/60-ddos.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.core.somaxconn = 4096
net.core.netdev_max_backlog = 32768
net.netfilter.nf_conntrack_max = 262144

Apply with sudo sysctl --system. Tune values to your workload and memory limits.

Rate limiting & abuse controls

fail2ban: ban abusive IPs based on logs (SSH, Nginx, etc.).
Web rate limits: use Nginx/Apache to throttle per-IP requests and expensive endpoints.
Game servers: if supported, enable built-in flood protection and per-IP connection caps.

Example: Nginx basic limiting

http {
	limit_req_zone $binary_remote_addr zone=req_per_ip:10m rate=10r/s;
	server {
		location / {
			limit_req zone=req_per_ip burst=20 nodelay;
		}
	}
}

Put a shield in front (reverse proxy/CDN)

Front your site or API with a CDN/WAF. Benefits include:

Global Anycast absorption of volumetric attacks.
Layer 7 protections (bot management, challenge pages).
Caching that reduces origin load during spikes.

For TCP/UDP services (games, VoIP), use a provider that supports proxied TCP/UDP or a specialized game DDoS shield.

Monitoring, visibility, and alerts

Baseline normal traffic (pps, bps, requests per second) and set alert thresholds.
Watch CPU, memory, conntrack count, open file descriptors.
Collect logs centrally; enable flow logs if your provider supports them.

Incident response playbook

Detect: alerts trigger; confirm increased loss/latency or 5xx spikes.
Mitigate: enable/verify provider scrubbing; activate WAF rules and strict rate limits.
Harden live: tighten firewall, drop nonessential ports, enable maintenance mode for web.
Communicate: status page updates; set expectations for users/customers.
Stabilize: monitor until metrics return to baseline.
Postmortem: document attack vectors and permanently improve controls.

Special notes for game & voice servers

Prefer providers with game-specific L3/L4 profiles for your engine/ports.
Use static maps of open ports; avoid broad ranges.
Keep your server binary updated for latest protocol hardening.

Choosing a DDoS-protected VPS provider

Look for:

Always-on mitigation with published capacity and attack reporting.
Anycast network with multiple scrubbing POPs.
Transparent controls: bypass lists, TCP/UDP proxying, per-service rules.
Real human support during incidents.

Evolution Host VPS provide purpose-built mitigation for latency-sensitive workloads and game servers while keeping management simple.

Will a firewall alone stop DDoS?

No. A local firewall helps at L4/L7, but volumetric attacks can saturate your link upstream. You still need provider-side scrubbing and/or a CDN/WAF in front.

Should I hide my origin IP?

Yes, for web apps behind a CDN/WAF. Restrict origin access to trusted proxy IP ranges (and your VPN) so attackers can’t bypass the edge.

What’s a safe baseline for SSH?

Use key-based auth, move SSH off port 22, enable fail2ban, and allowlist your admin IPs/VPN. Consider port knocking or WireGuard for admin access.

Do I need a CDN/WAF if my site is small?

It’s still helpful. Even low-traffic sites get hit by opportunistic HTTP floods and bot scans. A lightweight CDN/WAF can absorb spikes and filter junk cheaply.

How do I protect game servers (TCP/UDP) that can’t sit behind a normal CDN?

Use a provider that offers proxied TCP/UDP or game-aware mitigation at L3/L4. Lock down port ranges, enable per-IP connection caps, and keep the server binary updated.

What rate limits should I start with for web?

Begin around 5–10 requests/second per IP with short bursts (e.g., +20) for general pages, then tighten on expensive endpoints (logins/search) and add CAPTCHA/challenges.

Will SYN cookies impact performance?

Minimal impact for most workloads, and they greatly improve resilience to SYN floods. Pair with sane tcp_max_syn_backlog and conntrack limits.

Should I use GRE tunnels or BGP Anycast for mitigation?

GRE is useful to receive scrubbed traffic from a mitigation provider. BGP Anycast is ideal when available, distributing load across multiple scrubbing POPs.

How do I know I’m under attack?

Watch for sudden jumps in pps/bps, new-connection rates, 5xx spikes, and latency/loss. Set alerts based on baselines and enable flow logs if your provider supports them.

Can rate limiting block legitimate traffic?

Yes, if set too aggressively. Start conservative, monitor, and exempt trusted IPs or authenticated sessions. Prefer sliding windows over hard caps.

How much does effective DDoS protection cost?

Basic CDN/WAF tiers can be low-cost. Always-on, high-capacity network scrubbing for TCP/UDP services costs more but is essential for mission-critical uptime.

How can I safely test my defenses?

Use staging and synthetic load tools for application stress tests. For network-layer testing, work with your provider’s approved test facilities—never launch unlawful traffic.

Sources & further reading

Final Thoughts

Defending a VPS against DDoS is about layers: capable edge mitigation, minimal exposure, strong host hardening, and good observability. Put these pieces in place today so the first time you see a flood, it’s a routine drill — not a crisis.