
Evolution Host
Invent the Future

How to protect your VPS from DDoS attacks

Practical, proven steps to keep your virtual server online under fire

Last updated: October 3, 2025

Get a DDoS protected VPS

Introduction

Distributed Denial of Service (DDoS) attacks attempt to overwhelm your server or its network so real users can’t connect. If you run game servers, ecommerce shops, APIs, or community sites on a VPS, you’re a target. The good news: with the right mix of provider-side mitigation and host-level hardening, you can withstand most attacks and recover quickly from the rest.

This guide walks you through the essentials — from understanding attack types to implementing concrete firewall rules, rate limits, and monitoring — so you can confidently convert your VPS into a DDoS protected VPS.

What is a DDoS attack?

A DDoS uses many sources (compromised devices, botnets, or spoofed hosts) to flood your service or exhaust its resources. Attacks typically fall into three buckets:

Quick checklist

Why VPS are targeted

Provider-level protection

The most effective defense begins before traffic reaches your VPS:

If uptime matters, prefer a provider that offers always-on mitigation rather than “on-demand.” You can also front web apps with a reputable CDN/WAF for application-layer protection and caching.


Using Remote DDoS protection to secure the VPS

When your current VPS host doesn’t include robust mitigation—or you want a single shield for multi-cloud/multi-region workloads—the most effective approach is to place your services behind a remote DDoS protection provider. Remote DDoS protection from Evolution Host absorbs and scrubs malicious traffic on its global edge, then forwards only clean traffic to your server.

How Evolution Host protects your VPS remotely


Protecting specific gameservers

DDoS patterns differ by engine. Query floods, malformed handshakes, spoofed UDP, and reflection/amplification all show up differently for FiveM, Rust, Minecraft, and friends. With an Evolution Host DDoS-protected VPS, you can attach per-game protection profiles to the exact IP/port your server uses. Each profile applies tuned L3/L4/L7 filters, protocol sanity checks, and rate thresholds designed for that engine—so you block attacks without blocking players.

How per-game profiles help

Popular engines & recommended setup

FiveM / RedM

Minecraft (Vanilla, Paper/Spigot)

Rust

Palworld

Source engine (CS2/CS:GO, TF2, Garry’s Mod, HL2DM)

TeamSpeak 3 / Mumble (voice)

EvoShield DDoS Protection Panel Preview (screenshot)

With many other gameserver protection profiles available to choose from, your server stays protected regardless of the particular game or application you are running.

Expose only what you must

Minimize your attack surface:

Firewall essentials (Linux)

Start with a deny-by-default policy and explicit allows. Whether you use ufw, nftables, or iptables, aim for these basics:

Example: UFW (Ubuntu)

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw limit ssh                      # throttles repeated SSH attempts
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Example game port
sudo ufw allow 30120/udp
sudo ufw enable

Example: nftables (advanced)

table inet filter {
	# Dynamic set backing the per-source limit below; entries expire after a minute
	set new_conn_meter {
		type ipv4_addr
		size 65535
		flags dynamic, timeout
		timeout 1m
	}
	chain input {
		type filter hook input priority 0; policy drop;
		ct state established,related accept
		iif lo accept
		icmp type echo-request limit rate 10/second accept
		ct state invalid drop
		# Rate-limit new TCP connections per source: a client opening more than
		# 50 new connections per second is dropped (IPv4 only; the set type is ipv4_addr)
		tcp dport { 22, 80, 443 } ct state new add @new_conn_meter { ip saddr limit rate over 50/second } drop
		# Global SYN cap: drop SYNs beyond 200/second instead of letting them fall
		# through to the port accept rules below
		tcp flags & (syn|ack) == syn limit rate over 200/second drop
		tcp dport { 22, 80, 443 } accept
		udp dport { 30120 } accept
		# Everything else is dropped by the chain policy
	}
}

Kernel hardening (sysctl)

Harden TCP/IP behavior to handle spikes gracefully:

# /etc/sysctl.d/60-ddos.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.core.somaxconn = 4096
net.core.netdev_max_backlog = 32768
net.netfilter.nf_conntrack_max = 262144

Apply with sudo sysctl --system. Tune values to your workload and memory limits. Note that the net.netfilter.nf_conntrack_max key only exists once the nf_conntrack module is loaded, so on a host without any conntrack rules sysctl --system will report it as an unknown key until the module is in use.
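Applying the file is only half the job; a practitioner also wants to confirm the values are actually in effect on the running kernel. The following checker is an added example, not part of the Evolution Host guide: it parses a sysctl.d file, reads each key back from /proc/sys, and reports any key that is missing or differs. The embedded sample configuration is a constructed excerpt of the file above, and the /etc/sysctl.d/60-ddos.conf path is the one the snippet uses.

```python
"""Verify that DDoS-related sysctl settings are live on the running kernel.
Added example for the guide above; not Evolution Host's own tooling."""
from pathlib import Path

# Constructed sample mirroring part of /etc/sysctl.d/60-ddos.conf above.
SAMPLE_CONF = """\
# /etc/sysctl.d/60-ddos.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.core.somaxconn = 4096
"""


def parse_sysctl_conf(text):
    """Parse 'key = value' lines into a dict; comments and blanks are ignored."""
    desired = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        desired[key] = value
    return desired


def read_live(key, root="/proc/sys"):
    """Return the running kernel's value for a dotted sysctl key, or None when
    the key cannot be read (module not loaded, missing permission, no /proc)."""
    path = Path(root, *key.split("."))
    try:
        return path.read_text().strip()
    except OSError:
        return None


def compare(desired, live):
    """Return {key: (wanted, actual)} for every key whose live value is missing
    or differs. Values are compared token-wise so '1  2  3' equals '1 2 3'."""
    drift = {}
    for key, wanted in desired.items():
        actual = live.get(key)
        if actual is None or actual.split() != wanted.split():
            drift[key] = (wanted, actual)
    return drift


def audit(conf_text, root="/proc/sys"):
    """Parse a sysctl.d file and report which of its keys are not in effect."""
    desired = parse_sysctl_conf(conf_text)
    live = {key: read_live(key, root) for key in desired}
    return compare(desired, live)


if __name__ == "__main__":
    conf = Path("/etc/sysctl.d/60-ddos.conf")
    text = conf.read_text() if conf.exists() else SAMPLE_CONF
    drift = audit(text)
    for key, (wanted, actual) in drift.items():
        print(f"DRIFT {key}: wanted {wanted!r}, live {actual!r}")
    if not drift:
        print("all keys in effect")
```

Run it after sudo sysctl --system; a None on the live side points at a key the kernel does not expose yet (the conntrack case noted above), while a differing value usually means a later sysctl.d file overrides yours.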

Rate limiting & abuse controls

Example: Nginx basic limiting

http {
	# One bucket per client IP, 10 MB of shared state, steady rate of 10 requests/second
	limit_req_zone $binary_remote_addr zone=req_per_ip:10m rate=10r/s;
	server {
		location / {
			# Allow short bursts of up to 20 extra requests without delaying them;
			# anything beyond that is rejected (503 by default)
			limit_req zone=req_per_ip burst=20 nodelay;
		}
	}
}
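It helps to see what rate=10r/s with burst=20 nodelay actually does to a client before you put it in front of real users. The simulator below is an added example, not code from Evolution Host or from nginx: it models nginx's per-key leaky bucket (the first request from a new address starts an empty bucket, each later request adds one unit of excess that drains at the configured rate, and a request that would push the excess above burst is rejected) and replays a constructed request stream through it. The IP addresses and timings are made up.

```python
"""Simulate nginx limit_req (leaky bucket with rate + burst) over a constructed
request stream. Added example; it is not nginx's or Evolution Host's code."""
from collections import defaultdict


class LimitReq:
    """Per-key leaky bucket with the semantics of
    `limit_req_zone ... rate=Nr/s` plus `limit_req burst=B [nodelay]`.
    The first request from a new key starts an empty bucket. Every later
    request adds 1 unit of 'excess', which drains at `rate` units/second.
    A request whose excess would exceed `burst` is rejected with 503 and
    leaves the bucket untouched. Without nodelay, accepted excess is delayed."""

    def __init__(self, rate, burst, nodelay=True):
        self.rate = float(rate)
        self.burst = float(burst)
        self.nodelay = nodelay
        self.state = {}  # key -> (last_seen_time, excess)

    def check(self, key, now):
        """Return (status, delay_seconds); status is 200 (pass) or 503 (reject)."""
        if key not in self.state:
            self.state[key] = (now, 0.0)
            return 200, 0.0
        last, excess = self.state[key]
        excess = max(excess - self.rate * (now - last), 0.0) + 1.0
        if excess > self.burst:
            return 503, 0.0
        self.state[key] = (now, excess)
        delay = 0.0 if self.nodelay else excess / self.rate
        return 200, delay


# Constructed traffic as (time_seconds, client_ip): one address fires 30
# requests at once, a second address browses politely every 0.5 s, and the
# burster comes back with 5 more requests one second later.
REQUESTS = (
    [(0.0, "203.0.113.10")] * 30
    + [(0.5 * i, "198.51.100.7") for i in range(5)]
    + [(1.0, "203.0.113.10")] * 5
)


def simulate(requests, rate=10, burst=20, nodelay=True):
    """Replay requests in time order; return {ip: {200: accepted, 503: rejected}}."""
    limiter = LimitReq(rate, burst, nodelay)
    counts = defaultdict(lambda: {200: 0, 503: 0})
    for now, ip in sorted(requests, key=lambda r: r[0]):
        status, _ = limiter.check(ip, now)
        counts[ip][status] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, c in simulate(REQUESTS).items():
        print(f"{ip:15} accepted={c[200]:3} rejected={c[503]:3}")
```

With these numbers the burster gets 21 requests through instantly and 9 rejected, then one second later the bucket has drained by 10 units so its next 5 requests pass; the polite client is never limited. That is the behaviour to keep in mind when the FAQ below suggests 5–10 r/s with a burst of about 20: the burst decides how many back-to-back page assets a real browser can load, the rate decides how quickly a flooder is throttled.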

Put a shield in front (reverse proxy/CDN)

Front your site or API with a CDN/WAF. Benefits include:

For TCP/UDP services (games, VoIP), use a provider that supports proxied TCP/UDP or a specialized game DDoS shield.

Monitoring, visibility, and alerts

Incident response playbook

  1. Detect: alerts trigger; confirm increased loss/latency or 5xx spikes.
  2. Mitigate: enable/verify provider scrubbing; activate WAF rules and strict rate limits.
  3. Harden live: tighten firewall, drop nonessential ports, enable maintenance mode for web.
  4. Communicate: status page updates; set expectations for users/customers.
  5. Stabilize: monitor until metrics return to baseline.
  6. Postmortem: document attack vectors and permanently improve controls.

Special notes for game & voice servers

Choosing a DDoS-protected VPS provider

Look for:

Evolution Host VPS plans provide purpose-built mitigation for latency-sensitive workloads and game servers while keeping management simple.

Will a firewall alone stop DDoS?

No. A local firewall helps at L4/L7, but volumetric attacks can saturate your link upstream. You still need provider-side scrubbing and/or a CDN/WAF in front.

Should I hide my origin IP?

Yes, for web apps behind a CDN/WAF. Restrict origin access to trusted proxy IP ranges (and your VPN) so attackers can’t bypass the edge.

What’s a safe baseline for SSH?

Use key-based auth, move SSH off port 22, enable fail2ban, and allowlist your admin IPs/VPN. Consider port knocking or WireGuard for admin access.

Do I need a CDN/WAF if my site is small?

It’s still helpful. Even low-traffic sites get hit by opportunistic HTTP floods and bot scans. A lightweight CDN/WAF can absorb spikes and filter junk cheaply.

How do I protect game servers (TCP/UDP) that can’t sit behind a normal CDN?

Use a provider that offers proxied TCP/UDP or game-aware mitigation at L3/L4. Lock down port ranges, enable per-IP connection caps, and keep the server binary updated.

What rate limits should I start with for web?

Begin around 5–10 requests/second per IP with short bursts (e.g., +20) for general pages, then tighten on expensive endpoints (logins/search) and add CAPTCHA/challenges.

Will SYN cookies impact performance?

Minimal impact for most workloads, and they greatly improve resilience to SYN floods. Pair with sane tcp_max_syn_backlog and conntrack limits.

Should I use GRE tunnels or BGP Anycast for mitigation?

GRE is useful to receive scrubbed traffic from a mitigation provider. BGP Anycast is ideal when available, distributing load across multiple scrubbing POPs.

How do I know I’m under attack?

Watch for sudden jumps in pps/bps, new-connection rates, 5xx spikes, and latency/loss. Set alerts based on baselines and enable flow logs if your provider supports them.
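The signals named above (request rate, new sources, 5xx share) are easy to compute from a web server's access log, and a baseline-plus-threshold alert is usually the first detection a small VPS gets. The script below is an added example, not from the Evolution Host guide: it parses nginx combined-format log lines, aggregates them per minute, learns a baseline from the first quiet minutes, and flags any later minute whose request count exceeds mean plus three standard deviations or whose 5xx share crosses a floor. The log lines are constructed inline (ten quiet minutes followed by one minute of HTTP flood from 200 documentation-range addresses); nothing here is real traffic.

```python
"""Baseline-and-alert detection over constructed nginx access logs for the
'how do I know I'm under attack?' signals. Added example, not Evolution Host's."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# nginx combined log format: ip ident user [ts] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return (minute_bucket, ip, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts.replace(second=0), m["ip"], int(m["status"])


def per_minute_stats(lines):
    """{minute: {'requests': n, 'errors_5xx': e, 'sources': distinct ips}}, sorted by minute."""
    buckets = defaultdict(lambda: {"requests": 0, "errors_5xx": 0, "sources": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        minute, ip, status = parsed
        b = buckets[minute]
        b["requests"] += 1
        b["errors_5xx"] += status >= 500
        b["sources"].add(ip)
    return {
        m: {"requests": b["requests"], "errors_5xx": b["errors_5xx"], "sources": len(b["sources"])}
        for m, b in sorted(buckets.items())
    }


def detect(stats, baseline_minutes, sigmas=3.0, min_5xx_share=0.2):
    """Flag minutes after the baseline window whose request count exceeds
    mean + sigmas*stdev of the baseline, or whose 5xx share reaches min_5xx_share."""
    minutes = list(stats)
    base = [stats[m]["requests"] for m in minutes[:baseline_minutes]]
    threshold = statistics.mean(base) + sigmas * statistics.pstdev(base)
    alerts = []
    for m in minutes[baseline_minutes:]:
        s = stats[m]
        share = s["errors_5xx"] / s["requests"] if s["requests"] else 0.0
        reasons = []
        if s["requests"] > threshold:
            reasons.append(f"requests {s['requests']} > baseline {threshold:.1f}")
        if share >= min_5xx_share:
            reasons.append(f"5xx share {share:.0%} from {s['sources']} sources")
        if reasons:
            alerts.append((m, reasons))
    return alerts


def make_line(ts, ip, status):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S +0000")}] "GET / HTTP/1.1" {status} 512'


def constructed_log():
    """Ten quiet minutes (10-14 requests from a few visitors, one stray 503),
    then one minute of flood: 400 requests from 200 addresses, a third failing."""
    start = datetime(2025, 10, 3, 12, 0, tzinfo=timezone.utc)
    lines = []
    for minute in range(10):
        for i in range(10 + minute % 5):
            ts = start + timedelta(minutes=minute, seconds=i * 4)
            status = 503 if (minute, i) == (3, 0) else 200
            lines.append(make_line(ts, f"198.51.100.{i % 6 + 1}", status))
    for i in range(400):
        ts = start + timedelta(minutes=10, seconds=i % 60)
        lines.append(make_line(ts, f"203.0.113.{i % 200 + 1}", 502 if i % 3 == 0 else 200))
    return lines


if __name__ == "__main__":
    for minute, reasons in detect(per_minute_stats(constructed_log()), baseline_minutes=10):
        print(minute.strftime("%H:%M"), "; ".join(reasons))
```

On a live host, feed it the tail of the access log and re-learn the baseline from a normal day rather than the first ten minutes; the same three counters map directly onto the pps/bps and new-connection graphs a provider's flow logs give you.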

Can rate limiting block legitimate traffic?

Yes, if set too aggressively. Start conservative, monitor, and exempt trusted IPs or authenticated sessions. Prefer sliding windows over hard caps.

How much does effective DDoS protection cost?

Basic CDN/WAF tiers can be low-cost. Always-on, high-capacity network scrubbing for TCP/UDP services costs more but is essential for mission-critical uptime.

How can I safely test my defenses?

Use staging and synthetic load tools for application stress tests. For network-layer testing, work with your provider’s approved test facilities—never launch unlawful traffic.

Sources & further reading

Final Thoughts

Defending a VPS against DDoS is about layers: capable edge mitigation, minimal exposure, strong host hardening, and good observability. Put these pieces in place today so the first time you see a flood, it’s a routine drill — not a crisis.
