January 19, 2026 | Guides

How to Protect Your VPS from DDoS Attacks: Practical Guide

Comprehensive guide on protecting your VPS from DDoS attacks using firewalls, rate limiting, and other proven methods.

Distributed Denial of Service (DDoS) attacks can take your server offline in minutes, leading to revenue loss, customer dissatisfaction, and reputation damage. In 2026, such attacks have become more sophisticated and accessible. Fortunately, modern protection methods have also evolved. This guide will show you how to protect your Hiddence VPS from the most common types of DDoS attacks.

What is a DDoS Attack?

A DDoS attack occurs when many computers (a botnet) simultaneously send requests to your server, overwhelming its resources and making it unavailable to legitimate users.

Main Types of DDoS Attacks

  • Volumetric Attacks (L3/L4): UDP flood, ICMP, SYN flood — overwhelm network bandwidth
  • Application Layer Attacks (L7): HTTP flood, Slowloris — target application layer
  • Protocol Attacks: Exploit vulnerabilities in network protocols

Built-in Hiddence Protection

Every Hiddence VPS includes basic Layer 3-4 (network-level) DDoS protection, which automatically filters most volumetric attacks. Layer 7 (application) attacks, however, require the additional configuration described below.

Step 1: Firewall Setup

The first line of defense is proper firewall configuration. UFW (Uncomplicated Firewall) is a simple and effective tool for Ubuntu/Debian.

bash
# Install UFW
sudo apt update && sudo apt install ufw -y

# Allow SSH (IMPORTANT! Do this before enabling UFW)
sudo ufw allow 22/tcp

# Allow HTTP and HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable UFW
sudo ufw enable

# Check status
sudo ufw status verbose

# Advanced protection rules:
# Limit SSH connections (brute force protection)
sudo ufw limit 22/tcp

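# Rate-limit ICMP echo requests (ping flood protection)
sudo nano /etc/ufw/before.rules
# In the "# ok icmp codes for INPUT" section, replace the existing
#   -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# line with these two. Rules match top to bottom, so the limit must come first:
-A ufw-before-input -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

# Reload UFW so the edited rules take effect
sudo ufw reload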

# Protection against SYN flood
sudo nano /etc/sysctl.conf
# Add:
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Apply changes
sudo sysctl -p

Step 2: Install Fail2Ban

Fail2Ban automatically blocks IP addresses showing suspicious activity (multiple failed login attempts, port scanning).

bash
# Install
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Configuration for SSH and HTTP protection
# Create local configuration
sudo nano /etc/fail2ban/jail.local

# Add:
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
banaction = ufw

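[sshd]
enabled = true
port = 22
logpath = /var/log/auth.log
# On systems that log only to the systemd journal (no /var/log/auth.log),
# remove logpath and set: backend = systemd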

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log

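# Bans IPs that keep hitting the limit_req limit configured in Step 3
# (Nginx writes those rejections to error.log)
[nginx-limit-req]
enabled = true
filter = nginx-limit-req
port = http,https
logpath = /var/log/nginx/error.log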

# Restart Fail2Ban
sudo systemctl restart fail2ban

# Check status
sudo fail2ban-client status

Step 3: Nginx Protection

If you're using Nginx, configure rate limiting to protect against HTTP flood attacks.

bash
sudo nano /etc/nginx/nginx.conf

# Add to http block:
http {
    # Request limit: 10 requests per second per IP
    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
    
    # Connection limit
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    
    # Slowloris protection
    client_body_timeout 10s;
    client_header_timeout 10s;
    keepalive_timeout 5s 5s;
    send_timeout 10s;
    
    # Rest of configuration...
}

# In server block add:
server {
    location / {
        # Apply request limit
        limit_req zone=one burst=20 nodelay;
        
        # Connection limit: max 10 per IP
        limit_conn addr 10;
        
        # Your configuration...
    }
}

# Test configuration and reload
sudo nginx -t
sudo systemctl reload nginx
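
To see what `rate=10r/s` with `burst=20 nodelay` means for a single client, the following added example (not part of the original guide and not Nginx's own code) models the limit_req accounting in simplified form. The function name and the three traffic patterns are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: simplified model of nginx limit_req accounting for ONE client IP.
# stdin:  request arrival times in milliseconds (ascending), one per line.
# stdout: "<accepted> <rejected>"
simulate_limit_req() {
    local rate="$1" burst="$2"   # rate in requests/second, burst in requests
    awk -v rate="$rate" -v burst="$burst" '
        NR == 1 { last = $1; excess = 0; ok = 1; next }  # first request creates the state
        {
            # Drain for the elapsed time, then add this request (unit: 1/1000 request).
            e = excess - rate * ($1 - last) + 1000
            if (e < 0) e = 0
            if (e > burst * 1000) { rejected++; next }   # over burst: rejected, state unchanged
            excess = e; last = $1; ok++
        }
        END { printf "%d %d\n", ok, rejected }
    '
}

# Constructed traffic patterns (not captured data):
flood()  { seq 100 | sed 's/.*/0/'; }   # 100 requests in the same millisecond
fast()   { seq 0 10 990; }              # 100 r/s for one second
steady() { seq 0 100 4900; }            # exactly 10 r/s for five seconds

echo "flood  (accepted rejected): $(flood  | simulate_limit_req 10 20)"
echo "fast   (accepted rejected): $(fast   | simulate_limit_req 10 20)"
echo "steady (accepted rejected): $(steady | simulate_limit_req 10 20)"
```

The burst allowance is spent once and then refills only at the configured rate, so a sustained flood is cut to roughly 10 r/s while a client that stays at or below the rate is never rejected.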

Step 4: Use CDN

For maximum protection, use a CDN service such as Cloudflare. A CDN acts as a reverse proxy in front of your server, hiding its real IP address and absorbing most DDoS attacks. Benefits: hides the real IP, filters malicious traffic automatically, distributes load, provides free SSL/TLS, and includes a WAF for L7 protection.

  • Register on cloudflare.com (free plan available)
  • Add your domain and change NS records at your registrar
  • Enable 'Proxy' mode (orange cloud) for DNS records
  • Set SSL mode to 'Full (strict)' in SSL/TLS section
  • Enable 'DDoS Protection' and 'Bot Fight Mode' in security settings

Step 5: Monitoring

Regular monitoring helps detect attacks early.

bash
# Monitor active connections
watch -n 1 'ss -s'

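# View top 20 remote IPs by connection count (skips netstat's two header lines
# and strips only the trailing port, so IPv6 addresses stay intact)
netstat -ntu | awk 'NR>2 {print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -nr | head -n 20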

# View logs in real-time
sudo tail -f /var/log/nginx/access.log
sudo journalctl -u nginx -f

# Check blocked IPs in Fail2Ban
sudo fail2ban-client status sshd
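
Connection counts show who is connected, not how fast they are sending requests. The following added example (not part of the original guide) reads an Nginx access log in the default combined format and reports each IP whose peak requests per second exceed a threshold; the function names and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: per-IP peak request rate from an nginx "combined" access log.
# stdin:  access log lines; $1 = requests/second threshold.
# stdout: "<peak_per_second> <total> <ip>" for each IP above the threshold, busiest first.
flag_fast_clients() {
    local limit="$1"
    awk -v limit="$limit" '
        {
            ip = $1; second = $4            # $4 looks like [19/Jan/2026:10:00:01
            n = ++hits[ip SUBSEP second]    # requests from this IP in this second
            total[ip]++
            if (n > peak[ip]) peak[ip] = n
        }
        END {
            for (ip in peak)
                if (peak[ip] > limit) printf "%d %d %s\n", peak[ip], total[ip], ip
        }
    ' | sort -nr
}

# Constructed sample log (documentation-range addresses, not real traffic).
sample_log() {
    local i
    # One client sending 15 requests within the same second.
    for i in $(seq 15); do
        echo '203.0.113.7 - - [19/Jan/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.5.0"'
    done
    # A normal visitor: three requests spread over three seconds.
    for i in 1 2 3; do
        echo "198.51.100.20 - - [19/Jan/2026:10:00:0$i +0000] \"GET /page$i HTTP/1.1\" 200 1024 \"-\" \"Mozilla/5.0\""
    done
    # A second noisy client: 12 requests in one second, then one more later.
    for i in $(seq 12); do
        echo '192.0.2.44 - - [19/Jan/2026:10:00:02 +0000] "POST /login HTTP/1.1" 503 197 "-" "-"'
    done
    echo '192.0.2.44 - - [19/Jan/2026:10:00:09 +0000] "POST /login HTTP/1.1" 200 197 "-" "-"'
}

# Threshold 10 matches the rate=10r/s limit from Step 3.
sample_log | flag_fast_clients 10
```

On a live server, feed it recent lines, for example `sudo tail -n 50000 /var/log/nginx/access.log | flag_fast_clients 10`. When the site is proxied through a CDN, the first field holds the proxy's address unless Nginx is configured to restore the client IP, so check that before blocking anything.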

Emergency Measures

If an attack is already underway, take the following measures:

  • Identify the source: Use 'netstat' or logs to identify attacking IPs
  • Temporary block: sudo ufw insert 1 deny from ATTACKING_IP
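  • Block entire subnets: sudo ufw insert 1 deny from 123.45.0.0/16 (insert at position 1 so the deny is evaluated before the allow rules for ports 80 and 443)
  • Tighten rate limits: Temporarily lower Nginx limits to 1-5 req/s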
  • Contact support: Reach out to Hiddence support for advanced protection activation
  • Enable 'Under Attack Mode' in Cloudflare (if you use it)

Best Practices

  • Never publish your server's real IP if you use a CDN
  • Regularly update the system: sudo apt update && sudo apt upgrade
  • Use SSH keys instead of passwords for server access
  • Change the default SSH port (22) to a non-standard port
  • Set up automatic backups for quick recovery
  • Use separate IPs for critical services
  • Enable logging and regularly check logs for suspicious activity
  • Consider using geographic blocking if your service isn't global