The VPS Provider DDoS Problem
DDoS attacks on VPS infrastructure hit providers harder than they hit the targeted customer. An attack on a single VPS can saturate the physical host's uplink, degrade neighbors on the same hypervisor, spike support ticket volume, and put SLA commitments at risk across multiple accounts simultaneously. The attacked customer gets downtime; the provider gets the liability.
The shared-infrastructure nature of VPS hosting means that DDoS protection is not optional, and "we provide basic scrubbing" is not sufficient. The providers that retain customers through attacks are the ones with fast detection, per-server forensics, and mitigation that does not take down the entire physical host to stop one tenant's attack.
The requirements for VPS providers are specific:
- Per-VPS visibility: You need to know which specific tenant is being targeted, not just that aggregate traffic is elevated on a host.
- Fast detection: Detection in under 5 seconds means you can respond before the attack degrades neighbors. Detection in 60 seconds means neighbors are already affected.
- Forensic data: When a customer disputes a DDoS claim or requests an incident report, you need packet-level evidence, not just "traffic was high."
- Scalable economics: A tool that costs $500/server/month is not viable for a VPS provider charging $20/month per instance. Pricing needs to scale with the business model.
The "DDoS Protected VPS" Problem
Many VPS providers market their infrastructure as "DDoS protected" without being specific about what that means. The protection is typically a shared scrubbing layer at the data center transit boundary: it activates after traffic crosses a threshold, drops the attacked IP's traffic in bulk for a scrubbing window, then restores connectivity. The customer experiences this as their VPS going offline for 30-120 seconds during the nullroute window, often with no notification and no incident data afterward.
This "protection" model protects the provider's network, not the customer's uptime. The customer gets an SLA breach. For VPS providers that want to genuinely differentiate on DDoS protection rather than just claiming it, the answer is per-server detection with fast, targeted mitigation that keeps the attacked VPS online throughout the incident.
The Tools
Flowtriq
Flowtriq runs a lightweight agent on each VPS that monitors network traffic at the host level. Each VPS gets independent detection: its own baseline, its own alert stream, and its own incident history. When a VPS is attacked, Flowtriq detects it within one second, classifies the attack type (UDP flood, SYN flood, DNS amplification, NTP amplification, ICMP flood, HTTP flood, multi-vector), and triggers alerts through your configured channels.
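The per-VPS visibility requirement listed earlier and the per-server baseline and classification described above can be sketched in a few lines. This is an added example, not Flowtriq's code: the record format, the thresholds and the 70% dominance rule are assumptions made for illustration, and the sample traffic is constructed.

```python
from collections import Counter, defaultdict

ALPHA = 0.2        # EWMA weight for the per-VPS baseline (assumed value)
FACTOR = 5.0       # alert when pps exceeds FACTOR x baseline (assumed value)
FLOOR_PPS = 1000   # ignore spikes below this absolute rate (assumed value)
DOMINANT = 0.7     # share of packets one family needs to name the attack (assumed)


def bucket(proto, src_port, flags):
    """Map one flow summary to a coarse attack family."""
    if proto == "udp":
        # Reflected traffic arrives FROM the abused service's port.
        return {53: "dns_amplification", 123: "ntp_amplification"}.get(src_port, "udp_flood")
    if proto == "tcp" and flags == "S":
        return "syn_flood"
    if proto == "icmp":
        return "icmp_flood"
    return "other"


def detect(records):
    """records: (second, vps_ip, proto, src_port, tcp_flags, packets) tuples.
    Returns a list of (second, vps_ip, family, pps) alerts, one per VPS-second."""
    per_sec = defaultdict(Counter)          # (second, vps) -> packets per family
    for sec, vps, proto, sport, flags, pkts in records:
        per_sec[(sec, vps)][bucket(proto, sport, flags)] += pkts

    baseline, alerts = {}, []
    for sec, vps in sorted(per_sec):
        fams = per_sec[(sec, vps)]
        pps = sum(fams.values())
        base = baseline.get(vps)
        if base is not None and pps > max(FLOOR_PPS, FACTOR * base):
            top, top_pkts = fams.most_common(1)[0]
            family = top if top_pkts / pps >= DOMINANT else "multi_vector"
            alerts.append((sec, vps, family, pps))
            continue                        # keep attack traffic out of the baseline
        # The first observed second seeds the baseline for that VPS.
        baseline[vps] = pps if base is None else (1 - ALPHA) * base + ALPHA * pps
    return alerts


# Constructed sample: two tenants on one host; 203.0.113.20 is hit from t=3.
TENANTS = ("203.0.113.10", "203.0.113.20")
SAMPLE = [(t, ip, "tcp", 443, "A", 400) for t in range(5) for ip in TENANTS]
SAMPLE += [(3, "203.0.113.20", "udp", 53, "", 90000),
           (4, "203.0.113.20", "udp", 53, "", 60000),
           (4, "203.0.113.20", "tcp", 40000, "S", 50000)]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Because the baseline is kept per destination IP, the quiet neighbor never alerts even though the host's aggregate rate rises by two orders of magnitude.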
For VPS providers, the per-server model is particularly valuable. Attack data is scoped to the specific VPS, so you can immediately identify which tenant is targeted without correlating aggregate data across physical hosts. The PCAP capture feature provides packet-level forensics for every incident, giving you evidence for customer support tickets, SLA disputes, and abuse reports.
Flowtriq's firewall rules engine applies targeted mitigation at the VPS level: rate-limit inbound UDP from amplification reflection sources, apply protocol-specific thresholds, trigger webhooks to your orchestration platform. The mitigation keeps the attacked VPS online for legitimate traffic rather than nullrouting the IP and taking the customer fully offline.
At $9.99/node/month, the economics work for VPS providers. A provider with 200 VPS instances pays $1,998/month for per-server detection on every node, which is significantly less than enterprise DDoS appliances and includes capabilities (per-server classification, PCAP, modern alerting) that appliances typically do not provide at the individual VPS level.
Corero SmartWall
Corero SmartWall is an inline hardware DDoS mitigation platform that sits at the data center transit boundary. It processes traffic at line rate and applies L3/L4 filtering before attack traffic reaches any VPS on the physical infrastructure. For large VPS providers running their own colocation data centers, SmartWall provides network-wide protection that handles volumetric attacks before they affect any tenant.
SmartWall's strength is high-throughput volumetric mitigation: it can absorb hundreds of gigabits per second of attack traffic at the network edge without impacting any individual server. This is the right tool for preventing transit saturation across the entire hosting environment.
Path.net
Path.net provides a DDoS-resistant transit network using anycast BGP. VPS providers using Path.net as their upstream transit get volumetric scrubbing built into the network path. Attack traffic is absorbed at Path.net's network before it reaches the provider's edge, preventing transit saturation without requiring any on-premises hardware.
Path.net requires BGP peering capability and works best for providers managing their own ASN and IP address space. It provides network-level protection but no per-server visibility or application-layer forensics.
Cloudflare Spectrum
Cloudflare Spectrum is Cloudflare's application proxy for TCP and UDP traffic. It routes your VPS traffic through Cloudflare's network, absorbing DDoS attacks at the Cloudflare edge. It supports non-HTTP protocols including SSH, game servers, and custom application ports. The pricing model charges per gigabyte of proxied traffic, which makes it economical for low-traffic applications but expensive during attack events that generate large traffic volumes.
For VPS providers, Spectrum's per-GB pricing can become unpredictable during large attacks. A 10 Gbps attack running for 30 minutes generates roughly 2.25 TB of traffic, which could result in a significant unexpected charge depending on your Cloudflare plan and pricing tier.
Provider-built-in scrubbing (OVH, Hetzner, Leaseweb, etc.)
Most large VPS providers (OVH, Hetzner, Leaseweb, DigitalOcean) include some level of DDoS scrubbing built into their network. This typically activates automatically when traffic to an IP exceeds a volumetric threshold, routes traffic through a scrubbing center, and restores connectivity after the scrubbing window ends. No configuration is required and there is no additional charge.
The limitations are significant: scrubbing typically triggers a 15-30 second nullroute period before the scrubbing path activates, detection thresholds are coarse, there is no per-server visibility or attack classification for the customer, no PCAP capture, and SLA obligations around protection quality are rarely defined or enforced. The scrubbing protects the provider's transit, not the customer's application uptime.
Feature Comparison
| Capability | Flowtriq | Corero | Path.net | CF Spectrum | Provider scrubbing |
|---|---|---|---|---|---|
| Detection latency | 1 second | Wire-rate | Network-level | Near real-time | 30-120 sec |
| Per-VPS visibility | Yes | No | No | No | No |
| Attack classification | 8 families + score | L3/L4 types | No | No | No |
| PCAP forensics | Automatic | No | No | No | No |
| Keeps VPS online during attack | Yes (targeted) | Yes (line-rate) | Depends on config | Proxy-dependent | No (nullroute) |
| Added latency to customers | Zero | Sub-ms | Minimal (anycast) | Proxy overhead | Scrubbing path |
| Pricing model | $9.99/node/mo | $30K-$200K+ CAPEX | Bandwidth-based | ~$0.10/GB | Included |
| Modern alert channels | 7 channels | Email/webhook | Email/webhook | None | |
| Requires BGP/infra | No | Yes (DC) | Yes (BGP/ASN) | No | No |
When to Choose Each
Choose network-layer tools (Corero, Path.net) when:
- You manage colocation or BGP infrastructure and need hardware-speed volumetric protection at transit scale
- Preventing transit saturation is your primary concern for the entire hosting environment
- Budget for CAPEX hardware is available and you have network engineers on staff
Choose Flowtriq when:
- You need per-VPS detection with exact attack classification to support customers and meet SLA obligations
- You want PCAP forensics captured automatically for every incident to resolve support disputes with evidence
- You need targeted mitigation that keeps attacked VPSes online, not a nullroute that takes the customer offline
- You want Discord/Slack/PagerDuty alerts with attack type within seconds of detection, not hours after a customer complaint
- You need predictable, per-server pricing that scales with your node count without per-GB surprises
Frequently Asked Questions
Can I add Flowtriq to any VPS?
Yes. Flowtriq's agent runs on any Linux VPS with a network interface. It requires no BGP capability, no special network hardware, and no changes to your hosting provider's infrastructure. Install with `pip install ftagent`, run `sudo ftagent --setup` with your API key, and the agent starts monitoring within seconds. It works on any cloud provider (DigitalOcean, Vultr, Linode, Hetzner, OVH, AWS EC2, etc.) and any bare-metal or colocation server running Linux.
How does Flowtriq compare to OVH or Hetzner's built-in DDoS protection?
OVH and Hetzner's built-in scrubbing operates at their network edge and activates on volumetric thresholds. When it activates, it typically triggers a 15-30 second nullroute period before the scrubbing path is active, your VPS IP is inaccessible to legitimate traffic during that window, and you receive no per-server data about what type of attack occurred or how long it lasted. Flowtriq complements these provider-level protections: the provider's network handles large volumetric floods at the transit edge, while Flowtriq gives you per-VPS detection in one second, attack classification, PCAP forensics, and targeted mitigation that keeps the VPS online for legitimate traffic.
Does Flowtriq protect against all attack types targeting VPS infrastructure?
Flowtriq classifies and mitigates eight attack families: UDP flood, SYN flood, DNS amplification, NTP amplification, ICMP flood, HTTP flood, TCP ACK flood, and multi-vector combinations. This covers the vast majority of attacks targeting VPS infrastructure. For extremely high-bandwidth volumetric attacks (100+ Gbps) that would saturate the hosting provider's transit links before reaching the VPS, network-layer solutions at the transit boundary are needed. For everything that reaches the server level, Flowtriq provides the detection and mitigation layer.
What Linux distributions does the Flowtriq agent support?
The Flowtriq agent runs on Ubuntu 18.04+, Debian 9+, CentOS 7+, AlmaLinux 8+, Rocky Linux 8+, and Fedora 30+. Python 3.7 or higher is required. The agent installs via pip and requires root privileges for packet capture. It has been tested on KVM, Xen, VMware, and container-based VPS environments. Full installation documentation is available in the Flowtriq dashboard after signing up.