The Marketing vs the Reality
Search for "DDoS protected VPS hosting" and you will find hundreds of providers claiming protection. The language is consistent: "DDoS protection included," "up to 1 Tbps protection," "attacked? We have you covered." What most providers do not explain is what their protection actually does when an attack hits.
For the majority of VPS hosting providers, "DDoS protection" means one thing: null routing. When attack traffic against a customer's IP address exceeds a threshold, the IP is null-routed at the network edge. Traffic to that IP is dropped. The attack stops reaching your infrastructure. The customer's VPS is also completely unreachable until the null route is lifted.
This is not useless protection. Null routing protects the rest of your customers from being collateral damage when one IP is attacked. It keeps your transit links from saturating. It is a legitimate and necessary tool. But it is not what most customers imagine when they read "DDoS protection included."
From your customer's perspective: null routing means their VPS goes offline during an attack, just more cleanly than if you did nothing. The protection is for your network, not for them.
The Three Tiers of VPS DDoS Protection
VPS hosting DDoS protection exists on a spectrum. Understanding where a provider sits on this spectrum tells you what their customers actually experience during an attack.
Tier 1: Null routing (most common)
When attack traffic exceeds a threshold (commonly 1-10 Gbps), the targeted IP is null-routed at the upstream router. All traffic to that IP is dropped, including legitimate traffic. The customer's VPS goes offline. The null route is typically held for 30-60 minutes after the attack subsides before the IP is restored. Most budget and mid-range VPS providers operate at this tier.
Tier 2: Scrubbing center integration (premium)
Traffic is rerouted through a scrubbing center (either operated by the provider or contracted from a third party) when an attack is detected. The scrubbing center filters attack packets and forwards clean traffic to the VPS. The customer's service may degrade during attack onset but typically remains reachable. Providers at this tier are genuinely differentiating on protection quality. Cost is significantly higher than basic null-routing providers.
Tier 3: Per-server detection + scrubbing (best-in-class)
Scrubbing handles the volumetric traffic, but each VPS also has per-server detection monitoring exactly what traffic reaches it after scrubbing. The operator knows which VPS is being targeted before null routing or scrubbing kicks in, classifies the attack type, captures forensic PCAP data, and can respond with targeted mitigation that keeps the VPS online. Customers can be shown their own incident history with packet-level evidence. This is what Flowtriq enables for VPS providers.
What Customers Actually Need
Different VPS customers have different protection requirements. Understanding this helps VPS providers market their protection honestly and match customers to appropriate service tiers.
Game server customers
Game server operators (Minecraft, FiveM, ARK, Rust, CS2, Valheim) are among the most DDoS-targeted VPS customers. They face UDP floods, TCP SYN floods, and protocol-specific amplification attacks designed to disconnect players. For them, availability is the metric: attack duration measured in seconds matters because a 30-second outage triggers player disconnect storms and support tickets. They need sub-second detection and mitigation that keeps the game server accessible, not null routing that takes it offline. Null routing is seen as a failure by game server customers even though it stops the attack from affecting other customers.
Web hosting and SaaS customers
Website operators and SaaS businesses care about uptime SLAs. A HTTP flood that takes their site offline for 30 minutes while null routing takes effect is a failure. They also need attack reports for incident communication with their own customers and for cybersecurity insurance claims. Per-server detection with PCAP evidence is increasingly required for insurance submissions.
Crypto and fintech customers
Trading infrastructure, exchange APIs, and blockchain nodes are high-value DDoS targets. Attack timing correlates with market events: outages cost real money and may have contractual implications. This segment needs guaranteed availability and forensic evidence. They will pay premium prices for genuine protection.
Developer and startup customers
Budget VPS customers running small projects generally accept null routing as adequate protection. They want to know their host will not go down from attacks targeting other customers on shared infrastructure. Basic null routing satisfies this requirement.
How to Evaluate a "DDoS Protected" VPS Provider
When evaluating DDoS protection claims from a VPS provider, ask these specific questions:
- "What happens to my VPS during an attack?" The honest answer for most providers is "it gets null-routed." A provider with scrubbing should say "traffic is cleaned and your VPS stays accessible." If they cannot answer this clearly, you have your answer.
- "What is your detection threshold?" Providers with null routing typically have thresholds of 1-20 Gbps. Below that threshold, attack traffic reaches your VPS and your OS absorbs it. If your attacker is smart enough to stay below the threshold, "DDoS protection" does nothing.
- "How long are null routes held?" A 60-minute null route means 60 minutes of downtime after an attack ends. Some providers hold null routes for hours. Ask for the specific policy.
- "Can I see per-VPS attack data?" If the provider cannot give you per-VPS traffic metrics, attack classification, and incident history, they are doing network-level protection only. You have no visibility into what your VPS actually experienced.
- "Do you provide PCAP data for incidents?" Packet captures are required for insurance claims, law enforcement reports, and ISP abuse submissions. If the provider cannot supply PCAPs, post-incident forensics are impossible.
- "What is your scrubbing capacity?" "Up to 1 Tbps protection" usually means null routing happens before 1 Tbps of attack traffic reaches your network. It does not mean 1 Tbps of traffic is actively scrubbed and forwarded clean.
What DDoS Protection Looks Like on Individual VPSes
Consider two attack scenarios on the same VPS provider: one with null-routing only, one with per-server detection added.
Attack scenario: 45,000 PPS UDP flood against a game server VPS, lasting 8 minutes.
With null routing only: The attack stays below the 10 Gbps null-route trigger (UDP floods at this PPS rate are typically under 3 Gbps). The flood reaches the VPS directly for 8 minutes. Players disconnect within seconds. The game server OS absorbs 45,000 PPS, CPU spikes, the game process crashes or becomes unresponsive. The operator opens a support ticket. The support team has no data on what happened. The operator may never know it was a DDoS attack rather than a hardware problem.
With per-server detection (Flowtriq): Alert fires at second 2. The operator receives a Slack notification: UDP Flood detected, confidence 94%, peak 47,230 PPS, 340 unique source IPs across 18 ASNs, top source countries CN/RU/BR. Flowtriq automatically applies a firewall rule dropping traffic from the attack source pattern. The game server stays accessible. A 60-second PCAP is available. The operator can show their customer a complete incident report. Total player impact: minimal.
The difference is not about attack size. It is about whether you have visibility and tools to respond before the attack fully impacts the customer's service.
Protection Comparison: What VPS Providers Typically Offer
| Capability | Null Routing Only | Scrubbing Center | Scrubbing + Flowtriq |
|---|---|---|---|
| Protects provider network | Yes | Yes | Yes |
| VPS stays accessible during attack | No | Usually | Yes |
| Below-threshold attack detection | No | No | Yes (1-second) |
| Per-VPS attack classification | No | Partial | Full (8 families) |
| PCAP forensics per incident | No | No | Yes (auto, 60s) |
| Customer-visible incident reports | No | Summary only | Full per-VPS history |
| Real-time customer alerts | No | Slack/Discord/SMS/etc. | |
| Targeted mitigation (not null-route) | No | At scrubbing layer | Per-VPS firewall rules |
What VPS Providers Need to Offer Genuine Protection
For VPS hosting providers that want to compete on protection quality rather than just marketing language, the infrastructure requirements are well-defined.
Layer 1: Upstream scrubbing. For volumetric attacks that saturate transit links, you need scrubbing capacity that exceeds your inbound bandwidth. Options include in-house scrubbing appliances (Corero SmartWall, Radware DefensePro), contract scrubbing services (Path.net, Voxility, OVH VAC, Hetzner DDoS protection), or CDN-based scrubbing (Cloudflare Magic Transit). This layer prevents large attacks from disrupting your network and other customers. Cost scales with scrubbing capacity.
Layer 2: Per-VPS detection. Scrubbing center integration solves the network-level problem but leaves a visibility gap at the individual VM level. Installing Flowtriq on each hypervisor node (or in privileged containers with network namespace visibility) gives you per-second traffic data for every VPS, automatic attack classification, PCAP capture, and instant alerting. This is the layer that turns "your IP was attacked and null-routed" into "here is your incident report with packet-level evidence."
Layer 3: Customer visibility. Giving customers access to their own attack history, incident reports, and PCAP downloads transforms DDoS protection from a defensive cost center into a differentiated product feature. Customers pay premium prices for visibility. Flowtriq's API and webhook system enable this integration with your billing and customer portal.
The Economics of Better Protection
VPS providers often treat DDoS protection as a cost center. The economics are more favorable when you consider the revenue side.
Churn reduction: Customers who experience repeated DDoS attacks without visibility or effective mitigation churn. Game server operators churn fastest, since their business depends on uptime. A single month of customer retention across 100 servers paying $20/month is $2,000 in retained revenue. Flowtriq's cost for 100 nodes is $999/month.
Premium tier pricing: "DDoS protected" with per-server detection, PCAP forensics, and customer dashboards commands a meaningful premium over basic null-routing hosting. Customers in game hosting, fintech, and SaaS pay 2-5x the base price for genuine protection with evidence. One premium customer segment upgrades can cover the detection infrastructure cost entirely.
Support cost reduction: Without detection visibility, every attack generates a support ticket that your team must investigate without data. With per-server detection, the ticket comes with a full incident report. Support resolution time drops from 30 minutes to 5 minutes per incident. For providers with high attack rates, this is a significant operational saving.
SLA compliance: Per-server detection gives you the data to defend your uptime SLAs. If a customer claims downtime and you have per-second traffic data showing a 90-second attack window, you have the evidence to demonstrate your infrastructure performed correctly and the attack was external.
Add per-VPS detection to your hosting infrastructure
Flowtriq gives VPS hosting providers per-server detection, PCAP forensics, and customer-visible incident reports. $9.99/node/month with a 7-day free trial.
Start Free Trial →Frequently Asked Questions
What does "DDoS protected VPS" mean?
It depends on the provider, and the definition varies significantly. Most VPS providers that advertise DDoS protection mean they will null-route (drop all traffic to) your IP address when attack traffic exceeds a threshold, typically 1-20 Gbps. This protects the provider's network but takes your VPS offline for the duration plus a hold period of 30-60+ minutes. Premium providers offer active scrubbing, where attack traffic is filtered and legitimate traffic continues to reach your VPS. Best-in-class providers add per-VPS detection with attack classification, PCAP forensics, and instant alerting at the server level.
How can I tell if a VPS provider has real DDoS protection?
Ask specifically: "What happens to my VPS when an attack hits?" If the answer mentions null routing, your IP going offline, or a "hold period," you have null routing. Ask for their detection threshold: if it is a bandwidth figure like "up to 500 Gbps," that is a null-route trigger, not a scrubbing capacity. Ask if they provide per-VPS attack reports and PCAP data. Ask how long null routes are held. A provider with genuine scrubbing will be able to explain how traffic is cleaned and forwarded to your VPS without it going offline. A provider with per-server detection will be able to show you sample incident reports with attack classification and packet-level data.
Can I add per-server DDoS detection to an existing VPS?
Yes. If you are a VPS operator, you can install Flowtriq on your host nodes and gain per-VPS detection regardless of what upstream protection your provider offers. If you have root access to a Linux VPS, you can install Flowtriq directly on the VPS itself for detection at the VM level. Flowtriq installs in under 5 minutes via a single package manager command and does not require any changes to your network infrastructure or upstream provider configuration.
What DDoS attacks are most common against VPS hosting?
UDP floods are the most common attack type against VPS hosting, particularly for game servers. SYN floods are common against web servers and API endpoints. DNS amplification and NTP amplification attacks use exposed resolvers to generate large volumes of UDP traffic. HTTP floods target web applications directly. ICMP floods are less common but occasionally used. The attack type distribution varies significantly by customer segment: game server VPSes attract UDP floods almost exclusively; web hosting VPSes see a mix of HTTP floods and volumetric attacks. Per-server detection with attack classification lets you understand what your customer base actually faces.
Is there a VPS provider that includes Flowtriq in their offering?
VPS providers can integrate Flowtriq into their hosting infrastructure and offer per-VPS detection as a service to their customers. If you are a hosting provider interested in offering Flowtriq-powered DDoS detection as part of your VPS plans, Flowtriq's API and multi-tenant workspace support enables per-customer visibility, white-label alert channels, and customer-facing incident reports. Contact us to discuss hosting provider pricing and integration options.
See what is actually hitting your VPS infrastructure
Per-server DDoS detection, automatic PCAP capture, attack classification, and instant multi-channel alerts. $9.99/node/month with a 7-day free trial, no credit card required.
Start your free trial →