The Collateral Damage Problem
Every hosting provider has dealt with the same scenario: a DDoS attack targets one customer's IP, but the traffic saturates a shared uplink and degrades service for dozens or hundreds of other customers. The standard playbook is to null-route the target IP. The attack stops, but so does the targeted customer's entire business. They file a support ticket, then they start looking for a new provider.
Null-routing is a blunt instrument. It protects your infrastructure at the expense of the customer you are supposed to be serving. It generates support tickets from the targeted customer ("why is my server offline?") and from the neighbors who experienced collateral slowdowns before the null-route was applied. It erodes trust. And it happens again the next time that customer, or any customer, gets hit.
The underlying issue is that most hosting providers treat DDoS as a reactive, infrastructure-level problem. Someone in the NOC notices elevated traffic, identifies the target, and applies a null-route. The whole process takes 5 to 15 minutes, during which every customer sharing that uplink suffers. For providers hosting game servers, SaaS applications, or e-commerce platforms, those minutes translate directly into lost revenue for customers and lost trust in your platform.
The Market Opportunity
DDoS attacks are not slowing down. Cloudflare reported 47.1 million DDoS attacks in 2025, a 121% year-over-year increase. The attacks are getting more frequent, more distributed, and easier to launch. Every hosting customer with a public IP is a potential target, and they know it.
This creates a straightforward business opportunity. Customers will pay more for hosting that includes DDoS protection. In surveys, DDoS protection consistently ranks among the top three factors businesses consider when choosing a hosting provider, alongside uptime guarantees and support quality. A hosting provider that can credibly offer "your server stays online during attacks" has a meaningful competitive advantage over one that cannot.
DDoS protection is also one of the highest-margin value-adds available to hosting providers. Unlike bandwidth or storage, which have real marginal costs, software-based DDoS detection scales efficiently across your existing infrastructure. The detection cost per node is small relative to what customers will pay for the peace of mind and the operational visibility.
Hosting providers that offer DDoS protection typically see 15-25% higher customer retention rates. Customers who have survived an attack with your protection in place rarely switch providers. The switching cost is psychological as much as technical: they trust your platform because they have seen it work under fire.
What Customers Actually Want
Hosting customers do not just want a checkbox that says "DDoS protection included." They want three specific things:
- Visibility: A dashboard showing real-time traffic patterns, detected attacks, and what was blocked. Customers want to see that the protection is working, not just trust that it exists. This is especially important for customers who need to report security posture to their own clients or auditors.
- Alerting: Real-time notifications when an attack is detected and mitigated. Email, Slack, Discord, PagerDuty, webhooks. Customers want to know what is happening to their infrastructure without having to check a dashboard constantly.
- Evidence: PCAP captures, incident reports, and historical analytics. When a customer's client asks "were we affected by that attack last Tuesday?", they need concrete data to answer the question. Packet captures and incident timelines turn a vague "we handled it" into a documented, defensible response.
These three capabilities transform DDoS protection from an invisible backend feature into a tangible service that customers perceive value in every day, not just during attacks. They also make it significantly harder for customers to switch to a competitor who offers cheaper hosting but no visibility into security events.
Architecture Options
There are three primary approaches to adding DDoS protection to a hosting platform. Each has different cost structures, capacity profiles, and operational requirements.
Option 1: Upstream Scrubbing
Partner with a cloud scrubbing provider like Cloudflare Magic Transit, OVH VAC, or Path.net. All inbound traffic passes through their scrubbing centers before reaching your network. Clean traffic is forwarded; attack traffic is dropped.
- Pros: Massive capacity (multiple Tbps), handles volumetric attacks that would overwhelm any on-premise solution, minimal infrastructure changes on your side.
- Cons: High recurring cost (often per-Gbps of clean traffic), adds latency to all traffic (not just attack traffic), dependency on a third party for your core service availability.
Upstream scrubbing makes sense if your customers regularly face attacks exceeding 100 Gbps. For most hosting providers, the cost per Gbps makes this approach viable only for premium tiers or enterprise customers.
Option 2: On-Premise Appliances
Deploy hardware appliances like Arbor TMS or Corero SmartWall at your network edge. These devices inspect traffic in-line and drop attack packets before they reach customer servers.
- Pros: No latency penalty for clean traffic, full control over detection and mitigation logic, no dependency on external providers.
- Cons: Significant CAPEX (six figures per appliance), requires specialized staff to operate and tune, capacity is limited by hardware specs (typically 10-40 Gbps per unit), and you need redundant units at every edge location.
On-premise appliances work well for large hosting providers with dedicated network engineering teams. For mid-size providers, the CAPEX and staffing requirements are often prohibitive.
Option 3: Software-Based Detection with FlowSpec/RTBH
Deploy lightweight detection agents on customer servers or aggregate flow data (NetFlow/sFlow) from your routers. When an attack is detected, the system automatically pushes mitigation rules via BGP FlowSpec (surgical filtering) or RTBH (full blackhole) to your upstream routers.
- Pros: Low cost per node, scales linearly with your infrastructure, no dedicated hardware, detection happens at the source (the customer's server) so you get per-customer granularity. FlowSpec rules are surgical and do not impact legitimate traffic.
- Cons: Requires FlowSpec-capable routers for surgical mitigation (most modern routers support it), maximum mitigation capacity is limited by your uplink bandwidth (for attacks exceeding your pipe, you still need upstream scrubbing as a final tier).
This is the approach most hosting providers should start with. It covers the vast majority of attacks (sub-10 Gbps, which account for over 90% of all DDoS incidents), costs a fraction of the alternatives, and can be deployed incrementally, starting with your most-attacked customer segment.
Hybrid approach: Many hosting providers combine Option 3 (software detection + FlowSpec) for everyday attacks with Option 1 (upstream scrubbing) as a last-resort escalation tier for volumetric attacks that exceed link capacity. This gives you cost-effective coverage for 95% of incidents while maintaining protection against the largest attacks.
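The Option 3 chain and its hybrid escalation, as an added example that is not Flowtriq's code: constructed per-destination flow summaries are classified by vector, a destination above a packet-rate threshold gets a surgical FlowSpec match on that vector only, and one whose total rate exceeds the uplink falls through to RTBH (RFC 7999 BLACKHOLE community). Addresses, thresholds, uplink size and flow records are all assumptions.

```python
# Added example, not Flowtriq's code; addresses, thresholds and flows are constructed.
from collections import defaultdict

PPS_THRESHOLD = 10_000             # constructed; page cites 10-50 Kpps micro-attacks
UPLINK_BPS = 10 * 10**9            # constructed 10 Gbps shared uplink
BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 well-known BLACKHOLE community

# Constructed 1-second flow summaries: (dst, proto, src_port, pkts, bytes)
FLOWS = [
    ("192.0.2.10", 17, 53, 40_000, 40_000 * 1400),    # DNS amplification at .10
    ("192.0.2.10", 6, 443, 800, 800 * 900),           # legitimate HTTPS at .10
    ("192.0.2.20", 47, 0, 900_000, 900_000 * 1480),   # GRE flood at .20, exceeds uplink
    ("192.0.2.30", 6, 443, 1_200, 1_200 * 800),       # normal traffic, no action
]

def vector_name(proto, sport):
    if proto == 47:
        return "gre-flood"
    if proto == 17:
        return "dns-amplification" if sport == 53 else "udp-flood"
    return "other"

def classify(flows):
    """Packets and bytes per destination, keyed by (proto, src_port) vector."""
    per_dst = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for dst, proto, sport, pkts, nbytes in flows:
        per_dst[dst][(proto, sport)][0] += pkts
        per_dst[dst][(proto, sport)][1] += nbytes
    return per_dst

def plan(flows, pps_threshold=PPS_THRESHOLD, uplink_bps=UPLINK_BPS):
    """One mitigation decision per attacked destination; clean hosts get none."""
    actions = []
    for dst, vectors in classify(flows).items():
        (proto, sport), (pkts, _) = max(vectors.items(), key=lambda kv: kv[1][0])
        if pkts < pps_threshold:
            continue
        total_bps = sum(b for _, b in vectors.values()) * 8
        action = {"target": dst, "vector": vector_name(proto, sport)}
        if total_bps > uplink_bps:
            # Exceeds the pipe: FlowSpec cannot help, blackhole the /32 upstream (target goes offline)
            action.update(action="rtbh", community=BLACKHOLE_COMMUNITY)
        else:
            # Fits in the pipe: match only the attack vector so legitimate TCP/443 keeps flowing
            match = {"destination": f"{dst}/32", "protocol": proto}
            if sport:
                match["source-port"] = sport
            action.update(action="flowspec", match=match, then="discard")
        actions.append(action)
    return actions
```

Running plan(FLOWS) yields a FlowSpec discard for the DNS amplification against .10 (leaving its TCP/443 traffic untouched) and an RTBH decision for .20, whose GRE flood alone exceeds the 10 Gbps uplink.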
Pricing Models That Work
Hosting providers have four viable models for pricing DDoS protection:
Included in Premium Tier
Differentiate your hosting tiers by including DDoS protection in your mid-range and premium plans. Your basic plan offers no protection. Your professional plan includes detection and alerting. Your enterprise plan includes full auto-mitigation with dashboards and PCAP access. This drives upsells from basic to premium without requiring customers to purchase a separate add-on.
Per-IP Add-On
Charge $5-$15 per month per protected IP address. This works well for customers running multiple services on a single server who want protection on specific IPs (their production web server, their game server) but not on everything. Simple to understand, easy to bill.
Per-Server Add-On
Charge $10-$20 per month per protected server. This is the simplest model and aligns directly with per-node detection costs. If your detection platform costs you $8-$10 per node, charging $15-$20 gives you 33-50% margin on the service while keeping the price low enough that most customers opt in.
Enterprise Custom Plans
For large customers with 50+ servers, offer custom pricing with volume discounts, dedicated support, and SLA guarantees. These deals are negotiated individually and typically include monthly security reviews, custom escalation policies, and priority NOC response.
| Model | Your Cost/Unit* | Customer Price | Margin |
|---|---|---|---|
| Premium tier | $8-10/server | $15-25/server | 40-60% |
| Per-IP add-on | $8-10/server | $5-15/IP | varies |
| Per-server add-on | $8-10/server | $15-20/server | 33-50% |
| Enterprise | $8-10/server | negotiated | 50-70% |

* Based on Flowtriq annual billing at $7.99/node/month
Implementation with Flowtriq
Flowtriq is purpose-built for this use case. Here is how hosting providers deploy it across their customer base:
- Agent deployment as part of provisioning: When you provision a new server, install the Flowtriq agent as part of your standard setup script. A single command (pip install ftagent --break-system-packages && sudo ftagent --setup) installs the lightweight detection daemon. Integrate this into your Ansible playbooks, Terraform modules, or custom provisioning system so every new server is protected from minute one.
- White-label dashboard under your brand: Flowtriq supports full white-labeling. Your customers see your logo, your colors, and your domain when they access their DDoS protection dashboard. They never see the Flowtriq brand. This makes the service feel native to your platform rather than bolted on from a third party.
- Per-customer workspaces: Each customer gets an isolated workspace with their own nodes, incidents, analytics, and team members. A game server hosting customer sees only their traffic data. An e-commerce customer sees only theirs. Your NOC team has access to all workspaces through a single login with a workspace switcher.
- Automated alerting and incident reports: Configure notification channels per customer. Some want Slack alerts. Others want email. Enterprise customers want PagerDuty integration. Each workspace has independent notification settings. Incident reports with PCAP evidence are generated automatically for every detected attack.
- Auto-mitigation via FlowSpec/RTBH: Flowtriq's auto-mitigation engine pushes FlowSpec rules to your edge routers when attacks are detected. Surgical filtering stops attack traffic without affecting legitimate connections to the target or any other customer. For attacks too large to filter, RTBH blackholes the target IP as a last resort. This entire chain runs automatically, reducing NOC workload from "investigate and respond to every attack" to "review auto-mitigated incidents during business hours."
- API integration with billing: Use Flowtriq's API to sync node counts with your billing system. When a customer adds a server and the agent registers a new node, your billing system automatically adds the DDoS protection line item. When a server is decommissioned, the node is removed and billing adjusts.
Operational Benefits for the Hosting Provider
Adding DDoS protection is not just a revenue play. It directly reduces your operational costs and improves platform stability:
- Fewer null-routes: When attacks are mitigated surgically via FlowSpec, you no longer need to null-route customer IPs. Fewer null-routes means fewer angry customers, fewer support tickets, and fewer churn events triggered by "my server was taken offline without warning."
- Faster incident detection: Per-node detection agents identify attacks within seconds, not the 5-15 minutes it takes a NOC analyst to notice elevated traffic on a monitoring graph. Faster detection means less collateral damage to neighboring customers on shared uplinks.
- Audit trail and PCAP evidence: Every incident is logged with timestamps, attack vectors, traffic volumes, and optional PCAP captures. When a customer files an abuse report or asks for incident documentation, you have it ready. When upstream providers ask you to justify a FlowSpec rule, you have the evidence.
- Reduced support tickets: A significant percentage of "my server is slow" tickets are caused by undetected DDoS attacks. Small attacks (10-50 Kpps) may not be large enough to trigger network-level alarms but are enough to degrade application performance. Per-node detection catches these micro-attacks and mitigates them before the customer notices. Fewer mysterious slowdowns means fewer support tickets.
- Reduced NOC workload: Auto-mitigation handles 80-90% of incidents without human intervention. Your NOC team reviews auto-resolved incidents during business hours instead of being paged at 3 AM to manually apply firewall rules. This is particularly valuable for smaller hosting providers where the NOC team also handles other operational responsibilities.
Before and After: The Transformation
Consider the operational difference between reactive and proactive DDoS handling:
Before: Reactive Null-Routing
- Attack hits customer IP, saturates shared uplink for 5-15 minutes
- Multiple customers experience degraded connectivity
- NOC analyst identifies target, applies null-route manually
- Targeted customer goes fully offline, files support ticket
- Support team explains what happened, customer questions your reliability
- No data on attack type, volume, or duration for post-incident review
- Customer considers switching to a provider with DDoS protection
After: Proactive Detection and Automated Mitigation
- Attack hits customer IP, detected within seconds by the on-node agent
- FlowSpec rule pushed to edge router, attack traffic filtered surgically
- Legitimate traffic to the target continues uninterrupted
- No impact on neighboring customers
- Customer receives alert: "Attack detected and mitigated, your server is unaffected"
- Full incident report with attack classification, traffic graphs, and optional PCAP
- Customer tells colleagues: "Our hosting provider stopped a DDoS attack and we did not even notice"
The difference is not subtle. It is the difference between losing customers after every significant attack and building a reputation as the provider that keeps servers online no matter what.
Getting Started
The fastest path to offering DDoS protection is to start with your most-attacked customer segment. For most hosting providers, that is game servers. Game server hosting attracts frequent, targeted DDoS attacks. These customers are already asking for protection, they are willing to pay for it, and the results are immediately measurable.
Here is the pilot plan:
- Deploy Flowtriq agents on 10-20 game servers from customers who have experienced recent attacks or submitted DDoS-related support tickets.
- Configure auto-mitigation with FlowSpec rules for common game server attack vectors (UDP floods, GRE floods, DNS amplification).
- Set up customer dashboards so these pilot customers can see their traffic patterns and any detected incidents.
- Measure results over 30 days: count null-routes applied (should decrease), count DDoS-related support tickets (should decrease), and collect customer feedback on the dashboard and alerting experience.
- Price it and expand: Once you have concrete data on attack reduction and customer satisfaction, package the service with a clear price point and roll it out to your full customer base.
The pilot costs almost nothing. Flowtriq includes a 7-day free trial per workspace, and at $7.99-$9.99 per node after that, protecting 20 nodes for a month costs under $200. The reduction in null-routes, support tickets, and customer churn from those 20 nodes will likely justify the cost within the first week.
Ready to add DDoS protection to your hosting platform? Flowtriq's per-node pricing, white-label support, and automated mitigation are built for hosting providers who want to offer protection without building the infrastructure from scratch. Start your free trial and deploy your first customer workspace in under 10 minutes.