New members get Extra 10% Discount! Code: KOLAN26 Copied!
00 Days
:
00 Hours
:
00 Min
:
00 Sec
Sign Up
+90 282 606 08 20 24/7 Support Live Chat
Announcements Login Sign Up
Security & SSL

How does DDoS protection work?

Last updated: May 18, 2026 5 min read 17 views

A DDoS (Distributed Denial of Service) attack aims to make a system unresponsive by sending synthetic traffic to your server simultaneously from thousands of different IPs. In Kolan IT's server and VDS packages, an always-on, two-layer protection architecture filters such attacks before they reach your server. In this article we explain how the protection works, what attack types it protects against, and what you can do during an attack.

1. What Is a DDoS Attack?

In a DDoS attack, the attacker coordinates thousands/millions of previously compromised devices (a botnet) to send requests to the target server at the same time. When the server's bandwidth or processing capacity can't handle this traffic, legitimate users can't reach the site. Common attack types:

  • UDP Flood: Sending very high-volume UDP packets to random ports of the target.
  • SYN Flood: Leaving TCP connections half-open to fill the server's connection table.
  • Amplification: Abusing services like DNS/NTP/Memcached to produce big responses from small requests; multiplying attack traffic.
  • Botnet attacks: Coordinated request waves from thousands of compromised devices.
  • Volumetric attacks: Traffic at Gbps/Tbps levels that fully saturates bandwidth.
  • TCP flag manipulation: Exhausting server resources with invalid flag combinations.

2. Two-Layer Protection Architecture

Traffic reaching our servers passes through two distinct filtering layers before it is delivered to the server resource:

  1. Upstream Backbone Filtering — high-volume malicious traffic is absorbed close to the source country on G-Core's global backbone.
  2. Edge XDP Filtering — on the edge router in front of the server, anomalies are detected and filtered at the packet level using kernel-level XDP technology.

The purpose of these two layers is not "to kick in when an attack arrives" but to clean traffic always. Thanks to this, protection works from the first millisecond of an attack and you don't see a visible outage on your site.

3. Upstream Backbone Filtering — Absorbing Traffic at the Source

Traffic targeting your server first reaches G-Core's distributed PoP (Point of Presence) network on its global backbone. Backbone capacity is 200+ Tbps; this number is thousands of times the capacity of local providers in Turkey. Benefits:

  • Attack traffic is absorbed close to the source country; filtered before reaching our data center.
  • Thanks to the massive backbone capacity, even the largest volumetric attacks don't saturate the link.
  • Through the Istanbul PoP, low latency is preserved for Turkey traffic — because protection isn't "switched on", there's no latency increase.

4. Edge XDP Filtering — Packet-Level Inspection in Front of the Server

Traffic that gets through the backbone is inspected a second time at the edge router right before being delivered to the server. This layer uses XDP (eXpress Data Path) technology; packets are caught at the lowest level of the Linux kernel and processed at very high speed.

  • Kernel-level processing: The decision is made before the packet reaches userspace; low CPU load, high throughput.
  • Packets-per-second (PPS) based protection: High-PPS SYN/UDP floods are dropped at the packet level.
  • Anomaly detection: Unusual packet structures and invalid TCP flag combinations are auto-blocked.
  • Dynamic blacklist: Attacker IPs/IP blocks are auto-added to the blacklist.
  • Protocol-level filtering: Invalid protocol behavior is rejected.

5. Always-On Protection — Why It Matters

Some DDoS protection solutions kick in only after an attack is detected (on-demand). In this approach, analyzing traffic after the attack starts, bringing up the protection layer and rerouting traffic can take minutes; your users can't reach the site during this time.

In our architecture, protection is continuously active; both normal and attack traffic pass through the same filtering layers. Result:

  • No "kick-in" delay when an attack starts — the protection is already there.
  • You see consistent latency both during normal use and under attack.
  • No manual intervention is needed for activation; systems are monitored 24/7.

6. Which Packages Include It?

DDoS protection is included standard in Kolan's VDS, Premium VDS, Germany VDS, Germany EPYC and Dedicated server packages; no separate purchase required. On hosting packages, attacks targeting our servers are absorbed thanks to this infrastructure. For full protection capacity details and the architecture diagram, you can review the kolan.net.tr/en/ddos-protection page.

7. If You Think You're Under Attack

If you're having access issues with your site/server and you suspect it's from a DDoS attack:

  • First check the server status (the website doesn't open, ping is high, ssh/rdp is laggy).
  • Emergency DDoS line: +90 282 606 08 20 — reachable 24/7.
  • Open a support ticket from the client area, mentioning your service ID and the behavior you observed (when did it start, which services were affected).
  • If possible, share sample entries from Apache/Nginx access logs; attack source and target analysis goes faster.
Note: Ordinary traffic spikes (campaign, viral content, ad surge) can sometimes be indistinguishable from a DDoS attack. Our team determines via log analysis whether it's a real attack and applies additional filtering rules if needed.

If you want additional info about our DDoS protection infrastructure or guidance on choosing a package, you can open a support ticket to reach our sales team.

Share:

Related articles

Security & SSL

How do I activate the SSL certificate?

Activating free Let's Encrypt SSL with cPanel AutoSSL, status check, HTTPS redirection, WordPress site URL update, mixed content and automatic renewal.

4 min read
Step 1 / 2