Traffic Routing

Traffic to DDoS Protected services is routed through user configuration of:

  1. Ports: A TCP or UDP port which can be forwarded to one more backend addresses
  2. Port Ranges: A range of TCP or UDP ports which can be forwarded to one or more backend addresses
  3. DMZs: The forwarding of all remaining TCP and/or UDP traffic to one or more backend addresses

It is a good idea to forward the smallest number of ports necessary for service operation.

More than one backend can be defined with load balancing. For information on Load Balancing see the the article on Load Balancer capabilities.

Backend Communication Methods

Depending on your backend Operating System and requirements the type of Port to use will vary. The Reverse Proxy setup type is the most simple and advisable for non-technical users.

Reverse Proxy Ports

A Reverse Proxy (RP) is a type of forwarding that forwards traffic by rewriting the TCP and UDP packets for a new destination. This functions very similarly to our filtering server making a connection to your backend as a client itself. These resources are then returned to the client through our server as though they originated on our server rather than your backend.

This is the simplest method of configuration and does not necessarily require any changes to your backend or service. Depending on your backend operating system and requirements the type of Port to use will vary.

This method is not always compatible with every application and service and does not allow the clients IP address to be retrieved on the backend server (e.g for banning).

At Layer 4 it is not possible for services protected with this method to make outgoing connections as no integration is provided or necessary on the backend server. Modules exist to retrieve the client IP at Layer 7 HTTP(s).

Tunneled Ports

A tunneled port communicates to the backend over a GRE or IP-in-IP. This method has the maximum compatibility with UDP services. Tunnels are available on Linux, Windows, BSD and many Router OS's. Automated setup scripts are provided for both Linux and Windows.

Tunneled connections expose the connecting clients IP directly as the packets from the connecting client are communicated inside the tunnel with minimal modification. Backend servers are able to make outgoing connections over this tunnel (such as to register game servers with list servers).

Tunneled ports come in two varieties:

  1. Encapsulated (NAT): Available to all /32 service customers and the default. You will be issued a private network in the 10.x.x.x range to which we will deliver traffic.

  2. Routed: Available to Network Protection customers only

To use the tunnel you have defined on the tunnels page and installed on your backend server you will need to have at-least one port using the "Encapsulated" or "Routed" port method and refererencing the tunnel you wish to use.

Port Protocols

The protocol selector in the ports table exposes Layer 4 and Layer 7 options for traffic routing. Layer 7 (lite) are implemented as Layer 7 specific filters at Layer 4.

Layer 4: TCP & UDP

There are two main Layer 4 protocols in use on the internet today and those are TCP and UDP.


TCP is a stream based protocol with a three way handshake for connection initialization. Being stream based and featuring Layer 4 (protocol) level connection handling it's a commonly used for applications requring client connections.

You may know it from such applications as: - HTTP and HTTP/2 (see also Layer7 HTTP) - Minecraft - TLS/SSL - SSH


UDP or User Datagram Protocol is a core protocol on the internet popular in real-time and lossy applications such as gaming and media streaming.  UDP Forwarding can be configured on the services Ports page.

Common Uses:

  • Domain Name Servers (DNS)

  • Online Games

  • Video Streaming applications

  • Chat servers (but not IRC)


A TCP&UDP port type is exposed in the protocol selector. This protocol is functionally equivalent to having both a UDP and TCP port defined with the same settings. This port is provided as a convenience.

Layer 7: HTTP(s) Ports and Games

Unlike TCP and UDP which are OSI Layer 4 Protocols, HTTP is an OSI Layer 7 Port. Multiplexing is supported with other HTTP ports when using the Domain field to define Virtual Hosts. Only HTTP(s) ports are protected against Layer 7 HTTP attacks.

HTTP servers typically run on TCP port 80, HTTPS (SSL/TLS) typically runs on port 443. Note Port protocol refers to the frontend protocol (how we communicate with connecting clients) not the backend communication protocol. See the padlock icon next to the backend server ip and port to enable HTTPS for backend communication.

Both HTTP and HTTPS ports can be defined however multiplexing can not occur between HTTP and HTTPS ports. For more information on HTTPS and SSL see the article page on SSL. HTTP(s) ports have a backend protocol property (also known as "secure") to enables communication with the backend server via SSL/TLS which may be enabled separately to the frontend protocol.

When using the domain field you must specify either:

  1. an exactly matching host (e.g, or; or
  2. a wildcard (e.g *; or
  3. which matches both and *

More information on HTTP(s) is available on it's dedicated article. For more information on Layer 7 protection see it's dedicated article.