© 2022 Yandex.Cloud LLC

Yandex DDoS Protection

Written by
Yandex Cloud

Yandex DDoS Protection is the VPC component that safeguards cloud resources from DDoS attacks. DDoS Protection is provided in partnership with Qrator Labs.

By activating Yandex DDoS Protection for VM instances or network load balancers, you can efficiently counteract attacks that attempt to exhaust the channel capacity and computing resources of your VM instances. Such attacks consume a large amount of bandwidth and generate a large number of packets per second. They are relatively easy to set up: attackers typically send a flood of TCP SYN packets (SYN flood) or traffic of UDP-based application protocols (DNS, NTP, SSDP, CLDAP, and many others).

To prevent such attacks, DDoS Protection:

  • Constantly analyzes all incoming traffic.
  • Detects the above anomalies in the network and transport layers.
  • Automatically diverts unwanted traffic when its intensity threatens the health of your app in Yandex Cloud.
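
The network- and transport-layer signals listed above can be sketched as a per-window classifier. This is an added example, not Yandex Cloud's or Qrator Labs' detection logic; the packet tuple layout, the function names, the sample traffic, and every threshold are assumptions chosen for illustration.

```python
from collections import Counter

# UDP services named above that are abused for reflection, by source port.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 389: "CLDAP"}

def normal_traffic():
    """Constructed baseline: 20 completed TCP handshakes and 5 DNS replies."""
    pkts = []
    for i in range(20):
        src = f"198.51.100.{i + 1}"
        pkts += [(src, "tcp", 40000 + i, "S", 60), (src, "tcp", 40000 + i, "A", 52),
                 (src, "tcp", 40000 + i, "PA", 400)]
    pkts += [("203.0.113.53", "udp", 53, "", 120)] * 5
    return pkts

def attack_traffic():
    """Constructed attack window: baseline plus bare SYNs and large NTP replies."""
    syns = [(f"192.0.2.{i % 254 + 1}", "tcp", 1024 + i, "S", 60) for i in range(5000)]
    ntp = [(f"203.0.113.{i % 254 + 1}", "udp", 123, "", 468) for i in range(2000)]
    return normal_traffic() + syns + ntp

def classify_window(packets, window_s=1.0, syn_pps_limit=1000,
                    syn_ack_ratio=10, reflect_bps_limit=1_000_000):
    """Return sorted anomaly labels for one window; all limits are assumed values."""
    syn = ack = 0
    reflected = Counter()
    for _src, proto, sport, flags, size in packets:
        if proto == "tcp":
            if flags == "S":
                syn += 1            # bare SYN: a handshake was opened
            elif "A" in flags:
                ack += 1            # ACK seen: the peer is progressing the connection
        elif proto == "udp" and sport in REFLECTION_PORTS:
            reflected[REFLECTION_PORTS[sport]] += size
    findings = []
    # SYN flood: high SYN rate AND far more SYNs than follow-up ACKs.
    if syn / window_s > syn_pps_limit and syn > syn_ack_ratio * max(ack, 1):
        findings.append("syn_flood")
    # Reflection: replies from an amplifier port exceed the bit-rate limit.
    for service, total in reflected.items():
        if total * 8 / window_s > reflect_bps_limit:
            findings.append(f"udp_reflection:{service}")
    return sorted(findings)

if __name__ == "__main__":
    print(classify_window(normal_traffic()))
    print(classify_window(attack_traffic()))
```

Pairing the SYN rate with the SYN-to-ACK ratio keeps a busy but healthy service, where handshakes complete, from being flagged on rate alone.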

DDoS protection is available for the public IP addresses of virtual machines, network load balancers, and database hosts. You can only activate protection when you create a cloud resource or reserve a static IP address. However, there are no restrictions on working with protected IP addresses. You can make them static or reserve them. If you stop a virtual machine with a protected dynamic address, the address will change the next time the machine is started, but it will remain under DDoS protection.

The bandwidth for abusive and legitimate traffic is not restricted. You pay for every gigabyte of legitimate traffic passed to the resource.

Please note that when you enable DDoS Protection, you should reduce MTU and TCP MSS.

Please note that this service is not intended to protect websites and mobile apps from higher-level DDoS attacks that:

  • Use valid TCP connections.
  • Use HTTP and HTTPS requests.
  • Exploit bottlenecks in the attacked apps.

If you need protection at the application level, you can request extended protection by contacting technical support.

Extended protection

Extended protection operates at levels 3 and 7 of the OSI model. You can also track loads and attack properties, as well as enable SolidWall WAF in your Qrator Labs account.

When requesting the service, please provide the following information:

Service properties:

  • Number of resources (sites, domains, and services) to protect.
  • Enable WAF (Web Application Firewall): yes or no.
  • Enable encrypted (SSL/TLS/HTTPS) service protection: with or without decryption.
  • Business-critical downtime.
  • Enable dedicated channel to increase SLA: yes or no.

Legitimate traffic properties:

  • Maximum incoming and outgoing application traffic bandwidth.
  • Maximum packet rate (PPS).
  • Maximum request rate (RPS).

We also recommend providing:

  • A network infrastructure diagram: site locations, uplinks, internal architecture from the boundary router to the application.
  • Example traffic stats (chart screenshots) for a 24-hour period.

For details, see also

  • Enable protection from DDoS attacks
  • Enable advanced protection from DDoS attacks
