DDoS Protection. Always-on scrubbing.

Every server on Sigilhosting is protected by our DDoS scrubbing infrastructure at the network edge. Volumetric attacks are detected and filtered inline — no rerouting, no manual activation, no additional cost. Protection is automatic from the moment your server comes online.

Edge scrubbing · L3/L4 network layer · L7 application WAF · Always on

Network Layer

Layer 3/4 — Volumetric attack mitigation

All inbound traffic passes through our scrubbing infrastructure before reaching your server. This happens inline — there's no rerouting step and no latency penalty on legitimate traffic during normal operation.

When volumetric attack traffic is detected (SYN floods, UDP amplification, DNS reflection, NTP amplification, memcached reflection), it's filtered at line rate at the network edge. Our scrubbing capacity is distributed across all points of presence, so attack traffic is absorbed close to its source rather than concentrated at your server's data center.

Detection uses a combination of flow analysis, packet inspection, and behavioral heuristics. The system adapts to your server's normal traffic patterns and can distinguish between a legitimate traffic spike and an attack. False positive rates are monitored continuously.

[Figure: DDoS Filtering Pipeline. Multi-stage inspection drops malicious traffic before it reaches your server.]

Incoming traffic: 100 Gbps, mixed attack + legitimate.
Stage 1, Network Edge: rate limiting, IP reputation, GeoIP blocking. 60% dropped · 40 Gbps.
Stage 2, Protocol Analysis: TCP validation, SYN flood defense, fragment reassembly. 80% dropped · 8 Gbps.
Stage 3, Deep Inspection: behavioral analysis, challenge-response, pattern matching. 95% dropped · 500 Mbps clean.

Traffic volume at each stage: 100 Gbps incoming, 40 Gbps after network edge, 8 Gbps after protocol analysis, 500 Mbps clean traffic.

Always on: no manual activation needed.
< 1ms added latency: hardware-accelerated filtering.
99.5% attack absorption: only clean traffic reaches origin.

All filtering happens at the network edge before traffic enters our data centers.

Application Layer

Layer 7 — HTTP/HTTPS protection

For HTTP and HTTPS workloads, we offer an optional application-layer WAF that sits in front of your load balancer or directly in front of your server. It inspects HTTP requests and filters malicious traffic based on configurable rules.

The available rule types are rate limiting per IP address, geographic blocking by country code, bot detection using behavioral analysis, and custom rules based on request headers, paths, or query parameters. Rules are configured via API and take effect within seconds.

The WAF logs all blocked requests with full details (source IP, country, matched rule, request summary). Logs are available via API for integration with your SIEM or monitoring system.

Inline scrubbing. Zero latency. No rerouting.

How It Works

Attack lifecycle

What happens when your server is targeted.

When an attack is detected, the scrubbing infrastructure tightens its filtering rules automatically. The severity and type of attack determine which mitigation techniques are applied — a SYN flood triggers SYN cookie enforcement, while a DNS amplification attack triggers source validation and rate limiting on UDP/53.

During and after an attack, full telemetry is available via your dashboard and API: attack type, peak bandwidth, duration, source distribution (by country and ASN), and the mitigation techniques that were applied. Post-attack reports are generated automatically.

Features

Inline Scrubbing (Inline): All traffic passes through scrubbing infrastructure. No BGP rerouting, no GRE tunnels, no latency spikes during attacks.

SYN/UDP Filtering (Line rate): SYN floods, UDP amplification, DNS reflection, NTP amplification, and memcached reflection filtered at line rate.

Layer 7 WAF (WAF): Optional HTTP/HTTPS protection with rate limiting, geo-blocking, bot detection, and custom rules via API.

Auto Escalation (Auto): Mitigation scales automatically during large attacks. Rules tighten dynamically based on attack type and severity.

Attack Telemetry (Reports): Real-time and post-attack reports with peak bandwidth, duration, source distribution, and mitigation details.

Free Included ($0): Network-layer DDoS protection is included with every server at every tier. No activation, no additional cost.

Every server protected by default.

No configuration. No additional cost.