{"id":82501,"date":"2026-03-04T10:47:06","date_gmt":"2026-03-04T15:47:06","guid":{"rendered":"https:\/\/www.inmotionhosting.com\/blog\/?p=82501"},"modified":"2026-03-03T10:54:05","modified_gmt":"2026-03-03T15:54:05","slug":"ddos-protection-strategies-dedicated-infrastructure","status":"publish","type":"post","link":"https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/","title":{"rendered":"DDoS Protection Strategies for Dedicated Infrastructure"},"content":{"rendered":"\n
\"DDoS<\/figure>\n\n\n

A distributed denial-of-service attack against a dedicated server is different from one targeting shared hosting. You’re the only tenant which means the attack is aimed specifically at your infrastructure, and you have the root access to respond directly. The question is whether you’ve configured the right defenses before the attack arrives, or whether you’re scrambling… <\/p><\/div>\n\n\n

Understanding What You’re Actually Defending Against<\/strong><\/h2>\n\n\n\n

DDoS attacks are not a monolithic threat. The category includes several distinct attack vectors that require different mitigation strategies:<\/p>\n\n\n\n

Volumetric attacks<\/strong> flood your network pipe with traffic \u2014 UDP floods, ICMP floods, amplification attacks using DNS or NTP. These are measured in Gbps and Mpps (million packets per second). A 100Gbps volumetric attack against a server with 10Gbps connectivity simply fills the pipe regardless of how good your server-level firewall is. Mitigation requires upstream scrubbing before traffic reaches your data center.<\/p>\n\n\n\n

Protocol attacks<\/strong> exploit weaknesses in TCP\/IP \u2014 SYN floods being the most common. These exhaust connection table capacity on your server rather than bandwidth. A sustained SYN flood can bring down a server without saturating the network link at all.<\/p>\n\n\n\n

Layer 7 (application) attacks<\/strong> target your application specifically. Low-and-slow attacks like Slowloris keep connections open indefinitely, exhausting connection limits without generating significant traffic volume. HTTP floods send legitimate-looking requests to expensive application endpoints \u2014 database-heavy pages, large file downloads, search functions.<\/p>\n\n\n\n

According to Cloudflare’s 2024 DDoS Threat Report<\/a>, HTTP DDoS attacks increased substantially year over year, with application-layer attacks now representing a significant proportion of total DDoS events. Volumetric attacks still occur, but sophisticated attackers increasingly target the application layer specifically because basic volumetric scrubbing doesn’t stop them.<\/p>\n\n\n\n

Layer 1: Upstream Mitigation (Scrubbing Centers)<\/strong><\/h2>\n\n\n\n

For volumetric attacks, no amount of server-side configuration helps if your 10Gbps connection is already saturated with 40Gbps of attack traffic. The mitigation must happen upstream, before traffic reaches your server.<\/p>\n\n\n\n

Cloudflare’s Magic Transit<\/strong> and AWS Shield Advanced<\/strong> both provide upstream scrubbing services that filter traffic before it arrives at your data center. Cloudflare’s network capacity exceeds 250Tbps, meaning they can absorb volumetric attacks that would overwhelm any single data center’s transit capacity. Magic Transit<\/a> announces your IP prefixes via BGP and routes all traffic through Cloudflare’s scrubbing infrastructure, passing only clean traffic to your server.<\/p>\n\n\n\n

This layer is not optional for infrastructure that needs guaranteed availability during volumetric attacks. The server-side techniques below address Layer 7 and protocol attacks; they don’t solve bandwidth exhaustion.<\/p>\n\n\n\n

InMotion Hosting’s dedicated server network<\/a> provides baseline DDoS mitigation at the data center level. For higher-volume threat environments, layering a CDN or scrubbing service in front of your InMotion infrastructure adds the upstream capacity needed to absorb large attacks.<\/p>\n\n\n\n

Layer 2: Rate Limiting at the Web Server<\/strong><\/h2>\n\n\n\n

Nginx and Apache both support connection rate limiting that stops Layer 7 floods before they consume application server resources.<\/p>\n\n\n\n

Nginx rate limiting configuration:<\/strong><\/p>\n\n\n\n

# Define a zone tracking requests by IP address<\/p>\n\n\n\n

limit_req_zone $binary_remote_addr zone=api_limit:10m rate=30r\/m;<\/p>\n\n\n\n

server {<\/p>\n\n\n\n

    location \/api\/ {<\/p>\n\n\n\n

        limit_req zone=api_limit burst=10 nodelay;<\/p>\n\n\n\n

        limit_req_status 429;<\/p>\n\n\n\n

    }<\/p>\n\n\n\n

}<\/p>\n\n\n\n

This configuration limits each unique IP to 30 requests per minute against \/api\/ endpoints, with a burst allowance of 10 requests before rate limiting activates. Nginx’s rate limiting documentation<\/a> covers the full parameter set. Set rates based on legitimate user behavior \u2014 an authenticated user submitting a form shouldn’t trigger a limit; an automated script hitting an endpoint 500 times per minute should.<\/p>\n\n\n\n

Connection limiting<\/strong> addresses Slowloris-style attacks:<\/p>\n\n\n\n

limit_conn_zone $binary_remote_addr zone=conn_limit:10m;<\/p>\n\n\n\n

server {<\/p>\n\n\n\n

    limit_conn conn_limit 20;<\/p>\n\n\n\n

    client_body_timeout 10s;<\/p>\n\n\n\n

    client_header_timeout 10s;<\/p>\n\n\n\n

    send_timeout 10s;<\/p>\n\n\n\n

}<\/p>\n\n\n\n

The timeout values are critical. Slowloris works by sending HTTP headers very slowly, keeping connections open. Short timeouts drop these connections before they accumulate.<\/p>\n\n\n\n

Layer 3: Firewall Rules for Protocol Attack Mitigation<\/strong><\/h2>\n\n\n\n

SYN flood protection starts with kernel-level settings on Linux:<\/p>\n\n\n\n

# Enable SYN cookies to handle SYN floods without exhausting connection tables<\/p>\n\n\n\n

echo 1 > \/proc\/sys\/net\/ipv4\/tcp_syncookies<\/p>\n\n\n\n

# Reduce the number of times a SYN-ACK is retransmitted before the kernel drops the connection<\/p>\n\n\n\n

echo 2 > \/proc\/sys\/net\/ipv4\/tcp_syn_retries<\/p>\n\n\n\n

# Reduce TIME_WAIT state duration to recycle connections faster<\/p>\n\n\n\n

echo “1 4 2 6 10 15 25 26” > \/proc\/sys\/net\/ipv4\/tcp_retries2<\/p>\n\n\n\n

# Make permanent<\/p>\n\n\n\n

sysctl -p<\/p>\n\n\n\n

For firewall-level mitigation, nftables<\/strong> (replacing iptables on modern Linux distributions) provides efficient packet filtering with minimal CPU overhead:<\/p>\n\n\n\n

# Block invalid TCP packets (common in SYN flood attacks)<\/p>\n\n\n\n

nft add rule inet filter input tcp flags ‘& (fin|syn|rst|psh|ack|urg) == fin|psh|urg’ drop<\/p>\n\n\n\n

# Rate-limit new connections<\/p>\n\n\n\n

nft add rule inet filter input ct state new limit rate 100\/second accept<\/p>\n\n\n\n

nft add rule inet filter input ct state new drop<\/p>\n\n\n\n

Fail2Ban<\/strong> automates IP blocking based on log patterns which is useful for repeated failed authentication attempts or sustained requests from single IPs that slip through rate limiters. Fail2Ban<\/a> reads your Nginx, Apache, or SSH logs and adds iptables\/nftables rules automatically when thresholds are exceeded.<\/p>\n\n\n\n

Layer 4: IP Reputation and Geo-Filtering<\/strong><\/h2>\n\n\n\n

IP reputation filtering<\/strong> blocks known malicious IPs before they reach your application. Services like AbuseIPDB<\/a> maintain databases of IPs with confirmed abuse history. Integrating these blocklists into your firewall or WAF eliminates traffic from IPs already known to participate in attacks.<\/p>\n\n\n\n

Geographic filtering<\/strong> is a harder call. Blocking entire countries sounds appealing during an attack, but consider the collateral damage carefully. Residential IPs in any country can be compromised and used as botnet nodes, so geo-blocking rarely provides clean protection. For applications that genuinely have no legitimate users in specific regions, geo-filtering is a reasonable first layer.<\/p>\n\n\n\n

Cloudflare’s free tier provides both IP reputation filtering and country-level blocking without server-side configuration.<\/p>\n\n\n\n

Layer 5: Application-Level Protections<\/strong><\/h2>\n\n\n\n

The most targeted Layer 7 attacks hit expensive application operations deliberately. Common targets:<\/p>\n\n\n\n

    \n
  • Search functions<\/strong> that trigger full-text database queries<\/li>\n\n\n\n
  • Login endpoints<\/strong> that require bcrypt hash comparison<\/li>\n\n\n\n
  • Large file download endpoints<\/strong><\/li>\n\n\n\n
  • WordPress XML-RPC<\/strong> and admin endpoints if exposed publicly<\/li>\n<\/ul>\n\n\n\n

    Protect expensive endpoints with:<\/p>\n\n\n\n

      \n
    • CAPTCHA challenges<\/strong> via Cloudflare Turnstile or hCaptcha on login and registration flows<\/li>\n\n\n\n
    • API keys or authentication<\/strong> on any endpoint that runs database queries<\/li>\n\n\n\n
    • WordPress-specific hardening<\/strong>: disable XML-RPC if not needed (deny all; in Nginx for \/xmlrpc.php), block access to \/wp-admin\/ by IP allowlist if your team is geographically consistent<\/li>\n<\/ul>\n\n\n\n

      Incident Response: What to Do When an Attack Is Active<\/strong><\/h2>\n\n\n\n

      If you’re currently under attack, priorities in order:<\/p>\n\n\n\n

        \n
      1. Identify the attack type<\/strong>: Check netstat -an | grep SYN_RECV | wc -l for SYN floods; check Nginx access logs for HTTP flood patterns; check iftop for volumetric attacks.<\/li>\n\n\n\n
      2. Enable Cloudflare or equivalent proxying immediately<\/strong>: Route traffic through a scrubbing service if not already configured. This is the fastest path to volumetric mitigation.<\/li>\n\n\n\n
      3. Temporary IP blocks for obvious attack sources<\/strong>: nft add rule inet filter input ip saddr <attack_ip> drop<\/li>\n\n\n\n
      4. Contact InMotion Support<\/strong>: The APS team can assist with traffic analysis and coordinate with the network operations center for upstream filtering.<\/li>\n<\/ol>\n\n\n\n

        The teams with the lowest mean-time-to-recovery from DDoS events are the ones who tested their response plan before an attack.<\/p>\n\n\n\n

        <\/p>\n","protected":false},"excerpt":{"rendered":"

        A distributed denial-of-service attack against a dedicated server is different from one targeting shared hosting. You’re the only tenant which means the attack is aimed specifically at your infrastructure, and you have the root access to respond directly. The question is whether you’ve configured the right defenses before the attack arrives, or whether you’re scrambling to react after traffic has already saturated your connection.<\/p>\n","protected":false},"author":116,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[355],"tags":[],"class_list":["post-82501","post","type-post","status-publish","format-standard","hentry","category-dedicated-server-hosting"],"yoast_head":"\nDDoS Protection Strategies for Dedicated Infrastructure | InMotion Hosting<\/title>\n<meta name=\"description\" content=\"Layer 7 DDoS mitigation for dedicated servers. Practical strategies including rate limiting, IP reputation filtering, and upstream scrubbing center integration.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"DDoS Protection Strategies for Dedicated Infrastructure | InMotion Hosting\" \/>\n<meta property=\"og:description\" content=\"Layer 7 DDoS mitigation for dedicated servers. Practical strategies including rate limiting, IP reputation filtering, and upstream scrubbing center integration.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/\" \/>\n<meta property=\"og:site_name\" content=\"InMotion Hosting Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/inmotionhosting\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-04T15:47:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.inmotionhosting.com\/blog\/wp-content\/uploads\/2026\/03\/DDoS-Protection-Strategies-for-Dedicated-Infrastructure.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Sam Page\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@inmotionhosting\" \/>\n<meta name=\"twitter:site\" content=\"@inmotionhosting\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sam Page\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"DDoS Protection Strategies for Dedicated Infrastructure | InMotion Hosting","description":"Layer 7 DDoS mitigation for dedicated servers. Practical strategies including rate limiting, IP reputation filtering, and upstream scrubbing center integration.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/","og_locale":"en_US","og_type":"article","og_title":"DDoS Protection Strategies for Dedicated Infrastructure | InMotion Hosting","og_description":"Layer 7 DDoS mitigation for dedicated servers. Practical strategies including rate limiting, IP reputation filtering, and upstream scrubbing center integration.","og_url":"https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/","og_site_name":"InMotion Hosting Blog","article_publisher":"https:\/\/www.facebook.com\/inmotionhosting","article_published_time":"2026-03-04T15:47:06+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/www.inmotionhosting.com\/blog\/wp-content\/uploads\/2026\/03\/DDoS-Protection-Strategies-for-Dedicated-Infrastructure.png","type":"image\/png"}],"author":"Sam Page","twitter_card":"summary_large_image","twitter_creator":"@inmotionhosting","twitter_site":"@inmotionhosting","twitter_misc":{"Written by":"Sam Page","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/#article","isPartOf":{"@id":"https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/"},"author":{"name":"Sam Page","@id":"https:\/\/www.inmotionhosting.com\/blog\/#\/schema\/person\/b459c4b748083c4f8431d5312e795796"},"headline":"DDoS Protection Strategies for Dedicated Infrastructure","datePublished":"2026-03-04T15:47:06+00:00","mainEntityOfPage":{"@id":"https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/"},"wordCount":1155,"commentCount":0,"publisher":{"@id":"https:\/\/www.inmotionhosting.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inmotionhosting.com\/blog\/wp-content\/uploads\/2026\/03\/DDoS-Protection-Strategies-for-Dedicated-Infrastructure-1024x538.png","articleSection":["Dedicated Server Articles"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/","url":"https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/","name":"DDoS Protection Strategies for Dedicated Infrastructure | InMotion Hosting","isPartOf":{"@id":"https:\/\/www.inmotionhosting.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/#primaryimage"},"image":{"@id":"https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inmotionhosting.com\/blog\/wp-content\/uploads\/2026\/03\/DDoS-Protection-Strategies-for-Dedicated-Infrastructure-1024x538.png","datePublished":"2026-03-04T15:47:06+00:00","description":"Layer 7 DDoS mitigation for dedicated servers. Practical strategies including rate limiting, IP reputation filtering, and upstream scrubbing center integration.","breadcrumb":{"@id":"https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/#primaryimage","url":"https:\/\/www.inmotionhosting.com\/blog\/wp-content\/uploads\/2026\/03\/DDoS-Protection-Strategies-for-Dedicated-Infrastructure.png","contentUrl":"https:\/\/www.inmotionhosting.com\/blog\/wp-content\/uploads\/2026\/03\/DDoS-Protection-Strategies-for-Dedicated-Infrastructure.png","width":1200,"height":630},{"@type":"BreadcrumbList","@id":"https:\/\/www.inmotionhosting.com\/blog\/ddos-protection-strategies-dedicated-infrastructure\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.inmotionhosting.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Dedicated Server Articles","item":"https:\/\/www.inmotionhosting.com\/blog\/dedicated-server-hosting\/"},{"@type":"ListItem","position":3,"name":"DDoS Protection Strategies for Dedicated Infrastructure"}]},{"@type":"WebSite","@id":"https:\/\/www.inmotionhosting.com\/blog\/#website","url":"https:\/\/www.inmotionhosting.com\/blog\/","name":"InMotion Hosting Blog","description":"Web Hosting Strategy, Trends and Security","publisher":{"@id":"https:\/\/www.inmotionhosting.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.inmotionhosting.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.inmotionhosting.com\/blog\/#organization","name":"InMotion Hosting","url":"https:\/\/www.inmotionhosting.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.inmotionhosting.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.inmotionhosting.com\/blog\/wp-content\/uploads\/2019\/11\/imh-logo-all-colors-big.jpg","contentUrl":"https:\/\/www.inmotionhosting.com\/blog\/wp-content\/uploads\/2019\/11\/imh-logo-all-colors-big.jpg","width":1630,"height":430,"caption":"InMotion Hosting"},"image":{"@id":"https:\/\/www.inmotionhosting.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/inmotionhosting","https:\/\/x.com\/inmotionhosting"]},{"@type":"Person","@id":"https:\/\/www.inmotionhosting.com\/blog\/#\/schema\/person\/b459c4b748083c4f8431d5312e795796","name":"Sam Page","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/35c230f33cd7aacf52f0f53bc02230a2ee7840b5b221af549d491ab98f65a363?s=96&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/35c230f33cd7aacf52f0f53bc02230a2ee7840b5b221af549d491ab98f65a363?s=96&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/35c230f33cd7aacf52f0f53bc02230a2ee7840b5b221af549d491ab98f65a363?s=96&r=g","caption":"Sam Page"},"url":"https:\/\/www.inmotionhosting.com\/blog\/author\/samp\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"primary_category":{"id":355,"name":"Dedicated Server Articles","slug":"dedicated-server-hosting","link":"https:\/\/www.inmotionhosting.com\/blog\/dedicated-server-hosting\/"},"_links":{"self":[{"href":"https:\/\/www.inmotionhosting.com\/blog\/wp-json\/wp\/v2\/posts\/82501","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inmotionhosting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inmotionhosting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/blog\/wp-json\/wp\/v2\/users\/116"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/blog\/wp-json\/wp\/v2\/comments?post=82501"}],"version-history":[{"count":1,"href":"https:\/\/www.inmotionhosting.com\/blog\/wp-json\/wp\/v2\/posts\/82501\/revisions"}],"predecessor-version":[{"id":82503,"href":"https:\/\/www.inmotionhosting.com\/blog\/wp-json\/wp\/v2\/posts\/82501\/revisions\/82503"}],"wp:attachment":[{"href":"https:\/\/www.inmotionhosting.com\/blog\/wp-json\/wp\/v2\/media?parent=82501"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/blog\/wp-json\/wp\/v2\/categories?post=82501"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/blog\/wp-json\/wp\/v2\/tags?post=82501"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}