What is a DDoS attack?
A DDoS (Distributed Denial of Service) attack overwhelms a resource with traffic from many sources at once. The attacker does not necessarily hack your site or server — they create a load under which your resource stops responding to normal users.
Imagine thousands of people entering your store at once. They buy nothing, block real customers from getting through and completely jam the checkout. The doors are open, staff are in place, goods are on the shelves — but the business is effectively stopped. The same thing happens online, only instead of people the attack uses infected devices, servers, IoT cameras, routers and bots.
The main danger of DDoS is that it can stop a business without a classic breach. Data may not be stolen, passwords may not be compromised, the server may be technically healthy — yet customers still cannot open the site, pay an order, log into their account or connect to a VPN.
Why DDoS is now a threat to ordinary business too
DDoS used to be seen as a problem for banks, government sites and large corporations. Today an attack can hit an online store, a clinic, a SaaS service, a logistics company or an ordinary services website. The reason is simple: attacks have become cheaper, more accessible and automated. Ready-made botnets and automatic tools are sold on the black market. Sometimes DDoS is used for extortion, sometimes by competitors, sometimes as a distraction before another attack.
2026: attack volume and botnets are exploding
According to StormWall, in Q1 2026 the number of DDoS attacks worldwide rose 168% year over year. The “army” of infected devices grew nearly threefold to 7 million IP addresses. Attacks on telecom exceeded 2 Tbps, with some reaching 3.5 Tbps. The most-targeted industry was the financial sector.
DDoS is a real threat for Azerbaijan too
In 2025 Azerbaijan saw days-long massive DDoS attacks on state information resources; in February major media resources were hit too. Over the year ~450 million malicious attempts on government systems were prevented. Per the Cloudflare Q2 2025 report, Azerbaijan jumped 31 places into the top-10 most DDoS-targeted countries.
How DDoS affects your resources
The phrase “we have a powerful server” is not DDoS protection. A server may be powerful, but if its port is 1 Gbps and the IP receives a 20, 50 or 100 Gbps attack, users cannot reach it — the channel is jammed before the server can process anything. It is like having an excellent office and a strong team while the road to the office is completely blocked.
Attack power grows several-fold every year
According to Cloudflare public reports, the power of the largest mitigated DDoS attack grew several-fold in just a couple of years: 5.6 Tbps in 2024, rising to 31.4 Tbps by the end of 2025 — and that attack lasted only 35 seconds. In 2024 alone Cloudflare mitigated 21.3 million DDoS attacks (+53% year over year).
Main types of DDoS attacks
- Volumetric — flood the channel with junk traffic: UDP flood, DNS/NTP amplification.
- Protocol (Layer 3/4) — exploit protocol weaknesses: a SYN flood exhausts the memory of firewalls and routers.
- Application (Layer 7) — target the app: an HTTP flood looks like normal requests but hammers the heavy parts of a site (search, login, cart, API).
Why defending only on the server is not enough
A Linux firewall (iptables), fail2ban and nginx rate limiting are useful tools, but they do not solve the core problem of volumetric DDoS. If malicious traffic has already reached your server, it has already passed through your external channel. And if the channel is jammed, a local firewall sees the problem too late. So protection must begin not on the server but higher up — at the data center and provider level, before traffic reaches the client infrastructure.
What Cloudflare is and where it helps
Cloudflare is a global protection network that sits between users and your site. The domain is pointed to Cloudflare, traffic arrives there first, gets inspected, WAF rules are applied, bots are filtered out, and only clean traffic is passed to the origin server. At Layer 7 (HTTP/HTTPS, API, login forms) Cloudflare is a very strong first layer of defense: CDN, WAF, rate limiting, bot protection and hiding the real IP.
Where Cloudflare may not help
The main risk is a leak of the server's real IP address. If an attacker learns the origin server IP, they can attack it directly, bypassing Cloudflare. DNS may show Cloudflare, the site may open through Cloudflare, the WAF may be on — but the attack goes straight to the IP. The IP can leak from old DNS records, MX records (if mail runs on the same server), scan history, logs or exposed services (SSH, RDP, VPN, panels). So proper protection must account not only for the domain but for the IP itself.
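The DNS leak sources listed above can be checked in your own zone before an attack. The following is an added example, not Epro.io's or Cloudflare's code: it audits a constructed zone export for records that reveal the origin IP, and goes slightly beyond the list above by also checking SPF text records. The record layout, the `proxied` field name and all names and addresses are assumptions.

```python
import ipaddress

# Constructed zone export: names and addresses are documentation placeholders.
# The "proxied" field (assumed name) marks records served through the proxy.
ORIGIN_IPS = ["203.0.113.10"]
ZONE = [
    {"name": "example.com", "type": "A", "value": "203.0.113.10", "proxied": True},
    {"name": "old.example.com", "type": "A", "value": "203.0.113.10", "proxied": False},
    {"name": "mail.example.com", "type": "A", "value": "203.0.113.10", "proxied": False},
    {"name": "status.example.com", "type": "A", "value": "198.51.100.5", "proxied": False},
    {"name": "example.com", "type": "MX", "value": "10 mail.example.com.", "proxied": False},
    {"name": "example.com", "type": "TXT", "value": "v=spf1 ip4:203.0.113.10 -all", "proxied": False},
]

def find_origin_leaks(zone, origin_ips):
    """Return (name, type, reason) for every record that reveals an origin IP."""
    origins = [ipaddress.ip_address(ip) for ip in origin_ips]
    exposed_hosts, findings = set(), []
    # Pass 1: address records that answer with the origin IP directly.
    for rec in zone:
        if rec["type"] in ("A", "AAAA") and not rec["proxied"]:
            if ipaddress.ip_address(rec["value"]) in origins:
                exposed_hosts.add(rec["name"].rstrip(".").lower())
                findings.append((rec["name"], rec["type"], "unproxied address record"))
    # Pass 2: records that point at an exposed host or embed the IP in text.
    for rec in zone:
        if rec["type"] == "MX":
            target = rec["value"].split()[-1].rstrip(".").lower()
            if target in exposed_hosts:
                findings.append((rec["name"], "MX", f"mail host {target} is the origin"))
        elif rec["type"] == "TXT" and rec["value"].lower().startswith("v=spf1"):
            for term in rec["value"].split()[1:]:
                if term.lower().startswith(("ip4:", "ip6:")):
                    net = ipaddress.ip_network(term[4:], strict=False)
                    if any(ip in net for ip in origins):
                        findings.append((rec["name"], "TXT", f"SPF term {term}"))
    return findings

if __name__ == "__main__":
    for name, rtype, reason in find_origin_leaks(ZONE, ORIGIN_IPS):
        print(f"{name:20} {rtype:4} {reason}")
```

Each finding is a record to move behind the proxy, repoint to a separate mail host, or retire; after a leak, changing the origin IP is the only way to make old scan history stale.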
Accept traffic only from Cloudflare
One of the right practices is to close direct access to the origin server. If the site runs through Cloudflare, an ordinary user does not need to connect to the real IP directly. Firewall rules can be set so the server accepts web traffic only from Cloudflare IP ranges and blocks everything else. Then even if the real IP is known, direct traffic is dropped while legitimate traffic keeps flowing through Cloudflare. Important: SSH, RDP, mail, VPN and control panels must be moved to a separate protected scheme (VPN, allowlist, bastion host).
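One way to build the allowlist described above, as an added example (not Epro.io's or Cloudflare's code): it validates a list of proxy ranges and renders an nftables ruleset that admits TCP 80/443 only from those ranges. The table and set names are hypothetical, and the sample ranges are constructed documentation prefixes; real input would be the range list Cloudflare publishes at https://www.cloudflare.com/ips/.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space), not real
# Cloudflare prefixes. Assumption: production input is the published list.
SAMPLE_RANGES = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]

def parse_ranges(lines):
    """Validate CIDR strings strictly and split them by address family."""
    v4, v6 = [], []
    for line in lines:
        text = line.strip()
        if not text or text.startswith("#"):
            continue
        net = ipaddress.ip_network(text)  # strict: rejects host bits and junk
        (v4 if net.version == 4 else v6).append(net)
    if not (v4 or v6):
        # A failed download must never turn into "drop all web traffic".
        raise ValueError("empty allowlist, refusing to render rules")
    return v4, v6

def _set_block(name, addr_type, nets):
    body = [f"  set {name} {{", f"    type {addr_type}", "    flags interval"]
    if nets:  # leave the elements line out entirely for an empty family
        body.append("    elements = { " + ", ".join(map(str, nets)) + " }")
    return body + ["  }"]

def render_nftables(v4, v6, ports=(80, 443)):
    """Render a table that admits web ports only from the allowlisted ranges."""
    dports = "{ " + ", ".join(str(p) for p in ports) + " }"
    lines = ["table inet origin_guard {"] + _set_block("cf_v4", "ipv4_addr", v4)
    lines += _set_block("cf_v6", "ipv6_addr", v6)
    lines += [
        "  chain input {",
        # policy accept: only web ports are decided here; admin access needs its own rules
        "    type filter hook input priority 0; policy accept;",
        f"    tcp dport {dports} ip saddr @cf_v4 accept",
        f"    tcp dport {dports} ip6 saddr @cf_v6 accept",
        f"    tcp dport {dports} drop",
        "  }", "}",
    ]
    return "\n".join(lines)

def is_allowed(src, v4, v6):
    """Mirror of the ruleset's decision, for auditing peer addresses in logs."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in (v4 if ip.version == 4 else v6))

if __name__ == "__main__":
    print(render_nftables(*parse_ranges(SAMPLE_RANGES)))
```

Running `is_allowed` over the peer addresses in the web server's access log shows whether anything is still reaching the origin directly, which is a sign that the real IP is known.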
Why you need protection from the data center up to Layer 4
Protection at the data center level filters malicious traffic before it reaches your port, router or server. This matters especially for L3/L4 attacks: UDP flood, SYN flood, amplification. If a 30 Gbps attack hits a server with a 1 Gbps port, the server cannot fight back — it does not even receive normal traffic. If filtering runs at the data center or upstream provider, the junk is dropped higher up and only cleaned traffic reaches the client. So a serious setup is not “Cloudflare or the data center” but a multi-layered architecture.
| Layer | Strength | Limitation |
|---|---|---|
| Server firewall | Local rules, IP/port control | Too late once the channel is jammed |
| Cloudflare (L7) | WAF, CDN, bots, HTTP flood, IP hiding | Bypassable if the real IP leaks |
| Epro.io DC (L3/L4, 100 Gbps) | UDP/SYN flood, amplification, channel protection | Does not replace app-level (L7) protection |
How much a DDoS can cost a business
The cost of a DDoS is almost never equal to the price of “fixing the server” — the server may be perfectly healthy. The real losses come from elsewhere: lost sales, cancelled orders, SLA penalties, engineers working at night, an emergency infrastructure move, lost customer trust and dropped search rankings because the site was unavailable. The most expensive DDoS protection is the one bought during an attack, because at that moment there is no time for calm analysis, testing and configuration.
One DDoS attack cost a company up to $12 million
In September 2021 the US telecom provider Bandwidth Inc. was hit for days by a ransom DDoS attack: voice, messaging and 911 services went down, and even providers running on top of its network (Twilio, RingCentral, DialPad) were affected. The company estimated the damage to its annual revenue at $9–12 million. Note: the server was not breached — it was unreachable.
Every minute of downtime is money
By industry estimates, downtime during a DDoS attack on a web application averages around $6,000 per minute (~$360,000 per hour), and for large enterprises it can exceed half a million dollars per hour. The average attack lasts 45 minutes — so a single episode can cost an unprotected business roughly $270,000.
Questions to ask before an attack
If you do not have precise answers to these, your protection rests on hope rather than architecture:
DDoS protection at Epro.io
Epro.io hosts infrastructure with DDoS protection up to Layer 4 and the ability to protect traffic up to 100 Gbps. Our job is more than placing a server in a data center — we account for how traffic reaches the server, which IPs are exposed to the internet and what happens if an attacker learns the real IP.
In a typical protected setup we use a combined approach: Cloudflare for the site, CDN, WAF and Layer 7; Epro.io DDoS protection up to Layer 4 for the IP, TCP/UDP traffic and the channel; source filtering so the server accepts web traffic only from Cloudflare; and separate protected admin access for SSH, RDP, panels and VPN. This way, even knowing the real IP, an attacker cannot bypass Cloudflare and hit the origin directly. We do not promise to eliminate 100% of the risk — no one can honestly give that guarantee — but we do the main thing: we do not leave a business alone with an attack.
Without protection
- ✕ The channel fills with junk traffic
- ✕ Site, CRM and mail go down at once
- ✕ Every minute of downtime is direct loss
- ✕ Panic and rushed decisions mid-attack
With Epro.io — Layer 4, up to 100 Gbps
- ✓ Junk traffic is filtered in the data center
- ✓ The origin accepts traffic only from Cloudflare
- ✓ Site and services keep running
- ✓ Protection is set up in advance — no emergency migration
FAQ
Does Cloudflare fully protect against DDoS?
No. Cloudflare protects web traffic, APIs and apps very effectively — if traffic actually passes through it. But if the server's real IP is known and the server accepts direct connections, an attacker can bypass Cloudflare and attack the origin.
If the attacker learns the IP, is Cloudflare useless?
Not necessarily. Cloudflare is easy to bypass only if the server accepts direct connections from anywhere. If origin access is limited to Cloudflare IP ranges and the rest is blocked at the firewall and data center level, a direct bypass becomes much harder.
Is a firewall on the server enough?
No. A firewall on the server is useful but cannot stop an attack that jams the channel. If the channel is overloaded, legitimate users will not connect regardless of firewall rules.
Which is better: Cloudflare or data center protection?
These are different layers of protection. Cloudflare covers web, WAF, CDN and Layer 7 well. Data center protection matters for L3/L4, direct IP attacks, TCP/UDP and the channel. Ideally they work together.
Is Layer 4 protection in all plans?
Yes. Epro.io includes DDoS protection up to Layer 4 with the ability to protect traffic up to 100 Gbps. For Layer 7 we additionally recommend Cloudflare/WAF.
If the site is small, is protection needed?
Site size does not always matter. Sometimes the target is hit not because the company is large but because the resource is a convenient target: competition, a conflict, extortion or an automated attack across an entire IP range.
All our services come protected — you just pick one
DDoS protection up to Layer 4 (up to 100 Gbps) and a Baku Tier III data center are already included in every plan. Choose VPS, a dedicated server or hosting — we handle the rest.