
DDoS mitigation.
The edge defences that keep volumetric attacks from reaching your VPS. Always on. Included. Never an upsell.
The set of technical measures — edge rate-limiting, scrubbing centres, anycast diversion, behavioural traffic classification — that prevent a distributed-denial-of-service attack from saturating the bandwidth or compute of the target server. On NordBastion, mitigation is always-on at the edge of all four bastions, included on every tier, with no opt-in or opt-out.
Mitigation is a floor, not a premium tier.
The structural problem with billable DDoS protection is that it lets the attacker set the customer's price. If a Gbps of absorbed flood costs you money, then an attacker who can throw a few hundred Gbps at your IP can force you off the platform by economics alone — without ever breaching anything. NordBastion treats this as a platform-level cost and amortises it across the catalogue: every VPS and every dedicated tier ships with the same always-on volumetric and L7 mitigation, and absorbed attack traffic is never invoiced.
Mechanically, the four bastions each peer at 1.6–2.4 Tbps of aggregate ingress with always-on scrubbing close to the carrier handoff. Volumetric floods (UDP amplification, SYN floods, fragmented IP) are dropped at the edge router; layer-7 storms (slow-POST, HTTP GET floods with rotating user-agents) are classified behaviourally before they reach your tier. The control plane is anycast across the four sites, so an attack large enough to threaten one bastion is automatically diverted across the others.
What mitigation does not do: it does not inspect your application payloads, it does not terminate TLS, it does not see who is logged into your service. It is a network-layer floor that lets your application focus on the requests that actually reached it. If your workload needs application-layer filtering (SQL-injection guards, abusive bot scoring), run a WAF on top — but do not confuse the two.
Follow mitigation across NordBastion.
- /network/ — the per-bastion peering map, scrubbing topology and anycast plane diagram.
- /vps/ — every VPS tier (Sentinel through Bastille) ships always-on mitigation by default.
- /dedicated/ — bare-metal tiers inherit the same edge protection at higher uplink speeds.
- /status/ — live per-bastion uplink saturation and the public history of mitigated incidents.
- /peering/ — the IX presence and transit mix that determines the volumetric ceiling at each site.
- / — the homepage surfaces the always-on mitigation guarantee in the feature strip.
Questions about mitigation, answered.
What attack sizes does the edge handle?
Each bastion peers at 1.6–2.4 Tbps of aggregate ingress capacity with always-on volumetric scrubbing, which absorbs the overwhelming majority of real-world attacks — public Q4-2025 telemetry showed 99.4% of internet DDoS events were under 100 Gbps. Layer-7 floods (HTTP GET/POST storms) are classified behaviourally and dropped before they reach your VPS. The hard ceiling per bastion is the peering total; truly nation-scale attacks (multi-Tbps) get diverted across the four-bastion anycast plane.
Is there an extra fee for DDoS protection?
No — and this is deliberate. Other hosts price DDoS protection as a per-Gbps add-on or a separate enterprise tier, which effectively means a small target gets charged for being attacked. NordBastion includes always-on mitigation in every Sentinel ($5.90/mo) through Bastille ($23.90/mo) VPS tier and in every dedicated tier, with no usage-based billing on absorbed attack traffic. The economics work because mitigation cost is amortised across the platform, not invoiced per incident.
How does it differ from Cloudflare-style WAF?
A WAF (Web Application Firewall) operates at OSI layer 7 — it inspects HTTP requests for application-layer attack signatures (SQL injection, XSS, abusive bot patterns) and is itself a reverse proxy that terminates TLS. NordBastion's DDoS mitigation operates at layers 3–4 — it sheds malformed packets, amplification reflections and volumetric floods at the network edge before they consume your bandwidth, and it does not terminate TLS or see your application payloads. The two are complementary; run a WAF on top if your app needs one.
What if my workload is itself causing the spike?
A legitimate viral traffic event — a launch, a press hit, a Hacker News front page — is rate-limit-shaped, not attack-shaped, and the behavioural classifier will let it through. If you saturate the uplink of your tier with legitimate traffic, the upgrade path is one panel click to a larger VPS or a dedicated tier with a fatter uplink; no support ticket required. Outbound abuse (your server being the source of attack traffic, e.g. an SSH brute-forcer or open mail relay) is handled separately — see /doctrine/ on what we will and will not host.
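The "rate-limit-shaped versus attack-shaped" distinction above, as an added illustration that is not NordBastion's scrubbing logic: a toy per-window classifier run over constructed access-log lines, using source concentration, per-source request rate and user-agent churn as the behavioural signals. The log format, thresholds and field names are assumptions.

```python
# Added illustration (not NordBastion's classifier): a toy behavioural
# classifier separating an attack-shaped HTTP flood (few sources hammering
# the origin, rotating user-agents) from a rate-limit-shaped legitimate
# spike (many sources, a few requests each, stable UA). Logs are constructed.
import re
from collections import defaultdict
LINE_RE = re.compile(r'^t=(?P<t>[\d.]+) src=(?P<src>\S+) ua="(?P<ua>[^"]*)"')

def parse_log(text):
    """Parse constructed access-log lines into (time, src, ua) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((float(m["t"]), m["src"], m["ua"]))
    return events

def window_features(events):
    """Shape metrics for one window: concentration, per-source rate, UA churn."""
    per_src = defaultdict(list)
    for _, src, ua in events:
        per_src[src].append(ua)
    seconds = max(events[-1][0] - events[0][0], 0.001)  # window length
    busiest = max(len(v) for v in per_src.values())      # requests of top source
    return {
        "requests": len(events),
        "sources": len(per_src),
        "top_source_share": busiest / len(events),
        "max_source_rps": busiest / seconds,
        "ua_churn": sum(len(set(v)) > 1 for v in per_src.values()) / len(per_src),
    }

def classify(events, max_share=0.2, max_rps=10.0, max_churn=0.2):
    """Attack-shaped if concentrated, per-source rate high, or UAs rotate."""
    f = window_features(events)
    attack = (f["top_source_share"] > max_share or f["max_source_rps"] > max_rps
              or f["ua_churn"] > max_churn)
    return ("attack-shaped" if attack else "rate-limit-shaped"), f

def synth_log(n_sources, per_source, rotate_ua):
    """Build constructed log lines from TEST-NET-2 (198.51.100.0/24) sources."""
    lines, t = [], 0.0
    for i in range(n_sources):
        for j in range(per_source):
            ua = f"UA-variant-{j}" if rotate_ua else "Mozilla/5.0 (X11; Linux)"
            lines.append(f't={t:.2f} src=198.51.100.{i + 1} ua="{ua}"')
            t += 0.01
    return "\n".join(lines)

FLOOD = parse_log(synth_log(4, 60, rotate_ua=True))    # 4 sources x 60 requests
VIRAL = parse_log(synth_log(120, 2, rotate_ua=False))  # 120 sources x 2 requests
```

Both windows carry the same 240 requests; only their shape differs, which is the point the classifier keys on.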