DDoS Protection · included on every plan

Attacks stop
at the edge.

Q: What types of attacks are mitigated?

Layer 3/4 volumetric attacks (SYN floods, UDP amplification) are handled by Cloudflare Magic Transit. Layer 7 application attacks are caught by our in-line hardware filters.

Q: Will DDoS protection add latency?

Cloudflare Magic Transit adds negligible latency via nearest anycast PoP. Our in-line hardware filters use XDP at the kernel level with zero rerouting overhead.

Every SurgeNode server is protected by Cloudflare Magic Transit with 400+ Tbps of Layer 3/4 scrubbing capacity, plus our own in-line hardware filtering for Layer 7 application attacks. No upsell, no protection tiers.

Cloudflare Magic Transit

L3–L7 full-stack

No extra cost

Live traffic visualisation

Normal traffic flowing through firewall

Clean traffic Passed to server Malicious (blocked)

400+Tbps

Mitigation capacity

L3–L7

Full-stack filtering

Extra cost

01 - Layer 3/4

Cloudflare Magic Transit· Network-layer defence

Volumetric attacks absorbed before they reach us.

Cloudflare Magic Transit sits in front of our entire network. Every packet destined for SurgeNode passes through Cloudflare's global anycast network first, where malicious traffic is identified and dropped at the nearest edge PoP.

How it works

BGP advertisement

Our IP prefixes are announced via Cloudflare's anycast network across 330+ cities worldwide.

Edge scrubbing

Malicious traffic is identified and dropped at the closest Cloudflare PoP, absorbing attacks before they ever reach our infrastructure.

Clean forwarding

Only clean, verified traffic is forwarded to your server via GRE tunnels, maintaining low latency and full throughput.

330+ PoPs worldwide

Attacks are absorbed at Cloudflare's nearest edge location, meaning volumetric floods never traverse the internet backbone to reach our datacentres.

400+ Tbps capacity

Cloudflare's combined network capacity exceeds 400 Tbps, comfortably handling even the largest volumetric DDoS attacks without impacting your service.

Always on

Protection is inline and always active. There is no detection delay, no manual switch, and no “scrubbing centre” failover. Packets are filtered from the first byte.

Sub-3s mitigation

Cloudflare's autonomous edge detects and mitigates most attacks in under 3 seconds, typically before your players or users notice anything at all.

02 - Layer 7

In-line hardware filtering· Application-layer defence

Protocol-aware filtering on the wire.

Cloudflare handles volumetric floods, but sophisticated application-layer attacks need deeper inspection. Our in-line hardware filtering uses XDP (eXpress Data Path) to inspect packets at wire speed, applying protocol-specific rules that understand the difference between a legitimate FiveM client and a crafted attack payload.

XDP-based filtering

Packets inspected at kernel bypass speeds, before they reach your application.

Protocol-specific rules

Custom filter profiles per game and service. Not generic rate-limiting.

Zero added latency

In-line processing means no rerouting to a scrubbing centre. Packets are checked in place.

Supported protocols

Games

FiveM / RedM

Minecraft (Java & Bedrock)

Rust

Source Engine (CS2, Garry's Mod)

ARK

Arma Reforger

Services

SSH

RDP

WireGuard

OpenVPN

TeamSpeak 3

HTTP/S (amplification)

03 - Together

Two layers, one standard

Defence in depth.

Every packet passes through both layers before it reaches your server. Volumetric junk never makes it past Cloudflare. Sophisticated application attacks are caught by our hardware filters. Your server only ever sees clean traffic.

Internet

All inbound traffic

Cloudflare

L3/4 volumetric scrubbing

Hardware filter

L7 protocol inspection

Your server

Clean traffic only

04 - FAQ

DDoS protection questions

Protection FAQ

Got more questions? Ask in Discord.

Open Discord

01Does DDoS protection cost extra?

No. Cloudflare Magic Transit and our in-line hardware filtering are included on every SurgeNode plan at no extra cost. There are no protection tiers or paid upgrades.

02What types of attacks are mitigated?

Layer 3/4 volumetric attacks (SYN floods, UDP amplification, ICMP floods, etc.) are handled by Cloudflare Magic Transit. Layer 7 application attacks (protocol-specific exploits, query floods, crafted payloads) are caught by our in-line hardware filters.

03Will DDoS protection add latency?

Cloudflare Magic Transit adds negligible latency because traffic is routed via the nearest anycast PoP. Our in-line hardware filters use XDP at the kernel level with zero rerouting overhead.

04What games are supported by L7 filtering?

FiveM/RedM, Minecraft (Java and Bedrock), Rust, Source Engine games (CS2, Garry's Mod), ARK, Arma Reforger, and more. Our filter profiles are continuously updated.

05What happens during a large attack?

Cloudflare's 400+ Tbps network absorbs the volumetric component at the edge. Any application-layer payloads that pass through are caught by our hardware filters. Your server continues serving clean traffic throughout.

Attacks stopat the edge.