# SwissShield DDoS Protection ## SwissShield™ DDoS Protection SwissShield™ is UP-NETWORK’s multi-layer DDoS protection system designed to keep your services online during attacks.\ It combines **local mitigation in Switzerland**, **global scrubbing capacity**, **BGP automation**, and **real-time traffic analysis**, ensuring reliable protection for all VPS, dedicated servers and network solutions. *** ### ⚡ Overview SwissShield provides: * Real-time L3/L4 DDoS detection * Local mitigation up to **\~20 Gbit/s** in Switzerland * Automatic overflow to > **1 Tbps** global scrubbing centres * Full support for IPv4 & IPv6 * BGP-based signalling (blackholing, redirect, clean-return) * Automatic traffic normalisation and behavioural filtering * Included free on all services (VPS, Dedicated, Transit\*, Tunnels\*) SwissShield is designed to handle both volumetric and application-layer attacks. *** ## 🛡 How SwissShield Works SwissShield operates in two coordinated layers: {% stepper %} {% step %} ### 🟩 Local Mitigation (Switzerland) All traffic first passes through UP-NETWORK’s Swiss infrastructure: * Filters up to **\~20 Gbit/s** of attack traffic locally * Handles floods such as UDP reflection, SYN floods, ACK floods, malformed packet storms * Applies smart rate-limiting and L3/L4 heuristics * Ensures minimal latency since filtering is done directly within Switzerland * Ideal for small to medium attacks or targeted bursts If the attack exceeds local capabilities or becomes highly volumetric, the system escalates automatically. {% endstep %} {% step %} ### 🟦 Global Scrubbing (Automatic Overflow) For large-scale or distributed attacks: * Incoming traffic is redirected via **BGP signalling** to an external scrubbing provider * Scrubbing centres have **>1 Tbps mitigation capacity** and a backbone exceeding **3.5 Tbps** * Malicious traffic is filtered out * Clean traffic is then re-injected into UP-NETWORK’s backbone * The entire process is automatic and seamless This hybrid approach ensures both low latency and massive resilience. {% endstep %} {% endstepper %} *** ### 🧠 Detection & Filtering Capabilities SwissShield can mitigate: * UDP floods (Chargen, NTP, DNS, SSDP, memcached, etc.) * TCP SYN/ACK floods * TCP connection exhaustion * ICMP floods * Fragmentation & malformed packet floods * Multi-vector attacks * Slow-rate or protocol-specific attacks (when applicable) * Prefix-based blackholing on demand Advanced tools include: * **BGP communities for customer control** * **Automatic behaviour-based filtering** *** ## 🌍 Supported Services SwissShield protection applies to all UP-NETWORK services: #### VPS Hosting * Included by default * Protection against bursts and repeated attacks #### Dedicated Servers * Full filtering on all IP ranges * Optional enhanced policies for BYOIP customers #### UP-Connect (Transit) * DDoS protection available as an add-on * Ideal for businesses colocated at the Gland datacenter #### UP-Transport (GRE/VXLAN Tunnels) * Optional protection (+ CHF 20/month) * Filters attacks before they reach your tunnel endpoint *** ## 🧩 Optional Add-Ons You may extend SwissShield with: * **Custom filtering rules** * **Per-project mitigation profiles** * **Customer-controlled BGP blackhole communities** * **Enhanced anomaly detection** * **Traffic reports & attack analytics** * **Secure BGP packages (Basic / Secure / Dual-Port)** Contact support for custom requirements. *** ## 📈 Roadmap & Evolution SwissShield is continuously expanding: * Increasing local mitigation from 20 Gbit/s to higher capacities * Deploying additional filtering nodes in multiple Swiss PoPs * Expanding scrubbing partnerships * Moving towards **full sovereign Swiss DDoS mitigation** (no external scrubbing) UP-NETWORK invests heavily to ensure world-class network protection. *** {% hint style="info" %} ## 💡 Best Practices for Users To maximise protection efficiency: * Use stable and consistent firewall rules * Enable rate-limits on public services (SSH/HTTP/SIP/etc.) * Implement geofencing where possible * Avoid exposing unnecessary services * For high-risk services, request **custom SwissShield profiles** Our support team can assist with hardening and architecture design. {% endhint %} *** ## 🚀 Next Steps {% stepper %} {% step %} SwissShield is active on all new services by default. {% endstep %} {% step %} For custom filtering, BGP blackholing, or enhanced protection, open a support ticket. {% endstep %} {% step %} For information on configuring BGP, tunnels or routing with SwissShield, visit the **Networking & BGP** section. {% endstep %} {% step %} For service-specific protection details (VPS / Dedicated), refer to the relevant documentation page. {% endstep %} {% endstepper %} *** SwissShield™ — engineered by UP-NETWORK to keep your infrastructure secure, fast and online, even under attack. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.up-network.ch/documentation/ddos/swissshield-ddos-protection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.