You do not have to move hosts to get protected. Keep your existing server exactly where it is and route it through our scrubbing network with a GRE / VXLAN / WireGuard tunnel or a BGP / BYOIP announcement to AS398999. Traffic is scrubbed at the nearest edge — Singapore, Frankfurt or Toronto — and only clean traffic reaches your origin. Free trial, per-hour billing, from $25/mo.
Remote DDoS protection lets you keep your existing server anywhere and route its traffic through Sucura Networks for scrubbing. Announce your own IP space over BGP, or terminate a GRE, VXLAN or WireGuard tunnel to a protected IP — GRE preserves your users' real source IPs. Traffic is scrubbed at the nearest edge (Singapore, Frankfurt or Toronto) and only clean traffic reaches your origin, from $25 per month plus $0.05 per GB.
Remote protection wraps a scrubbing layer around infrastructure you already run, wherever it runs. Nothing has to be migrated, rebuilt or handed over.
Your server, VPS or dedicated box stays with its current provider. We protect it in place — you never repoint DNS to a new host or move data.
Terminate a tunnel to a protected IP we hand you, or announce your own /24 by BGP. Both send inbound traffic through our filters first.
APAC origins scrub in Singapore, European origins in Frankfurt, North American origins in Toronto — no pointless cross-ocean backhaul.
Deploy a protected tunnel or session yourself in the Nexus panel, start on a free trial, and convert to paid in place with no teardown.
The simplest way to protect a single server. You do not need your own IP space or an ASN — we hand you a protected IP and you carry traffic to it over an encrypted or encapsulated tunnel.
We assign you a protected IP at the edge and you terminate a GRE, VXLAN or WireGuard tunnel from your origin to it. That protected IP is now your public-facing address, so every packet an attacker sends arrives at our scrubbing edge first — never directly at your box.
Volumetric floods and application abuse are filtered before they can consume your uplink. Only legitimate, scrubbed traffic is sent back down the tunnel to your origin, so your server sees the load it was built to handle and nothing more.
Routing and transport are two different jobs. The protected IP is advertised from our network so traffic routes to us; the tunnel is simply the pipe that carries that traffic the last hop to and from your origin. You keep your current hosting arrangement untouched.
GRE and WireGuard are supported by every mainstream operating system, so the origin can be a game server, a web app, a proxy or a bare VPS. Setup is a handful of interface commands, and the Nexus panel walks you through the exact configuration.
If you already own a /24, you do not need a tunnel at all. Announce your prefix to our AS398999 and we route and scrub it for you.
Announce your /24 to AS398999 and keep using the exact same addresses your services already live on. Nothing your users have bookmarked, whitelisted or hard-coded changes — the prefix simply starts routing through our scrubbing network.
With BGP the routing itself pulls inbound traffic to our edge, so there is no per-server tunnel to configure or babysit. This suits operators protecting many hosts behind one prefix, or anyone who wants mitigation to be invisible at the origin.
We validate announcements against route registries and RPKI so your prefix is accepted cleanly across our extensive peering. Origin verification is part of onboarding, which keeps your space from being flagged or filtered upstream.
Clean traffic can be returned to your origin over your existing transit or over a tunnel back to your network, whichever fits your topology. You keep control of your addressing while we handle the filtering in front of it.
A common fear with remote protection is that everything starts arriving from one proxy address. With GRE, that does not happen.
GRE encapsulation wraps each packet without rewriting its original source IP. When the packet is decapsulated at your origin, your application sees the real client address — exactly the same one it would have seen without any protection in front of it.
Because the source IP survives, everything you built on top of it keeps working: per-country routing, abuse rate-limits, ban lists and fraud scoring all read the genuine client, not a shared scrubbing IP.
For Minecraft, FiveM, Rust and similar servers, per-player identification and anti-cheat depend on the real address. Remote GRE protection keeps that intact, so players are recognised correctly while floods are dropped upstream.
Encapsulation adds roughly 24 bytes per packet with GRE and the round trip to your nearest edge. Choosing the closest scrubbing location keeps both minimal — a fair trade for filtering attacks before they ever touch your uplink.
Always-on filtering across the stack, with sub-second detection. No manual toggling when an attack starts.
SYN, ACK, UDP, ICMP and amplification floods are absorbed and dropped at the scrubbing edge before they can saturate your origin's link. This is the traffic that most often knocks unprotected servers offline outright.
Attacks that mimic real users — HTTP request floods and protocol abuse — are filtered with application-aware rules, so the malicious requests are shed while genuine visitors keep getting served.
Attacks are identified and mitigated in under a second, so a flood is contained before it becomes an outage rather than after. Protection is always on, not something you scramble to enable mid-incident.
Web apps, APIs, game servers, voice, streaming ingest and custom protocols are all in scope. If it runs over TCP or UDP and you can route it to us, we can scrub it and hand back clean traffic.
Straightforward USD tiers, plus usage-based scrubbing at $0.05/GB with hourly billing available. Every tier includes L3/L4/L7 mitigation, GRE/VXLAN/WireGuard tunnels or BGP, sub-second detection, and the free trial.
This is not a quote-gated enterprise product. You deploy it yourself, try it free, and pay only for what you use.
Everything — tunnels, protected IPs and BGP sessions — is provisioned from the Nexus panel over our own AS398999 network. No sales call is required to get protected, and the panel gives you the exact tunnel configuration to paste onto your origin.
Spin up a protected tunnel on a trial, point your service at it, and watch it work under real conditions. When you are satisfied, convert the trial to a paid subscription in place — no teardown and no re-provisioning.
Billing can run per hour, and scrubbing is $0.05 per GB, so you are not locked into a large monthly enterprise minimum to get real mitigation. Pricing is transparent and quoted in USD.
Game-server hosts, hosting resellers, streamers and independent operators all use remote protection to defend infrastructure they already run — without moving it and without a procurement process.
Common questions about protecting an existing server remotely with GRE tunnels or BGP.
No. Remote protection is designed so you keep your existing server exactly where it is, with no migration. You either terminate a tunnel from your origin to a protected IP we provide, or announce your own /24 to our AS398999 by BGP. We route and scrub the traffic and hand your origin only clean traffic.
You terminate a GRE tunnel from your origin to a protected IP we assign. That protected IP becomes your public-facing address, so attack traffic hits our edge first. We scrub it and send only clean traffic back down the tunnel. GRE also preserves each visitor's real source IP, so your application still sees the true client.
BGP decides where your traffic routes; a tunnel decides how it is carried. With BGP/BYOIP you announce your own /24 to AS398999 and no tunnel is needed. With a GRE, VXLAN or WireGuard tunnel you keep your current IP arrangement and simply carry protected traffic to and from our edge. Both deliver only scrubbed traffic.
A tunnel adds the round trip to your nearest scrubbing edge plus a small per-packet overhead of roughly 24 bytes for GRE. Because we scrub at the closest edge — Singapore for APAC, Frankfurt for Europe, Toronto for North America — that overhead stays minimal and there is no pointless cross-ocean backhaul.
Yes. GRE encapsulation preserves the original source IP of every packet, so your application, game server or logs still see the true client address rather than a proxy IP. This keeps geolocation, rate-limiting and per-player identification working exactly as they did before you enabled protection.
Any TCP or UDP service — game servers, hosting resellers, streamers, VPS or dedicated hosts. Plans run from $25 to $500 per month in USD, with usage-based scrubbing at $0.05 per GB and hourly billing available. There is a free trial you can start self-service from the Nexus panel.
Deploy a protected tunnel or BGP session in minutes — keep your host, scrub at the nearest edge, free trial and per-hour billing.
One anycast anti-DDoS network across three continents.