Remote DDoS Protection

You do not have to move hosts to get protected. Keep your existing server exactly where it is and route it through our scrubbing network with a GRE / VXLAN / WireGuard tunnel or a BGP / BYOIP announcement to AS398999. Traffic is scrubbed at the nearest edge — Singapore, Frankfurt or Toronto — and only clean traffic reaches your origin. Free trial, per-hour billing, from $25/mo.

Quick Answer

Remote DDoS protection lets you keep your existing server anywhere and route its traffic through Sucura Networks for scrubbing. Announce your own IP space over BGP, or terminate a GRE, VXLAN or WireGuard tunnel to a protected IP — GRE preserves your users' real source IPs. Traffic is scrubbed at the nearest edge (Singapore, Frankfurt or Toronto) and only clean traffic reaches your origin, from $25 per month plus $0.05 per GB.

Keep Your Host — Protect Any Server Remotely

Remote protection wraps a scrubbing layer around infrastructure you already run, wherever it runs. Nothing has to be migrated, rebuilt or handed over.

No Migration

Your server, VPS or dedicated box stays with its current provider. We protect it in place — you never repoint DNS to a new host or move data.

Two Honest Methods

Terminate a tunnel to a protected IP we hand you, or announce your own /24 by BGP. Both send inbound traffic through our filters first.

Nearest-Edge Scrubbing

APAC origins scrub in Singapore, European origins in Frankfurt, North American origins in Toronto — no pointless cross-ocean backhaul.

Self-Service Trial

Deploy a protected tunnel or session yourself in the Nexus panel, start on a free trial, and convert to paid in place with no teardown.

Method 1: GRE / VXLAN / WireGuard Tunnel to a Protected IP

The simplest way to protect a single server. You do not need your own IP space or an ASN — we hand you a protected IP and you carry traffic to it over an encrypted or encapsulated tunnel.

A protected IP becomes your front door

We assign you a protected IP at the edge and you terminate a GRE, VXLAN or WireGuard tunnel from your origin to it. That protected IP is now your public-facing address, so every packet an attacker sends arrives at our scrubbing edge first — never directly at your box.

Attacks die at the edge, clean traffic returns

Volumetric floods and application abuse are filtered before they can consume your uplink. Only legitimate, scrubbed traffic is sent back down the tunnel to your origin, so your server sees the load it was built to handle and nothing more.

BGP decides where, the tunnel decides how

Routing and transport are two different jobs. The protected IP is advertised from our network so traffic routes to us; the tunnel is simply the pipe that carries that traffic the last hop to and from your origin. You keep your current hosting arrangement untouched.

Works on Linux and Windows origins

GRE and WireGuard are supported by every mainstream operating system, so the origin can be a game server, a web app, a proxy or a bare VPS. Setup is a handful of interface commands, and the Nexus panel walks you through the exact configuration.

Method 2: BGP / BYOIP Announcement

If you already own a /24, you do not need a tunnel at all. Announce your prefix to our AS398999 and we route and scrub it for you.

Bring your own IP space

Announce your /24 to AS398999 and keep using the exact same addresses your services already live on. Nothing your users have bookmarked, whitelisted or hard-coded changes — the prefix simply starts routing through our scrubbing network.

No tunnel to maintain

With BGP the routing itself pulls inbound traffic to our edge, so there is no per-server tunnel to configure or babysit. This suits operators protecting many hosts behind one prefix, or anyone who wants mitigation to be invisible at the origin.

IRR and RPKI aware

We validate announcements against route registries and RPKI so your prefix is accepted cleanly across our extensive peering. Origin verification is part of onboarding, which keeps your space from being flagged or filtered upstream.

Route out how you like

Clean traffic can be returned to your origin over your existing transit or over a tunnel back to your network, whichever fits your topology. You keep control of your addressing while we handle the filtering in front of it.

Scrubbed at the Nearest Edge — Singapore · Frankfurt · Toronto

Remote protection only makes sense if the detour is short. Sucura runs scrubbing edges on three continents and sends your traffic to the closest one: APAC origins are filtered in Singapore, European origins in Frankfurt, and North American origins in Toronto. There is no forced trip to a single distant scrubbing center and back, so the round trip a tunnel adds stays as small as the geography allows.

3
Scrubbing Edges
<1s
Detection
L3-L7
Mitigation
Free
Trial

Your Users' Real IPs Are Preserved

A common fear with remote protection is that everything starts arriving from one proxy address. With GRE, that does not happen.

GRE keeps the true client address

GRE encapsulation wraps each packet without rewriting its original source IP. When the packet is decapsulated at your origin, your application sees the real client address — exactly the same one it would have seen without any protection in front of it.

Geolocation and rate-limiting still work

Because the source IP survives, everything you built on top of it keeps working: per-country routing, abuse rate-limits, ban lists and fraud scoring all read the genuine client, not a shared scrubbing IP.

Game servers still identify players

For Minecraft, FiveM, Rust and similar servers, per-player identification and anti-cheat depend on the real address. Remote GRE protection keeps that intact, so players are recognised correctly while floods are dropped upstream.

A small, honest overhead

Encapsulation adds roughly 24 bytes per packet with GRE and the round trip to your nearest edge. Choosing the closest scrubbing location keeps both minimal — a fair trade for filtering attacks before they ever touch your uplink.

What We Mitigate — Layer 3, 4 and 7

Always-on filtering across the stack, with sub-second detection. No manual toggling when an attack starts.

Layer 3 / 4 volumetric floods

SYN, ACK, UDP, ICMP and amplification floods are absorbed and dropped at the scrubbing edge before they can saturate your origin's link. This is the traffic that most often knocks unprotected servers offline outright.

Layer 7 application abuse

Attacks that mimic real users — HTTP request floods and protocol abuse — are filtered with application-aware rules, so the malicious requests are shed while genuine visitors keep getting served.

Sub-second detection

Attacks are identified and mitigated in under a second, so a flood is contained before it becomes an outage rather than after. Protection is always on, not something you scramble to enable mid-incident.

Any TCP or UDP service

Web apps, APIs, game servers, voice, streaming ingest and custom protocols are all in scope. If it runs over TCP or UDP and you can route it to us, we can scrub it and hand back clean traffic.

Remote DDoS Protection Pricing

Straightforward USD tiers, plus usage-based scrubbing at $0.05/GB with hourly billing available. Every tier includes L3/L4/L7 mitigation, GRE/VXLAN/WireGuard tunnels or BGP, sub-second detection, and the free trial.

Plan Best For From Order
Starter A single origin — one game or app server $25/mo Order →
Business A busy service or a few origins $75/mo Order →
Professional A reseller or high-traffic platform $150/mo Order →
Enterprise A large fleet or mission-critical service $500/mo Order →

Self-Service and Free Trial

This is not a quote-gated enterprise product. You deploy it yourself, try it free, and pay only for what you use.

Deploy it yourself

Everything — tunnels, protected IPs and BGP sessions — is provisioned from the Nexus panel over our own AS398999 network. No sales call is required to get protected, and the panel gives you the exact tunnel configuration to paste onto your origin.

Start on a free trial

Spin up a protected tunnel on a trial, point your service at it, and watch it work under real conditions. When you are satisfied, convert the trial to a paid subscription in place — no teardown and no re-provisioning.

Pay by the hour or the gigabyte

Billing can run per hour, and scrubbing is $0.05 per GB, so you are not locked into a large monthly enterprise minimum to get real mitigation. Pricing is transparent and quoted in USD.

Built for real operators

Game-server hosts, hosting resellers, streamers and independent operators all use remote protection to defend infrastructure they already run — without moving it and without a procurement process.

Remote DDoS Protection FAQ

Common questions about protecting an existing server remotely with GRE tunnels or BGP.

Do I have to move my server to get DDoS protection?

No. Remote protection is designed so you keep your existing server exactly where it is, with no migration. You either terminate a tunnel from your origin to a protected IP we provide, or announce your own /24 to our AS398999 by BGP. We route and scrub the traffic and hand your origin only clean traffic.

How does GRE tunnel DDoS protection work?

You terminate a GRE tunnel from your origin to a protected IP we assign. That protected IP becomes your public-facing address, so attack traffic hits our edge first. We scrub it and send only clean traffic back down the tunnel. GRE also preserves each visitor's real source IP, so your application still sees the true client.

What is the difference between the GRE tunnel and BGP methods?

BGP decides where your traffic routes; a tunnel decides how it is carried. With BGP/BYOIP you announce your own /24 to AS398999 and no tunnel is needed. With a GRE, VXLAN or WireGuard tunnel you keep your current IP arrangement and simply carry protected traffic to and from our edge. Both deliver only scrubbed traffic.

Does remote protection add latency?

A tunnel adds the round trip to your nearest scrubbing edge plus a small per-packet overhead of roughly 24 bytes for GRE. Because we scrub at the closest edge — Singapore for APAC, Frankfurt for Europe, Toronto for North America — that overhead stays minimal and there is no pointless cross-ocean backhaul.

Will my application still see my users' real IP addresses?

Yes. GRE encapsulation preserves the original source IP of every packet, so your application, game server or logs still see the true client address rather than a proxy IP. This keeps geolocation, rate-limiting and per-player identification working exactly as they did before you enabled protection.

What can I protect, and how much does it cost?

Any TCP or UDP service — game servers, hosting resellers, streamers, VPS or dedicated hosts. Plans run from $25 to $500 per month in USD, with usage-based scrubbing at $0.05 per GB and hourly billing available. There is a free trial you can start self-service from the Nexus panel.

Protect Your Server Where It Already Lives

Deploy a protected tunnel or BGP session in minutes — keep your host, scrub at the nearest edge, free trial and per-hour billing.

Open Nexus Panel Contact Sales

More From SucuraGuard

One anycast anti-DDoS network across three continents.