Skip to main content

Overview

Custom protection profiles define rules and policies based on network traffic and security requirements.

Step 1. Open protection profiles

  1. In the Gcore Customer Portal, navigate to DDoS Protection > Protection profiles.
  2. Review the list of available profiles:
    • Default profiles
    • Custom profiles
Protection profiles

Step 2. Create a protection profile

  1. Click Add protection profile.
  2. Select a template.
    Templates include preconfigured settings for common use cases.
  3. Enter a profile name.
    Use a clear and descriptive name for easier identification.
Example: High-security web server profile
Protection profiles

Step 3. Configure rules and policies

A protection profile includes two configuration areas:
  • Rules
  • Policies
Protection profiles rules and policies

Configure rules

Rules define traffic-matching criteria and apply a selected policy to matching traffic.

Policy reference

This table provides a consolidated reference of the available policies, including what each policy does.
Policy IDPolicy NameDescription
minecraftMinecraft ProtectionProtocol-aware protection for Minecraft (Java and Bedrock) traffic with TCP and UDP support. Mitigates handshake/login floods, ping/status abuse, and volumetric attacks while allowing legitimate client connections.
counter-strike-16Counter-Strike 1.6Protocol-aware protection for Counter-Strike 1.6 (GoldSrc) traffic. Mitigates UDP floods, query abuse, and malformed packet patterns while allowing normal gameplay traffic.
counter-strike-goCounter-Strike GOProtocol-aware protection for Counter-Strike: GO (Source) traffic. Mitigates A2S query floods, connection floods, and high-PPS UDP attacks while allowing legitimate players and server queries.
counter-strike-2Counter-Strike 2Protocol-aware protection for Counter-Strike 2 traffic. Mitigates UDP floods, query abuse, and abnormal packet patterns while allowing normal gameplay sessions.
left-4-dead-2Left 4 Dead 2Protocol-aware protection for Left 4 Dead 2 (Source) traffic. Mitigates A2S query floods and volumetric UDP attacks while allowing legitimate clients and server discovery.
fivem-tcpFiveM TCPProtocol-aware protection for FiveM TCP traffic. Mitigates connection floods and handshake abuse while allowing legitimate sessions to be established and maintained.
fivem-udpFiveM UDPProtocol-aware protection for FiveM UDP traffic. Mitigates high-PPS floods and abnormal packet patterns while allowing legitimate gameplay traffic.
sampSan Andreas MultiplayerProtocol-aware protection for San Andreas Multiplayer (SA-MP) traffic. Mitigates connection floods, query abuse, and malformed UDP packets while allowing legitimate player connections.
rustRust Game ProtectionProtocol-aware protection for Rust traffic. Mitigates UDP floods, connection spikes, and abnormal packet patterns while allowing legitimate gameplay traffic.
team-speak3TeamSpeak 3 Voice ChatProtocol-aware protection for TeamSpeak 3 traffic. Mitigates UDP floods and connection abuse while allowing stable voice sessions.
rust-a2sRust Game A2S CachingProtocol-aware protection for Rust Steam A2S queries. Enables query response caching to mitigate A2S flood patterns and reduce origin load.
bf2-queryBattlefield 2 Query CachingProtocol-aware protection for Battlefield 2 server queries. Enables query response caching to mitigate server-browser query floods and reduce origin load.
bf2Battlefield 2 GameProtocol-aware protection for Battlefield 2 gameplay traffic. Mitigates UDP floods and malformed packet patterns while allowing legitimate sessions.
unity-unetUnity Engine UNETProtocol-aware protection for Unity UNET traffic. Mitigates malformed packets and high-PPS flood patterns while allowing legitimate game sessions.
unity-utpUnity Engine UTPProtocol-aware protection for Unity Transport Protocol (UTP) traffic. Mitigates UDP floods and abnormal packet patterns while allowing real-time traffic.
geoGeo RestrictionProtocol-aware protection for geo-based access control rules. Enforces allow/deny decisions based on client location metadata. This policy must be configured in the Policy tab before use.
ssh-serverSSH ServerProtocol-aware protection for SSH traffic. Mitigates connection floods and abnormal connection patterns while allowing legitimate administrative access.
default-tcpDefault TCPProtection for generic TCP traffic with baseline destination limits (per IP address): 20k pps, 50 Mbps and policy caps (overall): 50k pps, 500 Mbps to mitigate common TCP flood attacks.
default-udpDefault UDPProtection for generic UDP traffic with baseline destination limits (per IP address): 5k pps, 5 Mbps and policy caps (overall): 50k pps, 50 Mbps to mitigate common UDP flood attacks.
default-icmpDefault ICMPProtection for generic ICMP traffic with baseline destination limits (per IP address): 100 pps and policy caps (overall): 1k pps to mitigate common ICMP flood attacks.
default-otherDefault OtherProtection for generic traffic with baseline destination limits (per IP address): 200 pps and policy caps (overall): 1k pps to mitigate common flood attacks.
ratelimiter-lowRate Limiter LowGeneric rate-limited traffic with a destination PPS limit up to 50k pps (default: 50k). Intended to limit packet rate during abnormal traffic spikes. This policy can be configured in the Policy tab before use.
ratelimiter-mediumRate Limiter MediumGeneric rate-limited traffic with a destination PPS limit from 50k to 150k pps (default: 150k). Intended to limit packet rate during abnormal traffic spikes. This policy can be configured in the Policy tab before use.
ratelimiter-highRate Limiter HighGeneric rate-limited traffic with a destination PPS limit from 150k to 300k pps (default: 300k). Intended to limit packet rate during abnormal traffic spikes. This policy can be configured in the Policy tab before use.

Add a rule

  1. Click Add rule.
  2. Complete the required fields:
    • Protocol: Select the protocol (for example, TCP, UDP, ICMP).
    • Source IP: Enter a source IP address or range.
    • Destination IP: Enter a destination IP address or range.
    • Source port: Enter a port number or range.
    • Destination port: Enter a port number or range.
    • Policy: Select the policy to apply (for example, tcp-server).
Rules are processed from top to bottom. The first matching rule is applied. Traffic that does not match any rule is dropped. To change the rule priority, drag the rule up or down.
Protection profiles rules order
  1. Click Save.
Protection profiles save rule
Multiple rules can be added to a protection profile. Example
Match TCP traffic on destination port 80 (HTTP) and apply a whitelist policy.

Configure policies

Policies define how matching traffic is handled.
Protection profiles Policy
Available policy settings depend on the selected template and profile type. Common options include:
  • Geo filtering
  • Whitelisting
  • Rate limiting
  • Traffic filtering
  • Anomaly detection thresholds
Protection profiles Policy settings

Example: Configure a whitelist

  1. Add trusted IP addresses or ranges to the whitelist.
  2. Confirm that whitelisted traffic bypasses the required protection mechanisms.
Whitelisting is recommended for trusted partners and internal systems.

Save the profile

  1. Review the configured rules and policies.
  2. Click Add protection profile.
Save the protection profile

Best practices and next steps

  • Start with simple rules and expand them as needed.
  • Test new profiles in a non-production environment first.
  • Document rules and policies for future maintenance.
  • Review and update profiles regularly based on traffic patterns.
  • Next, apply the custom profile to a protected network