NVH Shield Configuration Guide
Comprehensive documentation for configuring and optimizing your DDoS protection settings. Learn how to leverage XDP kernel bypass technology for maximum security.
Global IP Protection
Core protection mechanisms that apply to all incoming traffic regardless of protocol. These settings form the foundation of your security posture and should be configured first.
Global Blacklist boolean
Enables automatic IP blacklisting based on threat intelligence feeds and behavioral analysis. When activated, malicious IPs are automatically blocked across all protocols.
TTL Protection boolean
Analyzes packet Time-To-Live values to detect suspicious traffic patterns. Blocks packets with abnormal TTL values commonly used in DDoS attacks.
Private IP Filter boolean
Blocks traffic originating from private IP address ranges (RFC 1918). Prevents IP spoofing attacks using reserved address spaces.
Loopback Protection boolean
Filters traffic from loopback addresses (127.0.0.0/8) that should never appear in external network traffic. Essential for preventing local address spoofing.
MAC Address Validation boolean
Validates MAC addresses in layer 2 frames to detect invalid or malformed headers. Helps identify crafted packets designed to bypass security controls.
Header Validation boolean
Performs comprehensive validation of IP packet headers including checksum verification, length validation, and protocol field analysis.
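An added example (not NVH Shield's own code) of the checks that the Header Validation, Private IP Filter and Loopback Protection settings describe, applied to a raw IPv4 header. The protocol allow-list, the drop-reason strings and the `build_header` helper are assumptions made for the illustration; TTL checks are left out because this page does not define an abnormal TTL.

```python
import ipaddress
import struct

# Source ranges named by the settings above: RFC 1918 private space and loopback.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
KNOWN_PROTOCOLS = {1, 6, 17}  # ICMP, TCP, UDP: assumed allow-list for this sketch


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 header checksum (RFC 791)."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def check_ipv4(packet: bytes) -> str:
    """Return 'pass' or the reason an edge filter would drop this packet."""
    if len(packet) < 20:
        return "drop: truncated header"
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        return "drop: bad version or header length"
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    if total_len < ihl or total_len > len(packet):
        return "drop: bad total length"
    if ones_complement_sum(packet[:ihl]) != 0xFFFF:
        return "drop: bad checksum"
    if proto not in KNOWN_PROTOCOLS:
        return "drop: unexpected protocol"
    src = ipaddress.ip_address(packet[12:16])
    if src in LOOPBACK_NET:
        return "drop: loopback source"
    if any(src in net for net in PRIVATE_NETS):
        return "drop: private source"
    return "pass"


def build_header(src: str, proto: int = 6, ttl: int = 64) -> bytes:
    """Construct a 20-byte IPv4 header with a correct checksum (test input)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                                ipaddress.ip_address(src).packed,
                                ipaddress.ip_address("203.0.113.10").packed))
    hdr[10:12] = struct.pack("!H", 0xFFFF - ones_complement_sum(bytes(hdr)))
    return bytes(hdr)
```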
Web Server Protection
Advanced protection mechanisms specifically designed for HTTP/HTTPS traffic. These settings protect web applications against Layer 7 attacks and application-specific threats.
HTTPS Protection
Basic HTTPS Protection boolean
Enables fundamental HTTPS traffic analysis and filtering. Provides protection against common SSL/TLS-based attacks and malformed requests.
TLS Enhanced Protection boolean
Advanced TLS handshake analysis and cipher suite validation. Detects and blocks TLS-based attacks including cipher downgrade attempts.
Flag Analysis boolean
Deep packet inspection of TCP flags within HTTPS connections. Identifies suspicious flag combinations used in stealth attacks.
HTTP/2 Rapid Reset Protection boolean
Specialized protection against HTTP/2 Rapid Reset attacks (CVE-2023-44487). Monitors stream creation and reset patterns to detect abuse.
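An added example (not NVH Shield's implementation) of what monitoring stream creation and reset patterns can look like: it flags connections where the client opens streams and cancels them almost immediately, the pattern behind CVE-2023-44487. The frame-log tuple format, the thresholds and the sample data are assumptions constructed for the illustration.

```python
from collections import defaultdict


def rapid_reset_connections(frames, max_lifetime=0.1, max_cancels=20, window=1.0):
    """Return ids of connections whose client cancels more than `max_cancels`
    streams inside `window` seconds, each within `max_lifetime` s of opening it.

    frames: iterable of (timestamp, conn_id, frame_type, stream_id), time-ordered.
    """
    opened = {}                   # (conn, stream_id) -> time HEADERS was seen
    cancels = defaultdict(list)   # conn -> times of recent quick client resets
    flagged = set()
    for ts, conn, frame_type, stream_id in frames:
        key = (conn, stream_id)
        if frame_type == "HEADERS":
            opened.setdefault(key, ts)
        elif frame_type == "RST_STREAM" and key in opened:
            # Only streams cancelled right after creation count as abuse;
            # a user aborting a slow download seconds later does not.
            if ts - opened.pop(key) <= max_lifetime:
                recent = [t for t in cancels[conn] if ts - t < window]
                recent.append(ts)
                cancels[conn] = recent
                if len(recent) > max_cancels:
                    flagged.add(conn)
    return flagged


def sample_frames():
    """Constructed frame log: connection A cancels every stream at once, B is normal."""
    frames = []
    for i in range(100):          # A: 100 streams opened and reset within 0.5 s
        ts, sid = i * 0.005, 2 * i + 1
        frames += [(ts, "A", "HEADERS", sid), (ts + 0.001, "A", "RST_STREAM", sid)]
    for i in range(30):           # B: 30 requests, two of them cancelled after 2 s
        frames.append((i * 0.1, "B", "HEADERS", 2 * i + 1))
    frames += [(2.0, "B", "RST_STREAM", 1), (2.1, "B", "RST_STREAM", 3)]
    return sorted(frames)
```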
Rate Limiting integer
Maximum requests per second allowed from a single IP address. Helps prevent application-layer DDoS attacks and brute force attempts.
Blacklist Duration integer
Duration in seconds for which violating IPs are blacklisted. Balances security with legitimate user access recovery.
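An added example (not NVH Shield's code) showing how Rate Limiting and Blacklist Duration interact for one source IP, using the 90 req/sec and 60 s values from the API sample on this page. The one-second sliding window, the class and function names and the traffic are assumptions constructed for the illustration.

```python
from collections import defaultdict, deque


class PerIpLimiter:
    """Per-source limiter: exceeding `rate` requests in 1 s blacklists the IP."""

    def __init__(self, rate: int, blacklist_secs: int):
        self.rate = rate
        self.blacklist_secs = blacklist_secs
        self.recent = defaultdict(deque)   # ip -> timestamps in the last second
        self.blocked_until = {}            # ip -> time the blacklist entry expires

    def allow(self, ip: str, now: float) -> bool:
        expiry = self.blocked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return False               # still blacklisted
            del self.blocked_until[ip]     # entry expired: the client recovers
        window = self.recent[ip]
        while window and now - window[0] >= 1.0:
            window.popleft()
        if len(window) >= self.rate:
            self.blocked_until[ip] = now + self.blacklist_secs
            window.clear()
            return False
        window.append(now)
        return True


def replay(limiter, events):
    """Feed (timestamp, ip) events through the limiter; count allowed per IP."""
    allowed = defaultdict(int)
    for ts, ip in events:
        if limiter.allow(ip, ts):
            allowed[ip] += 1
    return dict(allowed)


def sample_events():
    """Constructed traffic: one client bursts 200 requests in a second and
    retries at t=30 s and t=61 s; another sends a steady 10 requests/sec."""
    burst = [(i / 200, "203.0.113.5") for i in range(200)]
    retry = [(30.0, "203.0.113.5"), (61.0, "203.0.113.5")]
    steady = [(i / 10, "198.51.100.9") for i in range(50)]
    return sorted(burst + retry + steady)
```

The bursting client gets its first 90 requests through, is refused for the next 60 seconds (including the retry at 30 s), and is served again at 61 s; the steady client is never affected.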
HTTP Protection
Basic HTTP Protection boolean
Fundamental HTTP traffic analysis and request validation. Protects against common HTTP-based attacks and malformed requests.
HTTP Rate Limiting integer
Maximum HTTP requests per second from a single source. Lower than HTTPS due to typically higher attack volume on unencrypted traffic.
TCP Protocol Security
Comprehensive TCP-level protection mechanisms targeting connection-based attacks. These settings protect against SYN floods, connection exhaustion, and protocol abuse.
TCP Reset Protection boolean
Actively sends TCP RST packets to terminate malicious connections. Helps free up connection resources and stop ongoing attacks quickly.
Window Size Validation boolean
Validates TCP window size values to detect abnormal connection attempts. Blocks connections with suspicious window scaling or zero-window attacks.
Sequence/ACK Validation boolean
Validates TCP sequence and acknowledgment numbers to prevent session hijacking and connection injection attacks.
TCP Flags Analysis boolean
Deep analysis of TCP flag combinations to detect various attack patterns including Christmas tree, NULL, and FIN scan attacks.
SYN Flood Protection boolean
Advanced protection against TCP SYN flood attacks using SYN cookies and connection rate limiting per source IP.
Connection Rate Limiting boolean
Limits the number of new TCP connections per IP address per time window. Prevents connection exhaustion attacks while allowing legitimate traffic.
Specialized TCP Protection
SSH Protection boolean
Specialized protection for SSH services including brute force detection and connection pattern analysis.
MySQL Protection boolean
Database-specific protection for MySQL services including connection pattern analysis and query flood detection.
UDP Traffic Control
UDP-specific protection mechanisms targeting amplification attacks and connectionless protocol abuse. Critical for preventing reflection attacks and UDP flood campaigns.
UDP Drop All boolean
Emergency mode that drops all UDP traffic. Use when under severe UDP-based attacks where surgical protection is insufficient.
CloudFlare Spoof Protection boolean
Detects and blocks attempts to spoof CloudFlare IP ranges in UDP traffic. Prevents attackers from impersonating CloudFlare services.
NTP Protection boolean
Specialized protection against NTP amplification attacks. Monitors NTP query patterns and blocks malicious time synchronization requests.
DNS Protection boolean
Comprehensive DNS security including query rate limiting, response size validation, and DNS amplification attack prevention.
DNS Drop All boolean
Emergency DNS protection that drops all DNS traffic. Use during severe DNS amplification attacks when normal protection is overwhelmed.
Amplification Protection boolean
Multi-protocol amplification attack protection covering 20+ UDP services commonly abused in reflection attacks.
Amplification Protocols
Protocol | Port | Amplification Factor | Description |
---|---|---|---|
SSDP | 1900 | 30.8x | Simple Service Discovery Protocol |
DNS | 53 | 28-54x | Domain Name System queries |
NTP | 123 | 556.9x | Network Time Protocol |
SNMP | 161 | 6.3x | Simple Network Management Protocol |
Memcached | 11211 | 10000x | Memory caching system |
LDAP | 389 | 46-55x | Lightweight Directory Access Protocol |
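An added example (not NVH Shield's detection logic) of one way to recognise reflected traffic on the ports in the table above: inbound UDP from an amplifier port that answers no recent outbound query is counted as unsolicited. The packet tuple format, the five-second reply timeout and the sample records are assumptions constructed for the illustration.

```python
from collections import defaultdict

# Ports taken from the Amplification Protocols table on this page.
AMPLIFIER_PORTS = {1900: "SSDP", 53: "DNS", 123: "NTP",
                   161: "SNMP", 11211: "Memcached", 389: "LDAP"}


def unsolicited_reflection(packets, reply_timeout=5.0):
    """Sum inbound UDP bytes per protocol that match no recent outbound query.

    packets: time-ordered (timestamp, direction, remote_ip, remote_port, size),
    where remote_port is the destination port for 'out' packets and the
    source port for 'in' packets.
    """
    pending = {}                  # (remote_ip, remote_port) -> last query time
    unsolicited = defaultdict(int)
    for ts, direction, ip, port, size in packets:
        if port not in AMPLIFIER_PORTS:
            continue
        if direction == "out":
            pending[(ip, port)] = ts
            continue
        asked = pending.get((ip, port))
        if asked is None or ts - asked > reply_timeout:
            # A "response" nobody asked for: the signature of a reflection
            # attack that spoofed this host as the query source.
            unsolicited[AMPLIFIER_PORTS[port]] += size
    return dict(unsolicited)


def sample_packets():
    """Constructed capture for a protected host (documentation addresses)."""
    return [
        (0.00, "out", "192.0.2.53", 53, 60),       # host queries its resolver
        (0.02, "in", "192.0.2.53", 53, 120),       # matching reply: legitimate
        (1.00, "in", "198.51.100.1", 123, 468),    # NTP replies never requested
        (1.00, "in", "198.51.100.2", 123, 468),
        (1.01, "in", "198.51.100.3", 123, 468),
        (1.02, "in", "203.0.113.77", 53, 4000),    # large DNS answer, no query
        (1.03, "in", "203.0.113.80", 40000, 900),  # not an amplifier port
    ]
```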
Gaming Server Protection
Specialized protection algorithms designed for gaming servers with ultra-low latency requirements. Optimized for real-time traffic while maintaining strong security against gaming-specific attacks.
FiveM Server Protection
FiveM TCP/UDP Protection boolean
Comprehensive protection for FiveM (GTA V) servers covering both TCP and UDP traffic with optimizations for player connections and resource downloads.
TLS Protection boolean
Protects FiveM's encrypted connections including license verification and server list communications.
Advanced Flag Analysis boolean
Deep packet inspection specifically tuned for FiveM's network protocol including custom flag combinations and packet structures.
L7 Protection (Beta) boolean
Experimental Layer 7 protection for FiveM application data. Provides advanced protection against game-specific exploits.
Other Game Servers
Minecraft Java Protection boolean
Optimized protection for Minecraft Java Edition servers including bot detection and connection pattern analysis.
NovaLife Protection boolean
Specialized protection for NovaLife game servers with custom protocol analysis and player behavior monitoring.
Gaming Configuration Parameters
Parameter | Default Value | Range | Description |
---|---|---|---|
Thread Threshold | 6500 | 1000-50000 | Maximum concurrent connections |
SYN Rate Limit | 2/sec | 1-100 | New connections per IP per second |
FIN Limit | 15 | 1-1000 | Connection termination rate |
Download Limit | 1900 | 100-10000 | Resource download rate (KB/s) |
ICMP Management
Internet Control Message Protocol management for network diagnostics and ping-based attack prevention. Configure ICMP policies to balance network troubleshooting capabilities with security requirements.
ICMP Protection boolean
Basic ICMP traffic analysis and rate limiting. Allows legitimate network diagnostics while preventing ICMP-based attacks.
ICMP Drop All boolean
Emergency mode that blocks all ICMP traffic including ping requests. Use during ICMP flood attacks when rate limiting is insufficient.
Rate Limiting integer
Maximum ICMP packets per second allowed from each source IP. Prevents ICMP floods while maintaining diagnostic functionality.
Blacklist Duration integer
Time in seconds that IPs exceeding ICMP rate limits are blacklisted. Balances security response with legitimate user recovery.
ICMP Attack Types
Attack Type | ICMP Type | Description | Protection Status |
---|---|---|---|
Ping Flood | Type 8 (Echo Request) | High volume ping requests | Protected |
Smurf Attack | Type 8 (Echo Request) | Amplified ping responses | Protected |
ICMP Redirect | Type 5 (Redirect) | Malicious routing changes | Protected |
Fraggle Attack | Type 8 (Echo Request) | UDP echo service abuse | Protected |
Security Best Practices
Proven strategies and recommendations for optimizing your NVH Shield configuration based on infrastructure type, traffic patterns, and security requirements.
Web Server Configuration
• Enable all Global Protection features
• HTTPS Rate Limit: 50-100 req/sec
• HTTP Rate Limit: 30-60 req/sec
• TCP SYN Flood Protection: enabled
• UDP Amplification Protection: enabled
Gaming Server Configuration
• Global Blacklist: enabled
• Game-specific protection: enabled
• TCP Rate Limiting: conservative values
• ICMP Rate Limit: 5-10 packets/sec
• Monitor latency impact carefully
Database Server Configuration
• MySQL/PostgreSQL Protection: enabled
• SSH Protection: enabled (port 22)
• ICMP Drop All: consider enabling
• Strict TCP validation: enabled
• Low connection rate limits
API Server Configuration
• HTTPS Protection: fully enabled
• Rate Limiting: based on API quotas
• TCP Flags Analysis: enabled
• Header Validation: strict mode
• Monitor false positive rates
API Configuration Reference
Programmatic configuration options for automating NVH Shield settings through our REST API. Perfect for infrastructure-as-code deployments and dynamic protection management.
curl -X POST https://api.nvhshield.com/add_rule \
  -H "Content-Type: application/json" \
  -d '{
    "apisecret": "your_api_secret_here",
    "userid": 12345,
    "ip": "192.168.1.100",
    "activate": 1,
    "glb_blacklist": 1,
    "https": 1,
    "https_ratelimit": 90,
    "https_blacklist": 60,
    "tcp_synflood": 1,
    "game_fivem": 1,
    "game_fivem_start": 30120,
    "game_fivem_end": 30120
  }'
Endpoint | Method | Description | Authentication |
---|---|---|---|
/add_rule | POST | Create or update protection rules | API Secret |
/get_rules | GET | Retrieve current protection settings | API Secret |
/get_stats | GET | Fetch real-time protection statistics | API Secret |
/blacklist | POST | Manage IP blacklist entries | API Secret |