NVH Shield Configuration Guide

Comprehensive documentation for configuring and optimizing your DDoS protection settings. Learn how to leverage XDP kernel bypass technology for maximum security.

Global IP Protection

Core protection mechanisms that apply to all incoming traffic regardless of protocol. These settings form the foundation of your security posture and should be configured first.

Global Blacklist boolean

Enables automatic IP blacklisting based on threat intelligence feeds and behavioral analysis. When activated, malicious IPs are automatically blocked across all protocols.

Default Value: enabled
Recommended: enabled
Performance Impact: minimal

TTL Protection boolean

Analyzes packet Time-To-Live values to detect suspicious traffic patterns. Blocks packets with abnormal TTL values commonly used in DDoS attacks.

Detection Range: 1-255
Common Attack TTLs: 1, 2, 255
False Positive Rate: < 0.01%

Private IP Filter boolean

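Blocks traffic originating from private IP address ranges (RFC 1918), which prevents spoofing attacks that use reserved address space. Traffic from internal networks, VPNs or private load balancers that reaches the protected interface with an RFC 1918 source address is dropped as well.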

Blocked Ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Impact: blocks spoofed traffic

Loopback Protection boolean

Filters traffic from loopback addresses (127.0.0.0/8) that should never appear in external network traffic. Essential for preventing local address spoofing.

Blocked Range: 127.0.0.0/8
Protocol: all

MAC Address Validation boolean

Validates MAC addresses in layer 2 frames to detect invalid or malformed headers. Helps identify crafted packets designed to bypass security controls.

Validation Type: format + vendor
Performance: hardware accelerated

Header Validation boolean

Performs comprehensive validation of IP packet headers including checksum verification, length validation, and protocol field analysis.

Checks: checksum, length, version
Processing: XDP hardware offload

Recommendation
Enable all global protection features for maximum security. These checks have minimal performance impact due to XDP kernel bypass technology and provide essential protection against common attack vectors.
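
The global checks described above, applied to a raw IPv4 header in user-space Python. This is an added example, not NVH Shield's XDP code: the function names, drop labels, check order and the assumption that the listed TTL values are dropped outright are illustrative, and the sample headers are constructed.

```python
import ipaddress
import struct

# Source ranges this page lists as blocked: RFC 1918 private space and loopback.
BLOCKED_SOURCES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# TTL values this page lists as common in attack traffic (assumed dropped outright).
SUSPICIOUS_TTLS = {1, 2, 255}


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header, 16 bits at a time."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def check_packet(packet: bytes) -> str:
    """Return 'pass' or the name of the first global check that fails."""
    if len(packet) < 20:
        return "drop:length"
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4:
        return "drop:version"
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or ihl > len(packet) or total_len < ihl or total_len > len(packet):
        return "drop:length"
    if ipv4_checksum(packet[:ihl]) != 0:   # a header with a valid checksum sums to zero
        return "drop:checksum"
    src = ipaddress.ip_address(packet[12:16])
    if any(src in net for net in BLOCKED_SOURCES):
        return "drop:source"
    if packet[8] in SUSPICIOUS_TTLS:
        return "drop:ttl"
    return "pass"


def build_header(src: str, ttl: int) -> bytes:
    """Constructed 20-byte IPv4 header (TCP, no payload) with a correct checksum."""
    fields = [0x45, 0, 20, 0, 0, ttl, 6, 0,
              ipaddress.ip_address(src).packed, ipaddress.ip_address("203.0.113.10").packed]
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]
```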

Web Server Protection

Advanced protection mechanisms specifically designed for HTTP/HTTPS traffic. These settings protect web applications against Layer 7 attacks and application-specific threats.

HTTPS Protection

Basic HTTPS Protection boolean

Enables fundamental HTTPS traffic analysis and filtering. Provides protection against common SSL/TLS-based attacks and malformed requests.

Default Port: 443
SSL/TLS Versions: 1.2, 1.3

TLS Enhanced Protection boolean

Advanced TLS handshake analysis and cipher suite validation. Detects and blocks TLS-based attacks including cipher downgrade attempts.

Analysis Depth: full handshake
Blocked Ciphers: weak/deprecated

Flag Analysis boolean

Deep packet inspection of TCP flags within HTTPS connections. Identifies suspicious flag combinations used in stealth attacks.

Monitored Flags: SYN, ACK, FIN, RST, PSH, URG

HTTP/2 Rapid Reset Protection boolean

Specialized protection against HTTP/2 Rapid Reset attacks (CVE-2023-44487). Monitors stream creation and reset patterns to detect abuse.

Stream Limit: 100/second
Reset Threshold: 50/second

Rate Limiting integer

Maximum requests per second allowed from a single IP address. Helps prevent application-layer DDoS attacks and brute force attempts.

Default Value: 90 req/sec
Range: 1-10000

Blacklist Duration integer

Duration in seconds for which violating IPs are blacklisted. Balances security with legitimate user access recovery.

Default Value: 60 seconds
Range: 1-3600
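
How Rate Limiting and Blacklist Duration interact, as an added example that is not NVH Shield's implementation. The class and function names and the one-second sliding window are assumptions; the defaults and ranges are the ones listed above, and the timestamps used to exercise it are constructed.

```python
from collections import defaultdict, deque


class PerIpLimiter:
    """Per-source request limiter with a temporary blacklist.

    Defaults follow this page's HTTPS settings (90 req/sec, 60 s blacklist).
    The one-second sliding window is an assumption of this example.
    """

    def __init__(self, rate_limit: int = 90, blacklist_seconds: int = 60):
        if not 1 <= rate_limit <= 10000:
            raise ValueError("rate limit must be within 1-10000")
        if not 1 <= blacklist_seconds <= 3600:
            raise ValueError("blacklist duration must be within 1-3600")
        self.rate_limit = rate_limit
        self.blacklist_seconds = blacklist_seconds
        self._recent = defaultdict(deque)   # ip -> timestamps inside the window
        self._blocked_until = {}            # ip -> time the blacklist entry expires

    def allow(self, ip: str, now: float) -> bool:
        """Return True if a request from ip at time now (seconds) is accepted."""
        expiry = self._blocked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return False                # still blacklisted, even if the client slowed down
            del self._blocked_until[ip]     # entry expired: the source recovers
        window = self._recent[ip]
        while window and now - window[0] >= 1.0:
            window.popleft()                # forget requests older than one second
        if len(window) >= self.rate_limit:
            self._blocked_until[ip] = now + self.blacklist_seconds
            window.clear()
            return False
        window.append(now)
        return True


def simulate(limiter: PerIpLimiter, ip: str, times: list) -> list:
    """Replay constructed request timestamps and return the accept/drop decisions."""
    return [limiter.allow(ip, t) for t in times]
```

A source that exceeds the limit once stays blocked for the whole blacklist duration, so a long duration combined with a low limit can lock out many users who share one address behind NAT.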

HTTP Protection

Basic HTTP Protection boolean

Fundamental HTTP traffic analysis and request validation. Protects against common HTTP-based attacks and malformed requests.

Default Port: 80
Methods Allowed: GET, POST, PUT, DELETE, HEAD

HTTP Rate Limiting integer

Maximum HTTP requests per second from a single source. Lower than HTTPS due to typically higher attack volume on unencrypted traffic.

Default Value: 60 req/sec
Recommended: 30-100

Important Note
Port ranges (Start/End) allow you to apply protection to custom ports. For example, if your HTTPS service runs on port 8443, set both start and end to 8443. For multiple ports, use separate rules or contact support for advanced configuration.

TCP Protocol Security

Comprehensive TCP-level protection mechanisms targeting connection-based attacks. These settings protect against SYN floods, connection exhaustion, and protocol abuse.

TCP Reset Protection boolean

Actively sends TCP RST packets to terminate malicious connections. Helps free up connection resources and stop ongoing attacks quickly.

Response Time: < 1ms
Target: malicious connections

Window Size Validation boolean

Validates TCP window size values to detect abnormal connection attempts. Blocks connections that use suspicious window scaling or advertise a zero window.

Valid Range: 1-65535
Zero Window: blocked

Sequence/ACK Validation boolean

Validates TCP sequence and acknowledgment numbers to prevent session hijacking and connection injection attacks.

Validation: stateful tracking
Memory: optimized hash tables

TCP Flags Analysis boolean

Deep analysis of TCP flag combinations to detect various attack patterns including Christmas tree, NULL, and FIN scan attacks.

Blocked Patterns: invalid flag combinations
Processing: XDP kernel bypass
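
The flag patterns named above (Christmas tree, NULL, FIN scan) expressed as a classifier over the TCP flags byte. This is an added example, not NVH Shield's rule set: the function names, the verdict labels and the SYN+FIN / SYN+RST rule are assumptions, and the headers are constructed.

```python
import struct
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG


def classify_flags(flags: int) -> str:
    """Name the invalid pattern in a TCP flags byte, or return 'ok'."""
    flags &= 0x3F                        # keep only the six flags this page monitors
    if flags == 0:
        return "null"                    # no flags at all: NULL scan
    if (flags & XMAS) == XMAS:
        return "xmas"                    # FIN+PSH+URG lit together: Christmas tree
    if flags & SYN and flags & (FIN | RST):
        return "syn+fin/rst"             # opening and closing a connection at once
    if flags & FIN and not flags & ACK:
        return "fin-no-ack"              # bare FIN outside a connection: FIN scan
    return "ok"


def flags_of(segment: bytes) -> int:
    """Flags byte of a raw TCP header (offset 13); raises on truncated input."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def tcp_header(flags: int, sport: int = 40000, dport: int = 443) -> bytes:
    """Constructed 20-byte TCP header carrying the given flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)


def summarize(packets) -> Counter:
    """Count invalid patterns per source over (source_ip, raw_tcp_header) pairs."""
    counts = Counter()
    for src, segment in packets:
        verdict = classify_flags(flags_of(segment))
        if verdict != "ok":
            counts[(src, verdict)] += 1
    return counts
```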

SYN Flood Protection boolean

Advanced protection against TCP SYN flood attacks using SYN cookies and connection rate limiting per source IP.

Method: SYN cookies + rate limiting
Threshold: 100 SYN/sec per IP

Connection Rate Limiting boolean

Limits the number of new TCP connections per IP address per time window. Prevents connection exhaustion attacks while allowing legitimate traffic.

Default Limit: 25 conn/sec
Window: 1 second

Specialized TCP Protection

SSH Protection boolean

Specialized protection for SSH services including brute force detection and connection pattern analysis.

Default Port: 22
Brute Force Threshold: 5 attempts/minute

MySQL Protection boolean

Database-specific protection for MySQL services including connection pattern analysis and query flood detection.

Default Port: 3306
Connection Limit: 10/second per IP

Performance Note
TCP protection features use stateful connection tracking, which requires memory allocation. On high-traffic servers (> 10 Gbps), consider adjusting rate limits to match your expected legitimate traffic patterns.

UDP Traffic Control

UDP-specific protection mechanisms targeting amplification attacks and connectionless protocol abuse. Critical for preventing reflection attacks and UDP flood campaigns.

UDP Drop All boolean

Emergency mode that drops all UDP traffic. Use when under severe UDP-based attacks where surgical protection is insufficient.

Impact: blocks all UDP services
Use Case: emergency response

Cloudflare Spoof Protection boolean

Detects and blocks attempts to spoof Cloudflare IP ranges in UDP traffic. Prevents attackers from impersonating Cloudflare services.

Monitored Ranges: Cloudflare IP blocks
Updates: automatic

NTP Protection boolean

Specialized protection against NTP amplification attacks. Monitors NTP query patterns and blocks malicious time synchronization requests.

Port: 123
Amplification Factor: up to 557x

DNS Protection boolean

Comprehensive DNS security including query rate limiting, response size validation, and DNS amplification attack prevention.

Port: 53
Query Limit: 100/second per IP

DNS Drop All boolean

Emergency DNS protection that drops all DNS traffic. Use during severe DNS amplification attacks when normal protection is overwhelmed.

Impact: blocks DNS resolution
Duration: temporary measure

Amplification Protection boolean

Multi-protocol amplification attack protection covering 20+ UDP services commonly abused in reflection attacks.

Protocols: 20+ services
Detection: traffic pattern analysis

Amplification Protocols

| Protocol | Port | Amplification Factor | Description |
| --- | --- | --- | --- |
| SSDP | 1900 | 30.8x | Simple Service Discovery Protocol |
| DNS | 53 | 28-54x | Domain Name System queries |
| NTP | 123 | 556.9x | Network Time Protocol |
| SNMP | 161 | 6.3x | Simple Network Management Protocol |
| Memcached | 11211 | 10000x | Memory caching system |
| LDAP | 389 | 46-55x | Lightweight Directory Access Protocol |

Critical Warning
Enabling "UDP Drop All" or "DNS Drop All" will completely block the respective protocols. Only use these options during active attacks when your infrastructure is under severe load. Consider the impact on legitimate services before activation.

Gaming Server Protection

Specialized protection algorithms designed for gaming servers with ultra-low latency requirements. Optimized for real-time traffic while maintaining strong security against gaming-specific attacks.

FiveM Server Protection

FiveM TCP/UDP Protection boolean

Comprehensive protection for FiveM (GTA V) servers covering both TCP and UDP traffic with optimizations for player connections and resource downloads.

Default Port: 30120
Latency Impact: < 0.1ms

TLS Protection boolean

Protects FiveM's encrypted connections including license verification and server list communications.

Coverage: license + heartbeat
Performance: hardware accelerated

Advanced Flag Analysis boolean

Deep packet inspection specifically tuned for FiveM's network protocol including custom flag combinations and packet structures.

Analysis Depth: application layer
FiveM Specific: protocol aware

L7 Protection (Beta) boolean

Experimental Layer 7 protection for FiveM application data. Provides advanced protection against game-specific exploits.

Status: beta feature
Support: experimental

Other Game Servers

Minecraft Java Protection boolean

Optimized protection for Minecraft Java Edition servers including bot detection and connection pattern analysis.

Default Port: 25565
Bot Detection: enabled

NovaLife Protection boolean

Specialized protection for NovaLife game servers with custom protocol analysis and player behavior monitoring.

Default Port: 7777
Protocol: custom analysis

Gaming Configuration Parameters

| Parameter | Default Value | Range | Description |
| --- | --- | --- | --- |
| Thread Threshold | 6500 | 1000-50000 | Maximum concurrent connections |
| SYN Rate Limit | 2/sec | 1-100 | New connections per IP per second |
| FIN Limit | 15 | 1-1000 | Connection termination rate |
| Download Limit | 1900 | 100-10000 | Resource download rate (KB/s) |

Gaming Best Practices
Gaming servers require careful tuning to balance security and performance. Start with default values and monitor player connections. Adjust thresholds based on your player count and peak connection patterns. Enable L7 protection only if experiencing application-layer attacks.

ICMP Management

Internet Control Message Protocol management for network diagnostics and ping-based attack prevention. Configure ICMP policies to balance network troubleshooting capabilities with security requirements.

ICMP Protection boolean

Basic ICMP traffic analysis and rate limiting. Allows legitimate network diagnostics while preventing ICMP-based attacks.

Types Monitored: echo, unreachable, redirect
Default Action: rate limit

ICMP Drop All boolean

Emergency mode that blocks all ICMP traffic including ping requests. Use during ICMP flood attacks when rate limiting is insufficient.

Impact: no ping responses
Diagnostics: disabled

Rate Limiting integer

Maximum ICMP packets per second allowed from each source IP. Prevents ICMP floods while maintaining diagnostic functionality.

Default Value: 10 packets/sec
Range: 1-1000

Blacklist Duration integer

Time in seconds that IPs exceeding ICMP rate limits are blacklisted. Balances security response with legitimate user recovery.

Default Value: 60 seconds
Recommended: 30-300

ICMP Attack Types

| Attack Type | ICMP Type | Description | Protection Status |
| --- | --- | --- | --- |
| Ping Flood | Type 8 (Echo Request) | High volume ping requests | Protected |
| Smurf Attack | Type 8 (Echo Request) | Amplified ping responses | Protected |
| ICMP Redirect | Type 5 (Redirect) | Malicious routing changes | Protected |
| Fraggle Attack | Type 8 (Echo Request) | UDP echo service abuse | Protected |

Network Diagnostics Impact
Enabling "ICMP Drop All" will prevent network diagnostic tools like ping and traceroute from working. This may impact network troubleshooting capabilities. Consider using rate limiting instead of complete blocking unless under active ICMP-based attack.

Security Best Practices

Proven strategies and recommendations for optimizing your NVH Shield configuration based on infrastructure type, traffic patterns, and security requirements.

Web Server Configuration

Recommended Settings:
• Enable all Global Protection features
• HTTPS Rate Limit: 50-100 req/sec
• HTTP Rate Limit: 30-60 req/sec
• TCP SYN Flood Protection: enabled
• UDP Amplification Protection: enabled

Gaming Server Configuration

Recommended Settings:
• Global Blacklist: enabled
• Game-specific protection: enabled
• TCP Rate Limiting: conservative values
• ICMP Rate Limit: 5-10 packets/sec
• Monitor latency impact carefully

Database Server Configuration

Recommended Settings:
• MySQL/PostgreSQL Protection: enabled
• SSH Protection: enabled (port 22)
• ICMP Drop All: consider enabling
• Strict TCP validation: enabled
• Low connection rate limits

API Server Configuration

Recommended Settings:
• HTTPS Protection: fully enabled
• Rate Limiting: based on API quotas
• TCP Flags Analysis: enabled
• Header Validation: strict mode
• Monitor false positive rates

Configuration Strategy
Start with conservative settings and gradually increase protection levels based on your traffic patterns. Monitor your application performance and adjust rate limits to match legitimate usage patterns. Always test configuration changes during low-traffic periods.

API Configuration Reference

Programmatic configuration options for automating NVH Shield settings through our REST API. Perfect for infrastructure-as-code deployments and dynamic protection management.

Example API Request - Update Protection Rules

curl -X POST https://api.nvhshield.com/add_rule \
  -H "Content-Type: application/json" \
  -d '{
    "apisecret": "your_api_secret_here",
    "userid": 12345,
    "ip": "192.168.1.100",
    "activate": 1,
    "glb_blacklist": 1,
    "https": 1,
    "https_ratelimit": 90,
    "https_blacklist": 60,
    "tcp_synflood": 1,
    "game_fivem": 1,
    "game_fivem_start": 30120,
    "game_fivem_end": 30120
  }'

| Endpoint | Method | Description | Authentication |
| --- | --- | --- | --- |
| /add_rule | POST | Create or update protection rules | API Secret |
| /get_rules | GET | Retrieve current protection settings | API Secret |
| /get_stats | GET | Fetch real-time protection statistics | API Secret |
| /blacklist | POST | Manage IP blacklist entries | API Secret |
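
For infrastructure-as-code use, a rule can be checked against the ranges documented on this page before it is sent to /add_rule, with the API secret read from the environment instead of typed into the command. This is an added example, not an NVH Shield client: the function names and the NVH_API_SECRET variable are hypothetical, the field names are those of the curl request above, and treating 0 as "disabled" for the on/off fields is an assumption.

```python
import json
import os

# Ranges stated on this page for the HTTPS integer settings.
LIMITS = {"https_ratelimit": (1, 10000), "https_blacklist": (1, 3600)}
# On/off fields from the curl request above (1 = enabled; 0 = disabled is assumed).
BOOLEAN_KEYS = {"activate", "glb_blacklist", "https", "tcp_synflood", "game_fivem"}
PORT_PAIRS = [("game_fivem_start", "game_fivem_end")]


def validate_rule(rule: dict) -> list:
    """Return a sorted list of problems; empty means the rule fits the documented ranges."""
    problems = []
    for key, (low, high) in LIMITS.items():
        if key in rule and not (isinstance(rule[key], int) and low <= rule[key] <= high):
            problems.append(f"{key} must be an integer in {low}-{high}")
    for key in rule.keys() & BOOLEAN_KEYS:
        if rule[key] not in (0, 1):
            problems.append(f"{key} must be 0 or 1")
    for start, end in PORT_PAIRS:
        if start in rule or end in rule:
            lo, hi = rule.get(start), rule.get(end)
            if not (isinstance(lo, int) and isinstance(hi, int) and 1 <= lo <= hi <= 65535):
                problems.append(f"{start}/{end} must be a port range with start <= end")
    return sorted(problems)


def build_request_body(rule: dict, userid: int, env=os.environ) -> str:
    """Serialize a validated rule, taking the secret from the environment.

    NVH_API_SECRET is a hypothetical variable name; reading it here keeps the
    secret out of shell history and the process list, unlike an inline curl -d.
    """
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    secret = env.get("NVH_API_SECRET")
    if not secret:
        raise RuntimeError("NVH_API_SECRET is not set")
    return json.dumps({"apisecret": secret, "userid": userid, **rule}, sort_keys=True)
```

The returned string can be piped to `curl --data @-` so the secret never appears on the command line.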