Layer 3 / 4 · Volumetric
Anycast scrubbingAnycast absorption at every PoP. Automatic detection inside 2 seconds for SYN, UDP-flood, amplification (NTP, DNS, Memcached) and reflection attacks.
1 Tbps of anycast DDoS scrubbing, 150+ Gbps of blended Tier-1 transit, peering with the major European IXs — all terminated in jurisdictions chosen for free-speech precedent. Every IP on every plan is dual-stack, DDoS-shielded, and ready for BYOIP.
What the pipes and the scrubbers actually look like — numbers, not marketing.
L3/L4 scrubbing capacity across four PoPs. L7 rules available on demand.
Tier-1 IP transit aggregated across five diverse upstream carriers.
Direct peering at AMS-IX, DE-CIX, LINX, FICIX, BIX and SwissIX.
Every box ships dual-stack. /64 by default, /48 on flagship Citadel.
Blended upstreams chosen for diversity — five different ASNs carry traffic for each location, with automatic failover if one degrades.
Carrier-diverse Tier-1 transit with BGP weighting tuned for latency-first on our side and price on upstream overflow. Every DC has ≥ 3 of these active.
AS3257AS2914AS174AS3356AS1299AS1299We peer directly at the European Tier-1 IXs — traffic to/from Netflix, Cloudflare, Google, Hetzner, OVH, and most hyperscalers stays off paid transit entirely.
NLDEUKFIHUCHVolumetric, protocol and application-layer attacks are absorbed at the edge before they ever reach your server. No opt-in, no per-incident fee, no "fair-use" fine print.
Anycast absorption at every PoP. Automatic detection inside 2 seconds for SYN, UDP-flood, amplification (NTP, DNS, Memcached) and reflection attacks.
Optional L7 rules on Bastion and up — rate-limits, JS challenges, captcha flows and bot-fingerprint filtering. Templates ready for auth, checkout and game lobbies.
Drop or rate-limit by country, ASN, known-bad IP list, or a custom prefix list you upload via API. Every rule is pushed to the edge in < 60 s.
Control over your prefix, your announcements and your reverse DNS — without tickets.
Every server ships with a routed /64 by default and a full /48 on Citadel. Reverse DNS editable per host from the dashboard.
On Fortress and Citadel we accept BGP sessions from your ASN for IPv4 /24 or longer and any IPv6 prefix. Send LOA + IRR object, go live in 2 – 3 days.
Well-known BGP communities: prepend by region, de-preference a carrier, blackhole a prefix, steer away from transit during IX congestion. Full list in docs/bgp.
All upstream and peer sessions are RPKI-validated and IRR-filtered. Route leaks from your AS are caught before they leave us; hijacks directed at you are dropped.
No marketing between you and our network — run traceroutes, BGP lookups and ping tests directly from our PoPs.
Traceroute, ping, MTR and BGP show ip bgp from each of our 4 PoPs. IPv4 and IPv6. No login required, no rate-limit for interactive use.
route / route6 objects, and the origin ASN. We'll provision a BGP session, accept your prefix (minimum /24 IPv4, any IPv6) and announce it from our edge. Typical turn-up is 2 – 3 business days.cs:100:carrier), regional prepend (cs:200:region), selective blackhole (cs:666:prefix). Outbound: no-export, do-not-advertise-to-$peer, and geographic steering. Full reference in docs/bgp./48. We'll provide a NAT64/DNS64 endpoint you can point resolvers at, so legacy v4-only services still resolve.cryptoservers. suffix. Changes propagate globally in under 5 minutes. The API accepts up to 1000 PTR updates per request for bulk deployments.BYOIP, cross-connects, private VLANs, ASN setup, transit-only deals — all quoted per project.