Skip to main content
DDoS filters are active by default on all protected IPs. Each filter only permits traffic that matches the expected protocol signature for that application, blocking everything else on the covered port range. No configuration is required to benefit from these filters.

Active application filters

Protocol: UDPDefault ports: 51820–51920Only traffic conforming to the WireGuard protocol specification is permitted on these ports. Non-WireGuard UDP traffic targeting ports in this range is dropped.
Protocol: UDPDefault ports: 1194–1294Only OpenVPN UDP traffic is permitted on these ports. There is no TCP OpenVPN filter — if you run OpenVPN over TCP, your traffic is covered by the standard TCP protection layer rather than this application-specific filter.
The OpenVPN filter covers UDP only. TCP-based OpenVPN deployments are not covered by this dedicated filter.
Protocol: TCPDefault port: 22Only SSH protocol traffic is permitted on port 22.
If you have moved SSH to a non-standard port for security reasons, the default SSH filter will not cover that port.
Protocol: UDPDefault ports: 9000–9999Only TeamSpeak 3 voice traffic is permitted on these ports. TeamSpeak filesharing and server query ports are not covered by this voice filter, those ports fall under the default TCP protection.

Summary table

ApplicationProtocolDefault portsNotes
WireGuardUDP51820–51920WireGuard specific traffic only
OpenVPNUDP1194–1294UDP only | no TCP OpenVPN filter
SSHTCP22SSH specific traffic only
TeamSpeak 3UDP9000–9999Voice traffic only | filesharing/query via TCP protection