# About our Anti-DDoS

This document will explain the following:

* [What is GLAD?](#what-is-glad)
* [What is Warden?](#what-is-warden)
* [Explanation of the product and its features](#glad-features-tools)
* [Overview of product packages](#product-packages-overview)

## What is GLAD?

GLAD (Global Low-Latency anti-DDoS protection) is a collection of in-house tools that we offer at i3D.net to prevent, detect, and mitigate DDoS attacks. It's important to understand what an attack is, what attacks can do to disrupt services, and how our GLAD product can deter them.

For more information about how attacks work and how they can impact services, see the [DDoS attack types overview](/anti-ddos/attack-type-overview.md).

## What is Warden?

**Warden** is i3D.net's per-IP traffic management system. It works as an add-on to GLAD — once GLAD's network filters have run, Warden checks each source IP against your whitelist, greylist, and blacklist, and applies rate limiting to unknown sources. It is particularly well suited for gaming, real-time communication, and applications using custom protocols.

**Key benefits of Warden:**

* **Always active** — no attack needs to be detected first. Warden filters every packet from the moment your server is live.
* **Inline, no latency added.** Unlike other providers, Warden runs inside the same datacenter as your servers, allowing full scrubbing with no increase in latency. Filtering runs at the NIC level, not through the OS, so clean traffic is not slowed down.
* **No false positives for whitelisted players** — whitelisted IPs get through regardless of what else is happening on the network.
* **Fast updates.** Changes to your IP lists reach all Warden locations worldwide in 2–3 seconds via the API.

## How protection layers work

When traffic is heading to your servers, it passes through dedicated protection layers at different points in the network before it gets there.

![GLAD and Warden protection layers](/files/dyZWCl1qGGX6bfD5nI9U)

**GLAD's network filters** run first, on i3D.net's network equipment. Every packet is checked against your ACL rules — this is GLAD Advanced. If you have GLAD Premium, a bytematching filter runs right after, checking the packet payload against signatures you define for your protocol. Both checks are stateless and always on. There is no detection period.

The **Warden Service** runs second, for clients who have it, on dedicated downstream equipment. Warden checks each source IP against your whitelist, greylist, and blacklist, then applies rate limiting. Warden does not run bytematching — GLAD has already handled that step upstream.

Because each layer runs on separate, dedicated equipment at different points in the network, they hold independently. An attack that overwhelms one layer does not bypass the others.

{% hint style="info" %}
**Always active, no ramp-up** — the ACL, bytematching, and Warden filters are stateless and inline. They run on every packet from day one with no learning period. The exception is the automatic null-route feature (included in all tiers): this is detection-based and does have a short activation window. It is designed for large volumetric floods, not as a primary filter.
{% endhint %}

## GLAD features/tools

Below is an explanation of i3D.net's GLAD tooling and how each feature can help to mitigate DDoS attacks.

## What's included in the Standard package

{% stepper %}
{% step %}

### Default ACL (Access Control Lists) on VLAN

Preset Access Control List (**ACL**) rules that protect against diverse attack types, such as DNS (Domain Name System) and/or UDP attacks. The rules are consistently updated and maintained to ensure ongoing security.
{% endstep %}

{% step %}

### Automatic detection and auto null route

Automatic detection discovers incoming DDoS attacks. Once an attacker network is detected, this service blocks all traffic from it. In addition, null routing silently discards (or "drops") malicious incoming traffic: the undesired traffic is directed to a route that goes nowhere, protecting the infrastructure. Null routing renders the target server inaccessible to anyone, including clean traffic.
{% endstep %}
{% endstepper %}

## What's included in the Advanced package:

{% hint style="success" %}
*Advanced also includes the features from the Standard package above.*
{% endhint %}

{% stepper %}
{% step %}

### Custom ACL (Access Control Lists) on VLAN

With this feature, you can preset your own ACL rules to protect against most attack types. For example, you can set the specific ports, protocols, and IP addresses that need to be protected from attacks.
{% endstep %}

{% step %}

### Rate limiting

If a specific destination IP/port combination is not critical to the continued operation of the application running on the server, it can be set to receive a limited amount of traffic.

* It limits total traffic for a destination to a configurable Mbps value, such as “*all traffic to a certain destination port.*”
* If the rate limit is exceeded, the overflow traffic is discarded randomly, affecting both legitimate and illegitimate traffic.

**Understanding Rate Limits**

Rate limits control the number of requests that a server can receive within a specific timeframe. These limits help maintain service quality and prevent abuse. Once exceeded, further requests may be blocked or delayed until the limit resets.

For example:

* If you normally expect 10 Mbps traffic to a certain destination IP & destination port combination, you might decide to set a 20 Mbps rate limit.
* But if you then receive a 90 Mbps attack, the 20 Mbps rate limit will randomly drop the exceeding 80 Mbps, meaning you’ll pass through approximately 4 Mbps of legitimate traffic and 16 Mbps of illegitimate traffic.
* This means you effectively have **60% packet loss on your legitimate 10 Mbps of traffic** when the rate limit is performing exactly as it was configured to do.
* Its usefulness is therefore very limited for the actual application you’re trying to protect; **hard discard or accept methods are often more appropriate**.

Clients often rate limit ICMP traffic to ensure servers respond to pings during normal operation, but halt responses during ICMP-based DDoS attacks. Meanwhile, the application/protocol/port which runs on the server remains unaffected by this ICMP traffic rate limit.
{% endstep %}
{% endstepper %}

## What's included in the Premium package:

{% hint style="success" %}
*Premium also includes the features from the Advanced and Standard packages above.*
{% endhint %}

{% stepper %}
{% step %}

### Byte matching

Byte matching is a technique that identifies and filters out malicious or undesirable traffic from incoming network packets based on specific byte patterns. Customers can tailor the signatures that are matched. As a result, traffic whose bytes are not supposed to enter the network is blocked, safeguarding the targeted infrastructure.
{% endstep %}

{% step %}

### API access

This feature allows you to tailor your own protection as needed by managing protection profiles and white/blacklists through the API.
{% endstep %}

{% step %}

### Priority Support

Dedicated technical support with faster response times and direct access to i3D.net's DDoS protection specialists.
{% endstep %}
{% endstepper %}

## Warden Add-On:

{% hint style="success" %}
**Warden is available as part of the GLAD Premium package.** It can also be added as a standalone add-on — contact your i3D.net account manager for details.
{% endhint %}

For unparalleled anti-DDoS protection, Warden is our custom software that filters traffic based on a dynamic whitelist furnished by the customer. It provides inline filtering, which allows you to achieve a higher level of specificity and detail when filtering your traffic stream.

{% stepper %}
{% step %}

### **Dynamic IP Whitelisting**

Real-time IP management with sub-second global propagation. API-driven whitelist, greylist, and blacklist operations supporting millions of daily changes.
{% endstep %}

{% step %}

### **Advanced Payload Fingerprinting**

Protocol-specific packet inspection with 32-bit payload analysis and configurable bit masks. Creates custom signatures for proprietary protocols and supports multiple client versions.
{% endstep %}

{% step %}

### **Zero-Latency Processing**

Direct NIC-level filtering that bypasses OS overhead, maintaining sub-millisecond processing times with fail-open reliability.
{% endstep %}

{% step %}

### **Protocol-Aware Intelligence**

Distinguishes legitimate traffic from attacks using application-specific patterns. Prevents false positives that block real users during DDoS events.
{% endstep %}
{% endstepper %}
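
The masked payload match described under Byte matching and Advanced Payload Fingerprinting can be pictured as follows. This is an added illustration, not i3D.net's code or the GLAD/Warden signature format: the `Signature` fields, the `classify` helper, and the "GL" packet layout are assumptions constructed for the example.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    """One masked 32-bit comparison at a fixed payload offset (hypothetical format)."""
    offset: int  # byte offset into the packet payload
    value: int   # expected big-endian 32-bit word
    mask: int    # 1-bits are compared, 0-bits are ignored

    def matches(self, payload: bytes) -> bool:
        if len(payload) < self.offset + 4:
            return False  # too short to hold the word: no match, no out-of-bounds read
        (word,) = struct.unpack_from(">I", payload, self.offset)
        return (word & self.mask) == (self.value & self.mask)

def classify(payload: bytes, profile: list) -> str:
    """Stateless per-packet decision: accept only if every signature matches."""
    ok = bool(profile) and all(sig.matches(payload) for sig in profile)
    return "accept" if ok else "drop"

# Constructed protocol: bytes 0-1 magic "GL", byte 2 client version,
# byte 3 message type (0x00-0x0F), bytes 4-7 body length (below 65536).
PROFILE = [
    Signature(offset=0, value=0x474C0000, mask=0xFFFF00F0),  # version byte masked out
    Signature(offset=4, value=0x00000000, mask=0xFFFF0000),  # upper length bits must be zero
]

# Constructed sample payloads, not captured traffic.
SAMPLES = {
    "client v1": b"GL\x01\x02" + struct.pack(">I", 12) + b"hello world!",
    "client v2": b"GL\x02\x05" + struct.pack(">I", 4) + b"ping",
    "bad type": b"GL\x01\x41" + struct.pack(">I", 4) + b"ping",
    "bad magic": b"XX\x01\x02" + struct.pack(">I", 4) + b"ping",
    "huge length": b"GL\x01\x02" + struct.pack(">I", 0x7FFFFFFF),
    "truncated": b"GL\x01",
}

def run_samples() -> dict:
    """Classify every constructed sample against the profile."""
    return {name: classify(data, PROFILE) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12} {verdict}")
```

Masking out the version byte is what lets one signature cover several client versions, while the length and type checks reject packets that merely copy the magic bytes.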

Warden is designed to be flexible and adaptable. New features are continuously added whenever technically feasible, enabling you to benefit from the latest advancements in traffic filtering technology. In the event of server failures, Warden follows a fail-open system. If the redundant systems fail, instead of dropping traffic, Warden allows all traffic to pass through. This ensures that your network remains operational even in challenging situations.

Warden also supports Active-Active setups, allowing horizontal scaling. This means we can expand the capacity of our filtering infrastructure by adding more instances of Warden, distributing the workload, and ensuring scalability.

For more information on integrating Warden, please refer to [Warden: Overview of how it works](/anti-ddos/warden-capabilities-and-benefits.md)

## Product packages overview

Below is an overview of our product packages, detailing the features included.

| Features                                 | Standard | Advanced | Premium |
| ---------------------------------------- | -------- | -------- | ------- |
| Default ACL on VLAN                      | X        | X        | X       |
| Automatic detection and auto null-route  | X        | X        | X       |
| Custom ACL on VLAN                       | -        | X        | X       |
| Rate limiting                            | -        | X        | X       |
| Byte matching                            | -        | -        | X       |
| API Access                               | -        | -        | X       |
| Priority Support                         | -        | -        | X       |
| Dynamic IP Whitelisting (Warden)         | -        | -        | X       |
| Advanced Payload Fingerprinting (Warden) | -        | -        | X       |
| Protocol-Aware Intelligence (Warden)     | -        | -        | X       |
| Zero-Latency Processing (Warden)         | -        | -        | X       |

### Getting Started

* **GLAD packages** are available immediately upon service activation
* **Warden** requires initial configuration consultation
* **GLAD API access** for Warden is provided with comprehensive documentation at <https://glad-api.i3d.net/>


## Related topics

* [Attack types overview](/anti-ddos/attack-type-overview.md)
* [DDoS category attack types](/anti-ddos/ddos-attack-types.md)
* GLAD API reference: <https://glad-api.i3d.net/>

