Among numerous protection metrics, QPS (Queries Per Second) is a core parameter for evaluating the application-layer defense capabilities of a DDoS protected server. Its accuracy directly determines the balance between business security and user experience. So, what are the methods for setting the QPS protection value?
What is QPS?
QPS stands for queries per second: the number of requests a DDoS protected server can handle per second. This metric is generally used against application-layer attacks, especially CC attacks. Unlike traditional DDoS attacks, CC attacks do not require massive traffic to clog network bandwidth. Instead, they simulate a large number of legitimate users making high-frequency requests, disguising themselves as normal access and silently exhausting the server's core resources such as CPU, memory, and database connection pools, causing slow server response or even complete paralysis. These attack requests look very similar to normal traffic, which makes them difficult for traditional firewalls to identify effectively.
What does the QPS protection threshold setting affect?
Whether a business can withstand a CC attack depends on the QPS protection threshold set for the DDoS protected server and whether this threshold is "smart" enough. If the threshold is set too high, malicious traffic can breach the defenses, exhaust origin server resources, and cause business interruption. If the threshold is set too low, legitimate users are easily blocked by mistake: requests from genuine customers are rejected, resulting in lost orders and a damaged brand reputation.
The Golden Rule for Setting QPS Protection Values
Accurately setting QPS protection values is not a matter of guesswork; it requires thorough data calculation. The core golden rule is: the cleaning threshold should be set to 1.5 to 2 times the normal peak business volume. For example, if an e-commerce platform's daily peak QPS is 1000, its defense threshold should be set between 1500 and 2000. When the request volume exceeds this threshold, the high-defense server will automatically activate the CC protection mechanism, at which point subsequent refined strategies will take effect.
When determining the normal peak volume, a comprehensive analysis of historical traffic data is necessary. Operations personnel can use monitoring tools to analyze the daily QPS fluctuation range of the business, covering access characteristics at different times, including peak data during peak business periods and traffic records from historical attacks. The elastic protection peak value should then be set slightly higher than the historical high to avoid frequent blocking or rate limiting due to excessively low thresholds, while reserving sufficient redundancy for sudden traffic surges.
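The calculation described above, as an added example that is not part of the original article: it buckets request timestamps per second, takes the normal peak, and applies the 1.5x to 2x rule. The function names, the sample data and the choice to exclude known attack windows from the baseline are assumptions of this example.

```python
import math
from collections import Counter

def per_second_counts(timestamps):
    """Bucket request epoch timestamps (seconds, may be fractional) per second."""
    return Counter(int(ts) for ts in timestamps)

def normal_peak_qps(timestamps, attack_windows=()):
    """Highest per-second request count outside known attack windows.

    attack_windows holds (start, end) epoch seconds, inclusive. Excluding them
    is this example's assumption, so past attack traffic cannot inflate the
    baseline the threshold is derived from.
    """
    counts = per_second_counts(timestamps)
    normal = [n for sec, n in counts.items()
              if not any(lo <= sec <= hi for lo, hi in attack_windows)]
    if not normal:
        raise ValueError("no non-attack traffic in the sample")
    return max(normal)

def cleaning_threshold_band(peak_qps, low=1.5, high=2.0):
    """Apply the 1.5x to 2x rule from the text, rounding up to whole requests."""
    return math.ceil(peak_qps * low), math.ceil(peak_qps * high)

# Constructed sample: 4, 6 and 5 requests in seconds 100, 101 and 103,
# plus a 40-request burst in second 102 recorded as a past attack.
SAMPLE = ([100 + i / 10 for i in range(4)] + [101 + i / 10 for i in range(6)]
          + [102 + i / 100 for i in range(40)] + [103 + i / 10 for i in range(5)])
ATTACKS = [(102, 102)]

if __name__ == "__main__":
    peak = normal_peak_qps(SAMPLE, ATTACKS)
    print("normal peak:", peak, "band:", cleaning_threshold_band(peak))
    print("peak with attack included:", normal_peak_qps(SAMPLE))
```

If the attack burst is left in the baseline, the derived band rises well above what the origin was sized for, which is the "threshold set too high" failure described earlier.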
Layered and Fine-Grained Configuration Makes Protection "Smarter"
Setting a reasonable global QPS threshold is only a general guideline; the key to truly enabling high-defense servers to achieve efficient defense lies in establishing a layered and fine-grained protection system.
First, intelligent mode should be enabled. Locate the CC protection module in the high-defense backend and prioritize enabling the "intelligent mode" in the basic protection mode. The system will automatically balance defense strength and user experience. While directly enabling strict mode offers strong blocking effects, it is highly prone to triggering large-scale false positives.
In the core frequency-limiting stage, the high-defense server needs to limit traffic along different dimensions of access. A request frequency threshold for a single IP should be set. For ordinary enterprise websites, a threshold of 5 to 10 requests per second is suitable, while for e-commerce and news platforms, it is recommended to relax it to 15 to 30 requests per second. This both preserves user experience and effectively blocks low-frequency but continuous CC attacks. In gaming or API gateway scenarios, when a large number of players access the system through the same exit IP, restrictions are frequently triggered. In such cases, the connection rate threshold needs to be increased from the default 500 CPS to 2000-5000 CPS, coupled with a CAPTCHA challenge mechanism to prevent requests from being dropped directly.
For core interfaces such as login, registration, and payment, precise URL protection must be enabled. These operations are often the primary targets of attackers, and the system needs to set stricter frequency limits to prevent brute-force attacks or interface abuse.
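A sketch of the layered limits described above, as an added example that is not part of the original article or any vendor's product: a one-second sliding window per IP, plus a stricter per-IP window on core URLs, answering with a challenge rather than a drop. The class name, the per-URL limits and the paths are assumptions; the per-IP limits are the upper ends of the ranges given in the text.

```python
from collections import defaultdict, deque

# Per-IP limits in requests/second: upper ends of the ranges in the text.
SITE_PROFILES = {"enterprise": 10, "ecommerce": 30}
# Stricter limits for core interfaces; paths and values are assumptions.
STRICT_URLS = {"/login": 3, "/register": 2, "/pay": 3}

class LayeredLimiter:
    """Sliding-window limiter with a global per-IP layer and a per-URL layer."""

    def __init__(self, profile, window=1.0):
        self.ip_limit = SITE_PROFILES[profile]
        self.window = window
        self.hits = defaultdict(deque)  # key -> request times inside the window

    def _count(self, key, now):
        """Record one hit for key and return how many fall inside the window."""
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # expire hits older than the window
        q.append(now)
        return len(q)

    def check(self, ip, path, now):
        """Return 'allow' or 'challenge' for one request seen at time now."""
        over_ip = self._count(("ip", ip), now) > self.ip_limit
        limit = STRICT_URLS.get(path)
        over_url = (limit is not None
                    and self._count(("url", ip, path), now) > limit)
        # Challenge (e.g. CAPTCHA) instead of dropping, so a shared exit IP
        # with real users behind it is verified rather than cut off.
        return "challenge" if over_ip or over_url else "allow"

if __name__ == "__main__":
    lim = LayeredLimiter("enterprise")
    # Constructed traffic: four login attempts from one IP within 0.3 s.
    for i in range(4):
        print("/login", lim.check("198.51.100.7", "/login", 5.0 + i * 0.1))
    print("/", lim.check("198.51.100.7", "/", 5.4))
```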
Technology Frontier: AI-Driven and Refined Business Protection
Since 2026, QPS protection for DDoS protected servers has evolved from simple threshold blocking to a comprehensive approach of "proactive prediction" and "intelligent learning." Currently, advanced distributed DDoS protected cluster architectures, through Anycast intelligent scheduling, can distribute attack traffic to different cleaning nodes, greatly alleviating the pressure on single-point QPS.
At the attack identification level, behavioral analysis modules are being widely deployed. Traditional defense methods typically rely on static signature databases, which are prone to missed detections when an attack changes even slightly. Today, models based on deep neural networks (LSTM) can analyze over 300 dimensions of features in access requests in real time, including mouse movement trajectories, click behavior, and the randomness of request parameters, accurately distinguishing between machine scripts and real users. Simultaneously, business compensation mechanisms are constantly being improved; even minor data delays caused by defenses will be optimized through retransmission to ensure zero packet loss for transaction-related businesses.
Fake orders and malicious competition are unique challenges faced by e-commerce and ticketing platforms. These attacks do not aim to overwhelm servers but rather simulate normal human operations to deplete inventory or seize resources. To address this pain point, high-defense servers offer refined business frequency control strategies. The system analyzes the complete behavioral trajectory of user sessions, such as whether the time rhythm from browsing products, adding items to the cart to submitting an order is abnormal. It can combine multi-dimensional features such as browser fingerprint verification and payment interface access frequency to implement millisecond-level interception of suspected fake order scripts.
Common Misconceptions and Troubleshooting
One of the most easily overlooked problems when configuring QPS protection values is setting the entire protection strategy too rigidly. Differentiated handling is crucial for different access sources. For example, adding official crawler IP ranges from search engines like Baidu and Google to a whitelist allows genuine SEO-optimized access to bypass anti-DDoS protection and go straight to the origin server, avoiding false positives from rate-limiting policies. In overseas business scenarios, it's also necessary to pay attention to the different access characteristics of different regions. Removing IP ranges from certain specific regions from the blacklist and applying a medium-risk strategy to them, which only verifies requests without blocking them directly, can prevent false blocking while maintaining effective risk control.
Monitoring and alerting mechanisms are equally important. Establishing a full-stack monitoring system to continuously observe key indicators such as CPU load, memory usage, disk I/O, and actual QPS throughput, and setting reasonable threshold alerting rules, allows operations personnel to intervene immediately when attack peaks approach the defense limit. After an attack, timely review of protection logs, analysis of blocked and falsely blocked normal requests, and adjustments to frequency thresholds and precision policy conditions enable the protection system to continuously iterate and optimize.
Future QPS protection technology will increasingly rely on the adaptive learning capabilities of AI, evolving from static thresholds to dynamic business awareness. For businesses, the key right now is to accurately set initial thresholds and iterate and update them rapidly in small steps based on business fluctuations. This article aims to help you systematically master the methods for setting QPS protection values for DDoS protected servers, taking a solid step forward in maintaining the stability and security of your online business.