BuyVM incompetent DDoS protection setup
There is an issue with BuyVM, where traffic destined to protected subnets, from within the LAN, will skip past filtering. This means that sufficient SYN traffic can lead to your server becoming unusable. It doesn't matter what provider, skids will compromise a host for this.
Nearly all of the LET providers have a similar issue and it doesn't matter if there are filters setup on path.net/voxility's side. This is what efnet skids are abusing and I'd like to see it resolved. Easiest fix, of course, would be to force traffic destined to the subnets through the WAN.
Better solution, though, would be an isolated VLAN per host, for the DDoS protected IPs, where all traffic must pass through the WAN.
Oh, right, BuyVM has an awful path.net setup, where SYNPROXY doesn't establish connections properly... heh. OVH? Nope, skids just spoof the source address to be that of an OVH monitoring host.