Summary

  • Amarutu Technology Ltd is visible in public infrastructure records as the company behind the KoDDoS network and hosting brand. RIPE records list Amarutu Technology Ltd as a local internet registry organisation with the abuse contact abuse@koddos.com at https://rest.db.ripe.net/ripe/organisation/ORG-ATL58-RIPE, RIPEstat says AS206264 is announced under "AMARUTU-TECHNOLOGY Amarutu Technology Ltd" at https://stat.ripe.net/data/as-overview/data.json?resource=AS206264, and PeeringDB maps AS206264 to Amarutu Technology Ltd with the alias KoDDoS, global scope, open peering policy, 20 exchange points and 18 facilities at https://www.peeringdb.com/api/net/7809. The commercial offer is not a commodity cloud account. KoDDoS markets offshore hosting, medium-risk and high-risk hosting, DDoS-protected dedicated servers, remote DDoS protection, broad payment methods and an explicit acceptable-use policy through pages such as https://koddos.net/, https://koddos.net/high-risk-hosting.html, https://koddos.net/ddos-protected-dedicated-servers.html, https://koddos.net/payment-methods.html and https://koddos.net/tos.html.
  • The economic thesis is conditional. Amarutu is attractive when the buyer values reachable infrastructure, DDoS mitigation, offshore content posture, payment flexibility and direct support more than the reputational spread attached to a high-risk hosting account. The spread is not moral; it is operating cost. Abuse complaints can consume support time, blocklist remediation can strain upstream relationships, wide payment options can widen risk, and a reputation for permissive hosting can increase customer-acquisition friction for legitimate buyers who need banks, advertisers, customers or counterparties to accept their infrastructure choice. The thesis would change if published metrics showed consistently low abuse-listing density per announced prefix, fast abuse-ticket closure, strong renewal retention, low payment failure rates, low migration-away churn after attacks, and independently verifiable uptime or mitigation outcomes beyond the self-reported status page at https://status.koddos.net/api/v2/summary.json.

The account begins with a reachability problem

The buyer in Amarutu's market is often not beginning from the same place as a buyer comparing a cheap virtual machine at a local VPS host. The useful opening case is a service owner with a website, forum, game panel, media service, trading community, controversial speech project, payment-facing application or reseller account that expects unwanted traffic. The owner wants a server to stay reachable, but also knows that the bill may include things a mainstream cloud invoice does not show as line items: support exchanges about abuse reports, replacement IPs, blacklist clean-up, upstream pressure, card or crypto payment friction, and the possibility that a user, advertiser or partner will ask why the service sits behind a high-risk host.

That buyer has substitutes. A mainstream hyperscale cloud account such as AWS with Shield at https://aws.amazon.com/shield/ can offer scale, compliance posture and integrated security, but it also brings account review, policy enforcement and potentially complex bandwidth economics. A CDN and security bundle such as Cloudflare at https://www.cloudflare.com/application-services/products/ddos/ can protect an application edge, but it does not replace every origin-server or hosting need. A local VPS host such as Hetzner Cloud at https://www.hetzner.com/cloud/ or a developer VPS provider such as DigitalOcean at https://www.digitalocean.com/products/droplets can be cheaper and easier for ordinary workloads, but may be less appealing for customers expecting harassment traffic or content complaints. An infrastructure provider with explicit anti-DDoS positioning such as OVHcloud at https://www.ovhcloud.com/en/security/anti-ddos/ or a cloud/VPS host such as Vultr at https://www.vultr.com/products/cloud-compute/ is another substitute. Self-hosting can preserve control, but it moves the customer into transit, router, power, remote-hands and mitigation problems.

Amarutu's KoDDoS offer sits in the gap between those alternatives. It tells the buyer that a high-risk or offshore account is a product category, not an embarrassment. The homepage at https://koddos.net/ advertises remote protection from $140 per month, DDoS-protected servers from $450 per month, offshore hosting from $8.95 per month, and a range of protection claims from 10 Gbps to 350 Gbps. The medium-risk shared hosting page at https://koddos.net/medium-risk-hosting.html lists plans from $39.99 to $389.99 per month, with 10 Gbps to 120 Gbps maximum attack filtering, 50 GB to 200 GB clean bandwidth, one domain and locations in the Netherlands, Hong Kong or the United States. The high-risk hosting page at https://koddos.net/high-risk-hosting.html lifts the monthly entry point to $140 and the top listed plan to $700, with 50 Gbps to 200 Gbps filtering and 100 GB to 400 GB clean bandwidth. The DDoS-protected dedicated-server page at https://koddos.net/ddos-protected-dedicated-servers.html lists dedicated packages from $450 to $825 per month, with one usable IP, 1 Gbps network interface, 20 TB to unmetered clean bandwidth options, and maximum attack filtering up to 350 Gbps.

Those pages are the first clue that reputation is being priced. Ordinary web hosting usually sells more storage, more RAM or more CPU. KoDDoS adds risk tiers and mitigation capacity to the commercial menu. The customer paying $140 for high-risk shared hosting is not buying the cheapest way to publish a site. The customer is paying for a provider willing to market itself around traffic filtering, offshore posture and content tolerance. That willingness is valuable only if the provider can keep the service reachable without allowing the reputation cost to rise faster than revenue.

Amarutu is the resource holder; KoDDoS is the operating brand

The public identity is clear enough for a company-research article, even though it is not a full financial filing. RIPE's organisation object at https://rest.db.ripe.net/ripe/organisation/ORG-ATL58-RIPE lists Amarutu Technology Ltd as an LIR, with country code SC, registration number 189024, address lines in Hong Kong, phone number +2484225244, email noc@koddos.com, admin and technical handle RL11970-RIPE, abuse role AR39335-RIPE and maintainer sc-amarutu-1-mnt. The same record was created on February 20, 2017 and last modified on May 13, 2026. A second and older pair of RIPE organisation records returned by a search for Amarutu show the same KoDDoS contact pattern under other maintainers, but the current LIR organisation object is the cleaner anchor.

RIPE's AS object at https://rest.db.ripe.net/ripe/aut-num/AS206264.json identifies AS206264 as AMARUTU-TECHNOLOGY, tied to ORG-ATL58-RIPE, with status assigned, created February 22, 2017 and last modified February 26, 2026. It lists transits including GTT, Arelion, Tata, RETN, Cogent, Telstra, NTT and Orange, then a long set of peers and route-policy imports and exports. RIPEstat's overview at https://stat.ripe.net/data/as-overview/data.json?resource=AS206264 says the holder is Amarutu Technology Ltd and that the ASN is announced. RIPEstat's announced-prefix feed at https://stat.ripe.net/data/announced-prefixes/data.json?resource=AS206264 showed dozens of IPv4 and IPv6 prefixes visible in the June 22 to July 6, 2026 window, including 185.191.124.0/24, 183.81.169.0/24, 89.249.49.0/24, 31.220.40.0/23, 103.109.100.0/22, 2402:7840::/32 and 2a0d:1000::/30. These are evidence of a real routing footprint, not proof of the content or identity of any customer.

PeeringDB is the bridge from legal entity to commercial network identity. Its network record at https://www.peeringdb.com/api/net/7809 names Amarutu Technology Ltd, lists the alias KoDDoS, website https://koddos.net, ASN 206264, IRR AS set AS-KODDOS, network type NSP, mostly inbound traffic ratio, global scope, IPv6 support, open general peering policy, no location or contract requirement, 20 exchange points and 18 facilities. The PeeringDB exchange attachment feed at https://www.peeringdb.com/api/netixlan?net_id=7809 shows large European and Asian exchange presence, including AMS-IX, NL-ix, Speed-IX, HKIX, AMS-IX Hong Kong, DE-CIX Frankfurt, Global-IX, GNM-IX, ERA-IX Amsterdam, 1-IX EU, JPNAP Tokyo, BBIX Tokyo, ERA-IX Frankfurt and Peering.cz. The facility feed at https://www.peeringdb.com/api/netfac?net_id=7809 lists Amsterdam, Frankfurt, Hong Kong, Stockholm and Tokyo sites, including NIKHEF Amsterdam, Digital Realty Amsterdam AMS9, Equinix AM5 and AM7, Frankfurt Equinix and Digital Realty sites, Hong Kong Equinix and iAdvantage facilities, and Tokyo Equinix facilities.

That infrastructure matters because the customer is buying reachability, not just a machine. A high-risk hosting account with weak paths is not high value. It would fail at the first large traffic event, upstream dispute or congested route. Amarutu's public records show enough exchange and transit diversity to make the product credible as a network service. The same records also show why the business has dependency risk. The customer ultimately relies on the tolerance and commercial behaviour of transit providers, exchange fabrics, data centres, route servers, domain and payment providers, and the legal jurisdictions in which servers, company addresses and customers sit.

The network sells route diversity, but upstream tolerance is finite

KoDDoS's own network page at https://koddos.net/network.html says its infrastructure is near Amsterdam, near Washington and in Hong Kong, claims 99.99% network availability, names premium providers such as TeliaSonera, Tata Communications, GTT, RETN and OpenPeering, and says customers can test the Netherlands or Hong Kong network through looking-glass links. It also says multiple transit suppliers provide fast routes to other networks, that the network is connected to main European networks and major exchange points, and that it uses Juniper and Cisco routing equipment. Those are provider claims, but they align with the RIPE and PeeringDB records.

The Statuspage data adds a second operating signal. The public status API at https://status.koddos.net/api/v2/status.json is branded "Amarutu Technology Ltd." and reported "All Systems Operational" at fetch time on July 6, 2026. The summary API at https://status.koddos.net/api/v2/summary.json listed operational components for KoDDoS Customer Portal, Netherlands, Hong Kong, Washington, D.C., Anti DDoS, IP Transit, DNS and Phone Support, with no current incidents or scheduled maintenance. The RSS history at https://status.koddos.net/history.rss shows past network maintenance items in 2019 and 2020, including edge-router replacement, Netherlands network changes, Hong Kong network upgrade, a core-switch update and an edge-router upgrade to support higher bandwidth capacity.

This evidence supports a moderate claim: Amarutu maintains public operational reporting and has a visible multi-region network presence. It does not prove that every advertised DDoS event is absorbed, every customer stays online, or every route remains clean under pressure. In fact, KoDDoS's own terms warn that extreme attacks may lead to upstream-provider rulings and partial continental accessibility or complete shutoff for reasons outside KoDDoS's control at https://koddos.net/tos.html. That sentence is commercially important. It tells the buyer that mitigation is not a magic shield; it is a negotiation among packet volume, filtering capacity, upstream policy, route reachability and customer behaviour.

The best way to read Amarutu's network proposition is as a layered option. A customer could buy a cheap VPS from a local host and add a CDN. That may work for normal web traffic. If the customer expects direct IP exposure, gaming traffic, application protocols that do not sit cleanly behind an HTTP CDN, or a history of harassment traffic, then the combination of transit, IX presence and provider willingness becomes more valuable. But the value is always conditional. A route that is reachable today can be dampened, filtered, rate-limited, de-peered or made commercially expensive tomorrow if abuse volume, attack traffic or upstream complaints rise.

The same point follows from RIPEstat's announced-prefix feed at https://stat.ripe.net/data/announced-prefixes/data.json?resource=AS206264 and PeeringDB's network record at https://www.peeringdb.com/api/net/7809: this is not a tiny single-prefix shop. It is a network with many visible advertisements, many peering surfaces and many individual address blocks that can acquire their own deliverability, blocklist and support histories. More-specific announcements can reflect traffic engineering, allocation history or operational requirements. In a reputation-sensitive hosting business, they also create more small operating theatres where one customer's behaviour can affect another customer's perception of the provider.

Terms of service make abuse a cost centre

The strongest economic evidence is not the marketing page. It is the terms page at https://koddos.net/tos.html. KoDDoS describes Amarutu Technology Ltd and the KoDDoS brand as an internet service provider operating under safe-harbour provisions. It bans spam and unsolicited commercial email, says spam can lead to immediate account termination, and puts responsibility for violations on members. It says accounts defaulting on monthly billing receive an email notification and 24-hour grace period, then deactivation, with a $20 reactivation fee. It says some refunds may be available only under narrow timing and reason conditions. It puts backup responsibility on the subscriber. It describes offshore hosting as self-managed, excludes emergency support for offshore plans, and says support is limited to server-level issues for shared and reseller hosting.

The acceptable-use section is permissive and restrictive at once. It frames offshore hosting as free-speech webhosting for forums, communities and download sites, with few content restrictions according to Netherlands laws and regulations. It also bans child sexual abuse material, spam-related sites, phishing, malicious scripts, botnets, trojans, viruses, exploitation scripts, shells, spam tools, proxies, CGI-IRC, fake mailers, mass mailers, SMS bombers, resource abuse and link farms. It says some HYIP, autosurf and Ponzi-style hosting requires a minimum of 50 Gbps DDoS protection VPS, a high-risk plan or a DDoS-protected server. It says KoDDoS has total discretion and will not hesitate to terminate accounts if a customer endangers its standing with the network.

That is the cost structure in one paragraph. The business wants customers who value a tolerant hosting posture, but it cannot let tolerance become upstream hostility. Every complaint has a handling cost. A false complaint costs support time and may irritate the customer. A valid complaint can require warning, suspension, termination, data handling, refund argument, route remediation or explanation to an upstream provider. A customer who generates abuse can create costs that are not proportional to storage or CPU usage. A single bad account can consume tickets, pollute an IP range, stress payment processors and create reputational drag on neighbouring customers.

KoDDoS's terms make this explicit in the violation section. They say the company may charge clients for breach recovery to offset costs of investigating suspected violations, remedying harm, responding to complaints, responding to subpoenas or legally authorized third-party requests, and having KoDDoS and upstream IP numbers removed from abuse databases. They also say no credit or refund will be granted for service interruptions due to user-agreement violations. The commercial logic is clear: abuse clean-up is not free support; it is a recoverable cost. That matters for margins because high-risk hosting only works if the provider can make the customers who create extraordinary remediation cost pay for that cost or leave quickly.

The abuse contact records support the same reading. RIPE's AR39335-RIPE role at https://rest.db.ripe.net/ripe/role/AR39335-RIPE.json lists abuse@koddos.com as the abuse mailbox for the current Amarutu organisation. A legacy KoDDoS role, KDDS9813-RIPE, at https://rest.db.ripe.net/ripe/role/KDDS9813-RIPE.json also lists abuse@koddos.com and a Hong Kong phone number. An abuse mailbox does not prove responsiveness, but it is the address where outside complainants, network operators and reputation services can push cost into the company. DShield's public ASN details endpoint at https://www.dshield.org/asdetailsascii.html?as=206264 returned headers and no 30-day source-IP rows for AS206264 at fetch time. That is a weak signal because DShield's coverage is not universal and absence from one feed is not a clean reputation certificate. It is still useful as a reminder that abuse metrics need normalization and multiple sources, not anecdotes.

Payments and support expand the funnel and the risk

KoDDoS makes payment flexibility a selling point. Its payment-methods page at https://koddos.net/payment-methods.html lists PayPal, credit card, bank wire, Alipay, UnionPay, Perfect Money, Bitcoin, Litecoin, Peercoin, Ethereum, Dash, Monero, Zcash, CashU and Payeer with credit-card, WebMoney, LiqPay and Russian-bank rails. For ordinary SaaS buyers, that list looks unusually broad. For a global offshore-hosting provider, it is a demand funnel. Customers who cannot or do not want to pay with mainstream cards can still buy. Customers in regions where local banking is awkward can route payment through alternative processors. Customers who value privacy can choose crypto assets.

The benefit is addressable market. The cost is payment operations. A wide list of payment methods can improve conversion, but it can also increase fraud handling, reconciliation work, chargeback disputes, sanctions screening, processor dependency and customer-support complexity. It may attract customers whose payment preferences are legitimate, but it may also attract customers with higher compliance or abuse risk. The question for Amarutu is whether payment breadth increases good revenue faster than it increases bad-account churn and operational drag.

Support is similarly double-edged. The contact page at https://koddos.net/contact.html lists support, billing, sales and "under attack" email channels, says users should allow up to 24 hours for a satisfactory reply, and points to the client area for tickets. The homepage at https://koddos.net/ and product pages advertise 24/7 live support, 24/7 monitoring and security engineers working round the clock. The status API includes "Phone Support" as an operational component. For a customer under attack, these signals matter. A provider that sells reachability must be reachable itself.

The tension is in the terms. Offshore hosting is described as self-managed; emergency support is excluded for offshore plans; support abuse can lead to account disablement. That boundary is commercially rational. If $8.95 offshore shared-hosting customers can consume round-the-clock engineering time, the margin breaks. If high-risk and DDoS-protected server customers cannot reach skilled staff when a real attack hits, the premium positioning breaks. Amarutu must segment support by account value and risk without making lower-tier customers feel abandoned or allowing noisy accounts to overwhelm the queue.

This is why the unit of analysis is a server account, not a server. The buyer is paying for the account relationship: billing, tickets, abuse desk, mitigation configuration, route availability, content posture, and the ability to stay online when a complaint or attack arrives. A cheap virtual machine with no such operating posture can be cheaper in dollars and more expensive in failure. A high-risk account with poor support can be more expensive in dollars and still fail. Amarutu's value sits in the difference.

Reputation is a spread on customer acquisition

Reputation should be analysed as cost, not as a sermon. A permissive or high-risk host may win customers that mainstream providers will not serve. It may also lose customers who need a cleaner brand association. A lawful forum, activist site, adult-adjacent project, security-research community or attacked media property may want offshore tolerance and DDoS filtering. But the same customer may need payment partners, advertisers, search visibility, email deliverability, enterprise counterparties or customers to accept the infrastructure. If an address range has poor reputation, the cost can show up as blocked email, failed API calls, verification friction, blocked sign-ups, higher fraud reviews, customer suspicion or migration planning.

KoDDoS's own marketing acknowledges this by making risk explicit. "Medium Risk" and "High Risk" are product labels at https://koddos.net/medium-risk-hosting.html and https://koddos.net/high-risk-hosting.html. The network page at https://koddos.net/network.html says abuse and DMCA messages will be forwarded to the client for resolution and that in most cases action is not required, while still naming hard prohibitions. The terms page reserves broad discretion. The company is not pretending to be a generic developer cloud. It is selling a hosting posture to customers who can benefit from that posture.

External market signals are thinner than the routing evidence. The official review page at https://koddos.net/reviews.html points to HostAdvice at https://hostadvice.com/hosting-company/koddos-reviews/ and WHTop at https://www.whtop.com/review/koddos.net, and displays review-award badges. Those links are market signals only. They do not substitute for churn data, net promoter scores, audited customer counts, complaint closure records or independent retention cohorts. They show that KoDDoS wants prospective buyers to see third-party review surfaces, but they do not by themselves prove service quality. That distinction matters because review portals can over-represent customers motivated to praise or complain, while silent retained customers and silent lost customers remain invisible.

The absence of dense credible media coverage under the Amarutu legal name is also a signal, but a limited one. The legal entity is a resource holder and network operator; the commercial identity is KoDDoS. Sparse legal-name coverage can mean the company is operationally niche, privately held and brand-led, not necessarily weak. It also means a buyer cannot easily triangulate revenue, ownership, margin, customer concentration or compliance history from public corporate reporting. A hyperscale provider exposes far more public financial and operating data. A small offshore host exposes more of its infrastructure posture and terms, but less of its balance sheet.

Academic work on hosting-provider security reputation warns against simple "bad provider" labels. A 2016 paper on security reputation metrics for hosting providers at https://arxiv.org/abs/1612.03641 explains that provider comparisons are sensitive to attribution, abuse-data coverage, normalization, aggregation and interpretation. That is exactly the right lens here. A provider with more customers, more public prefixes or more attacked clients can appear riskier in raw abuse counts than a smaller provider. A provider that actively accepts controversial but lawful customers can receive more complaints than a provider that rejects them at onboarding. The correct question is not whether Amarutu has any abuse risk. The correct question is whether abuse incidents per active customer, per advertised address block, per revenue unit and per support hour are low enough to sustain the premium.

DDoS demand is real, but advertised capacity is not the same as delivered outcome

The demand side is not imaginary. Public reporting on DDoS escalation shows why some buyers will pay for specialist mitigation. PC Gamer's January 2026 coverage of Cloudflare's DDoS report at https://www.pcgamer.com/software/security/an-unprecedented-bombardment-cloudflare-claims-a-new-world-record-for-a-31-4-tbps-ddos-botnet-attack-it-recorded-late-last-year/ described Cloudflare's claim of a 31.4 Tbps attack in late 2025 and said attacks rose quarter over quarter and year over year. TechRadar's January 2026 report at https://www.techradar.com/pro/security/the-biggest-ddos-attack-ever-has-been-detected-but-fortunately-you-probably-barely-noticed-it described the same 31.4 Tbps event and emphasized telecom-sector targeting. Wired's March 2026 report at https://www.wired.com/story/us-takes-down-botnets-used-in-record-breaking-cyberattacks discussed law-enforcement disruption of large botnets used in record-breaking attacks. These are not Amarutu-specific reports, but they explain why a customer might rationally pay a high-risk or DDoS-hosting premium.

The economic point is that DDoS pressure changes the buyer's cost curve. A local VPS can be cheap until the first serious attack. A CDN can be cheap until the origin is exposed or the protocol does not fit. A self-hosted server can be cheap until the customer's access link, router, upstream or data centre is overwhelmed. A hyperscale cloud can absorb large attacks, but the customer may dislike policy enforcement, account review, architecture complexity or downstream costs. A specialist provider such as KoDDoS monetizes that gap by bundling the server with a stated mitigation posture.

But capacity claims need delivery evidence. A plan page saying up to 350 Gbps filtering is not the same as an independent incident report showing which attack vectors were mitigated, how much legitimate traffic survived, how quickly routes converged, how many customers were affected and whether the attack caused collateral damage. KoDDoS says its DDoS protection system detects and blocks attacks in milliseconds, that it monitors attacks and can customize protection, and that it protects against TCP SYN floods, UDP floods, HTTP and HTTPS floods, DNS amplification, TCP ACK floods and ICMP echo request floods on pages such as https://koddos.net/ddos-protected-dedicated-servers.html and https://koddos.net/high-risk-hosting.html. Those are service claims. The buyer should price them against observed outcomes.

The strongest future evidence would be a transparent mitigation report: attack volume distribution, packet-per-second peaks, application-layer request rates, average mitigation time, false-positive rate, customer-visible downtime, route-withdrawal frequency, upstream blackhole events and post-incident churn. Without that, the thesis remains probabilistic. Amarutu has visible network resources and a product designed for reachability under attack. It also has the same information gap common to many private infrastructure providers: public plan pages reveal what is sold, not how often the promise is fulfilled.

Substitutes set the ceiling on the premium

Amarutu's price premium has a ceiling because the buyer can split the job across other products. A lawful site with ordinary web traffic can run origin servers at a local host, put Cloudflare in front of HTTP and HTTPS traffic, and keep a migration plan ready. That buyer may not need a high-risk account at all. A SaaS or enterprise buyer can choose AWS Shield, place the application behind AWS networking and security services, and accept Amazon's account governance in exchange for scale and procurement legitimacy. A European small business can use Hetzner Cloud or OVHcloud, keep data closer to its commercial base, and avoid the reputational questions that come with offshore branding. A developer team can start on DigitalOcean or Vultr, outsource only the edge to a CDN, and treat deeper mitigation as a contingency.

That substitute set is the discipline Amarutu must live under. KoDDoS does not win merely because attacks exist. It wins when the customer needs several things at once: server hosting, direct network reachability, DDoS posture, tolerance for controversial but lawful content, flexible payment, and support staff accustomed to complaints and attacks. If the customer needs only one of those things, a narrower substitute may be cheaper and cleaner. If the customer needs all of them, combining substitutes can become awkward. A CDN may protect only the front door. A hyperscale provider may reject the use case or impose more policy friction than the customer can bear. A local VPS host may suspend first and investigate later. Self-hosting may give maximum control while creating maximum operational exposure.

The substitute question also explains why KoDDoS's terms are not incidental. A mainstream provider can keep prices low by declining messy accounts early. Amarutu's brand promise is that some messiness is anticipated, categorized and priced. That is attractive to a customer whose history already includes DDoS attacks, DMCA notices, harassment traffic, content complaints, payment problems or ordinary providers asking the customer to leave. The account is buying a provider that has seen the pattern before. The catch is that prior experience is not the same as unlimited tolerance. The terms still ban spam, phishing, botnets, exploitation and malicious code, and they reserve broad termination rights. The customer is buying a wider operating lane, not a private lawless network.

This creates a ladder of rational buyers. The first group is temporary crisis buyers: they arrive during an attack, pay for mitigation, then leave when the immediate threat falls. They generate revenue, but they may create high support intensity and weak retention. The second group is persistent-risk customers: forums, game services, communities or media sites that are repeatedly targeted and need a provider comfortable with that pattern. They can justify renewals if reachability is good. The third group is reputation-sensitive customers who need protection but also need clean counterparties. They are the hardest to keep because every blocklist, card review or partner question raises the chance of migration. The fourth group is abusive customers. KoDDoS can earn short-term fees from them only by creating long-term cost for itself, which is why the terms try to push breach costs back to the account and preserve termination discretion.

The competitive moat is therefore not "DDoS protection" in isolation. It is the operating routine around difficult accounts. Large clouds have more infrastructure, but they may not want the use case. Cheap hosts have lower prices, but they may not want the complaint load. CDN/security bundles have powerful edges, but they may leave origin, payment and account policy unresolved. Other offshore or DDoS-focused providers can compete directly, which means Amarutu must defend on route quality, support response, payment convenience, customer trust and historical uptime. Those are measurable categories. If KoDDoS can show high renewal after attacks, low complaint recurrence, clean enough address reputation and stable upstream relationships, the premium looks like a rational insurance-like cost. If it cannot, substitutes will define it as expensive emergency hosting.

The unit economics can break in several places

The obvious revenue unit is the monthly hosting account. The less obvious cost unit is the incident. A quiet account consumes rack space, bandwidth, IP address inventory, billing operations and some routine support. A noisy account consumes engineering attention, abuse-desk time, payment review, IP reputation work, customer education, upstream communication and sometimes legal or law-enforcement response. The account can look profitable on the plan page and unprofitable after the third complaint. KoDDoS's terms at https://koddos.net/tos.html try to close that gap by charging for breach recovery and denying credits for interruptions caused by violations. That is economically sensible, but it works only if the provider can identify the responsible account, recover the fee, and stop repeat behaviour before upstream trust erodes.

Address inventory is one fragile point. RIPEstat's announced-prefix data at https://stat.ripe.net/data/announced-prefixes/data.json?resource=AS206264 shows many individual IPv4 /24-style announcements. A /24 is useful because it is the smallest widely accepted IPv4 route on the global internet, and it can be moved, filtered, announced or withdrawn as an operational unit. It is also a reputation unit. If a /24 picks up spam, scanning, phishing or malware associations, a customer on that range can experience delivery and connectivity friction even if the customer's own service is lawful. The provider can rotate addresses, segment customers, clean listings or move a customer to a different range, but each action consumes scarce IPv4 inventory and support time. The more reputation-sensitive the customer, the more expensive those operational choices become.

Upstream dependence is the second fragile point. PeeringDB shows AS206264 with open peering policy and many exchange attachments at https://www.peeringdb.com/api/net/7809 and https://www.peeringdb.com/api/netixlan?net_id=7809. RIPE's aut-num object lists named transits and many peers at https://rest.db.ripe.net/ripe/aut-num/AS206264.json. Diversity is valuable because it gives the network options. It does not eliminate dependence. During a very large attack, an upstream provider may prefer blackholing, rate limiting or route filtering to protecting a downstream customer whose traffic threatens other customers. During an abuse dispute, a transit provider may ask for faster response or threaten commercial consequences. During a routing mistake, many peers can propagate reachability problems quickly. The network premium is therefore partly a payment for route options and partly an exposure to the rules of every route provider.

Support staffing is the third fragile point. A high-risk hosting company needs staff who can separate three different cases quickly: a customer under attack, a customer causing abuse, and a customer caught in a false or exaggerated complaint. Each case has a different response. The attacked customer wants urgent mitigation and reassurance. The abusive customer needs containment or termination. The false-complaint customer needs evidence, patience and sometimes upstream explanation. If support treats all three as ordinary tickets, good customers churn. If support treats all three as emergencies, labour costs climb and low-value accounts consume high-value time. The contact page at https://koddos.net/contact.html and status component list at https://status.koddos.net/api/v2/summary.json show public support channels, but they do not disclose queue depth, escalation time or after-hours engineering coverage.

Payment is the fourth fragile point. The long payment-method list at https://koddos.net/payment-methods.html is commercially useful because it lets more customers enter the funnel. It also creates a filter problem. The account that pays by bank wire, card, PayPal, Alipay, UnionPay, Perfect Money, Bitcoin, Monero or another cryptocurrency may have a completely legitimate reason. The same breadth can be attractive to customers who expect disputes, chargebacks, sanctions screening, privacy questions or fast abandonment. The provider must distinguish payment flexibility from customer quality. If payment breadth mostly brings durable customers, it is an advantage. If it brings high-risk one-month accounts that create abuse cleanup, it becomes a hidden acquisition cost.

Finally, content posture can turn into customer-selection risk. Offshore and high-risk marketing attracts a heterogeneous customer base. Some customers are legitimate and simply hard to host: they are attacked, unpopular, politically sensitive, adult-adjacent, security-focused or located in regions where mainstream payment and cloud services are awkward. Other customers are looking for tolerance because they plan to externalize harm. The provider's margin depends on telling those groups apart early. KoDDoS's public terms and abuse mailbox show the control surface. The unknown is how often the controls work before a bad account consumes reputation that good accounts need.

Jurisdiction is part of the product, not a footnote

Amarutu's public records combine Seychelles registration context, Hong Kong contact addresses and KoDDoS hosting locations in the Netherlands, Hong Kong and the United States. RIPE's ORG-ATL58-RIPE object at https://rest.db.ripe.net/ripe/organisation/ORG-ATL58-RIPE uses country code SC and registration number 189024, while the contact page at https://koddos.net/contact.html lists Hong Kong and Seychelles address blocks. The product pages list Netherlands, Hong Kong or USA locations for shared and dedicated plans. The network page at https://koddos.net/network.html emphasizes the Netherlands and Hong Kong as offshore locations with more content and speech freedom, subject to hard prohibitions.

Jurisdiction therefore has two faces. It is a selling point for customers who want alternatives to domestic hosting pressure. It is also an operating risk because complaints can arrive through many channels: local law, upstream policy, payment processors, RIR contact obligations, data-centre rules, domain registrars, copyright complainants, security researchers and reputation services. A customer may believe it is buying distance from one jurisdiction, only to discover that the relevant pressure point is a transit provider, exchange peer, payment processor or data centre in another.

The terms page's DMCA and abuse posture is best understood through that complexity. It does not say all complaints are ignored. It says many abuse and DMCA messages will be forwarded to clients for resolution and that action is often not required, while also reserving discretion and banning specific content and conduct. That lets KoDDoS differentiate itself from mainstream providers that may remove marginal accounts quickly. It also creates a need for judgement. If the provider is too strict, it loses the customers who came for tolerance. If it is too permissive, it risks upstream standing, blocklists, payment access and collateral harm to legitimate customers.

This is where reputation becomes a cost of capital for the network. Transit providers, exchange peers, data centres and payment processors do not only evaluate current invoices. They evaluate expected trouble. A provider with frequent unresolved complaints may face worse terms, more reviews, less tolerance during attacks or a narrower set of willing partners. A provider with documented abuse handling, fast remediation and clean routes can keep the high-risk premium without paying an excessive upstream-risk spread. Amarutu's terms show it understands that trade. Public data does not yet show how well it manages it.

Retention is the hidden metric

The most important number not visible in public is retention. A DDoS-protected or high-risk server account is valuable if customers stay after the first incident. That means the customer survived the attack, resolved complaints, paid the invoice, found support adequate, avoided unacceptable collateral damage and did not migrate to a CDN bundle, hyperscale shield, local VPS, OVHcloud-style anti-DDoS account or another offshore provider. Churn after an attack would be more revealing than plan-page capacity.

Retention is also where reputation cost appears. A customer may tolerate higher monthly fees while under attack, then leave once the crisis passes. A customer may sign up through crypto during a crisis and never renew. A lawful but reputation-sensitive customer may test the provider, then migrate if payment partners or users object. A reseller may generate short-term revenue but leave behind support load. A game community may value low-latency reachability until route quality or mitigation false positives frustrate players. These are the customer-level economics behind the generic word "risk".

The current public evidence points to a mixed but coherent judgement. Amarutu has a real network footprint, a long-lived KoDDoS brand, explicit risk-tiered product pages, broad payment methods, public status reporting, abuse contacts and terms that try to push violation costs back to customers. The product makes sense for buyers who have already learned that ordinary hosting can be too fragile or too policy-constrained. The product is less compelling for customers whose main need is cheap compute, clean enterprise optics, managed compliance, predictable developer tooling or a mainstream procurement path.

The margin question is whether the high-risk premium exceeds the risk cost. Medium-risk shared hosting at $39.99 to $389.99 and high-risk shared hosting at $140 to $700 are not cheap when compared with ordinary VPS hosting. DDoS-protected dedicated servers at $450 to $825 are a larger commitment. Those prices can be rational if the customer avoids downtime, extortion, migration chaos, support abandonment or upstream shutoff. They are irrational if the customer gets ordinary hosting reliability with a reputational surcharge.

The customer should also think about reversibility. A server account that solves one emergency can create a new switching cost if the application becomes dependent on a specific mitigation setup, IP allocation, payment method, support habit or jurisdictional posture. Moving away later may require DNS changes, IP warm-up, payment re-verification, new abuse contacts, different firewall rules, CDN reconfiguration and another round of user trust. That makes the first month more important than the headline price implies. A buyer who treats KoDDoS as a temporary shelter should define the exit path before the attack. A buyer who treats it as permanent infrastructure should monitor whether reputation effects are rising or falling over time.

The cleanest procurement case is therefore not the loudest emergency. It is a customer that knows why mainstream hosting is insufficient, can document lawful use, can respond to complaints quickly, can maintain its own backups and application controls, and can measure whether the provider is reducing downtime rather than merely moving risk into a less visible corner.

That discipline is also how the provider keeps the account from becoming a permanent subsidy for the worst customers in the pool.

The judgement turns on measurable abuse, reachability and churn

The best current judgement is conditional but not neutral. Amarutu's KoDDoS server account is a credible specialist product for customers whose operating problem is reachability under attack or complaint pressure. The network footprint is visible in RIPE, RIPEstat and PeeringDB. The commercial offer openly prices risk tiers and mitigation capacity. The terms page shows that abuse risk is understood as a recoverable cost and an upstream-standing problem. Payment breadth and support channels widen the funnel. Statuspage data provides a public operational surface.

The weakness is that the most important performance metrics are private. Public sources do not disclose revenue, gross margin, attack success rates, abuse-ticket volume, average time to complaint closure, blocklist-removal time, renewal rates, payment failure rates, customer concentration, support backlog or post-attack churn. Review surfaces linked from https://koddos.net/reviews.html are useful as market signals, but they are not enough to prove retention or service quality. DShield's empty 30-day row set at https://www.dshield.org/asdetailsascii.html?as=206264 is too narrow to settle reputation. CIDR Report and PeeringDB show routing scale, not customer outcomes.

Several concrete metrics would change the thesis. First, abuse density: confirmed spam, phishing, malware, scanning or botnet complaints per thousand active customer accounts and per announced /24, with median and 95th-percentile closure times. If those numbers were low and falling, reputation risk would look controlled. If they were high, sticky and concentrated in recurring customers, reputation would be eating the margin. Second, reachability under stress: independently measured uptime, mitigation time, customer-visible packet loss, false-positive rate, route-withdrawal events and upstream blackhole events during attacks. If those were strong, the premium would be easier to defend. Third, retention: renewal rate after first attack, churn after abuse complaints, payment-failure rate by method, migration-away rate after mitigation events and support response satisfaction for high-risk and dedicated accounts. If attacked customers renew and pay through mainstream or stable alternative rails, Amarutu's product is working. If they arrive in crises and leave after disputes, the provider is selling expensive triage rather than durable infrastructure.

For now, the thesis should be stated with that discipline. Amarutu's server account is not attractive because it is cheap. It is attractive when reachability, mitigation, offshore tolerance, payment convenience and direct support reduce the buyer's total risk more than the account's reputation, abuse-handling, upstream and jurisdictional risks increase it. The firm sells a difficult account because some customers have difficult traffic. The investment-quality question is whether Amarutu can keep that difficulty priced, contained and renewable.