New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
for UK you can look at https://krystal.uk/technology
they do upstream filtering with voxility/link11 but have also local corero scrubbing
https://hostyd.org/ HostYD.org is my recommandation
Thats how ddos protection work, if done correctly. Voxility just blocks traffic from several networks and does not implement proper challenge response, as every well known vendor does - I'm sure you'll find out once under a real attack. Thats why you run critical services under permanent ddos protection.
I could not really agree with that. Nearly no one has a visible challenge in terms that while under attack or permanent people get disconnected the first time they try to connect or an even more visible switch between sensor and enabled state. Can you give me a vendor that does that as well? I’ve seen none…
At the point of real ddos attack — I’ve seen quite a few, and never had problems with any traffic passing through. Their biggest problem is that sensor will not always detect smaller attacks so sometimes a manual switch would be required. Even with no challenge, with no offense to you, from my tests, it detected a syn flood and majority of tcp attacks while you struggled (recent test).
I would not be able to say that Voxility is the best, but it’s performing better than most of the services and never letting any malicious traffic through. At costs at lower download speeds, due to not being stateful, which is not a priority to me and doesn’t affect real-user traffic, while your challenges do.
Please let me know if I missed anything and do not get it as any offense. It’s all my perspective and I can’t guarantee Voxility to perform better for anyone, but for my use, it’s on top with OVH.
$140 for AMD opteron? This must be a joke 🤣
Biggest examples are Netscout Arbor, A10 Networks and Corero. All of them use challenge response - thats how usually tcp authentication is done. You can even do them same for some udp applications, but need to implement the whole connection flow for the applications you are dealing with. Bigger vendors wont do that, they dont care about gameservers, their target audience are rather large enterprises.
How do you think it would be done otherwise, if not by just using GeoIP/Blocklists?
It's alright to do a challenge-response verification, however, none of them as I've seen (I'm not talking about A10 at this point, I've never used them) force players to reconnect after their first connection. It's impacting normal flow of players to some point. Also, Corero will never disconnect everyone when an attack is detected, so won't do a newer Arbor (although it was happening before). There must be a way of protecting server without a need of disconnecting everyone as an attack is detected, and without force-reconnect.
Blocking potentially malicious IPs, IP reputation, packet flow inspection are all ways of detecting suspicious traffic, and more transparent methods should be used. It's 2021, possibilities are limitless. Both OVH and Voxility are not impacting traffic in any way, while providing exceptionally great results. Corero is not impacting it, but leaking a lot.
On top of that, please explain me how freestress**.to is enough to bypass 71Mbit of traffic with all those challenges? Makes no sense. (attack to port 333) from DeinServerHost (your downstream).
Let me tell you Javapipe not only uses Riorey, they also use other DDoS Protection inhouse and they have their own panel.
How you can say, that they aren't enough if you didn't used them? Javapipe have a large experience with DDoS Attacks in the past they had a company called r00t-services.
Check Javapipe WorldShield v3 Features and Session Verification Feature, you will find it in DDoS Protection page
https://javapipe.com/ddos-protection/
You said they only use RioRey, nope. You are wrong
https://bgpview.io/prefix/5.254.66.0/24#info
They have servers in Romenia, with Voxility. They use rioray hardware and own DDoS Protection inhouse.
I highly recommend you get in touch with them in order to understand how they work and with options they offer.
Thats the right time then, to get in touch with your provider in order to have them create a flexrule or open a ticket with us. There are several potential reasons why something is leaking, discussing them in a public forum doesnt make sense, nor it would help you.
That's not the point. I never had to open up a ticket in order to see why the most public, well known, first-on-google DDoS stress test is able to bypass more than 70Mbit. A minimum that DDoS protection should do itself is to block all well-known free stressers. I can understand that there are more sophisticated attacks that are not possible to be blocked by regular "signatures or common user/bot behavior", but free ones most usually can. Don't worry, it's not up to DSH, I had the same experience under fastpipe as well before. Even if users really HAVE to create flexrules to mitigate such small, well-known attacks, there should be a system to do that automatically, intelligently based on type of the attack.
Other vendors usually perform much better:
have you read my post https://www.lowendtalk.com/discussion/comment/3289883/#Comment_3289883 did you try em out?