Experiences with DDoS protected services other than cloudflare

risharde Patron Provider, Veteran

Hi guys, so this question has a lot more background I will probably share and hopefully I shall in due course but to keep it short (yeah right!), does anyone have any experiences they can share regarding other DDoS protected services (preferably transparent ones like OVH?).

I'm inclined to build my project using multiple OVH instances BUT I remember someone saying that OVH DDoS protection was easy to circumvent. In particular, I am referring here to perhaps core DDoS protection (lower layers) since I don't think OVH protects the application layers by default?

Have you ever experienced downtime with OVH DDoS protection failing?
And most importantly, did any of you have any such DDoS that was so bad that your only solution was Cloudflare?

Please let me know. Right now I'm totally frustrated with getting my SNI webserver implementation to work on cloudflare due to the complexity (my lack of understanding) of all the SSL jargon and features. My issue is more complicated than just generating whatever intermediate SSL certs are required for the webserver to work with cloudflare proxy servers because I want to allow user specified domains to also work, and having cloudflare in between in this particular case seems to be problematic (I guess I would have to somehow generate SSL certs for each user's domain) - again, figuring out IF and how to automate that with cloudflare would probably be an issue and probably cost a million dollars as well.

Thanks guys!

Comments

  • AXYZE Member
    edited April 2022

    If I understand you correctly you want to automatically add new, user-specified domains to Cloudflare.

    It's pretty easy to do with the Cloudflare API and the limits are quite high (50 domains per 30 minutes), but there's also a partner program for such integrations https://portal.cloudflarepartners.com/English/register_email.aspx
    though I don't know if it's free or if they accept only big players... :/ Take a look

    For basic management of 100+ domains on your CF account you can use this paid tool https://domainsoftwares.com/product/cloudflare-api-console-for-bulk-add-domains-and-dns-records/
    but if you have any programming knowledge then just read the Cloudflare API docs and build it yourself.

    Thanked by: risharde
  • doghouch Member
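Automating what AXYZE describes, as an added example that is neither AXYZE's code nor Cloudflare's: a client-side sliding-window limiter keeps bulk zone creation under the 50-per-30-minutes figure quoted above, and user-supplied hostnames are validated before any request is built, since in this project the names come from end users. The endpoint URL, the request body shape, `ACCOUNT_ID_PLACEHOLDER`, `TOKEN_PLACEHOLDER`, and the injected `send` and `clock` callables are assumptions; requests are only built here, and nothing leaves the machine unless you pass a real sender.

```python
"""Gated bulk zone creation against a per-window API limit (added example).

Assumed, not from the thread: the Cloudflare v4 zone endpoint
POST https://api.cloudflare.com/client/v4/zones with a bearer token and a
JSON body {"name": <domain>, "account": {"id": <account id>}}. The HTTP
sender and the clock are injected so the module runs offline.
"""
import collections
import json
import re
import time
from typing import Callable, Deque, Dict, Iterable, List

CF_ZONES_URL = "https://api.cloudflare.com/client/v4/zones"
LIMIT_CALLS = 50           # zone additions per window, as quoted in the thread
WINDOW_SECONDS = 30 * 60   # the 30-minute window from the thread

# RFC 1123 style hostname: labels of 1-63 chars, no leading/trailing hyphen,
# at least two labels, 253 chars total. User-supplied names are checked
# here before they ever reach the API.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def normalize_zone_name(name: str) -> str:
    return name.strip().lower().rstrip(".")


def is_valid_zone_name(name: str) -> bool:
    return bool(_HOSTNAME_RE.match(normalize_zone_name(name)))


class SlidingWindowLimiter:
    """Permits at most `limit` acquisitions in any trailing `window` seconds."""

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit, self.window, self.clock = limit, window, clock
        self._stamps: Deque[float] = collections.deque()

    def _prune(self, now: float) -> None:
        while self._stamps and now - self._stamps[0] >= self.window:
            self._stamps.popleft()

    def try_acquire(self) -> bool:
        now = self.clock()
        self._prune(now)
        if len(self._stamps) >= self.limit:
            return False
        self._stamps.append(now)
        return True

    def seconds_until_allowed(self) -> float:
        now = self.clock()
        self._prune(now)
        if len(self._stamps) < self.limit:
            return 0.0
        return self.window - (now - self._stamps[0])


def build_zone_request(domain: str, account_id: str, api_token: str) -> Dict:
    """Shape of one zone-creation call (assumed endpoint and body)."""
    return {
        "method": "POST",
        "url": CF_ZONES_URL,
        "headers": {"Authorization": f"Bearer {api_token}",
                    "Content-Type": "application/json"},
        "body": json.dumps({"name": domain, "account": {"id": account_id}}),
    }


def add_zones(domains: Iterable[str], account_id: str, api_token: str,
              limiter: SlidingWindowLimiter,
              send: Callable[[Dict], None]) -> Dict[str, List[str]]:
    """Send one request per valid domain while the limiter allows it.
    Invalid names are rejected; over-limit names are deferred, not dropped."""
    result: Dict[str, List[str]] = {"sent": [], "deferred": [], "rejected": []}
    for raw in domains:
        name = normalize_zone_name(raw)
        if not is_valid_zone_name(name):
            result["rejected"].append(raw)
        elif limiter.try_acquire():
            send(build_zone_request(name, account_id, api_token))
            result["sent"].append(name)
        else:
            result["deferred"].append(name)
    return result


if __name__ == "__main__":
    # Offline demo: fake clock, fake sender, constructed domain list.
    fake_now = [0.0]
    limiter = SlidingWindowLimiter(LIMIT_CALLS, WINDOW_SECONDS, clock=lambda: fake_now[0])
    outbox: List[Dict] = []
    batch = [f"user{i}.example" for i in range(60)] + ["-bad.example"]
    first = add_zones(batch, "ACCOUNT_ID_PLACEHOLDER", "TOKEN_PLACEHOLDER", limiter, outbox.append)
    print(len(first["sent"]), "sent,", len(first["deferred"]), "deferred,",
          len(first["rejected"]), "rejected; retry in", limiter.seconds_until_allowed(), "s")
    fake_now[0] += WINDOW_SECONDS   # pretend the 30-minute window has elapsed
    second = add_zones(first["deferred"], "ACCOUNT_ID_PLACEHOLDER", "TOKEN_PLACEHOLDER", limiter, outbox.append)
    print(len(second["sent"]), "sent on retry;", len(outbox), "requests built in total")
```

The deferred list is returned rather than silently retried so that a queue worker can sleep for `seconds_until_allowed()` and resume; a real deployment would also handle the API's own 429 responses, which this offline version never sees.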
    edited April 2022

    OVH DDoS protection is fine for the price — however — (not sure if this is still the case) keep in mind that if someone decides to attack you within the same OVH DC, the DDoS protection will not kick in.

    Thanked by: risharde, szymonp
  • risharde Patron Provider, Veteran

    @AXYZE said:
    If I understand you correctly you want to automatically add new, user-specified domains to Cloudflare.

    It's pretty easy to do with the Cloudflare API and the limits are quite high (50 domains per 30 minutes), but there's also a partner program for such integrations https://portal.cloudflarepartners.com/English/register_email.aspx
    though I don't know if it's free or if they accept only big players... :/ Take a look

    For basic management of 100+ domains on your CF account you can use this paid tool https://domainsoftwares.com/product/cloudflare-api-console-for-bulk-add-domains-and-dns-records/
    but if you have any programming knowledge then just read the Cloudflare API docs and build it yourself.

    I'll definitely look into this more but yes, I'm a super small player and considered a start-up. Also I need something relatively unlimited since it all depends on who wants the domain pointing to the source server(s).
    Thanks a lot for these resources! API part I can most probably do but limits are going to be the issue if I go with cloudflare.

    @doghouch said:
    OVH DDoS protection is fine for the price — however — (not sure if this is still the case) keep in mind that if someone decides to attack you within the same OVH DC, the DDoS protection will not kick in.

    Thanks!! This is super helpful and something I did not think about. Thanks for this! Definitely will consider blending multiple different providers even though the intention would have been to begin with OVH.

  • Have you looked at Cloudflare for SaaS product? I think it's designed for external domains under your umbrella (or hosting).

    "To enable Cloudflare for SaaS, go to the SSL tab -> Custom Hostnames."

    https://blog.cloudflare.com/cloudflare-for-saas/

    Thanked by: risharde
  • risharde Patron Provider, Veteran

    @nanankcornering said:
    Have you looked at Cloudflare for SaaS product? I think it's designed for external domains under your umbrella (or hosting).

    "To enable Cloudflare for SaaS, go to the SSL tab -> Custom Hostnames."

    https://blog.cloudflare.com/cloudflare-for-saas/

    Thanks I did not in detail! Appreciate this resource link as well! Still probably going to be a deal breaker since I'm definitely going to need much more than that as onddns grows and well is currently free for everyone!

  • ezeth Member, Patron Provider

    I know for DNS I use OVH and Path, works fine so far. Ns1 at OVH ns2 at BuyVM

    Thanked by: risharde
  • risharde Patron Provider, Veteran

    @ezeth said:
    I know for DNS I use OVH and Path, works fine so far. Ns1 at OVH ns2 at BuyVM

    Thanks for this! Yes onddns uses multiple providers for DNS already to keep things from falling apart in the event of DDoS. This is another expansion to the project where I'm interested now in onddns (DNS) powering an HTTP grid. That's why I've been trying to get SSL working. More details on this if I get this to eventually work - currently building the project and won't see this become a reality until a few weeks perhaps.

  • ezeth Member, Patron Provider
    edited April 2022

    @risharde said:

    @ezeth said:
    I know for DNS I use OVH and Path, works fine so far. Ns1 at OVH ns2 at BuyVM

    Thanks for this! Yes onddns uses multiple providers for DNS already to keep things from falling apart in the event of DDoS. This is another expansion to the project where I'm interested now in onddns (DNS) powering an HTTP grid. That's why I've been trying to get SSL working. More details on this if I get this to eventually work - currently building the project and won't see this become a reality until a few weeks perhaps.

    Yeah. For DNS it’s really simple. You can just go with all DDoS providers and have 4 nameservers or so :P

    I might want to add Voxility too

    Thanked by: risharde
  • risharde Patron Provider, Veteran

    @ezeth said:

    @risharde said:

    @ezeth said:
    I know for DNS I use OVH and Path, works fine so far. Ns1 at OVH ns2 at BuyVM

    Thanks for this! Yes onddns uses multiple providers for DNS already to keep things from falling apart in the event of DDoS. This is another expansion to the project where I'm interested now in onddns (DNS) powering an HTTP grid. That's why I've been trying to get SSL working. More details on this if I get this to eventually work - currently building the project and won't see this become a reality until a few weeks perhaps.

    Yeah. For DNS it’s really simple. You can just go with all DDoS providers and have 4 nameservers or so :P

    I might want to add Voxility too

    Correct indeed! I did reinvent the wheel for onddns though; it doesn't use bind or powerdns etc. It uses a custom coded DNS server which doesn't have all the bells and whistles of these larger projects but a lot of flexibility, with literally being able to do unusual things - that was sort of the point of the project: to offer dynamic DNS for free and later on geodns. I thought the adoption rate would have been higher but I'm years late to the game here, so I'm hoping to add this additional grid feature as a goodie and hopefully more folks will benefit from DNS (which is pretty generic as is).

  • 3003 Member

    OVH's DDoS protection is -fine- for what you are paying for it, and stops a lot of kiddos. But for someone experienced in the field, it's just a paper wall. It is actually fairly simple to kill any OVH server, if you just know how to do it, and what patterns to use.

    But for normal use, OVH is perfectly fine. For critical things, it is not.

    Thanked by: risharde
  • risharde Patron Provider, Veteran

    @3003 said:
    OVH's DDoS protection is -fine- for what you are paying for it, and stops a lot of kiddos. But for someone experienced in the field, it's just a paper wall. It is actually fairly simple to kill any OVH server, if you just know how to do it, and what patterns to use.

    But for normal use, OVH is perfectly fine. For critical things, it is not.

    Thanks, yes agreed. Are you referring to application attacks to kill a server or something lower down the stack? I definitely understand if you're referring to app attacks but if it's something else and you can be slightly more specific without giving away your secrets, that would be great!

  • Doing HTTPS for customer domains can be very hard, it does not scale well. There are all kinds of limits that you might hit; Let's Encrypt rate limits for getting the certificates for example. Or your webserver/load balancer. I have a HaProxy instance that is pointed to a folder with certificates (around 1200 certificates I think) and when that server receives an HTTP flood/application layer attack it uses a lot more CPU than a server that just has one certificate loaded (when under attack as well with the same amount of requests).

    Cloudflare for SaaS is a good choice, but you'll get locked in, and it's 2$ per hostname after the free 100 domains, so for a free service it is not doable.

    Cloudflare is (for what I've seen) not a silver bullet either for application layer attacks, they will block a huge chunk of the bad traffic, but a lot will also flow through (at least for the first few minutes, as it's very hard to detect "smaller" attacks at their scale - I've not checked if their paid-for plans are any different). Last week, around 6-12 thousand requests per second of an HTTP flood passed through Cloudflare, right to my origin servers - I see 200-500 requests/s getting through during attacks at Cloudflare multiple times a month, so your origin server(s) should be able to take at least something.

    I think that using a bunch of different providers works best, to prevent things like internal attacks that might bypass a specific provider for network based attacks.

    As for providers, Cloudflare, Path, and OVH should all be pretty good at blocking network level attacks without any issues.

    For providers that specifically protect against HTTP floods; Combahton offers application layer protection for HTTP, but you will have to upload certificates to their system using their API, and I'm not sure how many domains they allow. I've also seen Javapipe (I contacted them once about their "Unlimited domains" plan, and they quoted a much higher price than the page says due to how many resources the amount of domains that I asked for would require (I think I said around 600 certificates)). And Blazingfast also offers a reverse proxy, but I don't think you can automate uploading certificates there. And I'm not sure how good they all are at blocking attacks, but those are some reverse proxy options besides Cloudflare that come to mind.

    I don't think that you can offer vanity domains as a free feature without big pockets, doing it in-house you will reach limits pretty quickly. It's fine for <500 domains or so, but above that amount you might run into issues, or at least have to do some work-arounds. And most reverse proxy services will not allow you to upload 500+ certificates to their edge, or at least not at a price that would be acceptable for a free service.

    -Tim
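Tim's point that 200-500 req/s can reach the origin during an attack means the origin needs its own view of the traffic, whatever sits in front of it. As an added example (not Tim's code and not part of HAProxy or Cloudflare), the following parses combined-format access-log lines and flags every second in which the total request rate, or any single client's rate, crosses a threshold; the log format, the thresholds and the sample lines are constructed assumptions, and the first field is assumed to hold the proxied client address rather than the proxy's own address.

```python
"""Spotting an HTTP flood at the origin from access-log lines (added example).

Log format assumed: nginx/Apache "combined" style with the client address
as the first field. Behind a reverse proxy such as Cloudflare that field
must be the proxied client address (Cloudflare sends it in the
CF-Connecting-IP header); otherwise every line shows the proxy's address
and per-client counting is meaningless. Sample lines are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Return ip, epoch second, request line and status, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return {"ip": m.group("ip"), "epoch": int(ts.timestamp()),
            "request": m.group("req"), "status": int(m.group("status"))}


def detect_flood(lines, total_rps: int = 200, ip_rps: int = 20) -> List[dict]:
    """Flag each second whose total request count exceeds `total_rps`, or in
    which any single client exceeds `ip_rps`. The thresholds are illustrative;
    the thread reports 200-500 req/s leaking through Cloudflare during attacks."""
    total: Counter = Counter()
    per_ip: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # malformed lines are skipped; they must never crash the detector
        total[rec["epoch"]] += 1
        per_ip[rec["epoch"]][rec["ip"]] += 1
    findings = []
    for sec in sorted(total):
        noisy = [(ip, n) for ip, n in per_ip[sec].most_common() if n > ip_rps]
        if total[sec] > total_rps or noisy:
            findings.append({"second": sec, "total": total[sec], "noisy_ips": noisy})
    return findings


def make_sample_log() -> List[str]:
    """Constructed log: three seconds of quiet traffic (5 clients, 2 req/s each),
    plus a burst in the 2nd and 3rd second where 8 clients send 30 req/s each."""
    t0 = datetime(2022, 4, 12, 10, 0, 0, tzinfo=timezone.utc)
    lines: List[str] = []

    def emit(ip: str, second: int, path: str) -> None:
        ts = (t0 + timedelta(seconds=second)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')

    for second in range(3):
        for i in range(5):
            for _ in range(2):
                emit(f"198.51.100.{i}", second, "/")
    for second in (1, 2):
        for i in range(8):
            for _ in range(30):
                emit(f"203.0.113.{i}", second, "/login")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for f in detect_flood(make_sample_log()):
        when = datetime.fromtimestamp(f["second"], timezone.utc).isoformat()
        print(f'{when}: {f["total"]} req/s, {len(f["noisy_ips"])} clients over the per-client limit')
```

Per-second buckets are deliberately coarse: they are cheap to compute from a log tail and good enough to drive an alert or a temporary block list, while the per-client counts tell you whether the flood is a few loud sources (rate-limit them) or thousands of quiet ones (only upstream filtering helps).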

  • risharde Patron Provider, Veteran

    @Tim_kwakman said:
    Doing HTTPS for customer domains can be very hard, it does not scale well. There are all kinds of limits that you might hit; Let's Encrypt rate limits for getting the certificates for example. Or your webserver/load balancer. I have a HaProxy instance that is pointed to a folder with certificates (around 1200 certificates I think) and when that server receives an HTTP flood/application layer attack it uses a lot more CPU than a server that just has one certificate loaded (when under attack as well with the same amount of requests).

    Cloudflare for SaaS is a good choice, but you'll get locked in, and it's 2$ per hostname after the free 100 domains, so for a free service it is not doable.

    Cloudflare is (for what I've seen) not a silver bullet either for application layer attacks, they will block a huge chunk of the bad traffic, but a lot will also flow through (at least for the first few minutes, as it's very hard to detect "smaller" attacks at their scale - I've not checked if their paid-for plans are any different). Last week, around 6-12 thousand requests per second of an HTTP flood passed through Cloudflare, right to my origin servers - I see 200-500 requests/s getting through during attacks at Cloudflare multiple times a month, so your origin server(s) should be able to take at least something.

    I think that using a bunch of different providers works best, to prevent things like internal attacks that might bypass a specific provider for network based attacks.

    As for providers, Cloudflare, Path, and OVH should all be pretty good at blocking network level attacks without any issues.

    For providers that specifically protect against HTTP floods; Combahton offers application layer protection for HTTP, but you will have to upload certificates to their system using their API, and I'm not sure how many domains they allow. I've also seen Javapipe (I contacted them once about their "Unlimited domains" plan, and they quoted a much higher price than the page says due to how many resources the amount of domains that I asked for would require (I think I said around 600 certificates)). And Blazingfast also offers a reverse proxy, but I don't think you can automate uploading certificates there. And I'm not sure how good they all are at blocking attacks, but those are some reverse proxy options besides Cloudflare that come to mind.

    I don't think that you can offer vanity domains as a free feature without big pockets, doing it in-house you will reach limits pretty quickly. It's fine for <500 domains or so, but above that amount you might run into issues, or at least have to do some work-arounds. And most reverse proxy services will not allow you to upload 500+ certificates to their edge, or at least not at a price that would be acceptable for a free service.

    -Tim

    Tim, thank you so much for this detailed information! Indeed very surprised with your experience regarding the certs on the haproxy! I would definitely have assumed haproxy would have handled much more than that before being overloaded. Bummer indeed that this may not be a project that I can render free to users but I'm definitely going to try and do some testing and hopefully provide some results on how this goes and whether there's a way to cross the 1200 cert limit! Thanks again for this detailed experience!

  • @risharde said:

    @Tim_kwakman said:
    Doing HTTPS for customer domains can be very hard, it does not scale well. There are all kinds of limits that you might hit; Let's Encrypt rate limits for getting the certificates for example. Or your webserver/load balancer. I have a HaProxy instance that is pointed to a folder with certificates (around 1200 certificates I think) and when that server receives an HTTP flood/application layer attack it uses a lot more CPU than a server that just has one certificate loaded (when under attack as well with the same amount of requests).

    Cloudflare for SaaS is a good choice, but you'll get locked in, and it's 2$ per hostname after the free 100 domains, so for a free service it is not doable.

    Cloudflare is (for what I've seen) not a silver bullet either for application layer attacks, they will block a huge chunk of the bad traffic, but a lot will also flow through (at least for the first few minutes, as it's very hard to detect "smaller" attacks at their scale - I've not checked if their paid-for plans are any different). Last week, around 6-12 thousand requests per second of an HTTP flood passed through Cloudflare, right to my origin servers - I see 200-500 requests/s getting through during attacks at Cloudflare multiple times a month, so your origin server(s) should be able to take at least something.

    I think that using a bunch of different providers works best, to prevent things like internal attacks that might bypass a specific provider for network based attacks.

    As for providers, Cloudflare, Path, and OVH should all be pretty good at blocking network level attacks without any issues.

    For providers that specifically protect against HTTP floods; Combahton offers application layer protection for HTTP, but you will have to upload certificates to their system using their API, and I'm not sure how many domains they allow. I've also seen Javapipe (I contacted them once about their "Unlimited domains" plan, and they quoted a much higher price than the page says due to how many resources the amount of domains that I asked for would require (I think I said around 600 certificates)). And Blazingfast also offers a reverse proxy, but I don't think you can automate uploading certificates there. And I'm not sure how good they all are at blocking attacks, but those are some reverse proxy options besides Cloudflare that come to mind.

    I don't think that you can offer vanity domains as a free feature without big pockets, doing it in-house you will reach limits pretty quickly. It's fine for <500 domains or so, but above that amount you might run into issues, or at least have to do some work-arounds. And most reverse proxy services will not allow you to upload 500+ certificates to their edge, or at least not at a price that would be acceptable for a free service.

    -Tim

    Tim, thank you so much for this detailed information! Indeed very surprised with your experience regarding the certs on the haproxy! I would definitely have assumed haproxy would have handled much more than that before being overloaded. Bummer indeed that this may not be a project that I can render free to users but I'm definitely going to try and do some testing and hopefully provide some results on how this goes and whether there's a way to cross the 1200 cert limit! Thanks again for this detailed experience!

    This is more a resources thing limited by the hardware, HaProxy has to figure out what the right certificate is to handle the request with, so it's a bit more expensive to do for the server. Especially during HTTP floods.

    I have around 1200 certificates loaded, you can go higher without any issues, but I assume that it will take more computing power. I included it to show that you cannot scale infinitely, it will take up more resources as you have more domains in there, and for a free service that might cause issues. I'm sure that HaProxy (the software itself) can handle a lot of traffic.

    -Tim

  • @risharde said:

    @3003 said:
    OVH's DDoS protection is -fine- for what you are paying for it, and stops a lot of kiddos. But for someone experienced in the field, it's just a paper wall. It is actually fairly simple to kill any OVH server, if you just know how to do it, and what patterns to use.

    But for normal use, OVH is perfectly fine. For critical things, it is not.

    Thanks, yes agreed. Are you referring to application attacks to kill a server or something lower down the stack? I definitely understand if you're referring to app attacks but if it's something else and you can be slightly more specific without giving away your secrets, that would be great!

    Not sure what his trade secrets are, but the easiest way to bring down an OVH server, ironically, is to use another OVH server. They don't filter internal traffic. It's nice to think about how to mitigate DDoS but will your service really attract DDoS this early into development?

  • risharde Patron Provider, Veteran

    @Tim_kwakman said:

    @risharde said:

    @Tim_kwakman said:
    Doing HTTPS for customer domains can be very hard, it does not scale well. There are all kinds of limits that you might hit; Let's Encrypt rate limits for getting the certificates for example. Or your webserver/load balancer. I have a HaProxy instance that is pointed to a folder with certificates (around 1200 certificates I think) and when that server receives an HTTP flood/application layer attack it uses a lot more CPU than a server that just has one certificate loaded (when under attack as well with the same amount of requests).

    Cloudflare for SaaS is a good choice, but you'll get locked in, and it's 2$ per hostname after the free 100 domains, so for a free service it is not doable.

    Cloudflare is (for what I've seen) not a silver bullet either for application layer attacks, they will block a huge chunk of the bad traffic, but a lot will also flow through (at least for the first few minutes, as it's very hard to detect "smaller" attacks at their scale - I've not checked if their paid-for plans are any different). Last week, around 6-12 thousand requests per second of an HTTP flood passed through Cloudflare, right to my origin servers - I see 200-500 requests/s getting through during attacks at Cloudflare multiple times a month, so your origin server(s) should be able to take at least something.

    I think that using a bunch of different providers works best, to prevent things like internal attacks that might bypass a specific provider for network based attacks.

    As for providers, Cloudflare, Path, and OVH should all be pretty good at blocking network level attacks without any issues.

    For providers that specifically protect against HTTP floods; Combahton offers application layer protection for HTTP, but you will have to upload certificates to their system using their API, and I'm not sure how many domains they allow. I've also seen Javapipe (I contacted them once about their "Unlimited domains" plan, and they quoted a much higher price than the page says due to how many resources the amount of domains that I asked for would require (I think I said around 600 certificates)). And Blazingfast also offers a reverse proxy, but I don't think you can automate uploading certificates there. And I'm not sure how good they all are at blocking attacks, but those are some reverse proxy options besides Cloudflare that come to mind.

    I don't think that you can offer vanity domains as a free feature without big pockets, doing it in-house you will reach limits pretty quickly. It's fine for <500 domains or so, but above that amount you might run into issues, or at least have to do some work-arounds. And most reverse proxy services will not allow you to upload 500+ certificates to their edge, or at least not at a price that would be acceptable for a free service.

    -Tim

    Tim, thank you so much for this detailed information! Indeed very surprised with your experience regarding the certs on the haproxy! I would definitely have assumed haproxy would have handled much more than that before being overloaded. Bummer indeed that this may not be a project that I can render free to users but I'm definitely going to try and do some testing and hopefully provide some results on how this goes and whether there's a way to cross the 1200 cert limit! Thanks again for this detailed experience!

    This is more a resources thing limited by the hardware, HaProxy has to figure out what the right certificate is to handle the request with, so it's a bit more expensive to do for the server. Especially during HTTP floods.

    I have around 1200 certificates loaded, you can go higher without any issues, but I assume that it will take more computing power. I included it to show that you cannot scale infinitely, it will take up more resources as you have more domains in there, and for a free service that might cause issues. I'm sure that HaProxy (the software itself) can handle a lot of traffic.

    -Tim

    Thanks Tim, that indeed makes sense, appreciate it!

    @NoComment said:

    @risharde said:

    @3003 said:
    OVH's DDoS protection is -fine- for what you are paying for it, and stops a lot of kiddos. But for someone experienced in the field, it's just a paper wall. It is actually fairly simple to kill any OVH server, if you just know how to do it, and what patterns to use.

    But for normal use, OVH is perfectly fine. For critical things, it is not.

    Thanks, yes agreed. Are you referring to application attacks to kill a server or something lower down the stack? I definitely understand if you're referring to app attacks but if it's something else and you can be slightly more specific without giving away your secrets, that would be great!

    Not sure what his trade secrets are, but the easiest way to bring down an OVH server, ironically, is to use another OVH server. They don't filter internal traffic. It's nice to think about how to mitigate DDoS but will your service really attract DDoS this early into development?

    Thanks for confirming this! Indeed you are correct that at this point, I don't expect it to attract DDoS BUT moons ago when I was working on a free uptime service, the day I launched on LET was the day it went down due to DDoS. I naively thought because it was free (at least to begin with) that no one would want to DDoS it but I was clearly stupid about uptime back then. While in dev, I want to try to mitigate bad practice (if I can beforehand) so that in the event of attack, I can try my best to keep things up if that makes sense.

    Will this be a possible DDoS magnet - eventually yes I suspect and that's why I'm thinking about these things beforehand if I can.

  • @doghouch said:
    OVH DDoS protection is fine for the price — however — (not sure if this is still the case) keep in mind that if someone decides to attack you within the same OVH DC, the DDoS protection will not kick in.

    I heard that this has already been fixed in OVH, but the problem still exists in Path.net.

    Thanked by: risharde
  • risharde Patron Provider, Veteran

    @Hotmarer said:

    @doghouch said:
    OVH DDoS protection is fine for the price — however — (not sure if this is still the case) keep in mind that if someone decides to attack you within the same OVH DC, the DDoS protection will not kick in.

    I heard that this has already been fixed in OVH, but the problem still exists in Path.net.

    Sounds like good news, thanks for confirming this!

  • @Hotmarer said: I heard that this has already been fixed in OVH, but the problem still exists in Path.net.

    No, it has not been fixed AFAIK, but OVHcloud's infrastructure is a bit better laid out, compared to the "legacy" infrastructure (KS, SYS, etc); they have started to fix the IPv6 implementation for the newer infrastructure, too.

    Thanked by: risharde
  • 3003 Member

    @risharde said:

    @3003 said:
    OVH's DDoS protection is -fine- for what you are paying for it, and stops a lot of kiddos. But for someone experienced in the field, it's just a paper wall. It is actually fairly simple to kill any OVH server, if you just know how to do it, and what patterns to use.

    But for normal use, OVH is perfectly fine. For critical things, it is not.

    Thanks, yes agreed. Are you referring to application attacks to kill a server or something lower down the stack? I definitely understand if you're referring to app attacks but if it's something else and you can be slightly more specific without giving away your secrets, that would be great!

    Not going to make any guide on how to do it, but random traffic, on random ports, from random IPs gives you an idea. Multiple $5 stressers out there can actually down a game server running on OVH Game without issues.

    Thanked by: risharde, bulbasaur
  • risharde Patron Provider, Veteran

    @3003 said:

    @risharde said:

    @3003 said:
    OVH's DDoS protection is -fine- for what you are paying for it, and stops a lot of kiddos. But for someone experienced in the field, it's just a paper wall. It is actually fairly simple to kill any OVH server, if you just know how to do it, and what patterns to use.

    But for normal use, OVH is perfectly fine. For critical things, it is not.

    Thanks, yes agreed. Are you referring to application attacks to kill a server or something lower down the stack? I definitely understand if you're referring to app attacks but if it's something else and you can be slightly more specific without giving away your secrets, that would be great!

    Not going to make any guide on how to do it, but random traffic, on random ports, from random IPs gives you an idea. Multiple $5 stressers out there can actually down a game server running on OVH Game without issues.

    Thanks for the little extra details, this will help a great deal, really appreciate this!
