DDoS Protection
HalfEatenPie
Veteran
So what can you do to protect yourself from DDoS? Also what do providers usually do if you get DDoSed (like bandwidth wise and whatnot. Will you have to foot the bill and everything?)
I was reading about it and I just wanted to get a general consensus of what other people do.
Comments
We have an autonull for all attacks on unfiltered IP addresses. The nullroute happens at the backbones so no one, even egihosting, foots the bill on it.
For filtering we have a router with awknet that we route traffic through for $3.00/m/ip. It's not a perfect setup but we're working to continue to improve it
Francisco
Do you guys foot the bill for the router with awknet or does your customers have to request/pay for it?
We pay for the router over there since we need it to help protect our billing panel. We needed the filtering anyways since every time we'd do a large sale we'd get pounded for hours on end. We simply found a way to turn it into a profitable venture
Francisco
So basically you guys need it regardless due to high volumes of traffic for orders. Gotcha.
What are the most common forms of DDoS protection? I know nullrouting is one way but is there any other way?
Those DDOS attacks are sometimes called "stock release".
I'll admit, I did have my fair share of f5 for BuyVM.
Jokes aside we had ~700Mbit UDP spikes and 100Mbit+/sec SYN floods for quite a bit of time
Francisco
Kindness goes a long way, those who ddos are probably an emotional bunch.
@Francisco
How is the traffic routed between Awknet and EGI? Internet or do you have private transport between them?
That's for me to know
Francisco
We have a deal with Verisign pending, we'll see.
The German DC (myLoc) I use auto-null routes incoming IPs that are under attack. I can also view traffic for my IPs per IP and null route them too.
DataShack you have to email them, although they usually do it fairly quick.
Arbor Networks scrubber at the core of the network usually does the trick!
Man, the latency would suck.
Nullrouting is only "DDoS protection" in the sense that it protects your server/network from taking the hit - it will be unavailable for everyone. If you want to keep your stuff running even under a DDoS, you're probably looking for 'DDoS mitigation'. DDoS mitigation can have several forms - you have software mitigation (not very effective) like DoS Deflate (which bans IPs that have too many connections, every minute or so), and hardware mitigation, which is far more effective and typically a separate hardware appliance (FortiDDoS, Cisco Guard, ...) that filters out the DDoS traffic and rejects it, while letting through the genuine traffic. What BuyVM is using would, as far as I am aware, be hardware mitigation at Awknet, after which traffic is somehow forwarded to the original server(s) at CoreSite.
EDIT: Obligatory disclaimer: 100% reliable DDoS protection does not exist. If your pipe is full, then your pipe is full. There are certain companies (most notably Prolexic) that can handle ridiculously large DDoS attacks, but even they will hit a limit at some point. If the DDoS is big enough, you're screwed.
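To make the "software mitigation" joepie91 mentions concrete, here is an added example (not from the thread and not DoS Deflate's own code) of the same idea: count connections per remote IP from `ss`-style output and flag the ones over a threshold, skipping a whitelist. The sample output and all addresses are constructed, and the rules are only rendered as strings so an operator can review them before applying anything.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed whitelist: never flag our own ranges or loopback.
WHITELIST = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]

def build_sample():
    """Constructed `ss -ntu` style output: one flood source plus normal traffic."""
    rows = ["Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    # 40 half-open connections from a single (constructed) address
    rows += ["tcp SYN-RECV 0 0 10.0.0.5:80 203.0.113.7:%d" % (40000 + i) for i in range(40)]
    # a few ordinary clients
    rows += ["tcp ESTAB 0 0 10.0.0.5:80 198.51.100.20:%d" % (50000 + i) for i in range(3)]
    rows += ["tcp ESTAB 0 0 [2001:db8::5]:443 [2001:db8::99]:%d" % (1000 + i) for i in range(5)]
    # a whitelisted internal host with many connections (must not be flagged)
    rows += ["tcp ESTAB 0 0 10.0.0.5:22 10.0.0.9:%d" % (60000 + i) for i in range(50)]
    return "\n".join(rows)

def peer_ip(field):
    """Strip the port from an ss peer column; handles both v4:port and [v6]:port."""
    host, _, _ = field.rpartition(":")
    return host.strip("[]")

def count_connections(ss_output):
    """Map remote IP -> number of connections, ignoring the header and malformed rows."""
    counts = Counter()
    for line in ss_output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        ip = peer_ip(parts[5])
        try:
            ip_address(ip)
        except ValueError:
            continue
        counts[ip] += 1
    return counts

def offenders(ss_output, threshold=150):
    """Return [(ip, count)] at or above threshold, most connections first, skipping the whitelist."""
    hits = []
    for ip, n in count_connections(ss_output).items():
        addr = ip_address(ip)
        if n >= threshold and not any(addr in net for net in WHITELIST):
            hits.append((ip, n))
    return sorted(hits, key=lambda t: -t[1])

def iptables_rules(ips):
    """Render DROP rules for review; nothing here executes them."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in ips]
```

Because it only sees connection state, this catches connection floods and nothing else: spoofed UDP floods like the ones described in this thread never show up in `ss`, which is exactly why the post rates software mitigation as not very effective.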
Yahoo, Paypal, VISA all had their share so you can see that even very fat pipes get filled at times.
Mitigation does work under the condition that it is happening far enough upstream, where the pipe is fatter than the packets, at provider or even backbone level; however, with very high traffic it introduces too much latency if the packets get inspected somehow, so it is generally a case-by-case solution that works.
There are also app level attacks that consist of automated requests sent to your server which will break the RAM, IO, CPU much faster than breaking the connectivity. Script kiddies prefer UDP flood with rented botnets as it involves 0 coding, all is done by the botnet operator for a fee. It also has a higher rate of success in case they rent a big enough botnet or the ISP null-routes the IP at fairly small attacks. In that way, a small attack at regular intervals keeps the target down for days while discussions take place between ISP and operator.
App level attacks can often be defeated by an Imperva web application firewall (WAF); having an Arbor and an Imperva at your network core that you can pull out when necessary should stop most minor attacks, if your core network is fast enough. (An Arbor can scrub 30Gbps of bad traffic)
@joepie91
Unless you're Google and have plenty of servers to split the traffic across :P
Yeah, at one point the target gets so big (e.g. Google, Microsoft etc) that you'd rather DDoS the internet (backbone) than the actual target
Yeah, until some kid finds a vulnerability in Plesk, owns thousands of servers across the world, and decides it's fun to take down some core Google routers
@Francisco Oldest profession in the world?
Love it XD
I suppose in the carts there are 16 GB SD cards ?
...you do know that Pony == me, right? :P
The 16GBs were a bit pricey. We decided to go with a slightly older, but highly efficient model:
Erf, who would buy 32 mb ones
Store some 8 pictures ?
We have some 700c HHCs in use that were originally outfitted with the 32mb cards. I've had all of them on the 128MBs (a software limitation =) for about a year now, though.
This discussion will now devolve as follows: 1.44Mb floppies, 1.2Mb floppies, 360K floppies, 180K floppies, carrier pigeons RFC.
There is a long story with that. Sad and too personal, but has nothing to do with Mao :P
I have had this nick for more than 10 years and in the beginning Google searches only found my stuff, but now I had the surprise to find many maouniques
Actually there were 16 K and even 8 K cartridges for Zilog Z80 powered machines, I bet there were even smaller ones down to the punched cards...
No one has yet filled our 10gbps pipe on our side, filtering out the UDPs; however we have to divide the traffic to multiple backend servers with specific configuration to be able to handle the larger PPS, as otherwise they would directly crash our webservers.
Honestly, so far I have never seen an attack over 1.5gbps UDP and ~80-90mbps SYN.
It is only a matter of time IMO. Botnets are getting ridiculously cheap these days. It will happen.
Ask UPC Austria, a customer of ours took down half of Graz (and parts of Styria, Carinthia and Vienna) with an almost 3 digit UDP DDoS - So it CAN happen.