Critique of DDoS Protection

re: @MarkTurner's remark in Any Cheap Dedicated w/ DDOS protection? the other day:

Protection or mitigation?

Most providers don't differentiate. I see companies advertise protection and the reality of it is they just null route you. If you want just null routing - 'DDOS Protection' then you already have it and it's included.

I'm interested in what people think constitutes 'DDoS protection' and how its instantiation translates into pricing.

For example, there are a number of providers who offer free protection. On the other hand, take a look at Liquid Web's 'DDoS Prevention Pricing Structure':

The pricing seems completely exorbitant. I guess I'm curious what it is that providers who charge that much are offering that 'lower end' hosts are not. Is it just a ridiculous markup or are they 'actually' offering a service that is substantially better?


Comments

  • UrDN Member
    edited March 2015

    It's just a marketing term. DDoS is generic, there are so many ways to launch a distributed denial of service attack.

    They can pretend to protect you, but what they'll do is mitigate the flood when it's happening. You can be sure that a company which pretends to have such protection is just going to cause massive performance degradation by activating generic filters.

    So don't put too much trust in a company that says it has a "machine" that will handle that. Most of the time it's a horrible firewall running ultra-proprietary software made by a company that makes its business entirely on that and which therefore is not willing to help fix broken things on the Internet.

  • Huawei makes excellent DDOS filtering routers / firewalls. We've been testing in Amsterdam.

    They are not cheap and they are complex to 'get right' but when properly tuned for the servers they are protecting, they work....

  • rds100 Member
    edited March 2015

    @HostNun I wonder when they write "2 GB per second" do they really mean 2 gigabytes per second (16 Gbps), or is it just 2 Gbps, i.e. 8 times lower. It's a pity when such a large provider doesn't know how to properly use numbers.

  • You would have a case to argue if it was 2Gbps based on that list :) (since it says 16Gbps / 2GB/sec)

  • Zshen Member

    Data scrubbing isn't cheap. Arbor's TMS is a great example. If Liquid Web uses something similar, I can understand the pricing.

  • To try and answer your question, HostNun, free DDoS protection usually just includes a null route process that consequently blocks your IP to prevent further DDoS. It doesn't prevent or filter DDoS, nor can it be considered a decent solution. Null routing an IP shuts down everything operational on it. It is more annoying than it is helpful, because DDoS attacks will just continue after you have unblocked your IP again. Sometimes, WHP offer free DDoS protection as a filter that is placed before the IP. It measures what your normal traffic is on average and thereby predicts potential DDoS traffic. In case of a DDoS attack, it lets through only that which is normal. It gets more advanced than that, but this is the general idea.

    Filtered DDoS protection is free only because there are severe restrictions on either the duration of the protection or the quantity (Gbps). For example, you might get an hour or two hours a day of protection if needed. As you require more, the price goes up significantly, as you have pointed out.

    Why is it so expensive? Well, for one thing, the hardware necessary for setting up DDoS protection in a datacenter can cost you around 500k, if not more.
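
The two behaviours described in this post (null routing an IP versus a filter that learns normal traffic and admits only that much) can be compared side by side. The following is an added example, not AbeloHost's or any provider's code: it simulates per-second packet counts towards a single IP with constructed numbers, learns a baseline from a quiet window (mean plus three standard deviations, an assumption here), and applies both policies. The trigger at twice the baseline and the proportional dropping in the filter are illustrative choices, not a description of any vendor's product.

```python
"""Added example: baseline-based DDoS filtering versus null routing.

Per-second traffic samples are constructed, not measured. Both policy
functions are illustrative models, not any provider's implementation.
"""
from statistics import mean, pstdev

# Constructed traffic: (legit_pps, attack_pps) per second.
QUIET = [(900, 0), (1100, 0), (1000, 0), (950, 0), (1050, 0), (1000, 0)]
ATTACK = [(1000, 0), (1000, 50000), (1000, 80000), (1000, 80000), (1000, 0), (1000, 0)]


def learn_baseline(quiet_samples, k=3.0):
    """Learn what 'normal' looks like from a quiet window.

    Returns (admit_limit, trigger): admit_limit is mean + k*stddev of the
    quiet totals; trigger (2 * admit_limit, an arbitrary choice) is the
    level at which a policy starts acting.
    """
    totals = [legit + attack for legit, attack in quiet_samples]
    admit = int(mean(totals) + k * pstdev(totals))
    return admit, 2 * admit


def null_route(samples, trigger):
    """Provider blackholes the IP once traffic exceeds trigger and keeps it
    nulled for the rest of the window: nothing, legit or not, is delivered."""
    delivered_legit = delivered_attack = 0
    nulled = False
    for legit, attack in samples:
        if not nulled and legit + attack > trigger:
            nulled = True
        if not nulled:
            delivered_legit += legit
            delivered_attack += attack
    return {"legit": delivered_legit, "attack": delivered_attack, "nulled": nulled}


def baseline_filter(samples, admit, trigger):
    """Once traffic exceeds trigger, admit only up to the learned baseline.

    The excess is dropped without telling legit from attack packets, so legit
    traffic is degraded in proportion to the flood rather than cut off.
    """
    delivered_legit = delivered_attack = 0
    for legit, attack in samples:
        total = legit + attack
        if total > trigger:
            share = admit / total  # fraction of this second's packets admitted
            delivered_legit += int(legit * share)
            delivered_attack += int(attack * share)
        else:
            delivered_legit += legit
            delivered_attack += attack
    return {"legit": delivered_legit, "attack": delivered_attack}


if __name__ == "__main__":
    admit, trigger = learn_baseline(QUIET)
    print("baseline admit=%d trigger=%d" % (admit, trigger))
    print("null route    :", null_route(ATTACK, trigger))
    print("baseline filter:", baseline_filter(ATTACK, admit, trigger))
```

With the constructed numbers the null route delivers only the first quiet second of legit traffic and then nothing, while the baseline filter keeps roughly the non-attack seconds intact and passes a trickle of everything during the flood. That trickle is also why the filter alone is not a complete answer: it rate-limits, it does not distinguish sources.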

  • It also depends on the Data Center you're in. Mine has full DDOS scrubbing for paying customers ("Arbor") and simple null route for non-paying customers. I also have 2 WatchGuard firewalls that do a good job blocking the small attacks up to 3Mbit.

    like this one lol.
    2015-03-27 05:42:26 ddos_attack_dest_dos popup DDOS against server 104.2.. detected. proc_id="firewall" time="Fri Mar 27 05:42:26 2015 (PDT)" msg_id="3000-0160" Alarm
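
A log line like the one above is only useful if something reads it. The following is an added example, not the poster's setup or WatchGuard's tooling: it parses lines of that shape (timestamp, event name, free text, `key="value"` pairs, severity) and flags destinations that alarm repeatedly inside a window. The sample lines are constructed to match the quoted format, with documentation-range IPs in place of the truncated address; the 15-minute window and count of three are assumptions.

```python
"""Added example: parse WatchGuard-style DDoS alarm lines and flag destinations
that alarm repeatedly. Sample lines are constructed; IPs are documentation
addresses (RFC 5737), not real hosts."""
import re
from datetime import datetime, timedelta

# Constructed sample lines in the same shape as the quoted WatchGuard entry.
SAMPLE_LOG = """\
2015-03-27 05:42:26 ddos_attack_dest_dos popup DDOS against server 203.0.113.10 detected. proc_id="firewall" time="Fri Mar 27 05:42:26 2015 (PDT)" msg_id="3000-0160" Alarm
2015-03-27 05:42:31 ddos_attack_dest_dos popup DDOS against server 203.0.113.10 detected. proc_id="firewall" time="Fri Mar 27 05:42:31 2015 (PDT)" msg_id="3000-0160" Alarm
2015-03-27 05:50:02 ddos_attack_dest_dos popup DDOS against server 203.0.113.22 detected. proc_id="firewall" time="Fri Mar 27 05:50:02 2015 (PDT)" msg_id="3000-0160" Alarm
2015-03-27 05:55:40 ddos_attack_dest_dos popup DDOS against server 203.0.113.10 detected. proc_id="firewall" time="Fri Mar 27 05:55:40 2015 (PDT)" msg_id="3000-0160" Alarm
"""

# timestamp, event name, "popup", free text, one or more key="value" pairs, severity
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<event>\S+) popup (?P<text>.*?) '
    r'(?P<kv>(?:\w+="[^"]*" ?)+)(?P<level>\S+)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')
DEST_RE = re.compile(r"against server (\S+) detected")


def parse_line(line):
    """Return a dict of structured fields, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "event": m.group("event"),
        "level": m.group("level"),
    }
    rec.update(KV_RE.findall(m.group("kv")))  # proc_id, time, msg_id ...
    dest = DEST_RE.search(m.group("text"))
    rec["dest"] = dest.group(1) if dest else None
    return rec


def parse_log(text):
    """Parse every line of a log blob, skipping lines that do not match."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def repeat_alarms(records, window=timedelta(minutes=15), min_count=3):
    """Destinations with at least min_count DDoS alarms inside one window.

    A destination that keeps alarming is one the firewall is reporting on,
    not necessarily absorbing; returns {dest: alarms_in_window}.
    """
    by_dest = {}
    for r in records:
        if r["event"] == "ddos_attack_dest_dos" and r["dest"]:
            by_dest.setdefault(r["dest"], []).append(r["ts"])
    flagged = {}
    for dest, times in by_dest.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= min_count:
                flagged[dest] = j - i
                break
    return flagged


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in records:
        print(r["ts"], r["dest"], r["msg_id"], r["level"])
    print("repeatedly alarmed:", repeat_alarms(records))
```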

  • joepie91 Member, Patron Provider

    AbeloHost said: Filtered DDoS protection is free only because there are severe restrictions on either the duration of the protection or the quantity (Gbps). For example, you might get an hour or two hours a day of protection if needed. As you require more, the price goes up significantly, as you have pointed out.

    That depends. OVH, for example, just has network-wide mitigation - they've slightly increased everybody's monthly fee to cover the expenses.

  • dediserve said: Huawei makes excellent DDOS filtering router / firewalls. We've been testing in amsterdam.

    I did a lot of testing of Huawei's filtering system; it's OK but definitely not carrier grade. Huawei's stuff most of the time is just poor rip-offs of other people's products. I wouldn't have it anywhere near my network.

    The only install I know of in Europe is Serverius in the Netherlands. I am sure for that market it's better than nothing, but not something to be relied upon.

    Zshen said: Arbor

    Arbor's products are fantastically reliable but also fantastically expensive. In my experience they are the Rolls Royce of DDOS detection and filtering.

    There are a few other players on the market, but it depends on what you are building

  • Blacklotus is another DDOS protection company, but I think Arbor is a much better solution for the money. Blacklotus plans start at $1000/month.

  • I always assumed that providers call null routing "protection" because it saves customers from bandwidth overages, which they'd technically otherwise be responsible for.

  • Null routing is not DDoS protection, it is DDoS self-protection, i.e. the provider protects itself (and its other customers) from the DDoS.

  • tomsfarm Member
    edited March 2015

    @Clancoms said:
    Blacklotus is another DDOS protection company, but I think Arbor is a much better solution for the money. Blacklotus plans start at $1000/month.

    Blacklotus are switching to Arbor soon.

  • MarkTurner said: Arbor's products are fantastically reliable but also fantastically expensive. In my experience they are the Rolls Royce of DDOS detection and filtering.

    Makes me wonder why OVH is so bad in terms of filtering, especially L7 attacks.

  • tr1cky said: Makes me wonder why OVH is so bad in terms of filtering, especially L7 attacks.

    Because they use a homegrown solution.

  • So what? Voxility also uses a homegrown solution and it's one of the best filtering systems on the market.

  • Zshen Member

    FWIW, Liquid Web uses Arbor (judging by the screenshots). In this instance, if they implemented their TMS that price is certainly justified.

  • Mad Member

    DDoS protection is useful to avoid such attacks, but sometimes the providers oversell it with their plans and they are not reliable at all.

  • bsdguy Member
    edited March 2015

    When thinking about protection one must necessarily ask "what from/against what?" and - often forgotten - "why?".

    Usually the two relevant interests are to keep a server or a service running (as opposed to failing due to non-reachability, "nervous" breakdown, overload, etc.) and to keep costs within bounds (due to immense traffic).

    Funnily there are diverse approaches to the former and basically none to the latter. The problem, from a provider's perspective, is that the "traffic-o-meter" is virtually always outside one's network (i.e. at the provider's provider). So, no matter what you put at your borders, the costs are already incurred and all you can do is at least keep your network working by filtering out evil shit.

    Unfortunately there isn't much any provider could do, other than having massive bandwidth anyway which happens to be how major players deal with it. If you have, say, 200Gb/s connectivity through 3 x 100Gb/s (fiber) capacity and typically have some 150 Gb/s normal traffic flow, a 50Gb/s attack is but a hiccup and even a 200Gb/s 3 hour attack won't drive your bill much, particularly as you hand the costs downstream.
    Unfortunately, most providers don't have and can't afford n x 100Gb/s uplinks right into a major IX switch.

    As for the rest, i.e. the keeping at least your network and/or servers and services running it basically comes down to smart and fast firewalling.
    Now, while some (in fact many, it seems) talk as if any and everything not open source was pure evil, unreliable and fumbled, in fact every DDOS protection system is proprietary by its very nature (although it may or may not use open source building blocks). One of the major roadblocks btw. is intel/AMD CPUs; they're simply not made for that. As soon as bandwidth crosses 10Gb/s or so, you will want capable hardware (which usually is very expensive). Trust me, it's a major difference between doing L7 filtering on a xeon system or in hardware (typically HW regex).

    The next problem is that there are thousands and thousands who can configure a Linux firewall but there are very few who really profoundly understand what they're doing and have the experience and knowledge to go beyond that. So, a hardware vendor will certainly want to get as close as possible to "switch it on and the box does its job", which a) will obviously bring along proprietary closed solutions and b) drive up the already high price even further.

    In the end I would advise concerned clients to ask and choose a provider with high backend bandwidth, preferably connected directly to a major IX, with a high quality team and very good - and fast - support. They do not need to have anti-DDOS hardware but they must know about the matter and they must be prepared to react quickly - for a price, of course. And trust me, paying $100 or $200 support fees to get a good solution quickly is about the cheapest solution of all and certainly cheaper than the average provider with some magic anti-DDOS box.

  • Clancoms Member
    edited March 2015

    @apollo15 said:
    So what? Voxility also uses homegrown solution and it's one of best filtering systems on the market.

    "You know not what you talk about, my young padawan"

  • bsdguy said: One of the major roadblocks btw. is intel/AMD CPUs; they're simply not made for that. As soon as bandwidth crosses 10Gb/s or so, you will want capable hardware (which usually is very expensive)

    Truth be told, they'll typically collapse far below 10Gb/s with typical DDOS PPS rates - interrupts kill!

  • raindog308 Administrator, Veteran

    bsdguy said: Unfortunately there isn't much any provider could do, other than having massive bandwidth anyway which happens to be how major players deal with it.

    I thought this was more or less the OVH strategy - some light mitigation to catch low hanging fruit, but the main "mitigation" is just huge bandwidth capability.

    Clancoms said: "You Know not what you talk about my young padawan"

    Explain? Are you saying Voxility is not using homegrown or Voxility is not "one of the best filtering systems on the market"?

    On another note...I'll point out again how strange it is that I can buy cheap DDOS on the lowend but not in the premium KnownHost/Linode/WiredTree/6sync/etc. space

  • @Microlinux

    You are right for the most part. I worded it generously though, because there are x86 CPUs which at least were designed with that kind of job in mind and because (reasonably designed x86-based) firewalls use adequate network adapters.

    raindog308 said: I thought this was more or less the OVH strategy - some light mitigation to catch low hanging fruit, but the main "mitigation" is just huge bandwidth capability.

    Possibly. I don't know details about OVH's approach. But again, massive bandwidth (and proximity to a major IX) is a decisive precondition and tool. Having just, say, 2 x 10 Gb in the backend (and possibly 1 or more hops away from the backbone) you'll end up raped by any attack approaching 10 Gb (or even less) no matter what funny high-tech anti-DDOS equipment you employ.

    As for the low hanging fruit, well, pretty much everything L2-L4 is low hanging fruit. It gets ugly at L7 and really, really ugly in network flow patterns. That's where you definitely want hardware that can deal with n x 10 Gb/s (let alone 40 or 100 Gb) flows (think of some kind of super-snort for a start...).

    Now, for the sake of fairness, virtually all DDOS attacks actually are quite simple. So fat pipes plus high-capacity firewalls actually are pretty much all a large provider needs to deal with even quite large attacks.

    However, turning this around and looking at it from the other side, it also means that virtually all not-seriously-major players talking about Blah-XTRON-2000 DDOS protector boxes are either grossly snakeoiling you or they are plain stupid believing their own horseshit or they merely resell what they get (at cheap prices I might add) from upstream (who have the necessary size to play the fat pipe approach). The latter being actually OK, particularly when they honestly tell it.

  • SplitIce Member, Host Rep
    edited March 2015

    Liquid Web and other providers are selling the real cost of DDoS protection (plus a good chunk of markup) to serious customers. It's safe to assume they are covered even if the attack lasts the entire month at 100% capacity.

    For $1 - $3 / IP you are getting the same product. This is the product that your web host / VPS provider / server provider is providing via assumptions (likely via overselling). These assumptions include that you will not use the entirety of the capacity for a prolonged time, and that there will be enough protection to go around (or else someone might get nulled a little early). In many ways this is like insurance.

    The degree of overselling likely depends on the provider, for people using a Staminus tunnel (or similar) are receiving a 20Gbps protected tunnel. This can be used to protect 1 site, or it can be used to protect 1,000,000. The difference? Primarily this impacts the frequency of issues (99.9% of attacks may be mitigated successfully - but if you are getting thousands of attacks that's still tens of issues)

    Voxility's native protection (not to be confused with our Voxility RO protection, where we do not use Voxility for anything other than UDP Amp & ICMP due to quality issues) is pretty reasonable for bulk protection. It has a few rough corners here and there (more so than Staminus in my opinion). It suffers a bit from false positives and the like (already found a few cases at BuyVM), unfortunately; however in Sensor mode this may be acceptable. But - there is no one else willing to gamble on offering such huge amounts of bandwidth/protection to individual clients (quite the gamble) for those prices.

    Really it's a bit of a gamble. What are you willing to spend (per month) - for 20Gbps or thereabouts:

    $0 / Included: It's free, can't complain if it doesn't work. Some cost likely recouped from excesses within network or hardware costs.

    $3 - 10: Hey, it's lowend, set your expectations thus. A lot of people grouped together to cover a $2,000 - $4,000 mitigation service. No incident handling normally - it works, or it doesn't.

    $15 - 500 (pricing determined by location & frequency of expected attacks / risk): Should be fairly trouble free; this is getting close to the real cost if a) there are enough people to justify all expenditures and b) everyone along the chain is happy.

    $500 - 2,000: The real price of "guarantees", should have no issues with being under attack all month

    $2,000 - 10,000: SLAs, Premium Bandwidth, Phone support, Proactive monitoring, Engineers ready to ACL etc

  • Francisco Top Host, Host Rep, Veteran
    edited March 2015

    SplitIce said: Suffers a bit from false positives and the likes (already found a few cases at BuyVM) unfortunately, however in Sensor mode this may be acceptable. But - there is no one else willing to gamble on offering such huge amounts of bandwidth/protection to individual clients (quite the gamble) for those prices.

    That's the problem with a lot of the providers offering protection right now - very few of them know how to handle day-to-day leaks, never mind L7 filtering or more complex things like that.

    When we originally started offering filtering we were with a provider that had minimal in the way of TCP filtering, so we had to build that all ourselves. I was spending a few hours a night going over new PCAPs and such looking for patterns/etc. I could catch.

    There's at least one voxility reseller that had a customer leak and they ended up terminating the client instead of addressing it or knowing what to do. It smacked their node and they had no recourse.

    I know there's multiple providers now trying to get out of their Staminus contracts or things like that but really, they should stay with someone that's willing to hold their hand at every single point. While Voxility's support has been fine, they'll never touch Staminus when it comes to help/tuning/etc at all hours of the day. Those guys know their stuff and I'm just so damn proud of what Matt's been able to accomplish since his early days on the eye arrrr seas.

    Francisco

  • SplitIce Member, Host Rep

    MarkTurner said: Arbor's products are fantastically reliable but also fantastically expensive. In my experience they are the Rolls Royce of DDOS detection and filtering.

    Agreed. Rioreys are pretty nice too. Although best coupled with a different system (e.g ACLs + Synproxy & bulk filtering) for additional filtering as the cost per Gbps is astronomical.

  • Maounique Host Rep, Veteran

    The fundamental problem is that the attack is cheaper than the defense and will continue to be so for a long time. Residential lines are cheap and pack a lot of power, even asynchronous, not to mention big servers out there running forgotten in a datacenter by some company admin. Those can have 10 Gbps ports and as long as the company pays for overages, the DC has no interest in pulling the plug.
    This is like the war on drugs, nobody really wishes for a victory, in the end, the little guy pays the price both ways.

  • yhuza Member

    Arbor is bad mitigation :) can't mitigate small packet spoofing and weak for L7 :)

    arbor good for huge attack only

    example for ntp, dns,ssdp mean for single source port attack :)

    Huawei and Riorey are good :)

  • DDoS is really easy to set up. There's an alarming number of providers whose policy is "if you're DDoSed, we will terminate your account".

    I hope they understand that a targeted attack on them can get rid of all their customers.

    DDoS can be unprovoked. "Just because we can do that".

  • @Maounique said:
    The fundamental problem is that the attack is cheaper than the defense ... residential lines are cheap and pack a lot of power... not to mention big servers out there ...

    Well, yes and no. Yes because the attack is cheap while the defense is not.
    And no because bandwidth is virtually never the relevant element in DDOS attacks. Packet numbers and source spread is, i.e. many many packets from many many sources.
    That's not just relevant because more source packets mean more to filter but, way worse, it also means (at least often) more diverse patterns overloading most firewalls. Btw. what I'm talking about is one of the 'D's in "DDOS".

    And it adds more trouble in that one can hardly reasonably ask some ISP to block hundreds or even tens of thousands of its customers (home subscribers).

    This is like the war on drugs, nobody really wishes for a victory, in the end, the little guy pays the price both ways.

    I'm not so sure about that. You are certainly right as far as carriers and the backend (and anti-DDOS snakeoil boxes sellers) are concerned. They either lose no money or even earn money with it.
    But this goes deeper. Just think "critical infrastructure" or state players.

    Finally, the little guy may end up being his own victim in that sooner or later (just wait for some serious case, say, crippling major infrastructure) DDOS will end up being one of the major and maybe even the final cornerstone of a new "we need more control and surveillance" attack from some state(s).

    In the end states have come - or will come - to understand that DDOS is some kind of a powerful weapon, and guess whose monopoly big weapons are supposed to be? As it so happens those very players, states, are also the ones holding the most dangerous weapon of all - a pen in a politician's hand.

    Finding technical (rather than political/legislative) ways to stop DDOS attacks seems way more attractive to me. What we need is real solutions rather than assholes who just monetize the problem by selling snakeoil.
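
The point made a few paragraphs up, that packet counts and source spread rather than bandwidth are what overload a filter, can be shown with a small model. The following is an added example and not bsdguy's or any vendor's code: it builds two constructed attacks of equal total rate, one from a single host and one spread over ten thousand hosts, and runs both through a per-source rate limit (the kind of rule a firewall operator reaches for first) and through a plain aggregate cap. The thresholds, the source counts and the "baseline distinct sources" figure are assumptions chosen to make the contrast visible.

```python
"""Added example: why per-source rate limits fail against spread sources.

Flows and thresholds below are constructed for illustration; they are not
measurements from any network or the behaviour of any product.
"""
from collections import Counter


def make_flows(n_sources, pps_each, base=0x0A000000):
    """Constructed flow list: (src_ip_as_int, pps) for n_sources fake sources."""
    return [(base + i, pps_each) for i in range(n_sources)]


# Same total rate (50 kpps) either way; only the source spread differs.
SINGLE_SOURCE = make_flows(1, 50_000)   # one host sending 50 kpps
SPREAD = make_flows(10_000, 5)          # 10k hosts sending 5 pps each


def per_source_limit(flows, limit_pps=100):
    """Drop any source above limit_pps, admit the rest.

    Returns (admitted_pps, state_entries): state_entries is the size of the
    per-source table the filter had to keep, i.e. its memory cost.
    """
    table = Counter()
    for src, pps in flows:
        table[src] += pps
    admitted = sum(p for p in table.values() if p <= limit_pps)
    return admitted, len(table)


def aggregate_limit(flows, admit_pps=2_000):
    """Cap the total rate towards the destination regardless of source.

    Needs no per-source state, but like the baseline filter earlier in the
    thread it cannot tell legit packets from attack packets.
    """
    total = sum(p for _, p in flows)
    return min(total, admit_pps)


def source_spread_ratio(flows, baseline_sources):
    """Distinct sources seen divided by the usual number of distinct sources.

    A jump in this ratio with little change in bandwidth is the kind of
    signal that separates a spread attack from a busy day.
    """
    distinct = len({src for src, _ in flows})
    return distinct / baseline_sources


if __name__ == "__main__":
    for name, flows in (("single source", SINGLE_SOURCE), ("spread", SPREAD)):
        admitted, entries = per_source_limit(flows)
        print("%-14s per-source limit admits %6d pps using %5d table entries"
              % (name, admitted, entries))
        print("%-14s aggregate cap admits %6d pps, spread ratio %.1f"
              % (name, aggregate_limit(flows), source_spread_ratio(flows, 200)))
```

The single 50 kpps host is blocked outright by the per-source rule, while the spread attack of the same size sails through it untouched and costs the filter ten thousand table entries to reach that non-result. The aggregate cap catches both but only by rate-limiting everything, which is the trade-off the rest of the thread is arguing about.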
