New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
Prometeus also takes attacks very seriously. Nullroutes are applied for long periods (sometimes 24 hours) and at repeated attacks the customer has to go, after the first if was found to be running one of the DDoS magnet services that are forbidden in general/for his plan.
We do not offer DDoS protected services and that is made clear from the first attack.
Even if the network can easily take 7 gbps and 3-4 mil packets, the individual ports on the nodes are 1 gbps and can't take much more than 300k pps, so one customer cannot be allowed to create service disruption for many others.
Outgoing attack means instant and permanent removal.
But why not nullroute him for 15 minutes each time instead of making them stay offline for 24 hours? Sometimes we'll raise the nullroute to 30 minutes or maybe 1 hour if we're tired of seeing the e-mails but I still think 24 hours is unreasonable. Then an attacker will know that they only need to do a minimal attack for a few seconds and take them offline for a whole day. It's essentially forcing the client to leave your service.
@KuJoe
1. DoS happens
2. DoS is detected
3. Nullroute is initiated
4. RTBH is pushed to the upstream(s)
5. The RTBH is picked up by the upstreams and applied
6. The DoS traffic stops hitting your upstream links
With big enough attacks your upstream pipes (or the node's interface for that matter) are filled up by the DoS and you have packet loss between steps 1 and 6
Now how your innocent customers feel if they have packet loss for some minutes every hour?
Sometimes it is better to directly or indirectly make a troublesome customer leave you, thank to degrade the service of your other, troublefree customers.
@rds100 I guess you're right. A couple dropped packets an hour might cause some issues for some clients (although 99% wouldn't notice). But still, I don't see why 24 hours is satisfactory.
@Kujoe it depends what kind of customers you have. If they are just storing their backups on the VPS or their personal blog which nobody visits - they probably wouldn't even know there was some packet loss.
However if they are hosting their company PBX with you - packet loss even for a short time can be a big problem for them.
Because if the attack is persistent, this will cause network blips every hour, potentially causing issues for other users.
I guess I'm just thick-headed because I still don't get the logic behind it (unless of course it is to get the client to move then I do get it).
It must be a sufficiently strong warning so they know that they have to either stop the DDoS magnet service, or prepare to pack shop and leave.
If you offer DDoS protection, then fine, but you wont need to blackhole the IP most of the time, and if you dont offer, you dont want the other customers suffer.
What are you running?
@KuJoe - that's exactly it. 99% of the time a client being attacked is because of their own stupidity. It's best to start with a 24 hour null, and then slow walk them until they get the idea and move on. (Or if it continues cancel them.)
@unused Well if the sole purpose of a 24 hour nullroute is to get the client to leave then that makes total sense.
It might serve as a very serious warning too. Perhaps they can move the offending service, here it happens often and there is no need for a second and permanent nulling.