Hetzner introducing DDoS mitigation for all customers and services
As posted here in the Hetzner forums (German, registration required):
https://forum.hetzner.de/thread/23562-ddos-mitigation/?postID=239250#post239250
Hello everyone,
Over the last few months we have tested various systems for mitigating DDoS attacks and have now implemented one. It essentially consists of 3 layers that allow us to separate attack traffic from valid traffic.
1. Automatic detection of attack patterns. In addition to the existing detection based on traffic volume and packet count, we are now able to pin down the actual attack more precisely, so we can respond specifically to the attack type in use. A UDP flood at 500k pps is no problem for servers; 500k SYN packets, however, can be a problem. Exactly this distinction is now possible.
2. Filtering traffic by known attack patterns. At this layer the commonly used attacks are filtered, which lets us filter out attacks very efficiently. This applies in particular to frequently occurring attacks such as DNS reflection or UDP floods on port 80.
3. Challenge-response authentication and dynamic traffic filtering. Here attacks such as SYN floods, DNS floods and invalid packets are filtered. We can also react very flexibly to individual attacks at this stage.
Overall, we of course need to define default values that work for all customers, so our current filters are configured very conservatively. We do, however, look at every attack and try to improve our filters and responses. If anyone becomes the target of an attack that we do not detect or that we filter insufficiently, please get in touch. We will investigate and see how we can respond to that attack. I hope that in future no more servers will have to be blocked because of incoming attacks.
Gruss (Regards), Martin --- Martin Fritzsche, Network Support
Would love to read more about the details. Hopefully, there will be a more elaborate (and English) announcement on their site soon...
Comments
Gruss is now my new favorite word.
That's gruss!
34EUR, 2x3TB, 8.3k CPU Bench, 16gig, 20TB + AntiDDOS
Deal?
I wonder if that applies to the auction servers too.
Yes, it's network-wide.
500k pps seems low. Still something.
They are not talking about actual limits. Those 500k pps are just used for an illustration.
500 pps means 5 Gbps? Or 50 Gbps?
pps = packets per second
It's a different measure.
You cannot equate 500 pps with 50 Gbps.
You could attack a target with, let's say, 50k pps of small packets and still flood the service, or go with 5k pps of bigger packets.
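Worked example added by the editor, not code from Hetzner or from any poster in this thread: a small per-class packet-rate summary and pattern classifier over a constructed one-second sample. It illustrates the two points the thread circles around, namely that the same pps figure implies very different bandwidth depending on packet size (500k pps is about 240 Mbps at 60-byte SYNs but 6 Gbps at 1500-byte packets), and that looking at packet attributes (bare SYNs, unsolicited answers from UDP/53, UDP aimed at TCP port 80) says more than raw volume. The line format, the thresholds and the addresses are assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumed, loosely tcpdump-like line format for this example (not a real tool's output):
# "<proto> <src>:<sport> > <dst>:<dport> flags=<F> len=<bytes>"
LINE = re.compile(
    r"^(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags=(?P<flags>\S+) len=(?P<len>\d+)$"
)


def pps_to_mbps(pps, pkt_bytes):
    """Bandwidth implied by a packet rate at a fixed packet size (bytes on the wire)."""
    return pps * pkt_bytes * 8 / 1e6


def bucket(rec):
    """Map one parsed packet to the traffic class it is counted under."""
    if rec["proto"] == "tcp":
        if rec["flags"] == "S":       # bare SYN: a new connection attempt, costs a half-open slot
            return "tcp_syn"
        return "tcp_other"
    if rec["sport"] == 53:            # UDP answers from port 53 the target never asked for
        return "udp_from_dns"
    if rec["dport"] == 80:            # UDP at a TCP-only web port is never legitimate
        return "udp_to_80"
    return "udp_other"


def summarize(lines, window_s):
    """Per-class packet count, byte count, pps and Mbps over a window of window_s seconds."""
    stats = defaultdict(lambda: {"pkts": 0, "bytes": 0})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                  # unparseable line: dropped, not guessed at
        rec = m.groupdict()
        for key in ("sport", "dport", "len"):
            rec[key] = int(rec[key])
        b = bucket(rec)
        stats[b]["pkts"] += 1
        stats[b]["bytes"] += rec["len"]
    return {
        k: {**v, "pps": v["pkts"] / window_s, "mbps": v["bytes"] * 8 / window_s / 1e6}
        for k, v in stats.items()
    }


def classify(summary, syn_pps=500, dns_mbps=2.0, udp80_pps=500):
    """Pattern-based verdicts. Thresholds are illustrative assumptions, not Hetzner's values."""
    verdicts = []
    if summary.get("tcp_syn", {}).get("pps", 0) > syn_pps:
        verdicts.append("syn_flood")          # judged on rate: each SYN costs state, not bandwidth
    if summary.get("udp_from_dns", {}).get("mbps", 0) > dns_mbps:
        verdicts.append("dns_reflection")     # judged on bandwidth: amplified answers are large
    if summary.get("udp_to_80", {}).get("pps", 0) > udp80_pps:
        verdicts.append("udp_flood_port80")
    return verdicts


def constructed_window():
    """Constructed one-second sample for the demo; not a real capture."""
    lines = []
    for i in range(600):   # SYN flood: tiny packets, high connection-attempt rate
        lines.append(f"tcp 198.51.100.{i % 250 + 1}:{40000 + i} > 203.0.113.10:80 flags=S len=60")
    for i in range(300):   # DNS reflection: large amplified answers from many resolvers
        lines.append(f"udp 192.0.2.{i % 250 + 1}:53 > 203.0.113.10:{50000 + i} flags=- len=1200")
    for i in range(40):    # legitimate established HTTP traffic
        lines.append(f"tcp 198.18.0.{i + 1}:{51000 + i} > 203.0.113.10:80 flags=PA len=500")
    lines.append("truncated garbage line that must not crash the parser")
    return lines


if __name__ == "__main__":
    s = summarize(constructed_window(), window_s=1.0)
    for k, v in sorted(s.items()):
        print(f"{k:13s} {v['pps']:8.0f} pps {v['mbps']:8.3f} Mbps")
    print("verdicts:", classify(s))
    print("500k pps at   60 B =", pps_to_mbps(500_000, 60), "Mbps")
    print("500k pps at 1500 B =", pps_to_mbps(500_000, 1500), "Mbps")
```

In the constructed sample the SYN flood carries 0.288 Mbps and the DNS reflection 2.88 Mbps, ten times the bandwidth at half the packet rate; a volume-only detector would rank them the wrong way round, which is why the SYN class is judged on pps and the reflection class on Mbps.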
No talk about how much their filtering can handle, so I guess it will be webtropia level which means no protection at all.
that profile photo
topkek
Nice, I wonder how well it'll work compared to other companies network wide mitigation. I've always loved Hetzners hardware offerings but the fact that they had no native protection was always a turn off.
This could be a game changer.
"we don't offer DDoS protection and don't want to host DDoS magnets anyway"
everyone leaves
"just kidding there you have it"
Too many people were asking for it, especially big customers.
Now it's "something". I don't think people will have fun with them if they think "they have it, so I can use it."
I guess they will terminate the service anyway.
They now also have a Wiki entry for their DDoS protection:
https://wiki.hetzner.de/index.php/DDoS_Protection
which is mostly a translation of their forum post without new or further information.
They will announce it soon with further news :P
Heyya - do you know how much I can expect from them? (Ddos protection)
They don't tell exactly, so we don't know unfortunately...
According to this thread on WHT they have at least not null-routed anyone since they introduced the DDOS protection
From my email chat with them, they told me they have never null-routed any server since launching the DDoS protection, and day by day they increase their capacity and improve their rules for better mitigation.
For those asking what capacity they offer, I asked them what the max capacity would be in terms of Gbps/pps:
I guess it just works, so in this case I would put it like this: a gentleman never tells.
They never failed on me to this date and you can trust the German engineering I think!
Well, and let's forget about the Volkswagen affair for a moment.
Great. What would you choose now, HTZ or OVH? Which connectivity is better?
So, Hetzner made two improvements:
Add DDoS mitigation
And increase the network capacity for each server from 100 Mbps or 250 Mbps to 1 Gbps.
Anyway, they both seem really good to me.
I'd be happy if they'd at least say whether they can hold at least 20 Gbps - 50 Gbps, which is something I'd much rather prefer, although having something like the Voxility protection at SYS/OVH would be perfect. Do you guys think it's comparable to the Voxility protection?
Yeah, a decent DDoS protection; they have decent hardware and support. They only need a one-time setup fee for the IPs like OVH, and 50% of OVH customers will switch to Hetzner.
Seems security-through-obscurity is in fashion again.
I mean, they can either give the customers an assurance about what attacks they'll be able to deal with, or let the script kiddies do it for them. I don't know why they believe that not disclosing the capacity is somehow going to make things more "secure".
Yeah, it's quite weird. I just want a rough estimate by you guys or a minimal amount of protection I can expect from Hetzner - Saying nothing at all is just confusing. If they can't give me a proper answer or this forum can't I may have to use SYS.