Proven DDoS Protection / Share your experience

MikePT Moderator, Patron Provider, Veteran
edited September 2016 in General

Howdy,

We're all aware that many companies advertise a XPTO DDoS Mitigation service, some of those, even in-house hardware devices for mitigation. But how many of those really work?

Feel free to share your experience with us, perhaps this way, we won't be misguided to false advertising.

Have you had any experience with these providers? Who were they? Were they able to mitigate the attacks?

Cheers

Comments

  • Kimsufi works very well. Hetzner works also, but it takes a longer time before it kicks in.

  • deployvm Member, Host Rep
    edited September 2016

    From my experience, Arbor Peakflow devices are effective against attacks. However, Arbor is a proprietary solution and requires a large investment.

    There is a client device available called Arbor Pravail APS, but it is not as effective against volumetric attacks. Basically, you need cloud-signalling to go with it.

    I've also heard of NSFOCUS and Huawei (Serverius) solutions.

    All you need is large bandwidth capacity to tank the incoming traffic, but usually you would need the help of the operator (upstream). Proprietary or custom devices - all comes down to your available capacity.

    Thanked by 1HyperSpeed
  • AlexBarakov Patron Provider, Veteran

    Most are good, as long as they are above the XXX,XXX$ investment. And of course, big enough pipes and capacity. I'd think at least 200gbps burst/peak is required.

  • MikePT Moderator, Patron Provider, Veteran

    But any real experiences? They all say they are great. I'm seeking personal experiences here.

  • I've had attacks around the size of 10gbps and they were easily tanked by OVH's DDoS protection.

    All I can say is I'm satisfied with OVH.

  • hawc Moderator, LIR

    I had an attack at Online.net - 125Mbps caused my server to totally lock up and become unresponsive.

  • AlexBarakov Patron Provider, Veteran

    PM'ed you with some real experience from RioRey and Radware.

  • I had a small 1.5Gbps attack at ReliableSite a while back and didn't even know it had happened until I logged in to my account and saw on the history.

  • Seen Voxility's network protection do pretty good but one incident I recalled, not sure if it was the DC and/or Voxility, but a /24's routing was all messed up after the attack allegedly stopped for over 24 hours.

  • @FlamesRunner The DDoS protection @ OVH protection is decent at best, only on the permanent mitigation mode. Using the "auto mitigation" mode allows for attackers to knock the server offline, before it is moved.

    I've seen 15-20% packet loss in a few attacks before being moved to the mitigation network, and even so, legitimate users got packet loss sometimes because of their system detecting false positives.

  • Maounique Host Rep, Veteran
    edited September 2016

    Nothing is perfect, but, as a rule of thumb, the protection will get more expensive and only big players will afford it, while the attacks will grow.
    There will come a time anything under 100 USD will not make sense to be protected even at a third tier (protection>DC>reseller>reseller).
    This is because everyone except you benefits from attacks. Carriers sell more BW, companies sell "solutions", datacenters sell protection, botnet operators sell attacks and blackmail providers/DCs.

  • MikePT Moderator, Patron Provider, Veteran

    @Maounique said:
    Nothing is perfect, but, as a rule of thumb, the protection will get more expensive and only big players will afford it, while the attacks will grow.
    There will come a time anything under 100 USD will not make sense to be protected even at a third tier (protection>DC>reseller>reseller).
    This is because everyone except you benefits from attacks. Carriers sell more BW, companies sell "solutions", datacenters sell protection, botnet operators sell attacks and blackmail providers/DCs.

    Actually, the DDoS protection is getting cheaper. There's plenty of spare bandwidth and, if you have DDoS protection, the attacks won't reflect much in your service therefore will be less as well.

  • Maounique Host Rep, Veteran
    edited September 2016

    MrGeneral said: Actually, the DDoS protection is getting cheaper. There's plenty of spare bandwidth and, if you have DDoS protection, the attacks won't reflect much in your service therefore will be less as well.

    That is only an impression, at this time there are some big players with plenty of bw, peering among each other and this kind of thing made it possible for them to offer cheaper protection, but as they are cutting a larger share of the market and botnets' capabilities grow, even with insanely asymmetric lines some countries have, the prices and attacks will grow because there will always be places where internet is cheap and fast, 50%+ of the houses are wired on big pipes and security knowledge is scarce for at least a percentage of those households. Even without those, the exploits multiply and sophisticated automated attacks will grow large botnets. I have seen attacks grow, last big one was well in excess of 100 Gbps here, one year before, largest ones were peaking at some 35-40, the increase is more than 2x year on year. And we have, what, some 5k active customers with maybe 7-8 k VMs/shared hosting with dedicated IP in total.

  • MikePT Moderator, Patron Provider, Veteran

    @Maounique said:

    MrGeneral said: Actually, the DDoS protection is getting cheaper. There's plenty of spare bandwidth and, if you have DDoS protection, the attacks won't reflect much in your service therefore will be less as well.

    That is only an impression, at this time there are some big players with plenty of bw, peering among each other and this kind of thing made it possible for them to offer cheaper protection, but as they are cutting a larger share of the market and botnets' capabilities grow, even with insanely asymmetric lines some countries have, the prices and attacks will grow because there will always be places where internet is cheap and fast, 50%+ of the houses are wired on big pipes and security knowledge is scarce for at least a percentage of those households. Even without those, the exploits multiply and sophisticated automated attacks will grow large botnets. I have seen attacks grow, last big one was well in excess of 100 Gbps here, one year before, largest ones were peaking at some 35-40, the increase is more than 2x year on year. And we have, what, some 5k active customers with maybe 7-8 k VMs/shared hosting with dedicated IP in total.

    Well, opinions differ. I don't share the same opinion to be honest.

  • SplitIce Member, Host Rep

    Because reviewing ourselves (https://www.x4b.net) would be biased, I'll quote something recent -

    desperand said: If you are looking for really nice protection for a website, I guess you should take a look at https://x4b.net/, these guys will not give attackers any chance to take your site down. I have used them a lot for my very high risk projects, and every time my website was up, and attackers tried to attack me for 7-14 days nonstop, and each attack was filtered by x4b. And no downtime at all.

    There is a lot more to good protection than just capacity, it takes a lot of R&D and investment. Attacks are always increasing in complexity, and often in volume (primarily depending on what vulnerable UDP services are discovered, and the veracity of the attacker).

    Although that said, larger networks certainly have an advantage in the volume department. For small networks keeping (e.g) 1Tbps spare capacity around is not feasible, for a larger network, it may very well be.

  • Maounique Host Rep, Veteran

    SplitIce said: For small networks keeping (e.g) 1Tbps spare capacity around is not feasible, for a larger network, it may very well be.

    A TB spare capacity is not for an average or even larger network, not to mention small, heck, I am not sure networks like S.A.S. (online.net) have 1 TB spare and they are not small by any measure.

  • Francisco Top Host, Host Rep, Veteran

    @Maounique said:

    SplitIce said: For small networks keeping (e.g) 1Tbps spare capacity around is not feasible, for a larger network, it may very well be.

    A TB spare capacity is not for an average or even larger network, not to mention small, heck, I am not sure networks like S.A.S. (online.net) have 1 TB spare and they are not small by any measure.

    Given people get 1Mbit/sec to OVH I'd assume they don't :P

    Francisco

  • Maounique Host Rep, Veteran
    edited September 2016

    Francisco said: Given people get 1Mbit/sec to OVH I'd assume they don't :P

    Or OVH may do that on purpose, who knows, nothing would surprise me. A test is pretty simple, just do a tunnel through one of their common peers and see what comes up.

  • mrKat Member
    edited September 2016

    If you're looking for gameserver DDoS protection, I tested many providers like OVH, online.net, intreppid and X4B NL, until I found the best one, which is nuclearfallout.

    When I got DDoSed on OVH the connections of all my players would drop and cause discomfort, and OVH have this shit VAC system where you have to connect 3-4 times to the game until you get in.

    Online.net basic DDoS package: fully drops connections for 15-30 sec until their anti-DDoS kicks in. Large packet loss afterwards.

    X4B NL: the time I used it, it was a good DDoS protection based on ddosguard.ru/nl? But after 5 mins of being DDoSed they cut UDP for probably 3-4 hours to my servers, and that means bye bye players. I read somewhere, and now I think, they're based on Serverius? No idea about that.

    Intreppid: from my point of view I would like to say it was a scam, no filtering at all, they basically DDoSed my server with 1gbps via GRE tunnel when the attack was ongoing. Requested a refund, was given a big fuck you, never bragged about it anywhere.. except here and now. (Charts were blowing up (probably fake/inaccurate) with some incredibly high numbers of packets/sec even though I tested it with maybe 500mbps from one of my servers.)

    Final choice:
    NFO on the other hand has an outstanding firewall system with which you can filter any type of DDoS and it will stop reaching your application. I think they filter on the host card and its 10gb port. Had no problem with them so far and it works wonders: no players drop, no nothing, everything is fine! Oh, hmm, if you get DDoSed for more than 6 hours you get a nullroute for 4 hours on the IP (quite the hiccup there) but I managed to fix it with multiple IPs (2$/ip I guess).

    May my mistakes be forgiven, I'm from Europe.

    Thanked by 1MikePT
  • SplitIce Member, Host Rep
    edited September 2016

    @mrKat: 1st post user advertising & reviewing companies. Suspicious to say the least.

    Please feel free to PM me a Ticket ID. I'd be happy to take a look.

    UDP may be dropped in NL if 100Gbps Guaranteed threshold is breached for a long period (usually 6 hours+), it depends on the attack however. It's been a very long time (12months+) since that was last performed given that since then upstream capacity has been doubled. It really depends on the load at the time, ingress route (peering or transit & capacity & 95th).

  • @SplitIce said:
    @mrKat: 1st post user advertising & reviewing companies. Suspicious to say the least.

    Please feel free to PM me a Ticket ID. I'd be happy to take a look.

    UDP may be dropped in NL if 100Gbps Guaranteed threshold is breached for a long period (usually 6 hours+), it depends on the attack however. It's been a very long time (12months+) since that was last performed given that since then upstream capacity has been doubled. It really depends on the load at the time, ingress route (peering or transit & capacity & 95th).

    He's kind of right though: OVH's VAC/vacuuming system is awful at detecting attacks. It's not really suitable for VOIP, let alone gaming, or anything that depends highly on latency.

    Just my 2 cents on it. Adios!

  • SplitIce Member, Host Rep

    @doghouch I'll second that part any day. OVH VAC is just a basic system for attempting to solve the basic problems, it's better than nothing in many cases I am sure (although a hindrance for certain legitimate traffic loads).

    Thanked by 1doghouch
  • still not found any solution for xmlrpc ddos... no host providing this stuff, only cdns on expensive plans (200$ and more)

  • @Advicerxyz
    What's wrong with the under attack option from Cloudflare? It's free and it does its job. Fail2ban? There are a lot of options you have to try.

    check this
    https://github.com/kyprizel/testcookie-nginx-module

    Also if you don't know this stuff or probably don't want to learn, you can always throw money at the problem.

    A hosting provider just hosts your stuff, it does not defend you against http requests lol.

  • Advicerxyz Member
    edited September 2016

    xmlrpc bypass under attack so return in to high setting but nothing. cloudflare free plan not worth it. some people for sure know a solution for it, but don't want to share it...
    it's a vps - it's ddos protected, and asked already 4 vps providers with ddos protection no one include xmlrpc ddos protection... saying it's from server side not network... the solution you just gave, it's making a "testing js please wait" like cloudflare?
    mod security won't help with it? or mod evasive?

  • Awmusic12635 Member, Host Rep

    @Advicerxyz said:
    xmlrpc bypass under attack so return in to high setting but nothing. cloudflare free plan not worth it. some people for sure know a solution for it, but don't want to share it...
    it's a vps - it's ddos protected, and asked already 4 vps providers with ddos protection no one include xmlrpc ddos protection... saying it's from server side not network... the solution you just gave, it's making a "testing js please wait" like cloudflare?
    mod security won't help with it? or mod

    So wait, are you being attacked by a Wordpress pingback attack or is your server being used to attack

  • Advicerxyz Member
    edited September 2016

    I'm getting WordPress pingback attacks. Nginx is getting 2k-5k requests a second. Server is functional. Seems like nginx and apache are crashing under the attack but I'm still able to access my web control panel.

    I don't see any CPU spike, but a huge RAM spike.

  • If it's just 2-5k r/s you should be able to simply drop any pingback traffic (if that's an option?). SW firewall might be resource intensive but at least the webservers should only handle clean traffic.

  • How could I drop them? SW firewall?
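
Added example, not part of any post in this thread: a log triage script for the two cases raised above (being the target of a pingback flood versus having your own `xmlrpc.php` called), which also shows what a drop rule would have to match. It assumes nginx's "combined" log format and that reflecting WordPress sites send a User-Agent of the form `WordPress/<version>; <site>; verifying pingback from <ip>`; the sample lines are constructed.

```python
import re
from collections import Counter

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumption: the reflecting WordPress sites send this User-Agent shape.
PINGBACK_UA = re.compile(r'^WordPress/\S+; \S+; verifying pingback from (?P<origin>\S+)$')

def classify(line):
    """Return (kind, detail) for one access-log line, or None if unparseable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ua = PINGBACK_UA.match(m["ua"])
    if ua:
        # This server is the target: other WordPress sites fetch its pages.
        return ("pingback_target", ua["origin"])
    if m["method"] == "POST" and m["path"].split("?")[0].endswith("/xmlrpc.php"):
        # Calls to this server's own XML-RPC endpoint (it may be the reflector).
        return ("xmlrpc_post", m["ip"])
    return ("other", m["ip"])

def summarize(lines):
    """Count request kinds and the origin IPs named in pingback User-Agents."""
    kinds, origins = Counter(), Counter()
    for kind, detail in filter(None, map(classify, lines)):
        kinds[kind] += 1
        if kind == "pingback_target":
            origins[detail] += 1
    return kinds, origins

# Constructed sample lines (documentation IP ranges, made-up hostnames).
_T = '[10/Sep/2016:12:00:01 +0000]'
_UA = 'WordPress/4.5.3; http://%s.example; verifying pingback from 203.0.113.9'
SAMPLE = [
    '198.51.100.7 - - %s "GET /?x=1 HTTP/1.0" 200 512 "-" "%s"' % (_T, _UA % 'blog-a'),
    '198.51.100.8 - - %s "GET /?x=2 HTTP/1.0" 200 512 "-" "%s"' % (_T, _UA % 'blog-b'),
    '192.0.2.44 - - %s "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.47.0"' % _T,
    '192.0.2.50 - - %s "GET /about/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"' % _T,
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

If `pingback_target` dominates, the User-Agent substring is the attribute to reject in the web server before requests reach PHP (in nginx, a `$http_user_agent` match with `return 444`); matching only the `verifying pingback from` part leaves other WordPress-originated requests alone.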

  • SplitIce Member, Host Rep

    @Advicerxyz said:
    still not found any solution for xmlrpc ddos... no host providing this stuff, only cdns on expensive plans (200$ and more)

    That's easy enough, hit us up. Just grab one of our budget locations which are far less than that (even our most expensive location is less than that for anything but massive bandwidth plans). 2-5k r/s is nothing to us.
