> You will be charged up to 20% based on your total monthly resource usage covered by DDoS Protection with a total monthly maximum of $1000/mo.
I get that someone has to pay for this, but if I had 50 servers here and they all got shit on, I'd be on the hook for a lot of money through no fault of my own.
I have some cheap(est) VPS with OVH that I didn't even know had DDoS protection until I got the emails that my host was temporarily migrated to mitigation infrastructure during a DDoS, and back a few minutes later. Was pretty impressed especially since I don't pay extra for it or even know I had it!
It benefits them, since DDoS will take down not just your VPS, but more infrastructure along the way. There are probably downsides as well, like blocking crawlers from search engines.
Very vague. Doesn't specify if it is in-line or offload. Linode: with some research you can figure out they use Corero appliances that will cover 40 Gbps floods.
Also didn’t see what their policy on tweaks are and or expectation on mitigating a more advanced attack.
I.e. DNS, NTP floods are low hanging fruit but it doesn’t take much nowadays to do something more custom.
DO killed 2 of our production servers some weeks ago erroneously due to an issue on their end that claimed we were part of a DDoS attack. Took us an entire week to recover properly... maybe this might have helped... also was promised credits for the downtime but never received them, minor after the fact as we're pretty happy with the service overall.
> The Incident:
Beginning at 17:10 UTC, May 9th, multiple DigitalOcean customers experienced Droplet network outages due to an action on Droplets by an automated mechanism. This mechanism has been in place at DigitalOcean since 2019. It helps us ensure that any potentially compromised Droplet seen participating in an outbound Denial of Service attack is quickly taken offline. This is in place to assist in protecting all DO customers by ensuring we have a network focused on delivering legitimate traffic at speed and scale, unencumbered by illegitimate traffic. When triggered, this mechanism suspends networking capabilities on the Droplet or Droplet-based services temporarily to allow the owner to investigate the issue. Users are informed via a support ticket and email that details the paths to recovery. This incident was triggered by an unannounced data change made by a third-party, which DigitalOcean uses to assist in analyzing traffic flow and metrics, as well as detecting malicious traffic patterns.
Due to this mechanism constantly running and no changes being made directly by DigitalOcean, our teams were delayed in beginning an incident response. After multiple reports from customers that they believed the notification of outgoing Denial of Service attacks from their Droplets were false positives, an internal incident was declared to investigate the issue and start remediation efforts.
After a thorough investigation by the DigitalOcean Security and Networking teams, the root cause was discovered to be an erroneous change made by a third-party service that reports data on traffic. Contact was established with the third-party, and they confirmed a change had been made. Investigation began on their side, and they confirmed there was a bug causing bad data to be returned from their API.
Remediation of this incident was done through multiple paths. Complete resolution was achieved once the third-party rolled back the change that was made, which was causing bad data to be reported to DigitalOcean systems. Before that rollback was able to be put in place, DigitalOcean took direct action to take the automated mechanism that disables Droplet networking offline, given the suspected bad data. The support teams also worked throughout this incident to directly address customer tickets and re-enable networking on impacted Droplets.
At the risk of sounding like the "why do you need DropBox if you have rsync herr derr" guy, why... do I need DDoS protection from my VPS provider if I have Cloudflare anyway?
Why do you need DDoS protection from Cloudflare if your VPS provider has it anyway?
Some people prefer all-in-one solutions, otherwise things like AWS wouldn't exist. Others prefer to spread out their eggs. One is not absolutely right and the other absolutely wrong.
This is very tangentially related; some comments here made me think of this:
What happened to the DDoS Open Threat Signaling (RFC 8811) protocol? Do any of the many service providers, most of which include some sort of DDoS protection, use this system at all?
You pay for it at a price of 20% of your plan's price. If you have a $25/mo plan, it'll be a $5 add-on. You can enable/disable it so that it's only on when you want it and it is pro-rated in that case. If you want to respond to an attack for 2 weeks of the month, it'll cost $2.50. So you can manually turn it on if you're under attack and only pay for that time, but if you want it to automatically handle an attack you have to pay for the month.
I think most people would just turn it on if they were a likely attack target. You don't want your site to go down and either get paged or find out about it hours later. If you're an unlikely attack target or a site that can stand some downtime, you could leave it off and just enable it when under attack.
Sometimes DDoS is 'layer 7', running you out of CPU etc on requests that are easy to make and hard to service. Try to avoid that?
Otherwise, DDoS is usually volumetric: send you more packets than will fit on your network interface. The only prevention is larger interfaces, but 1Gbps of DDoS was readily available when I was dealing with it in 2018ish and it was pretty clear that people were using the site I ran as a test target for DDoS as a service (always exactly 90 seconds of junk traffic on our www, very rarely a real service host, etc). There was a recent crackdown on DDoS as a service, but I'd be surprised if 10Gbps isn't easily available now.
D/DOS protections mostly have to happen before the network packet reaches the OS. Handling the incoming data request requires enough OS resources to be used for DOS. There are some things you can do application wise, such as avoiding reflection and amplification attacks. https://blog.cloudflare.com/reflections-on-reflections/
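The "avoid reflection and amplification" point above, worked through as an added example (this is not code from the thread or from the linked Cloudflare post): a request handler for a UDP-style protocol that refuses to become an amplifier. Two rules do the work. First, until a sender proves it can actually receive packets at its claimed source address, the reply is never larger than the request that triggered it, so a spoofed packet yields at most 1:1 reflection and zero amplification. Second, proof of address is a stateless HMAC cookie bound to the source ip:port (the same idea as DNS cookies and QUIC's Retry), which a spoofing attacker never learns because the challenge is delivered to the victim, not to them. The wire format, the constant names and the deliberately large 1280-byte stand-in record are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed wire format for this example (not a real protocol):
#   request   : b"Q" + 16-byte cookie (all zeros if the client has none) + query
#   challenge : b"C" + 16-byte cookie            -> 17 bytes, never longer than a request
#   answer    : b"A" + payload                   -> may be large, only for proven sources
COOKIE_LEN = 16
HDR_LEN = 1 + COOKIE_LEN
MAX_CHALLENGES_PER_SEC = 10   # cap on even 1:1 reflection toward a single address

Addr = Tuple[str, int]


class AntiAmplificationServer:
    def __init__(self, secret: Optional[bytes] = None, clock=time.monotonic):
        self.secret = secret or secrets.token_bytes(32)   # per-process cookie key
        self.clock = clock                                 # injectable for tests
        self._windows = {}                                 # src -> [window_start, count]

    def cookie_for(self, src: Addr) -> bytes:
        """Stateless cookie tied to the source ip:port; unforgeable without the key."""
        host, port = src
        mac = hmac.new(self.secret, f"{host}:{port}".encode(), hashlib.sha256)
        return mac.digest()[:COOKIE_LEN]

    def _challenge_allowed(self, src: Addr) -> bool:
        """Token bucket per source: limits how much traffic we reflect anywhere."""
        now = self.clock()
        win = self._windows.setdefault(src, [now, 0])
        if now - win[0] >= 1.0:
            win[0], win[1] = now, 0
        win[1] += 1
        return win[1] <= MAX_CHALLENGES_PER_SEC

    def handle(self, src: Addr, datagram: bytes) -> Optional[bytes]:
        """Return the datagram to send back to src, or None to stay silent."""
        if len(datagram) < HDR_LEN or datagram[0:1] != b"Q":
            return None                       # malformed input is never reflected
        presented = datagram[1:HDR_LEN]
        query = datagram[HDR_LEN:]
        if hmac.compare_digest(presented, self.cookie_for(src)):
            return b"A" + self.answer(query)  # address proven: full-size answer
        if not self._challenge_allowed(src):
            return None                       # too many unproven requests from src
        return b"C" + self.cookie_for(src)    # 17 bytes <= len(datagram): no gain

    @staticmethod
    def answer(query: bytes) -> bytes:
        # Stand-in for a real lookup: a deliberately large record (1280 bytes),
        # the kind of response that makes open resolvers and NTP monlist
        # attractive reflectors when it is handed out to unverified sources.
        return hashlib.sha256(query).hexdigest().encode() * 20


def amplification_factor(server: AntiAmplificationServer, src: Addr, datagram: bytes) -> float:
    """Bytes sent back per byte received for one datagram (0.0 if silent)."""
    reply = server.handle(src, datagram)
    return 0.0 if reply is None else len(reply) / len(datagram)


def demo():
    srv = AntiAmplificationServer(secret=b"fixed-demo-key")
    victim = ("192.0.2.10", 53)                       # spoofed source, RFC 5737 range
    spoofed = b"Q" + bytes(COOKIE_LEN) + b"ANY example.com"
    gain = amplification_factor(srv, victim, spoofed)  # stays <= 1.0
    client = ("198.51.100.7", 40000)
    chal = srv.handle(client, b"Q" + bytes(COOKIE_LEN) + b"hello")
    full = srv.handle(client, b"Q" + chal[1:] + b"hello")   # round trip done: large answer
    return gain, len(chal), len(full)


if __name__ == "__main__":
    print(demo())
```

The cookie does nothing against a flood from real, non-spoofed sources; that is what the per-source challenge budget and, further down the stack, the provider's volumetric mitigation are for. What the cookie removes is the property attackers actually want from a reflector: a small spoofed packet producing a large reply aimed at someone else.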
Nothing, if you're self-hosting in your home. Volumetric floods will saturate your ISP link.
If you’re hosting with a provider, your maximum factor will be how much your provider will “tank” for you.
Otherwise harden your ports, drop anything via iptables, turn on NOTRACK. Better but more advanced would be to use tc (traffic control) to drop bad packets before they enter the netfilter lifecycle.
nubinetwork|2 years ago
robbiemitchell|2 years ago
belter|2 years ago
https://aws.amazon.com/shield/features/#AWS_Shield_Advanced
johnklos|2 years ago
nazgulsenpai|2 years ago
taskforcegemini|2 years ago
lxchase|2 years ago
iKlsR|2 years ago
janejeon|2 years ago
capableweb|2 years ago
jonathantf2|2 years ago
andersa|2 years ago
whitepoplar|2 years ago
lifelong|2 years ago
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-s...
capableweb|2 years ago
DoItToMe81|2 years ago
remram|2 years ago
https://www.rfc-editor.org/rfc/rfc8811
skilled|2 years ago
Do you only have to pay if you have been exposed to an attack?
mdasen|2 years ago
re-thc|2 years ago
It's like insurance. Do you buy it after an accident or before?
revskill|2 years ago
toast0|2 years ago
GartzenDeHaes|2 years ago
lxchase|2 years ago
bombcar|2 years ago
Depending on what you’re using it for you could “cloak” it.