How to destroy someone who hosts stuff at Hetzner dedicated server

It's worth putting this in context. Hetzner provides really beefy dedicated servers for ridiculously low prices [1].

You get great support (always had phone calls answered pretty much instantly and emails answered within a few minutes and all the techs I've dealt with knew what they were doing).

You can issue automated hardware resets and even get a remotely-controlled KVM attached to tweak the BIOS or regain access to your machine if you messed up the networking config (usually only takes a few minutes to get the KVM attached).

Orders for new hardware are also really fast - dealt with within the hour and often in under 15 minutes.

But there's no such thing as a free lunch. If you host at Hetnzer, you have to be aware of the reasons why they're so cheap, namely:

1) The servers are 100% unmanaged. They'll install new hardware for you if you ask them but everything else is up to you.

2) A lot of their hardware is desktop-grade, e.g. Intel Core i7 CPUs and non-ECC RAM. They do have some server-grade hardware in their high-end range however.

3) Their servers are in Germany. So you get quite a bit of latency if accessed from Asia or the West Coast of the US (see [2]).

4) They don't have any DDoS protection. In case of a DDoS, your server will get null-routed (but they tell you first). Again: 100% unmanaged. Up to you to deal with it. I've been lucky enough to not have to deal with a DDoS but my first port of call would probably be CloudFlare it it happened.

Provided that you're happy to do some sys admin, Hetzner is brilliant for a personal server, a CI server or even a prod server for a bootstrapped startup.

For literally next to nothing, you get a really powerful machine that will easily handle big traffic spikes without a breaking a sweat. And dedicated machine means that you get excellent and consistent CPU performance and disk I/O. If and when your startup takes off and you get funding, you can then choose between hiring a sys admin or moving to a more expensive host that offers a more managed setup.

[1] http://www.hetzner.de/en/hosting/produktmatrix/rootserver-pr...

[2] https://news.ycombinator.com/item?id=3898714

A lot of the people commenting don't seem to understand how hard it is to fend off such DDoS attacks. You either need some serious infrastructure (cloudflare style) or you need to buy equipment to mitigate attacks (like radware devices) or route it via a DDoS mitigation service (prolexic style). The one thing all these solutions have in common is that they are insanely expensive. People can buy a 1 gigabit DDoS for only a few bucks, whereas mitigating a 1 gigabit DDoS will cost you either $20K+ dollars for a mitigation device or some stupid amount of money to have a service like prolexic mitigate it for you. Services like cloudflare are a whole load cheaper but only provide basic reverse proxy protection and still leave your server vulnerable for attacks directed at it's IP instead of DNS name.

I can't say I've ever heard of Hetzner, but from the comments I'm reading they apparently offer servers for cheap. Bearing in mind how much money DDoS mitigation costs I don't see how they could handle this any other way without having to make some pretty serious investments (which in turn would make their hosting less cheap as the money has to come from somewhere, right?)

IRCCloud had to move off hetzner for this reason. We were continually getting ddos'ed, and hetzner showed no interest in working with us to try and mitigate.

At one point they just suggested we "ask the responsible parties to stop", and closed the ticket.

Now we are on Black Lotus. Expensive, but the regular 50mb-10gbit ddos attacks are mitigated just fine.

Yup, pretty much. Those attacks have become a real problem because they can be ordered so cheaply and easily that even kids use them in Minecraft feuds. The channel takeovers of the 21st century.

OVH's much more tolerant in that regard (ie. they keep your server online if battered) and all their servers now include a mandatory anti-ddos protection[1]. Unfortunately, they're fighting turn-over and don't accept new orders.

[1] http://forum.ovh.co.uk/showthread.php?t=6661

So I manage quite a few servers at Hetzner and we were DDOS'ed quite a few times. First, they warn you and if you don't get back to them in 12-24 hours, then they will shut down your server.

Sounds like you were unfortunate, but this is not generally what they do.

That sucks. I have moved many websites recently from EC2 to Hetzner. what they offer is really impressive and the difference is clear (probably 5x more resources/power for 25% of the Amazon price).

I guess I will still keep the server, but will have to work on a quick migration/failover plan in case I encounter something similar.

I have also started using cloudflare as my default DNS host, so that could also be a possible solution.

Here is a simple solution and everybody is happy: re-enable it every hour, if DDoS continues, disable again.

Everybody is probably "happy" then: Customer-> their unusable DDoSed server is disconnected, but wasn't reachable anyway. But once the DDoS is over, it's back online. Provider -> they have their traffic routed to null. However, they will have to do some more work to get this working too. And not to mention happier customers.

Here is a forum that sells DDoS attacks. Attacks are much cheaper than protection.

http://www.hackforums.net/forumdisplay.php?fid=232

I had to do deal with DDOS attacks in the past and DDOSArrest worked like a charm to mitigate the problem.

How can DDoS mitigation devices distinguish between legit and malicious traffic? I'm not a networking expert, but it seems to me that if you're a website hosting a big file like the latest Ubuntu release, a legitimate client will say:

    GET /ubuntu-13.10-server-amd64.iso

and cost you 500 MB of traffic (or however big the ISO file is).

A DDoS is nothing more than thousands or millions of machines saying:

    GET /ubuntu-13.10-server-amd64.iso

How do the solutions others are talking about in this thread (DDoS mitigation provider or specialized hardware) tell the difference between DDoS traffic and legitimate requests?

Wow, they detect the DDoS, but instead of blocking this they take off the servers?? Sounds ingenious..

Or are they unable to properly detect a DDoS and would also take off a server that hosts a web page mentioned on Hacker News?

How do other hosters handle this situation?

Use cloudflare or a similar service provider to mitigate such attacks?

We had the same problem at Hetzner, the server was attacked on Saturday. We moved out. Hetzner is very cheap and you get what you pay for.

Great tip. Does anyone know who Hetzner's largest customers are? Or at least major web services that host with Hetzner?

Does this apply to servers that do NOT host websites? I host databases in Hetzner that aren't hosted in the same server as the website(they're in another provider)

well this is good timing, just moved to hetzner last month and server mysteriously went awol yesterday until a reset...

FWIW, This is fairly standard.

Linode for example will null-route your linode for 24 hours if it's attacked.

It's quite irritating that hosting companies seem to see null-routing as a solution to a DDoS attack.

   > This is fairly standard.

   > It's quite irritating that hosting companies
   > seem to see null-routing as a solution to 
   > a DDoS attack.

If they can detect the DDOS, they should be able to mitigate it, right?

(EDIT: of course Hetzner could choose to mitigate the DDOS by any number of methods - but they choose not to, because they have made a conscious decision based on cost.)