Affordable Remote DDOS Protection / Reverse Proxy

I have a client looking for a possible alternative to CloudFlare. Right now they are just paying the 20$ CloudFlare package. It's just a smaller website at the moment, so they are trying to keep protection costs cheap. Like less than 100$ per month. I know it can cost thousands to have a legit anti DDOS setup. We are just looking at all the cheaper and more affordable options. Below are the ones I have found by Googling around myself. Are there any others out there that I'm missing? I want to know all the options before committing to one. Thank you.

https://www.cloudflare.com

https://www.incapsula.com

https://shovl.io

https://javapipe.com/ddos/remote-protection/

https://ddos-guard.net/en/retail

https://www.hyperfilter.com/web-protection/

https://www.x4b.net

https://blazingfast.io/firewall

https://www.ovh.com/world/ssl-gateway/

https://sucuri.net

Comments

  • MikeA Member, Patron Provider

    L7? If so mark out OVH as their L7 gateway isn't available yet.

    How big is their site? Likely a good nginx config with limiting can do good unless they're running on a single core. The only ones on that list I have really seen anything about is Sucuri and Javapipe.

  • Neoon Community Contributor, Veteran
    edited January 2018

    @MikeA said:
    L7? If so mark out OVH as their L7 gateway isn't available yet.

    Bullshit, OVH does offer L7.

    But the fuck, I do not get, why anyone would want to send sensitive data over a fucking proxy that breaks TLS.

    Get a DDOS protected VPS, your OWN reverse proxy on it.

    Oh man, just get a ddos protected VPS or dedi, easy.

  • MikeA Member, Patron Provider

    @Neoon said:

    @MikeA said:
    L7? If so mark out OVH as their L7 gateway isn't available yet.

    Bullshit, OVH does offer L7.

    Link?

  • Neoon Community Contributor, Veteran

    @MikeA said:

    @Neoon said:

    @MikeA said:
    L7? If so mark out OVH as their L7 gateway isn't available yet.

    Bullshit, OVH does offer L7.

    Link?

    https://www.ovh.ie/ssl-gateway/

  • MikeA Member, Patron Provider

    @Neoon said:

    @MikeA said:

    @Neoon said:

    @MikeA said:
    L7? If so mark out OVH as their L7 gateway isn't available yet.

    Bullshit, OVH does offer L7.

    Link?

    https://www.ovh.ie/ssl-gateway/

    There is nothing that can be ordered with L7 protection there.

  • @Francisco might be able to help you out https://buyvm.net/ddos-protection/

  • Neoon Community Contributor, Veteran

    @MikeA said:

    @Neoon said:

    @MikeA said:

    @Neoon said:

    @MikeA said:
    L7? If so mark out OVH as their L7 gateway isn't available yet.

    Bullshit, OVH does offer L7.

    Link?

    https://www.ovh.ie/ssl-gateway/

    There is nothing that can be ordered with L7 protection there.

    Oh, there is a SCROLLBAR, I did not fully scroll down, shame.

  • WSS Member

    The Blackest Hat,

    #dicks

  • SplitIce Member, Host Rep

    @Neoon if you want mitigation of Layer 7 attacks (beyond what one single server can take) someone is going to have to be able to decode at best (encode likely) your traffic. Unless of course you have significant funds.

    It's all about trust at the end of the day, if you don't trust your network and hardware providers your security is moot regardless. Physical access defeats all security.

    On the plus side if it's just Layer 4 you can always do TCP forwarding. If supported by the filtering solution.

  • Neoon Community Contributor, Veteran
    edited January 2018

    @SplitIce said:
    @Neoon if you want mitigation of Layer 7 attacks (beyond what one single server can take) someone is going to have to be able to decode at best (encode likely) your traffic. Unless of course you have significant funds.

    It's all about trust at the end of the day, if you don't trust your network and hardware providers your security is moot regardless. Physical access defeats all security.

    On the plus side if it's just Layer 4 you can always do TCP forwarding. If supported by the filtering solution.

    Well, obviously, since it's encrypted, the thing is, if someone is abusing your search function with a GET request or post, whatsoever, why did you not put a cooldown on it?

    Every resource intensive thing in your application should at least have a cooldown to prevent that.

    I guess if someone does a Layer 7 STYLE attack, you may see also invalid requests, it may look like a valid GET/POST but for your application it's nonsense, since they end in 404. Then just block it?

    It's just a fix for a person who is a lazy fuck, and it even breaks TLS. no.

  • SplitIce Member, Host Rep

    @Neoon that really depends on many factors.

    • Rate limit by what? IP? There can be tens of thousands of those involved in attacks?
    • Total searches? that stops regular customers too. Imagine that as your checkout page...
    • What if you can't even handle the number of SSL sessions (common issue)?
    • What about the costs of bringing up PHP or whatever language you are using (not everyone has access to nginx or some other filtering capable event based system)?
    • Are you on SaaS and paying per request? Shared hosting and paying CPU time, bandwidth? etc
    • When the attack changes at 4:03am are you or an employee going to get out of bed to update your mitigation method? How long will that take? What will that time offline cost you?
    • Further not everyone is a developer or has the technical know how to do it themselves.

    While it might not be the right solution for you, it is for thousands of others. That's why there is an industry built around it.

  • 057 Member

    If the real IP of the server is found, CDN is useless.

  • FHR Member, Host Rep

    An OVH VPS with Open Resty might be enough, depending on the attack size.

    Thanked by 1 jh_aurologic
  • theblackesthat said: I have a client looking for a possible alternative to CloudFlare. Right now they are just paying the 20$ CloudFlare package. It's just a smaller website at the moment, so they are trying to keep protection costs cheap. Like less than 100$ per month. I know it can cost thousands to have a legit anti DDOS setup. We are just looking at all the cheaper and more affordable options. Below are the ones I have found by Googling around myself.

    I work for DDoS GUARD. Would like to make a better offer. Where are you/your client located?

  • Neoon Community Contributor, Veteran

    @SplitIce said:
    @Neoon that really depends on many factors.

    • Rate limit by what? IP? There can be tens of thousands of those involved in attacks?

    There are tons of ways to find a pattern in these requests.
    The IP is just the beginning, you are running an AntiDDOS Company, you should know it.

    • Total searches? that stops regular customers too. Imagine that as your checkout page...

    Depends, if that method is causing a high load, while being DDoSed, it's the first thing you do. While you are looking for a pattern.

    The Goal is, to keep the site alive.

    • What if you can't even handle the number of SSL sessions (common issue)?

    Webservers like Nginx should handle that fine, if you are running your page on a toaster it may be different.

    • What about the costs of bringing up PHP or whatever language you are using (not everyone has access to nginx or some other filtering capable event based system)?

    Do not use Shared Hosting? solved.

    • Are you on SaaS and paying per request? Shared hosting and paying CPU time, bandwidth? etc

    Sounds to me capitalism in the end state, reminds me of a bank, which did that, charged you like 0.05$ for each mouse click while you do online banking.

    Cloud is mostly more expensive than a dedicated box, it's a foolish idea to run things in the cloud. If people do that, there is no help.

    Even then, no one needs to buy one of these shitty proxies that break TLS.
    Usually if you talk to such API, you do caching and stuff, so that's fine.

    • When the attack changes at 4:03am are you or an employee going to get out of bed to update your mitigation method? How long will that take? What will that time offline cost you?

    If you plan mission critical stuff, you plan that in.

    If you did not, that's your own fault, still does not mean that someone needs to buy a Proxy which breaks TLS.

    TLS was invented to ensure safety of the data between client and server, no reason to break it.

    • Further not everyone is a developer or has the technical know how to do it themselves.

    If you run an application like Vanilla on LET, which needs to be put behind Cloudflare, because it's vulnerable to some stuff, do not use it?

    While it might not be the right solution for you, it is for thousands of others. That's why there is an industry built around it.

    If this is your way to combat symptoms rather than causes certainly.

    Sure you will find people, who will use it. But it's a dirty quick solution and should not be used forever.

  • theblackesthat said: cost thousands to have a legit anti DDOS setup

    You are wrong. It's cost up to 100$ for decent protection level. Try x4b.net, they totally will solve your problem (I'm their client in past, not using for now anymore, but tried a lot in critical periods of my hobby projects, and only this guys helped me survive, not a bullshit "luxury" providers which offer protections by 200$ for very limited amount of protection, or "reputable providers with decent prices over LET". Just try x4b, they are ideally suitable for websites, my one under attack for many days non-stop, and x4b won the fight against really skilled guys who tried in different ways to break my hobby.

    My experience related to 2013-2017 periods (up to April 2017), not sure if something really changed since that time until now, but I'm warning, that something can be wrong.

    Need to test, for now, earlier they do not offer any protection at all. That means was possible to bypass the protection via customized botnets out any trash botnets, which bad people did against me for many many times... As for now, as I know, they have the https://blog.cloudflare.com/unmetered-mitigation/ thing, I have several projects which is running behind CF right now, not sure, no one of them got down at all on the free plan yet, but this is maybe just because no one is attack it.

    This is enterprise level app. Not for a physical consumer. Very costly.

    I have not used them and even heard. But I saw similar services for many years many services. As you understand, all of them already dead, or does not offer any quality of DDoS protection. It is just out the box pre-configured simple scripts or even worst -> just a tunnel...

    Tried in 2014, because OVH antiddos were very unstable at the beginning, they are trash at the time and does not worth mentioning. Don't know what has changed since that time. Maybe they are good now.

    This is the biggest piece of shit what can even be for me. I will not go with them anymore, tried them once, and never will try again (but some of my friends using them without too many issues). tl;dr story: hacker broke their filters, bypass everything and take it down and they null route me, and for returning me back asked paying extra money. But at the same time, they offer that their protection is very good and big mitigation capacity which attacker did not use for even 1/10 part... It was in 2014, thrown to shit after 3 days of using... Laggy network, constant issues. If some serious will decide to kick their ass, he will do it, no exceptions. Maybe something has changed for now, but I'm not sure... Because of butthurt after their mitigation I trying to read/talk with people who are using them, and see the same experience like me had.... Overpriced. As for support, it was very fast and quick.

    Don't know who is it, and not tried, can't say anything.

    Tried, several times saved my ass in most critical situations where my hobby was a blaze between life and death. This provider has middle prices if compare to others, some issues as far as I remember with support (I don't remember why, but I did not like their support at all because it was not really friendly or so (but answer fast)). But let's say the truth: these guys god damn good in what they are doing (in my own experience if compared to many others providers which I tried to protect my servers/sites in different network levels (L4, L7). The price can be a little painful, but this is still one of the cheapest quality DDoS protection oriented provider... If you will try many others providers, and they will fail for you, just back to x4b, these guys will cover your ass (at least mine several times did, when mostly 1 step before losing a hope).

    One of the best support team what I have ever seen ever. Response mega fast, very informative, helpful and so on. Only positive emotions related to their support, plus not a bad price. But! Service quality and uptime to be clear - bad. I tried them in different periods of time and did not try yet at the end of 2017 and 2018, but when they were with Voxility network with extra filtering provider -> they were really bad. They offer L7 / L4 DDoS protection, their L7 DDoS protection not bad, plus they have custom filters and so on. As I remember, they have out the box much better protection if compare to any other provider built on Voxility network or pschihz network.

    They do not offer any L7 DDoS protection for web apps. Only very basic and primitive. That why I writing: that they don't offer protection at all. As for L4 level, it's hard to find a better solution than OVH.

    Don't know for now about them... Can't say anything.

    Missing providers:

    to be clear to me it is right now #1 DDoS protection budget provider in Europe for L4-L7. Used them for year, no issues, downtimes, performance degradation and so on. Very quality in terms of hardware and offered features provider. Just try them, they are in your budget.

    Worse than blazingfast, same shit like blazing fast with customized filters, nothing special, can't recommend.

    online.net DDoS protection - stay away from them, not good at all.

    poland DDoS protection (forgot provider name) for ts3 servers not bad, for everything more serious - bad.

    Link11 -> good provider with good DDoS protection. (overpriced as for me, but maybe you will find a good reseller)

    SeFlow -> good provider with good prices in 2017, don't know what happened now with them... Did not saw...

    Important

    this is just MY and MY FRIENDS experience, this is totally subjective, don't want to offend or thread or blame any provider. Just sharing my personal opinion and experience in hope that maybe someone it will help. But the best thing what you can do, try to go through the road by yourself. Because very bad providers for me, at the same time are very good providers for some of my friends, and vice versa.

  • Set up your own Layer 7 filtering system. Try testing vDDoS Proxy Protection :)

  • deluxe Member
    edited January 2018

    @Neoon said:
    thats your own fault

    And he can solve it by paying for a L7 reverse proxy service that terminates TLS, does the dirty work, makes him sleep well at night, provide his customers with uninterrupted service and pisses-off random people who can't stand the thought of TLS termination outside of the end server (which is not owned or physically accessed by the service provider, but the TLS weirdo does not care for such things - because he trusts the box provider but not the reverse proxy provider because reasons).

  • Looks very good. Has someone tried it? Any reviews?

  • Neoon Community Contributor, Veteran

    @deluxe said:
    And he can solve it by paying for a L7 reverse proxy service that terminates TLS, does the dirty work, makes him sleep well at night,

    Well, you do expose the private data between another company, that makes you sleep well?

    but the TLS weirdo does not care for such things - because he trusts the box provider but not the reverse proxy provider because reasons).

    My point was about not breaking a TLS connection, because it does exist to provide end to end transport encryption.
    It's there for a reason.

    Obviously you have to trust your provider, if you do not trust your provider, you will not run anything there.

  • deluxe Member
    edited January 2018

    @Neoon said:

    @deluxe said:
    And he can solve it by paying for a L7 reverse proxy service that terminates TLS, does the dirty work, makes him sleep well at night,

    Well, you do expose the private data between another company, that makes you sleep well?

    I am paranoid, in the sense that I understand what security means and not gloss it around. Still if I want to do anything as a service, I have to trust my hosting provider (since I don't really have the means to own a DC). If I am making THAT concession, it's not a far leap to trust 2 providers instead of one. Obviously, I pick big providers because they don't have incentives to snoop around and I assume they have internal procedures that log everything so that's an incentive for their (bored?) employees to not snoop around for kicks and giggles either. At least compared to a single-person shop.

  • Blazingfast_IO Member, Host Rep

    @desperand said:

    One of the best support team what I have ever seen ever. Response mega fast, very informative, helpful and so on. Only positive emotions related to their support, plus not a bad price. But! Service quality and uptime to be clear - bad. I tried them in different periods of time and did not try yet at the end of 2017 and 2018, but when they were with Voxility network with extra filtering provider -> they were really bad. They offer L7 / L4 DDoS protection, their L7 DDoS protection not bad, plus they have custom filters and so on. As I remember, they have out the box much better protection if compare to any other provider built on Voxility network or pschihz network.

    Thank you for the review. We are not using Voxility anymore; we decided to invest in our own protection and it has been great overall! If anyone wants to test our services, request a trial of the webhost plan or VPS. :)

  • Clouvider Member, Patron Provider

    @SplitIce you’re wasting your time with @Neoon.

  • Neoon Community Contributor, Veteran

    @Clouvider said:
    @SplitIce you’re wasting your time with @Neoon.

    Evolution, nature is magnificent.

    Took a bit... 23 days but still, Clouvider is back!

  • 6ixth Member
    edited February 2018

    @Neoon said:

    @SplitIce said:
    @Neoon if you want mitigation of Layer 7 attacks (beyond what one single server can take) someone is going to have to be able to decode at best (encode likely) your traffic. Unless of course you have significant funds.

    It's all about trust at the end of the day, if you don't trust your network and hardware providers your security is moot regardless. Physical access defeats all security.

    On the plus side if it's just Layer 4 you can always do TCP forwarding. If supported by the filtering solution.

    Well, obviously, since it's encrypted, the thing is, if someone is abusing your search function with a GET request or post, whatsoever, why did you not put a cooldown on it?

    Every resource intensive thing in your application should at least have a cooldown to prevent that.

    I guess if someone does a Layer 7 STYLE attack, you may see also invalid requests, it may look like a valid GET/POST but for your application it's nonsense, since they end in 404. Then just block it?

    It's just a fix for a person who is a lazy fuck, and it even breaks TLS. no.

    It's not that easy to block Layer 7 floods. My current setup is a Lua module on nginx that blocks in iptables based on the following things.

    • Total allowed requests amount per request
    • Single resource request amount
    • Connections amount
    • Netstat checks

    If they breach certain of those limits, they are banned up to 4 times before permanently blocked. The ban duration before that is ban time x ban score = ban duration. The score goes up to 4.

    It can handle up to a 200K R/S flood which is botnet level on a single E3 processor so works great and works in tandem with nginx-cookie pages, it's more of a protection layer in case somebody has jsbypass etc.

    Also, before anyone asks what script this is, it's private.

    Back to the actual topic, HyperFilter takes the cake for both Layer 7 & 4 protection. X4B is also a very good provider however I haven't personally used them so I can't recommend them but I've spoken with X4B and he's knowledgeable so I'd assume his product is the same.
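
Added example, not part of the thread and not 6ixth's private script: a minimal Python model of the escalation rule described in the post above (ban duration = ban time x ban score, score capped at 4, then a permanent block), driven by a per-IP total limit and a per-IP single-resource limit. Every threshold, the `BanTracker` class and the sample traffic are assumptions; the connection and netstat checks and the iptables call are left out. The second replay shows the objection SplitIce raised earlier in the thread: a flood spread over thousands of addresses never trips a per-IP limit.

```python
from collections import Counter, defaultdict, deque

# All thresholds are assumed values for illustration; the post gives none.
WINDOW = 10            # seconds of history kept per IP
MAX_TOTAL = 50         # requests per IP per window, any path
MAX_PER_RESOURCE = 20  # requests per IP per window to one path
BAN_TIME = 60          # base ban in seconds
MAX_SCORE = 4          # from the post: the score goes up to 4


class BanTracker:
    def __init__(self):
        self.hits = defaultdict(deque)   # ip -> deque of (timestamp, path)
        self.score = defaultdict(int)    # ip -> number of bans so far
        self.banned_until = {}           # ip -> time the current ban ends
        self.permanent = set()

    def check(self, ip, path, now):
        """Return 'allow', 'banned' or 'permanent' for one request."""
        if ip in self.permanent:
            return "permanent"
        if self.banned_until.get(ip, 0) > now:
            return "banned"
        q = self.hits[ip]
        q.append((now, path))
        while q[0][0] <= now - WINDOW:   # drop hits older than the window
            q.popleft()
        same_path = sum(1 for _, p in q if p == path)
        if len(q) > MAX_TOTAL or same_path > MAX_PER_RESOURCE:
            return self._punish(ip, now)
        return "allow"

    def _punish(self, ip, now):
        self.hits[ip].clear()
        if self.score[ip] >= MAX_SCORE:  # already banned 4 times
            self.permanent.add(ip)
            return "permanent"
        self.score[ip] += 1
        # ban duration = ban time x ban score, as described in the post
        self.banned_until[ip] = now + BAN_TIME * self.score[ip]
        return "banned"


def replay(tracker, events):
    """Feed (timestamp, ip, path) tuples through the tracker; count verdicts."""
    return Counter(tracker.check(ip, path, ts) for ts, ip, path in events)


def demo():
    # Constructed traffic: one noisy client, then a spread-out flood.
    single = [(0, "198.51.100.7", "/search")] * 25
    spread = [(0, f"10.0.{i // 250}.{i % 250}", "/search")
              for i in range(5000) for _ in range(10)]
    return replay(BanTracker(), single), replay(BanTracker(), spread)
```

In the constructed traffic the single client is banned on its 21st request, while all 50,000 requests of the spread-out flood are allowed, so per-IP counters need a second signal (global per-resource load, cookie or JS challenges) to catch that case.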

  • SplitIce Member, Host Rep

    @Clouvider said:
    @SplitIce you’re wasting your time with @Neoon.

    All good I was enjoying a rather pleasant beer at that time. No time being wasted :)

    Thanked by 1 Clouvider
  • LordSpock Member, Host Rep

    X4B is golden, happy to say that it has stopped any of these attacks. Sucuri is also good from my previous experience.

    Hyperfilter advertise on suspicious websites and I don't think that would be good for any client looking to stay legit.

    CloudFlare is my favourite personally and I don't think it could be beat any time soon (LET use them for a reason!).

    Incapsula is great but will be out of your budget.
