    When owning a Dedicated Server with no DDOS protected IP...

    Dillybob Member
    edited July 2015 in General

    You usually tunnel to it using a GRE tunnel, right? (Cannot really think of the point of having 1 with no protection)

    If not, what's the average amount of flooding that you experienced before being null routed?

    Please say the provider's name and what speeds your network/node sustained before the null.

    If the future of the webhosting industry is dictated by a corporate title tag.. we have a HUGE issue. Help make it stop by boycotting WebHostingTalk

    Comments

    • AlexBarakov Member, Provider

      Pretty much, any reasonable provider would null a little over 1gbps (considering you've purchased 1gbps port, which is the most common one atm). Otherwise the overusage fees would most likely be huge.

      AlphaVPS - OpenVZ and KVM, DDoS Protected VPS in London, UK | Sofia, BG | Nuremberg, DE | NYC, US and LA, US. Cheap Dedicated servers with fast delivery!

    • Dillybob Member
      edited July 2015

      AlexBarakov said: Otherwise the overusage fees would most likely be huge.

      Hmm. I'm a little worried about this. What would happen if you just paid them via PayPal and didn't set up automatic billing with them? Could they technically sue you for extra bandwidth usage if you don't pay the overusage fees? Or would they basically send you an invoice? What exactly happens when it gets to that point? I'm guessing the user agrees to that when signing up, right?


    • Dillybob said: Hmm. I'm a little worried about this. What would happen if you just paid them via PayPal and didn't set up automatic billing with them? Could they technically sue you for extra bandwidth usage if you don't pay the overusage fees?

      Yes. You owe it to them.

      vrtz.net Cheap VPS Servers Offers - now with EXCLUSIVE offers! (all links are aff links)
      $12/year HostUS Deal (768MB RAM+768MB vSwap) | $11.29/year GestionDBI Deal (768MB RAM)

    • KuJoe Member, Provider

      Most data centers will tell you the overage costs up front either in their agreement or in their billing system, the good ones even have automated alerts when you reach XX% of your monthly bandwidth.

      I've seen a lot of data centers send client accounts to collections, hold data hostage, and in extreme cases they'll resort to small claims court for bandwidth overages. In most cases the data centers are willing to work with the client if the overage is extreme also.

      It's also a really good idea for clients to monitor their own bandwidth also so they can see when they are getting close to their monthly limit or if the data center's bandwidth monitor is off you can contest it (I really should take my own advice on this, none of my personal servers have my own bandwidth monitors on them).

      -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, OR, TX, and AZ
      Need backup space? Check out BackupDragon
    • KuJoe said: I've seen a lot of data centers send client accounts to collections, hold data hostage, and in extreme cases they'll resort to small claims court for bandwidth overages. In most cases the data centers are willing to work with the client if the overage is extreme also.

      So, when a provider is null routing, it's actually helping their client's pockets. I didn't think of it that way before. It does make a lot more sense. In essence, a null route is actually a way of a provider showing compassion towards a client. Because what if a systems admin didn't like a certain client and saw the flood start to happen? The flood didn't affect other nodes on that network, so he just let that flood keep going and going, racking up an insane amount of overage charges.. I know this seems like it would never happen, but do you think someone hasn't ever done this before? (Imagine Jonny or someone with that kind of personality running a DC or renting out dedi servers).

      However, they are null routing the ip to protect other clients on the network too, right? So it's kind of a win win I'm guessing.

      I am just afraid of buying the dedi, and getting hit with some stupid hackforum ddos stress tester site and boom, it's over. That's why I'm thinking of doing a GRE tunnel through BuyVM to a main dedicated or just within BuyVM.


    • Dillybob said: The flood didn't affect other nodes on that network, so he just let that flood keep going and going, racking up an insane amount of overage charges.. I know this seems like it would never happen, but do you think someone hasn't ever done this before? (Imagine Jonny or someone with that kind of personality running a DC or renting out dedi servers).

      They have no guarantees that the debt that will be generated will be paid for.


    • KuJoe Member, Provider

      I've seen a "data center" go out of business because of bandwidth overages before. Nothing surprises me any more.

    • HTML Member

      I have a dedi server (with no DDoS protection) and 2 VPSes, both with DDoS protection, so how can I use one of those DDoS-protected VPSes to forward all requests (all ports) to the dedi server? I tried iptables but I am getting an error "can't initialize iptables table nat'". Does that mean I can't do it because NAT is disabled at server level where the VPS is hosted?

      Is there any other way to achieve it? I want all ports' traffic to be forwarded instead of just HTTP.

    • @HTML said:
      I have a dedi server (with no DDoS protection) and 2 VPSes, both with DDoS protection, so how can I use one of those DDoS-protected VPSes to forward all requests (all ports) to the dedi server? I tried iptables but I am getting an error "can't initialize iptables table nat'". Does that mean I can't do it because NAT is disabled at server level where the VPS is hosted?

      Is there any other way to achieve it? I want all ports' traffic to be forwarded instead of just HTTP.

      That error would be because you're on OpenVZ and the OpenVZ iptables NAT module wasn't loaded; I found that out recently.

      And furthermore, @dillybob, try Cloudflare if you are that afraid.

      CubeData FraudRecord Module: https://cubedata.net/fraudrecord OpenNebula module: https://cubedata.net/opennebula now for blesta & whmcs

    • HTML Member

      @timnboys said:
      That error would be because you're on OpenVZ and the OpenVZ iptables NAT module wasn't loaded; I found that out recently.

      Is there any way to fix it from my OpenVZ VPS? Or can only the server/node admin do it? I heard it's because of the custom kernel that VPSes use.

    • @HTML said:
      Is there any way to fix it from my OpenVZ VPS? Or can only the server/node admin do it? I heard it's because of the custom kernel that VPSes use.

      Well, the server/node admin can do that; you cannot, though, because it requires accessing the node and changing the kernel settings for OpenVZ.

      I was able to fix it as I have my own nodes that I have root access to fix all of this.

      But anyway, just contact your provider and see if they will enable it.
      Otherwise, if they won't, you're mainly sunk, as there is no way to fix it outside of editing the kernel config for OpenVZ on the node itself.


    • HTML Member

      @timnboys said:
      Otherwise, if they won't, you're mainly sunk, as there is no way to fix it outside of editing the kernel config for OpenVZ on the node itself.

      Oh OK, thanks for the detailed response. I will contact them, and if they can't, I can get a cheap small DDoS-protected VPS that renews annually with less resources. If I am doing it for packet forwarding, it doesn't need a high-config VPS, right? Just good bandwidth is necessary?

    • @HTML said:
      Oh OK, thanks for the detailed response. I will contact them, and if they can't, I can get a cheap small DDoS-protected VPS that renews annually with less resources. If I am doing it for packet forwarding, it doesn't need a high-config VPS, right? Just good bandwidth is necessary?

      Okay, well, first of all let me just explain what I understand you are trying to do.
      It seems to me that you are trying to proxy all traffic through the DDoS-protected VPS, correct? If that is correct, then what you need is, of course, enough resources that the proxy server or system or whatever you're using to proxy the traffic doesn't choke.
      Furthermore, it would be best if you had enough bandwidth to cover all of the traffic coming through, including until either the VPS's DDoS protection activates or the IP is null routed, depending on how the DDoS protection of the VPS works. For example, on my OVH nodes some people have actually had some DDoS coming into the VPS (not going out; if you are sending or doing DDoS, that is another issue and probably wouldn't be tolerated by any provider). Anyway, if the DDoS comes to one of the VPSes on my OVH nodes, OVH's DDoS protection automatically steps in and stops the DDoS, and then goes back onto "standby" when the DDoS attacks stop, waiting for the next DDoS attack to take action again.
      Anyway, I would recommend maybe getting a DDoS-protected VPS with a provider with OVH nodes, as I think OVH has the best DDoS protection for a lowend price (well, at least they do on SoYouStart, where I have my OVH nodes from).
      Anyway, I could offer you an OVH DDoS-protected VPS; just open a ticket here:
      https://my.cubedata.net/client/plugin/support_manager/client_tickets/add/1/

      Anyway, I hope my page-long response helps you out with your question.


    • HTML Member

      @timnboys said:
      Anyway, I hope my page-long response helps you out with your question.

      Yes, that's right, I was trying to do that. Is OVH and SYS DDoS protection better than Kimsufi (an OVH company)? I had many DDoS attacks on my Kimsufi server 2 months ago and they were unable to handle it and provide me any support. Then I searched Google and found that OVH can't detect the DDoS attacks if they are coming from internal servers, so someone on OVH servers can DDoS another OVH user without getting detected? I don't know what kind of attack that was, but it was eating the whole 100mps that was given to me by Kimsufi. I tried CSF and different methods but still was unable to stop it.

    • @HTML said:
      Yes, that's right, I was trying to do that. Is OVH and SYS DDoS protection better than Kimsufi (an OVH company)? I had many DDoS attacks on my Kimsufi server 2 months ago and they were unable to handle it and provide me any support. Then I searched Google and found that OVH can't detect the DDoS attacks if they are coming from internal servers, so someone on OVH servers can DDoS another OVH user without getting detected? I don't know what kind of attack that was, but it was eating the whole 100mps that was given to me by Kimsufi. I tried CSF and different methods but still was unable to stop it.

      I would believe so, as OVH and SYS are the higher tier of OVH's services, as Kimsufi is the lower, first tier of their services.
      SYS and OVH are pretty much alike, in the sense that SYS has more capabilities, like for example more than one IP, etc.
      Also, SYS said, if I am not wrong, that they guarantee 250mbps on all of their dedicated servers, so it isn't exactly 1gbps like I was expecting, but hey, it has been working fine though.

      So yes, to answer your question, I would guess so, since SYS and OVH are about on the same tier with no tier left to climb to, as Kimsufi is just the baby, if you want to call it that, compared to SYS and OVH.


    • HTML Member

      @timnboys said:
      So yes, to answer your question, I would guess so, since SYS and OVH are about on the same tier with no tier left to climb to, as Kimsufi is just the baby, if you want to call it that, compared to SYS and OVH.

      Thanks for the detailed replies, Tim! My love for LET is increasing every day by learning new things every day. I should have joined LET earlier!

    • FrankZ Member

      @HTML By the by. IPtables can forward the protected VPS IP to the unprotected one, but you will also need a tunnel between the two, and routing table entries on the unprotected VPS to send the traffic back out through the protected VPS's IP.
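
The three pieces FrankZ lists (a tunnel, iptables forwarding on the protected VPS, and routing entries on the unprotected server so replies leave through the protected IP) are sketched here as an added example that is not part of the thread or of any provider's guide. The addresses are constructed documentation values, and the interface name `gre1`, routing table 100, the tunnel subnet and the function names are assumptions; the script only prints commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example. Addresses are constructed documentation values; gre1, table 100
# and the 10.255.0.0/30 tunnel subnet are assumptions, not values from the thread.
PROT_PUB=${PROT_PUB:-192.0.2.10}      # public IP of the DDoS-protected VPS
BACK_PUB=${BACK_PUB:-198.51.100.20}   # public IP of the unprotected dedicated server
TUN_PROT=${TUN_PROT:-10.255.0.1}      # tunnel address on the protected VPS
TUN_BACK=${TUN_BACK:-10.255.0.2}      # tunnel address on the dedicated server
SSH_PORT=${SSH_PORT:-22}              # stays on the VPS so admin access is kept

# Protected VPS: tunnel, forwarding, and DNAT of TCP/UDP to the backend.
# GRE itself (IP protocol 47) is not matched by the tcp/udp rules, so tunnel
# packets are not redirected. Inbound traffic is not source-NATed, so the
# backend still sees the real client address.
protected_cmds() {
cat <<EOF
ip tunnel add gre1 mode gre local $PROT_PUB remote $BACK_PUB ttl 255
ip addr add $TUN_PROT/30 dev gre1
ip link set gre1 up
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d $PROT_PUB -p tcp ! --dport $SSH_PORT -j DNAT --to-destination $TUN_BACK
iptables -t nat -A PREROUTING -d $PROT_PUB -p udp -j DNAT --to-destination $TUN_BACK
iptables -A FORWARD -o gre1 -d $TUN_BACK -j ACCEPT
iptables -A FORWARD -i gre1 -s $TUN_BACK -j ACCEPT
EOF
}

# Dedicated server: tunnel plus policy routing, so anything sourced from the
# tunnel address goes back out through the protected VPS, not the local uplink.
backend_cmds() {
cat <<EOF
ip tunnel add gre1 mode gre local $BACK_PUB remote $PROT_PUB ttl 255
ip addr add $TUN_BACK/30 dev gre1
ip link set gre1 up
ip rule add from $TUN_BACK table 100
ip route add default via $TUN_PROT dev gre1 table 100
EOF
}

# Fails on containers where the node has not enabled the nat table, which is
# the "can't initialize iptables table nat" case discussed in the thread.
nat_available() { iptables -t nat -L -n >/dev/null 2>&1; }

# $1 = protected | backend. Prints the plan; executes it only when APPLY=1.
run_plan() {
  if [ "${APPLY:-0}" = 1 ] && [ "$1" = protected ] && ! nat_available; then
    echo "nat table unavailable: ask the provider to enable it" >&2
    return 1
  fi
  "${1}_cmds" | while IFS= read -r cmd; do
    if [ "${APPLY:-0}" = 1 ]; then sh -c "$cmd" || return 1; else echo "+ $cmd"; fi
  done
}

case "${1:-}" in
  protected|backend) run_plan "$1" ;;
esac
```

Run it as `sh plan.sh protected` on the VPS and `sh plan.sh backend` on the dedicated server to review the commands before applying them.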

    • HTML Member

      @FrankZ said:
      HTML By the by. IPtables can forward the protected VPS IP to the unprotected one, but you will also need a tunnel between the two, and routing table entries on the unprotected VPS to send the traffic back out through the protected VPS's IP.

      Can I send all types of packets through all ports, not only HTTP? And will I be able to get the real IP of the user? I heard nginx and LiteSpeed servers can do reverse proxy, but they only forward HTTP traffic.

    • NexHost Member
      edited July 2015

      KuJoe said: It's also a really good idea for clients to monitor their own bandwidth also so they can see when they are getting close to their monthly limit or if the data center's bandwidth monitor is off you can contest it (I really should take my own advice on this, none of my personal servers have my own bandwidth monitors on them).

      I had 30 machines with LSN several years ago. Had 1 box not use anywhere close to the amount of bandwidth I had. But due to the estimated bandwidth usage being so high, they decided to charge me a $12,000 overage fee and shut down every single machine..

      So now I'm in a $12,000 + Debt with LSN.

    • @jmckeag12 said:
      So now I'm in a $12,000 + Debt with LSN.

      Trolling or serious? Proof? (s/s of collections or something)


    • FrankZ Member
      edited July 2015

      HTML said: Can I send all types of packets through all ports, not only HTTP? And will I be able to get the real IP of the user? I heard nginx and LiteSpeed servers can do reverse proxy, but they only forward HTTP traffic.

      Yes. If you need help, PM me and I will set you up, as setting it up the first time, if you are unfamiliar with it, can be kind of a PITA. That may be why many just suggest Cloudflare.

      EDIT: You will need a KVM or OpenVZ with GRE enabled for it to work.

    • Dillybob Member
      edited July 2015

      HTML said: Can I send all types of packets through all ports, not only HTTP? And will I be able to get the real IP of the user? I heard nginx and LiteSpeed servers can do reverse proxy, but they only forward HTTP traffic.

      Yeap, even the websockets <3 GRE Tunneling

      Edit: Cloudflare doesn't support websockets, that's why I cannot use it :(


    • @Dillybob said:

      Trolling or serious? Proof? (s/s of collections or something)

      Being serious..

      They won't even get back to me anymore. So if you can get a rep to check against my name, they can confirm it. Why would I be trolling?

    • madtbh Member

      Try using a GRE Tunnel, BuyVM have a good write up @ http://wiki.buyvm.net/doku.php/gre_tunnel

    • HTML Member

      @madtbh said:
      Try using a GRE Tunnel, BuyVM have a good write up @ http://wiki.buyvm.net/doku.php/gre_tunnel

      Thanks for sharing! So NAT is necessary for GRE tunneling, right?

    • @jmckeag12 said:

      $12,000 seems like a small claims court type of deal, have they gone that far? What have they done to you, like legally? Or have they just told you over WHMCS invoices? :P


    • NexHost Member
      edited July 2015

      @Dillybob said:
      $12,000 seems like a small claims court type of deal, have they gone that far? What have they done to you, like legally? Or have they just told you over WHMCS invoices? :P

      I'm not sure how much the debt is. It was either $12,000 or to upgrade the bandwidth allocation. So they were forcing me to upgrade it by 10TB additional traffic, but there was no option there as it was 2TB away from resulting in overages. Would have rather had them shut that machine offline, but they would not.

      Anyway it's over and done with. we are talking 8 years ago and Bandwidth was costly back then.

    • madtbh Member

      @HTML said:
      Thanks for sharing! So NAT is necessary for GRE tunneling, right?

      NAT is used to pass data over the GRE Tunnel.

    • HTML Member

      @madtbh said:
      NAT is used to pass data over the GRE Tunnel.

      Thanks for explaining

    • catalystium Member
      edited July 2015

      Just did a GRE tunnel yesterday on a BuyVM OpenVZ VPS, had to contact support to have them enable that part (iptables nat). Something about it being a bug in OpenVZ and they can enable it with a reboot for you.

      LowEndHelpDesk | Find help to simple questions :-)

    • Francisco Top Provider

      @catalystium said:
      Just did a GRE tunnel yesterday on a BuyVM OpenVZ VPS, had to contact support to have them enable that part (iptables nat). Something about it being a bug in OpenVZ and they can enable it with a reboot for you.

      Half true, it's actually a Stallion bug where it isn't getting applied at provision time - sorry!

      Francisco

      BuyVM - Dedicated KVM Slices / Anycast Support! / Stallion Control Panel / Windows 2008, 2012, & 2016! / Unmetered Bandwidth!
      BuyShared - Shared & Reseller Hosting / cPanel + Softaculous + CloudLinux / Pure SSD! / Free Dedicated IP Address
    • raza19 Member

      You can also use haproxy to forward almost everything from your DDoS-protected VPS to the dedi, thereby keeping the identity of your dedi a secret. However, you must be watchful, e.g. ensure your other services do not give your dedi IP away. I've seen it happen with transactional email, where the actual dedi was hidden using a DDoS-protected dedi but the attacker identified the real dedi IP in minutes. So, be careful. This implementation requires a little finesse.

      We are star-stuff. We are the Universe, made manifest, trying to figure itself out.
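
One way to check for the leak raza19 describes, as an added example that is not part of the thread: send yourself one of your own transactional emails, save the raw message, and list the header fields that contain the dedicated server's address. The message and addresses below are constructed, and `leaking_headers` and `sample_message` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Prints the name of every header field of the message on stdin
# that contains the given IPv4 address as a whole token. Folded (continuation)
# header lines are joined first; the message body is ignored.
leaking_headers() {   # $1 = public IP of the backend server
  awk -v ip="$1" '
    function hit(s,   re) {
      re = ip; gsub(/[.]/, "[.]", re)            # match the dots literally
      # Require a non-digit, non-dot boundary so 198.51.100.20 does not
      # match inside 198.51.100.200.
      return s ~ ("(^|[^0-9.])" re "($|[^0-9.])")
    }
    function flush() { if (name != "" && hit(val)) print name; name = ""; val = "" }
    /^$/     { flush(); exit }                   # blank line ends the headers
    /^[ \t]/ { val = val " " $0; next }          # folded continuation line
             { flush(); i = index($0, ":")
               name = substr($0, 1, i - 1); val = substr($0, i + 1) }
    END      { flush() }
  '
}

# Constructed sample: the relay recorded the sending host's address in a folded
# Received header; X-Originating-IP holds a different, similar-looking address.
sample_message() {
cat <<'EOF'
Received: from app01.example.net (app01.example.net
 [198.51.100.20]) by mx.example.org with ESMTPS;
 Tue, 07 Jul 2015 10:00:00 +0000
X-Originating-IP: [198.51.100.200]
From: shop@example.net
Subject: Your receipt

Order shipped from 198.51.100.20
EOF
}

# Usage: leaking_headers 198.51.100.20 < saved-message.eml
```

Any field name it prints means recipients can read the backend address from that mail; sending through a relay that is not the backend host is the usual fix.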

    • @Francisco said:
      Francisco

      Gotcha, just went by what support said :-P.

