Review of DDoS Mitigation Solutions/Providers

Hi,

There are a lot of service providers out there offering DDoS mitigation solutions in the VPS hosting space. I have used many of them - and am constantly evaluating new ones to determine their effectiveness. I wanted to share my experience and offer this review for the benefit of the community. As I make new observations over time, I may update this - consider this version 1.

First, some background... I run primarily DNS, Web, and Mail services so my review is limited to these protocols - if you are running something else, this review may not be as useful. For me, the DNS servers get attacked a lot more than the Web or Mail servers - as a result, this review will be slanted towards the ability of mitigation providers to mitigate UDP attacks. It should be noted that DDoS attacks can vary greatly - some hit at layer 7 and others hit lower - some hit at multiple layers - some are big (and hence noticed immediately) and some are small (come in small enough that they don't trigger auto-mitigation right away) but big enough to consume lots of server resources. I spread my VPS nodes out across multiple providers - this does a couple things that are noteworthy: 1) it increases the attack surface since there are more addresses to attack (dividing the attack size), 2) there are more data centers/equipment/NICs/routes soaking up the attack and 3) it puts you in a unique position to gauge mitigation effectiveness since you can look and see which nodes are still up and running during an attack. If you are able to host your application on multiple providers like this, I highly recommend it - it makes it more resilient to attacks and it also helps you sort through scenarios where one provider immediately null routes claiming a 75Gbps attack and the other tells you the attack was small or that there was no attack at all (i.e. spot the BS more easily). So you are probably asking yourself "why does this guy get attacked so often?" "why do people dislike him so much?" - they are not attacking me personally - they are attacking my customers - and I have lots and lots of customers - enough that I receive attacks every couple months - for years.

So what do you want to look for when shopping DDoS mitigation solutions (in the context of DDoS protected VPS hosting)? Mitigation providers have limits (that they should publish) - there are two limits that are important: 1) how many Gbps and 2) how many PPS before they null route your address. In other words, once the attack size goes above these limits - they are going to blackhole your traffic to protect their infrastructure. However, in the VPS space, it's not quite that simple a lot of the time when it comes to limits because the advertised limits are either 1) an aggregate limit that applies to all of the hosting provider's customers (less expensive) or 2) a dedicated limit set aside specifically for your account (more expensive) - you should ask which it is. When the hosting provider is advertising 400Gbps protection for your VPS starting at $5/month - it's a safe assumption that this is a shared pool of protection for all of their customers. These DDoS attacks can be very large - even for a medium size hosting provider they can cause major problems for their infrastructure. As a result, a lot of them (the small to medium sized ones) outsource that aspect to a provider who specializes in DDoS. This is typically done via two methods - 1) the hosting provider allows you to purchase an add-on IP that routes through the mitigation provider via some GRE tunnel or 2) the VPS provider simply colocates their gear at a DC where the DC network is run by a mitigation provider. Both of these scenarios can work great, just keep in mind that this typically means whatever limits they have published are shared for all VPSes. So to summarize you want to ask:

1) Do these limits apply for just me or are these shared for all of your customers?
2) Do these limits apply for each data center where you offer service or across all of your data centers?
3) Are you using a 3rd party for mitigation? If so whom?
4) Do the limits/mitigation-techniques vary by mitigation provider/location/data center? If so, what are those differences?
5) If you are doing filtering in-house, what gear are you using? How much bandwidth do you have provisioned? How often do you receive attacks?
6) Once an attack goes over the limits, how long does the null route remain in place?

Limits are not the only thing that matters. Let's define DDoS filtering on a spectrum of ideal to terrible. The ideal scenario is that all good traffic is let through seamlessly and all bad traffic is stopped before it ever reaches your server. The terrible scenario can either be that the filter kicks in and starts blocking all traffic - both good and bad or, it simply lets through most or all of the bad traffic. Most DDoS providers fall somewhere between these two. You need to get an idea about where your provider falls before an attack. You really need to understand how they deal with attacks specifically targeting your application. Let's say you are running a Mail server - how do they go about blocking bad connections on port 25 and letting good ones through (maybe they have no plan at all)? If they are running filtering in-house - they should have answers. If they are outsourcing, they should at least be able to refer you to where you can get answers - or better yet get them for you from the provider they are using. Don't wait until you are attacked to find out that the first thing they do during an attack is drop all UDP traffic and you are running a name server - they might as well just null route your address at this point - any limits they have are irrelevant if they are totally ill-prepared to handle an application layer attack targeting your application.

Ok - finally on to reviewing providers. Rather than point out VPS providers that I dumped because they sucked before or during attacks (there are many), I will mostly just stick to options that I think are good.

Cloudflare
Ever see that commercial from that office supplies vendor that has that big red "Easy" button that you can hit and simply solve the problem? Cloudflare is probably the closest thing to an Easy button in the DDoS mitigation space. I should point out that Cloudflare has competitors like Amazon selling their own Easy buttons - I just like Cloudflare the most. If all you are trying to protect are some web sites that you run - do yourself a favor and at least consider hitting the CF Easy button. Even when I do not use their reverse proxy service, their DNS service is fast and resilient to attacks with its anycast design. But BEWARE... there is a big fat caveat that many fail to consider when considering/using CF (or CF competitor) - while a DDoS against CF will be very difficult - they don't have to - the attacker can just use the backdoor - they only need to figure out where the origin server(s) are - then they can just bypass CF altogether and take you out. How? Is there something on your web site that will result in an email being sent to end-users? Any DNS records out there that reference your web server (i.e. scenario where the web server and mail server address is the same)? You need to make sure there is no way the attacker can figure out where the origin server(s) are - it can be trivial for them to figure this out - if they do, using CF will not help you since they will just take the path of least resistance. Of course, you can't always use CF due to requirements - which is too bad (no easy button for you) - it is in these scenarios that this review is mostly useful.

Voxility
There are a lot of VPS hosting providers whose DDoS solution is to route your traffic through Voxility's network. I can tell you that Voxility does a very good job of filtering DDoS attacks - they are impressive because they can take on big attacks and even more so because of their ability to magically filter out the bad traffic for application layer attacks. My favorite VPS provider using Voxility for DDoS so far is BuyVM (just wish BuyVM would add support for Paypal subscriptions so I didn't have to be on the lookout for their email invoices). With BuyVM, Voxility filtering is provided via an add-on protected IP. I have also tried BlazingFast (not terrible) and just fired up some nodes with UltraVPS (not enough experience to render a verdict). Unfortunately, I have also used quite a few VPS hosting providers that have their gear at Voxility (especially the DC in Romania), that despite having a great filtering network like Voxility, provide subpar service. Know of a good VPS provider using Voxility? Let me know - I may give them a shot and see how they do when it matters most.

BlackLotus
There are not as many VPS hosting providers offering to route your traffic through the BL network - and that's too bad since they also do a great job of filtering DDoS attacks. Honestly, it's a toss up between Voxility and BlackLotus - sometimes one does better than the other, but both are very good. My favorite VPS provider using BL is Ramnode (I really like Ramnode). Strangely, I have tried other providers like Globalfrag who utilize BL some - including VPS providers over there like Clamhost and Raptornode and have not experienced the same results (I should point out here that this is based on UDP application layer attacks). I am on the lookout for another VPS provider who can offer Ramnode like service/pricing with BlackLotus protected IPs - let me know if you know of them so I can see how they fare during attacks.

OVH
I am sure others have had a different experience than me, but I hate dealing with OVH directly - their customer service has always SUCKED big time for me. That being said, the OVH VAC system does an admirable job at DDoS mitigation - it does block more good traffic than I would like, but it is an incredible value IMO. Despite my negative experiences dealing with OVH, I give them props for taking a firm stance on DDoS and protecting their whole network - you have to respect that. Also, even though I still have several nodes at OVH (where I directly deal with OVH), all new nodes I have been creating with LunaVPS - and those guys rock! You get OVH VAC protection, good support, and I have noticed for whatever reason that during attacks, the LunaNode VPS instances hold up better than the OVH VMware ones - go figure. There are lots of VPS providers reselling OVH - I have tried several - but none come close to LunaNode for my needs at least. I am sure there are some other ones as well - feel free to point out.

Staminus
I have used a couple VPS providers selling Staminus protected IPs. For Staminus, I only have experience with them mitigating DNS application layer attacks (no HTTP GET flood experience for example). In this role, they support DNS truncation for example - but I personally found their auto-mitigation not all that great - I had to run in constant filtering mode - which adds latency. Ramnode used to use them, but switched to Blacklotus (a good move in my opinion). Hosthatch uses them - but I did not have a very good experience with them - just dumped those guys. Currently I have no nodes using Staminus nor immediate plans to do so. However, I would be willing to try them again to see if things have improved - especially if someone like Ramnode picked them up - let me know if you know of one.

Rivalhost
These guys do a good job taking on several attacks. They run a lot of filtering in-house. I had a very positive experience and still have one node there. They are a bit pricey - but you are buying dedicated capacity with them - not shared pools of protection. Their support is knowledgeable in dealing with attacks and has direct communication with the makers of their mitigation gear and will work to make sure their network supports your application protection needs.

Firehost
These guys also do a decent job. It's worth mentioning that the first big attack I got while using them took down their whole TX data center for almost an hour - but they made subsequent improvements and did much better on other attacks. They do a good job overall but I left because they started raising their prices which were already pricey - you are buying dedicated capacity with them.

HostVirtual
When I used them, they relied on BlackLotus. These guys are great - awesome support. You will pay more - but you are buying dedicated capacity. The only reason I don't use them anymore is because Ramnode offers BlackLotus (not dedicated capacity limits though) and is much more economical. They went above and beyond on multiple attacks. I would use them again.

Currently I am reviewing the following providers and do not yet have enough experience to render a verdict:

Vultr
So far so good - they are like Digital Ocean (I like DO) except that for 5 of their data centers you get a checkbox to enable DDoS protection during VM creation. According to them this is in beta. I have a node in all 5 of those DCs with DDoS protection enabled, so at some point I will have enough information to report back on how well they do at filtering. So far I really like these guys - would also use for my stuff that does not require DDoS protection.

Psychz Networks
I had one node on a VPS reseller with these guys that was taken out immediately on my last attack (ExtraVM); however, I don't think I gave them a fair shot. I now have 3 nodes (one for each of their DCs) at PhotonVPS (which is a brand that Psychz Networks uses to sell low cost VPS hosting - so not using a reseller this time). I should know more about these guys after I get more attacks.

Incloudibly
Runs in house filtering. Very good pricing. I am not sure what to expect. Will know soon enough. So far so good.

UltraVPS
Resells Voxility as protected IPs. Not as good as BuyVM (kind of slow to set things up - currently waiting on a ticket right now for them to properly set up the Voxility IP), but... you have to remember though that you have to look at the big picture in terms of attack surface. BuyVM and UltraVPS will each have their own limits protection pools with Voxility - the Voxility limits do not increase by buying more VMs with BuyVM, but do if you buy from someone else using Voxility.

TrentaHost
So far, I have to say - these guys seem to suck - they do get back to you quickly - just not with anything useful. One of the DCs they sell in uses CNServers for DDoS - I used to have a node there that was taken out immediately on attack (not a fair assessment since CNServers sucks at mitigating UDP attacks - my bad for choosing them). They recently started selling in 4 of the PhoenixNAP DCs (I colocate in the PhoenixNAP DC in AZ and really like the network there). PhoenixNAP advertises their own in-house DDoS mitigation system which sounds pretty cool when you read their ad verbiage. However, I never run likely attack targets on my colocated gear so I cannot say how well PhoenixNAP does at mitigating attacks. When I saw that TrentaHost was selling KVM VPSes in 4 PhoenixNAP DCs - I decided to give them another shot and bought 12 months worth with a node in the 4 PhoenixNAP DCs that they offer. I have been waiting a week now for them to get my VPSes up so I can login and set them up - every time I inquire they say billing is reviewing my account - I have yet to hear from billing - WTF guys? If anyone knows of a VPS hosting provider with multiple PhoenixNAP locations that is passing on the PhoenixNAP DDoS filtering as part of their VPS solution - please let me know - really anyone other than TrentaHost would be great at this point.

Well - that's it for now. I have often wished that someone could have compared DDoS providers - so I could just read up in one place - so I took it upon myself to do so. I will update my review over time as I find out new things. I welcome any advice/feedback/leads that anyone here has to offer on this.
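
The origin-exposure caveat from the Cloudflare section above, as an added example that is not part of the original post: a self-audit that checks your own zone export and one of your own outgoing messages for places where the origin address is published. The record layout, the `proxied` flag, the hostnames and the addresses are assumptions made for the illustration (constructed sample data using documentation ranges).

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample data. 203.0.113.10 (documentation range) stands in for
# the origin web server that sits behind the reverse proxy.
ORIGIN_IPS = {"203.0.113.10"}

# Hypothetical zone export; "proxied" marks records served through the proxy.
ZONE = [
    {"name": "example.test", "type": "A", "value": "203.0.113.10", "proxied": True},
    {"name": "www.example.test", "type": "CNAME", "value": "example.test", "proxied": True},
    {"name": "mail.example.test", "type": "A", "value": "203.0.113.10", "proxied": False},
    {"name": "example.test", "type": "MX", "value": "10 mail.example.test", "proxied": False},
    {"name": "example.test", "type": "TXT", "value": "v=spf1 ip4:203.0.113.10 -all", "proxied": False},
    {"name": "ns-status.example.test", "type": "A", "value": "198.51.100.7", "proxied": False},
]

# Constructed message of the kind a web site sends to end-users.
SAMPLE_MAIL = """\
Received: from web01.example.test (web01.example.test [203.0.113.10])
\tby mx.recipient.test with ESMTPS; Mon, 01 Feb 2016 10:00:00 +0000
From: noreply@example.test
To: user@recipient.test
Subject: Password reset

body
"""


def audit_origin_exposure(origin_ips, zone, raw_mail=None):
    """Return (kind, detail) findings where an origin address is publicly visible."""
    origins = {ipaddress.ip_address(ip) for ip in origin_ips}
    findings, addr, cname = [], {}, {}
    for r in zone:
        name = r["name"].lower().rstrip(".")
        if r["type"] in ("A", "AAAA"):
            addr.setdefault(name, []).append((ipaddress.ip_address(r["value"]), r["proxied"]))
        elif r["type"] == "CNAME":
            cname[name] = r["value"].lower().rstrip(".")

    def addresses(name, hops=5):
        # Follow CNAMEs inside the zone (bounded, so a loop cannot hang the audit).
        name = name.lower().rstrip(".")
        while name in cname and hops > 0:
            name, hops = cname[name], hops - 1
        return addr.get(name, [])

    # 1) Address records that publish the origin without going through the proxy.
    for name, pairs in sorted(addr.items()):
        for ip, proxied in pairs:
            if ip in origins and not proxied:
                findings.append(("dns-unproxied", f"{name} -> {ip}"))

    for r in zone:
        # 2) Mail exchanger that lives on the same address as the web server.
        if r["type"] == "MX":
            target = r["value"].split()[-1]
            for ip, _ in addresses(target):
                if ip in origins:
                    findings.append(("mx-shares-origin", f"{r['name']} MX {target} -> {ip}"))
        # 3) SPF record that lists the origin, either exactly or inside a CIDR block.
        elif r["type"] == "TXT" and r["value"].lower().startswith("v=spf1"):
            for m in re.finditer(r"\bip[46]:(\S+)", r["value"], re.I):
                try:
                    net = ipaddress.ip_network(m.group(1), strict=False)
                except ValueError:
                    continue  # malformed mechanism, nothing to compare
                if any(ip.version == net.version and ip in net for ip in origins):
                    findings.append(("spf-lists-origin", f"{r['name']} {m.group(0)}"))

    # 4) Received headers of mail the site sends, which record the sending host.
    if raw_mail:
        msg = message_from_string(raw_mail)
        for hop in msg.get_all("Received", []):
            for literal in re.findall(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", hop):
                try:
                    ip = ipaddress.ip_address(literal)
                except ValueError:
                    continue
                if ip in origins:
                    findings.append(("mail-received-header", str(ip)))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_origin_exposure(ORIGIN_IPS, ZONE, SAMPLE_MAIL):
        print(f"{kind:22} {detail}")
```

Each finding is something to move off the origin address (separate mail host, relay for site-generated mail) before relying on the proxy for protection.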


Comments

  • Jonchun Member
    edited February 2016

    Also something to note is with Psychz filtering I've noticed you may experience a couple minutes of downtime on occasion before the filtering kicks in. You can enable permanent mitigation, but it costs extra.

    Your IP being knocked offline immediately might have had to do with this?

    Thanked by 1PhotonVPS
  • CF: Can be bypassed by a lot of booters if you do not purchase the business plan at least.

    Thanked by 1nalply
  • +1 for OVH DDoS Protection. Never have to worry about attacks anymore.

  • Kudos on the review.

    Nice to see one done for DDos filtering companies.

  • Wow, this is real high quality content! Thanks a lot!

  • Can an admin space out the wall of text a bit more so it's easier to read?

    Thanked by 2vpsGOD zafouhar
  • caffeinejolt said: I now have 3 nodes (one for each of their DCs) at PhotonVPS

    Please let me know how this goes :) I have a VPS with PhotonVPS that I'm absolutely loving so far and I'm curious how their 10 Gbps of protection holds up.

  • Waiting to hear more about vultr/choopa mitigation strengths/weaknesses.

    Good content.

  • Good job

    Thanked by 1inthecloudblog
  • I have had experience with a lot of DDoS attacks against my services from 2013 up to the current date. Here are my few cents about each network.

    L3 - L7 (partially)

    1.) Voxility

    Not usable for game-server.
    Because some parts of the network are very good and some parts are very poor. A big part of the players will have no lag, and a bigger part will have a lot of lag and packet loss. These guys do the job very well, really, I like how they tank attacks, but there are a few problems with detection and mitigation. Overall I will mark them at #3 place in my personal top.

    2.) Hosteam.pl

    WTF? Tr1cky told me about them, and I like them a lot. I never went down with them, really, these guys do some amazing custom job. If I have no choice between DDoS mitigation services, I will go back to them. In my personal top, I will mark them at #2 place.

    3.) OVH

    Oles has done a really good job; I always return to these guys when I have no way to mitigate attacks. They always beat any DDoS mitigation solution in quality and in price. My services usually use TCP, and I do not need the rest of the protocols (ICMP / UDP), so I can easily turn them off, and even close all ports and open only a few for my services, and it's more than enough for a large number of DDoS attacks. If I am under forced mitigation, there is no way to take me down. And I like this behavior very much.

    Failures of the mitigation trigger sometimes make me feel bad, and when I get this shit, I usually turn off permanent mitigation and remove all firewall rules from the IP (just to make a big flow of attack and trigger OVH mitigation).

    ===================================

    L7 only

    1.) CF -> will be good, and easy to set up (+ I have custom scripts using their API to force mitigation when I have problems). If you use remote mail services, hide all of your webserver IPs, do not have failures with proxying your images on the forum, and block all unauthorized connections to remote hosts from your server -> you will be safe, but not always. From time to time they have problems with detection of advanced L7 attacks with cookies & JS (not stupid GET / POST requests). And here L7 usually fails.

    2.) blazingfast.io L7 mitigation (these guys have home-built protection). Works very well for me. You need to apply the same rules to the webserver as described above for CF.

    3.) x4b.net. These guys are not really cheap, but still available for my wallet. My website never went down with these guys, I have only AWESOME experience with them against L7 DDoS attacks. As for L3-L4 - my experience is not so good, because a few attacks >40 Gbits/s got my IP nullrouted (at their NL location, where 40gb + 100gb burst is mentioned), but it's ok, because I have a lot of haters who can easily buy a botnet and make very big attacks (up to 100gbit+).

    4.) OVH! You will laugh, but these guys with custom rules on the webserver can save your ass much better than CF in some situations.

    5.) Voxility, not so good against L7 attacks, easy to down with get / post requests.

    6.) Hosteam.pl, not used for web services, but my DDoS protected TS3 server never went down or even lagged.

    Other used networks:

    1.) Psychz Networks, not as good as mentioned by a lot of people here. Went down very easily, good against L7, but bad against L3-L4 DDoS attacks (due to the limited amount of filtering for a good price). Poor network from Europe to their LA location. But a lot of pinoys & asians said: "you have awesome latency & network for me", (c) guy from PH.

    Didn't try their Dallas DC, but my friends already did. And they were not satisfied because of the same issues with them as I mentioned above (very small power (GBps, pps) of DDoS attacks they can absorb).

    2.) qrator. I was young, and I was stupid, I will never again throw such big money for air.

    3.) ddos-guard.net.

    A few cents about these guys (I'm talking about 2014 - 2015 (summer); I do not know how it is right now).

    1.) I used their network in Russia -> shit. Lag, constant maintenance, various problems with the network; in the evenings (after 19:00) you will have a lot of packet loss.
    I used them directly (200$ for a VPS). And I can't recommend them just because of my personal experience, but maybe they have improved their network by now, dunno.

    As for DDoS attacks against their network -> when I was hit very hard, they opened a ticket for me to upgrade my VPS to another level; if not -> they would cancel me.
    I stopped using them directly. And I hate them because of such politics (they want no small amount of money for +- the same quality which I can get with OVH or Voxility for a much smaller price).

    My Russian friend, who hosts his game server in NL, never gets any issues with their network, or even lag. I tried a reseller account in 2015 (summer) in NL, and I really lagged too much, and I had tons of packet loss. Maybe I'm just unlucky.

    Summary:

    OVH ddos protection & price > any ddos protected network.

  • Hi,

    I'm missing some first hand experience on online.net's standard DDOS protection. Anyone any experience ?

    Thanks

  • Rhys Member, Host Rep
    edited February 2016

    @wlambrechts said:
    Hi,

    I'm missing some first hand experience on online.net's standard DDOS protection. Anyone any experience ?

    Thanks

    Takes a good 2-5 minutes to kick-in but when it does it works well. As of late it has been mitigating larger volumetric attacks but not attacks such as SYN floods.

  • What is really the need for a DDOS protected server ? I'm currently running a personal server (http, SMTP/POP) and plan to have some service I can offer in the future.

    What is in fact the need for DDOS protection in that case ? What happens in case of a nullroute ?

    Tx

  • @wlambrechts said:

    If your server is null routed, you have no access to your server.

    Thanked by 1wlambrechts
  • PhotonVPS Member, Host Rep

    caffeinejolt said: Psychz Networks I had one node on a VPS reseller with these guys that was taken out immediately on my last attack (ExtraVM); however, I don't think I gave them a fair shot. I now have 3 nodes (one for each of their DCs) at PhotonVPS (which is a brand that Psychz Networks uses to sell low cost VPS hosting - so not using a reseller this time). I should know more about these guys after I get more attacks.

    If you have permanent mitigation you shouldn't be knocked off. PhotonVPS services all have permanent mitigation.

    sin said: Please let me know how this goes :) I have a VPS with PhotonVPS that I'm absolutely loving so far and I'm curious how their 10 Gbps of protection holds up.

    You should be fine up to 10Gbps then you'll probably go down.

    desperand said: 1.) Psychz Networks, not as good as mentioned by a lot of people here. Went down very easily, good against L7, but bad against L3-L4 DDoS attacks (due to the limited amount of filtering for a good price). Poor network from Europe to their LA location. But a lot of pinoys & asians said: "you have awesome latency & network for me", (c) guy from PH.

    Didn't try their Dallas DC, but my friends already did. And they were not satisfied because of the same issues with them as I mentioned above (very small power (GBps, pps) of DDoS attacks they can absorb).

    You'll probably have better latency to Ashburn from Europe.

    These issues in Dallas have been resolved, feel free to try us again.

    Next time you have an issue, please open a ticket as our engineers are pretty responsive when an attack is not mitigated.

    Thanked by 2Rhys sin
  • Nick_A Member, Top Host, Host Rep

    @caffeinejolt - Thank you for your kind words. However, we stopped using Black Lotus around December of last year. We had some significant issues with the attack detection delay as well as support problems which were compounded when they began moving us to the Level 3 filtering system. I would be interested to know what time period your evaluation comes from to see which provider was involved.

  • @Nick_A said:
    caffeinejolt - Thank you for your kind words. However, we stopped using Black Lotus around December of last year. We had some significant issues with the attack detection delay as well as support problems which were compounded when they began moving us to the Level 3 filtering system. I would be interested to know what time period your evaluation comes from to see which provider was involved.

    For a second I saw "Nick" posted on the ddos thread and thought it was that nicklim dude... thank god it was you instead...

  • @Nick_A said:
    caffeinejolt - Thank you for your kind words. However, we stopped using Black Lotus around December of last year. We had some significant issues with the attack detection delay as well as support problems which were compounded when they began moving us to the Level 3 filtering system. I would be interested to know what time period your evaluation comes from to see which provider was involved.

    Hi Nick - thanks for the heads up - I see you guys switched back to Staminus. So BlackLotus filtering capabilities went downhill after they were acquired by Level3? That's too bad. I have not had any decent size attacks since December - just a small one a couple weeks ago. At Ramnode I have DNS and Web servers (reverse proxies) - both covered by Staminus - I may have to update my Staminus opinion after the next attack. BTW - thanks for RamNode!

  • Nick_A Member, Top Host, Host Rep

    caffeinejolt said: So BlackLotus filtering capabilities went downhill after they were acquired by Level3?

    Well, the main problems were there before the Level 3 move. We were hoping they would be fixed by the move, but things just got worse. Support at Black Lotus was always quick and tried to do their best, but there were inherent difficulties getting their system to match up to what we needed as a VPS host with a variety of services requiring protection.

  • raindog308 Administrator, Veteran

    Wait...am I seeing...quality content on LET...?

    Thanked by 1vimalware
  • ntorga Member
    edited June 2016

    Has anyone tested any provider who uses RioRey in-house?

  • fetz Member

    Nice. Currently using OVH DDoS mitigation. I love it.

  • CloudxtnyHost Member, Host Rep

    This is a great review man, thanks.

  • superb review!

  • FlamesRunner Member
    edited June 2016

    @ntorga

    What I find funny is that LET (backed by RioRey) is sometimes down, because I don't know, DDoS attacks? :p

  • ntorga Member

    @Jack thanks, indeed it'd be great. I do use Voxility, OVH and Staminus, but I'd like to try some in-house. However, the one I could find offers 20Gbps tops, which is not enough room to swing a cat.

    @FlamesRunner maybe it's on maintenance or with route problems, no?

  • FlamesRunner Member
    edited June 2016

    @ntorga

    I don't think a 504 gateway timeout error is maintenance ;)

  • ntorga Member

    @FlamesRunner said:
    @ntorga

    I don't think a 504 gateway timeout error is maintenance ;)

    If it's reverse proxied and the main VM/server is rebooting or being repaired, 504 can show up, don't you think?

  • @ntorga said:

    @FlamesRunner said:
    @ntorga

    I don't think a 504 gateway timeout error is maintenance ;)

    If it's reverse proxied and the main VM/server is rebooting or being repaired, 504 can show up, don't you think?

    afaik, LET hasn't been "rebooted" in months (if not years).

    2) LET doesn't simply get "repaired"

  • SplitIce Member, Host Rep
    edited June 2016

    @desperand Thank you for the review.

    Just for clarification, we also do our own Layer 4 mitigation. If you want to test the Layer 4, feel free to hit me up via PM. Always happy to help with research.

    We hope also to be increasing the base protection offered in the US from 20G to perhaps 40G in the near future, we also have some very big news regarding 100G pricing & changes coming very shortly (next week).

    FYI, NL is now 100Gbps Guaranteed (and 1.4-1.5Tbps burst). Our agreement with the upstream network allows us to take any attack (which does not saturate any peering/transit link) for a reasonably long time up to near the full capacity of the network. Only attacks >100G will be nullrouted at a certain point when it obviously starts becoming too costly (95th). Haven't had the need to null anyone in NL in well over a year (might even be 2).
