Review of DDoS Mitigation Solutions/Providers
There are a lot of service providers out there offering DDoS mitigation solutions in the VPS hosting space. I have used many of them - and am constantly evaluating new ones to determine their effectiveness. I wanted to share my experience and offer this review for the benefit of the community. As I make new observations over time, I may update this - consider this version 1.
First, some background... I run primarily DNS, Web, and Mail services, so my review is limited to these protocols - if you are running something else, this review may not be as useful. For me, the DNS servers get attacked a lot more than the Web or Mail servers - as a result, this review will be slanted towards the ability of mitigation providers to mitigate UDP attacks. It should be noted that DDoS attacks can vary greatly - some hit at layer 7 and others hit lower - some hit at multiple layers - some are big (and hence noticed immediately) and some are small (they come in small enough that they don't trigger auto-mitigation right away) but big enough to consume lots of server resources.

I spread my VPS nodes out across multiple providers - this does a couple of things that are noteworthy: 1) it increases the attack surface since there are more addresses to attack (dividing the attack size), 2) there are more data centers/equipment/NICs/routes soaking up the attack and 3) it puts you in a unique position to gauge mitigation effectiveness since you can look and see which nodes are still up and running during an attack. If you are able to host your application on multiple providers like this, I highly recommend it - it makes it more resilient to attacks and it also helps you sort through scenarios where one provider immediately null routes claiming a 75Gbps attack and the other tells you the attack was small or that there was no attack at all (i.e. spot the BS more easily).

So you are probably asking yourself "why does this guy get attacked so often?" "why do people dislike him so much?" - they are not attacking me personally - they are attacking my customers - and I have lots and lots of customers - enough that I receive attacks every couple of months - for years.
So what do you want to look for when shopping DDoS mitigation solutions (in the context of DDoS protected VPS hosting)? Mitigation providers have limits (that they should publish) - there are two limits that are important: 1) how many Gbps and 2) how many PPS before they null route your address. In other words, once the attack size goes above these limits - they are going to blackhole your traffic to protect their infrastructure. However, in the VPS space, it's not quite that simple a lot of the time when it comes to limits, because the advertised limits are either 1) an aggregate limit that applies to all of the hosting provider's customers (less expensive) or 2) a dedicated limit set aside specifically for your account (more expensive) - you should ask which it is. When the hosting provider is advertising 400Gbps protection for your VPS starting at $5/month - it's a safe assumption that this is a shared pool of protection for all of their customers. These DDoS attacks can be very large - even for a medium size hosting provider they can cause major problems for their infrastructure. As a result, a lot of them (the small to medium sized ones) outsource that aspect to a provider who specializes in DDoS. This is typically done via two methods - 1) the hosting provider allows you to purchase an add-on IP that routes through the mitigation provider via some GRE tunnel or 2) the VPS provider simply colocates their gear at a DC where the DC network is run by a mitigation provider. Both of these scenarios can work great, just keep in mind that this typically means whatever limits they have published are shared for all VPSes. So to summarize, you want to ask:
1) Do these limits apply for just me or are these shared for all of your customers?
2) Do these limits apply for each data center where you offer service or across all of your data centers?
3) Are you using a 3rd party for mitigation? If so, whom?
4) Do the limits/mitigation techniques vary by mitigation provider/location/data center? If so, what are those differences?
5) If you are doing filtering in-house, what gear are you using? How much bandwidth do you have provisioned? How often do you receive attacks?
6) Once an attack goes over the limits, how long does the null route remain in place?
Limits are not the only thing that matters. Let's define DDoS filtering on a spectrum from ideal to terrible. The ideal scenario is that all good traffic is let through seamlessly and all bad traffic is stopped before it ever reaches your server. The terrible scenario can either be that the filter kicks in and starts blocking all traffic - both good and bad - or that it simply lets through most or all of the bad traffic. Most DDoS providers fall somewhere between these two. You need to get an idea about where your provider falls before an attack. You really need to understand how they deal with attacks specifically targeting your application. Let's say you are running a Mail server - how do they go about blocking bad connections on port 25 and letting good ones through (maybe they have no plan at all)? If they are running filtering in-house - they should have answers. If they are outsourcing, they should at least be able to refer you to where you can get answers - or better yet get them for you from the provider they are using. Don't wait until you are attacked to find out that the first thing they do during an attack is drop all UDP traffic while you are running a name server - they might as well just null route your address at that point - any limits they have are irrelevant if they are totally ill-prepared to handle an application layer attack targeting your application.
Ok - finally on to reviewing providers. Rather than point out VPS providers that I dumped because they sucked before or during attacks (there are many), I will mostly just stick to options that I think are good.
Ever see that commercial from that office supplies vendor with the big red "Easy" button that you can hit to simply solve the problem? Cloudflare is probably the closest thing to an Easy button in the DDoS mitigation space. I should point out that Cloudflare has competitors like Amazon selling their own Easy buttons - I just like Cloudflare the most. If all you are trying to protect are some web sites that you run - do yourself a favor and at least consider hitting the CF Easy button. Even when I do not use their reverse proxy service, their DNS service is fast and resilient to attacks with its anycast design. But BEWARE... there is a big fat caveat that many fail to consider when considering/using CF (or a CF competitor) - while a DDoS against CF will be very difficult, the attacker doesn't have to attack CF at all - they can just use the back door - they only need to figure out where the origin server(s) are - then they can bypass CF altogether and take you out. How? Is there something on your web site that will result in an email being sent to end-users (the Received headers of that mail carry the sending server's address)? Any DNS records out there that reference your web server (i.e. a scenario where the web server and mail server address is the same)? You need to make sure there is no way the attacker can figure out where the origin server(s) are - it can be trivial for them to figure this out - if they do, using CF will not help you since they will just take the path of least resistance. Of course, you can't always use CF due to requirements - which is too bad (no easy button for you) - it is in these scenarios that this review is mostly useful.
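The origin-exposure check described above, written out as a script. This is an added example and not code from the original post or from Cloudflare: it walks a zone's records (A/AAAA, MX and CNAME targets, and the ip4:/ip6: tokens of an SPF TXT record, another common leak) and flags anything that points at an address outside the reverse proxy's published ranges, then emits the nftables allow-list lines that make a leaked origin address useless to an attacker. The zone and the two Cloudflare prefixes are a constructed subset for illustration; fetch the live lists from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 before relying on the result.

```python
"""Audit zone records for addresses that bypass a reverse-proxy DDoS service.

Added example, not part of the original post. The proxy prefixes and the
zone below are constructed for illustration.
"""
import ipaddress

# Constructed subset of Cloudflare ranges; pull the real lists from
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6
SAMPLE_PROXY_PREFIXES = ["104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32"]

# Constructed zone: web is proxied, but mail shares the origin box and an
# old "dev" name plus the SPF record give the origin address away.
SAMPLE_ZONE = [
    ("example.com.", "A", "104.16.1.1"),
    ("www.example.com.", "A", "104.16.1.2"),
    ("mail.example.com.", "A", "198.51.100.10"),
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "TXT", "v=spf1 ip4:198.51.100.10 -all"),
    ("dev.example.com.", "A", "198.51.100.10"),
]


def load_prefixes(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def is_proxied(addr, nets):
    """True if addr falls inside one of the proxy provider's prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def exposed_records(records, nets):
    """Return (name, type, detail) for every record that reveals a non-proxy address.

    records: iterable of (owner name, record type, record data) tuples.
    """
    # Index A/AAAA data by owner so MX and CNAME targets can be followed.
    addrs = {}
    for name, rtype, value in records:
        if rtype in ("A", "AAAA"):
            addrs.setdefault(name, []).append(value)

    findings = []
    for name, rtype, value in records:
        if rtype in ("A", "AAAA"):
            if not is_proxied(value, nets):
                findings.append((name, rtype, value))
        elif rtype in ("MX", "CNAME"):
            target = value.split()[-1]          # MX data is "<pref> <host>"
            for a in addrs.get(target, []):
                if not is_proxied(a, nets):
                    findings.append((name, rtype, f"{target} -> {a}"))
        elif rtype == "TXT" and value.startswith("v=spf1"):
            for token in value.split():
                if token.startswith(("ip4:", "ip6:")):
                    # Drop any prefix length; checking the base address is
                    # enough to tell whether the range is the proxy's or ours.
                    a = token.split(":", 1)[1].split("/")[0]
                    if not is_proxied(a, nets):
                        findings.append((name, "SPF", a))
    return findings


def origin_allowlist_rules(prefixes, ports=(80, 443)):
    """nftables rule lines that accept the web ports only from the proxy ranges.

    The chain they live in should default to drop, so a leaked origin
    address cannot be hit directly on these ports.
    """
    portset = "{" + ", ".join(str(p) for p in ports) + "}"
    rules = []
    for n in load_prefixes(prefixes):
        family = "ip6" if n.version == 6 else "ip"
        rules.append(f"{family} saddr {n} tcp dport {portset} accept")
    return rules


if __name__ == "__main__":
    nets = load_prefixes(SAMPLE_PROXY_PREFIXES)
    for finding in exposed_records(SAMPLE_ZONE, nets):
        print("EXPOSED:", *finding)
    print("\n".join(origin_allowlist_rules(SAMPLE_PROXY_PREFIXES)))
```

Note that the firewall rules only close the HTTP/HTTPS back door; a mail server on the same address is still reachable on port 25 by design, which is exactly the "same address" scenario the paragraph warns about - the fix there is a separate address (or separate host) for mail.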
There are a lot of VPS hosting providers whose DDoS solution is to route your traffic through Voxility's network. I can tell you that Voxility does a very good job of filtering DDoS attacks - they are impressive because they can take on big attacks and even more so because of their ability to magically filter out the bad traffic for application layer attacks. My favorite VPS provider using Voxility for DDoS so far is BuyVM (just wish BuyVM would add support for PayPal subscriptions so I didn't have to be on the lookout for their email invoices). With BuyVM, Voxility filtering is provided via an add-on protected IP. I have also tried BlazingFast (not terrible) and just fired up some nodes with UltraVPS (not enough experience to render a verdict). Unfortunately, I have also used quite a few VPS hosting providers that have their gear at Voxility (especially the DC in Romania) that, despite having a great filtering network like Voxility, provide subpar service. Know of a good VPS provider using Voxility? Let me know - I may give them a shot and see how they do when it matters most.
There are not as many VPS hosting providers offering to route your traffic through the BlackLotus (BL) network - and that's too bad since they also do a great job of filtering DDoS attacks. Honestly, it's a toss-up between Voxility and BlackLotus - sometimes one does better than the other, but both are very good. My favorite VPS provider using BL is Ramnode (I really like Ramnode). Strangely, I have tried other providers like Globalfrag who utilize BL some - including VPS providers over there like Clamhost and Raptornode - and have not experienced the same results (I should point out here that this is based on UDP application layer attacks). I am on the lookout for another VPS provider who can offer Ramnode-like service/pricing with BlackLotus protected IPs - let me know if you know of them so I can see how they fare during attacks.
I am sure others have had a different experience than me, but I hate dealing with OVH directly - their customer service has always SUCKED big time for me. That being said, the OVH VAC system does an admirable job at DDoS mitigation - it does block more good traffic than I would like, but it is an incredible value IMO. Despite my negative experiences dealing with OVH, I give them props for taking a firm stance on DDoS and protecting their whole network - you have to respect that. Also, even though I still have several nodes at OVH (where I directly deal with OVH), all new nodes I have been creating with LunaNode - and those guys rock! You get OVH VAC protection, good support, and I have noticed, for whatever reason, that during attacks the LunaNode VPS instances hold up better than the OVH VMware ones - go figure. There are lots of VPS providers reselling OVH - I have tried several - but none come close to LunaNode for my needs at least. I am sure there are some other ones as well - feel free to point them out.
I have used a couple of VPS providers selling Staminus protected IPs. For Staminus, I only have experience with them mitigating DNS application layer attacks (no HTTP GET flood experience, for example). In this role, they support DNS truncation, for example - but I personally found their auto-mitigation not all that great - I had to run in constant filtering mode - which adds latency. Ramnode used to use them, but switched to BlackLotus (a good move in my opinion). Hosthatch uses them - but I did not have a very good experience with them - just dumped those guys. Currently I have no nodes using Staminus nor immediate plans to do so. However, I would be willing to try them again to see if things have improved - especially if someone like Ramnode picked them up - let me know if you know of one.
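Two things above deserve a worked example: the warning that a provider whose only UDP answer is "drop all UDP" has effectively null routed a name server, and the DNS truncation the Staminus paragraph mentions as the finer alternative. Truncation works by answering a UDP query from an unverified source with an empty response whose TC bit is set; a real resolver retries over TCP (RFC 1035, section 4.2.1), which a spoofed source cannot complete, and once a source has proven itself over TCP its UDP queries are passed through normally. The code below is an added illustration of that mechanism and is not Staminus's, Ramnode's, or any provider's code; the packet builder, the trust table, and its timeout are assumptions made for the example.

```python
"""DNS truncation (TC-bit) mitigation for UDP query floods.

Added example, not from the original post. Builds RFC 1035 wire-format
messages by hand so it runs offline.
"""
import struct
import time

QR, TC, RD = 0x8000, 0x0200, 0x0100          # header flag bits
OPCODE_MASK = 0x7800


def parse_query(packet):
    """Return (txid, flags, question bytes) for a well-formed single-question
    query, or None for anything that should just be dropped."""
    if len(packet) < 12:
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & QR or qdcount != 1:           # responses and odd queries: drop
        return None
    pos = 12                                 # walk the QNAME labels
    while True:
        if pos >= len(packet):
            return None
        label_len = packet[pos]
        if label_len == 0:
            pos += 1
            break
        if label_len & 0xC0:                 # compression pointer: invalid in QNAME here
            return None
        pos += 1 + label_len
    pos += 4                                 # QTYPE + QCLASS
    if pos > len(packet):
        return None
    return txid, flags, packet[12:pos]


def truncated_response(query):
    """Empty response echoing the question with QR=1, TC=1 and RCODE=0."""
    parsed = parse_query(query)
    if parsed is None:
        return None
    txid, flags, question = parsed
    rflags = QR | TC | (flags & OPCODE_MASK) | (flags & RD)
    return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + question


def build_query(txid, name, qtype=1):
    """Standard recursive UDP query for name (qtype 1 = A)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", qtype, 1))


def header_fields(packet):
    """Decode the header so callers can check flags without struct arithmetic."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"txid": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rd": bool(flags & RD), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}


class TruncationMitigator:
    """Answer UDP with TC=1 until the source completes a query over TCP."""

    def __init__(self, trust_seconds=300, now=time.monotonic):
        self.trusted = {}                    # src address -> expiry timestamp
        self.trust_seconds = trust_seconds
        self.now = now                       # injectable clock (assumption)

    def note_tcp_query(self, src):
        """Called when src sends a query over TCP: the handshake proves it is real."""
        self.trusted[src] = self.now() + self.trust_seconds

    def handle_udp(self, src, packet):
        """Returns ("forward", packet), ("truncate", response) or ("drop", None)."""
        expiry = self.trusted.get(src)
        if expiry is not None and expiry > self.now():
            return ("forward", packet)
        response = truncated_response(packet)
        if response is None:
            return ("drop", None)
        return ("truncate", response)
```

The cost is one extra round trip for the first query from each resolver and a dependency on the client honouring TC, which is why the paragraph above notes the latency of running in constant filtering mode. It also changes nothing for TCP floods or for legitimate resolvers stuck behind a middlebox that blocks DNS over TCP, so it is a complement to, not a replacement for, volumetric filtering.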
These guys do a good job taking on several attacks. They run a lot of filtering in-house. I had a very positive experience and still have one node there. They are a bit pricey - but you are buying dedicated capacity with them - not shared pools of protection. Their support is knowledgeable in dealing with attacks and has direct communication with the makers of their mitigation gear and will work to make sure their network supports your application protection needs.
These guys also do a decent job. It's worth mentioning that the first big attack I got while using them took down their whole TX data center for almost an hour - but they made subsequent improvements and did much better on other attacks. They do a good job overall, but I left because they started raising their prices, which were already pricey - you are buying dedicated capacity with them.
When I used them, they relied on BlackLotus. These guys are great - awesome support. You will pay more - but you are buying dedicated capacity. The only reason I don't use them anymore is because Ramnode offers BlackLotus (not dedicated capacity limits though) and is much more economical. They went above and beyond on multiple attacks. I would use them again.
Currently I am reviewing the following providers and do not yet have enough experience to render a verdict:
So far so good - they are like Digital Ocean (I like DO) except that for 5 of their data centers you get a checkbox to enable DDoS protection during VM creation. According to them this is in beta. I have a node in all 5 of those DCs with DDoS protection enabled, so at some point I will have enough information to report back on how well they do at filtering. So far I really like these guys - I would also use them for my stuff that does not require DDoS protection.
I had one node on a VPS reseller with these guys that was taken out immediately on my last attack (ExtraVM); however, I don't think I gave them a fair shot. I now have 3 nodes (one for each of their DCs) at PhotonVPS (which is a brand that Psychz Networks uses to sell low cost VPS hosting - so not using a reseller this time). I should know more about these guys after I get more attacks.
Runs in house filtering. Very good pricing. I am not sure what to expect. Will know soon enough. So far so good.
Resells Voxility as protected IPs. Not as good as BuyVM (kind of slow to set things up - currently waiting on a ticket right now for them to properly set up the Voxility IP), but... you have to remember that you have to look at the big picture in terms of attack surface. BuyVM and UltraVPS will each have their own protection pools/limits with Voxility - the Voxility limits do not increase by buying more VMs with BuyVM, but they do if you also buy from someone else using Voxility.
So far, I have to say - these guys seem to suck - they do get back to you quickly - just not with anything useful. One of the DCs they sell in uses CNServers for DDoS - I used to have a node there that was taken out immediately on attack (not a fair assessment since CNServers sucks at mitigating UDP attacks - my bad for choosing them). They recently started selling in 4 of the PhoenixNAP DCs (I colocate in the PhoenixNAP DC in AZ and really like the network there). PhoenixNAP advertises their own in-house DDoS mitigation system, which sounds pretty cool when you read their ad verbiage. However, I never run likely attack targets on my colocated gear, so I cannot say how well PhoenixNAP does at mitigating attacks. When I saw that TrentaHost was selling KVM VPSes in 4 PhoenixNAP DCs - I decided to give them another shot and bought 12 months' worth with a node in each of the 4 PhoenixNAP DCs that they offer. I have been waiting a week now for them to get my VPSes up so I can log in and set them up - every time I inquire they say billing is reviewing my account - I have yet to hear from billing - WTF guys? If anyone knows of a VPS hosting provider with multiple PhoenixNAP locations that is passing on the PhoenixNAP DDoS filtering as part of their VPS solution - please let me know - really, anyone other than TrentaHost would be great at this point.
Well - that's it for now. I have often wished that someone could have compared DDoS providers - so I could just read up in one place - so I took it upon myself to do so. I will update my review over time as I find out new things. I welcome any advice/feedback/leads that anyone here has to offer on this.