Hosting Providers, what do you do for DDoS?
So I'm making a budget to start a hosting company offering unique and hard to find locations.
One of my biggest concerns is DDoS. Most of the datacenters I'm looking into don't offer DDoS protection at all. So I'm looking for a service, like Voxility or Corero Cloud, that offers remote infrastructure DDoS protection.
I was wondering what other hosting providers do about this. I'm sure others are interested in this as well, as everyone has different solutions from colocation DDoS protection to paying a third party reseller for cheaper DDoS protection from a major network service.
So what do you use for your solution and what are some suggestions?
Please be serious as I'm sure someone will comment "Don't get DDoSed" or something along those lines.
Comments
Don't get DDoSed
Sorry, couldn't resist!
Or pray to Gods?
nullroute china and russia.
How about I null route Africa, most of Europe and Asia. That should solve 99% of DDoS attacks, right?
That actually does solve quite a lot. For example in the last major attack against OVH that Oles talked about, literally like 80% were Chinese ISPs and the rest were cheap dedicated server hosts or cheap VPS hosts.
One setup I helped with in a small country with very weak connectivity (we're talking one city has ~1Gbps total international connectivity type of shit), we had the network entirely unrouted globally, and only privately routed to specific residential ISPs in the country. That way locals could all access at fast speed while attacks would go nowhere, since that space wasn't even reachable outside of the country.
Most of the attacks I got were from France, Latvia etc.
Depends on who you pissed and what kind of budget they have.
If there is a possibility, you can tunnel all your traffic through Voxility but then again latency will be a bitch in those exotic locations...
Also separating regular customers and high possibility targets is not a bad idea either...
You realize these two don't work together, right? When you use remote DDoS protection, all your traffic is routed through the DDoS protection provider's network. Even if your servers are located in an exotic place like Pandora, your network will be routed through the protection service's network points like Chicago.
The only upside can be that your server content can be legal (or illegal) depending on your server locations. But in that case your customers will be less than stellar guys looking for illegal hosting or something like that.
Kinda ruins the point of exotic locations if you're tunneling in traffic from DDoS protected PoPs - unless they're reasonably close.
An affordable option would be to set up a GRE tunnel from a protected host like @Francisco (using Voxility) - or maybe you can talk to him about a more custom solution.
Could also do this with @Clouvider, OVH, etc - but again, not the best solution for 'exotic' spots due to latency. And exotic spots don't usually have the available bandwidth coming in to be able to tank a standard sized attack nowadays.
You can always look into integrating routes via Anycast for regions and distribution links on all sides. If your exotic region is not a large component of DDoS attack. This is because often exotic regions have higher costs of transit (and hence remain exotic). Of course this is not the case, and it requires you to have a reasonable pipe to handle leakage on your end.
I get DDOS'd because I talk shit about shithosts.
Oh, what we do to deal with DDOS you mean. Voxility works well enough but is costly.
Francisco
kms-hosting with their l7 filter or use ovh and set your ip to perm mitigation and only allow cloudflare ips through. Then captcha countries that have a lot of attacks coming from them or use a CF auto mitigation script. Captcha protection with good caching rules can stop many attacks.
It's not for the website, it's for the virtualization server.
So what I decided to do is to only reroute traffic when a DDoS attack is detected. This isn't the best setup in the world, there are issues to it, but for now the plan is to install FastNetMon on the virtualization server and when an attack is detected, trigger a BGP reroute to a scrubbing service, currently looking at Corero or Psychz. When the attack is over another BGP reroute will be triggered to remove the scrubbing center.
This would solve the "latency" issue, but the issue would also be that installing FastNetMon to detect DDoS attacks on the server that is being DDoSed is a terrible idea. For optimal results, we should be installing it on the router instead and detecting it before it reaches the server.
This fundamentally ruins the attraction of an exotic location by making it centralized in a nonexotic location, though.
Reconsider if you want your unique selling point to be exotic locations or ddos protection, then optimize for that. Not both.
How does this ruin it? By doing this we can still offer DDoS protection for exotic locations. Latency is only added during DDoS attacks. This doesn't change the location of anything, and customers can choose to turn off DDoS protection if they wish to. That's just up to them. We'll just nullroute the traffic if it disturbs other customers.
Yeah I think that is the best option indeed.
You probably want to detect the attack away from the target - how will you trigger the reroute if the network on the HV is down?
Generally no one recommends remote protection because in most cases it will increase latency. If you NEED to have remote protection it would be preferable if you listed where you will be hosting geographically because it would help to find close providers. X4b seems to be a good remote protection provider according to many reviews.
Anyone have ddos protection in Asia / HK?
That's why it's not "optimal" like I said. But if the attack isn't big enough, upon first detection FastNetMon will be able to trigger a reroute.
Another non-optimal way would be as a fallback, monitor all the IP addresses, and when one goes offline, check the FastNetMon database and reroute. But then again non-optimal.
Alibaba offers DDoS protection on all their instances.
I believe what some people do is port mirror a sample which gets around the problem.
I meant for network wide protection. Not individual VPS/Dedicated servers.
Can you elaborate on that?
I've not done it myself so am not certain - but I believe you can set up a port mirror and run your FastNetMon on the mirrored port instead - allowing you to use various other techniques (possibly sampling) to prevent the FastNetMon box's network going down - then using it to process the change despite the HV being down due to the DDoS.
As before though - I've never configured this myself or seen a configuration myself, just a technique I heard about and have no first-hand experience of. Might be worth investigating but might also be a dead end.
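The two ideas above (detect on a mirrored, sampled port so the detector stays reachable while the hypervisor is saturated, then trigger a BGP reroute to scrubbing and withdraw it when the attack ends) fit together in a small amount of logic. The block below is an added example written for this thread; it is not FastNetMon's code and not a configuration from any provider mentioned. It assumes flow records arrive from the mirror port as `(dst_ip, bytes, unix_seconds)` tuples with a known 1-in-N sample rate, and it expresses the routing change as ExaBGP-style text commands: a /32 more-specific announced toward a placeholder scrubbing next-hop, or, for the "null route it if it disturbs other customers" case, the same /32 tagged with the well-known BLACKHOLE community 65535:666 (RFC 7999). The sample-rate scaling is the piece a detector on a mirrored port needs that an on-box detector does not.

```python
"""Off-box volumetric-attack detection from sampled flow records, plus the
BGP actions a reroute or null-route decision produces.

Constructed example for this thread (not FastNetMon's code, not any host's
real configuration). Assumptions:
  - records come from a mirrored/sampled port, one per sampled packet,
    as (dst_ip, bytes, unix_seconds) tuples with a known sample rate;
  - the reroute is an ExaBGP-style "announce route ... next-hop ..." for a
    /32 toward a GRE/scrubbing next-hop (placeholder addresses from the
    documentation ranges);
  - the null-route uses the BLACKHOLE community 65535:666 (RFC 7999).
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

SAMPLE_RATE = 1000        # 1-in-N packet sampling on the mirror port (assumed)
PPS_THRESHOLD = 50_000    # estimated packets/s per destination treated as an attack
WINDOW_SECONDS = 5        # length of one detection window
SCRUB_NEXT_HOP = "192.0.2.1"   # placeholder: scrubbing-centre tunnel endpoint


@dataclass
class DetectorState:
    """Destinations currently rerouted; lets decide() emit only transitions."""
    active: set = field(default_factory=set)


def estimate_pps(records, window_seconds=WINDOW_SECONDS, sample_rate=SAMPLE_RATE):
    """Scale per-destination sampled packet counts back to estimated pps."""
    counts = defaultdict(int)
    for dst, _size, _ts in records:
        counts[dst] += 1
    return {dst: n * sample_rate / window_seconds for dst, n in counts.items()}


def decide(state, pps_by_dst, threshold=PPS_THRESHOLD):
    """Return ("ban"|"unban", dst) transitions for this window.

    A destination that crosses the threshold is banned once; it is unbanned
    in the first window where it is back under the threshold (or absent).
    """
    over = {dst for dst, pps in pps_by_dst.items() if pps >= threshold}
    actions = [("ban", dst) for dst in sorted(over - state.active)]
    actions += [("unban", dst) for dst in sorted(state.active - over)]
    state.active = over
    return actions


def bgp_commands(action, dst, null_route=False):
    """Translate a transition into ExaBGP-style route commands for the /32."""
    prefix = f"{ipaddress.ip_address(dst)}/32"
    if action == "unban":
        # Withdrawing the more-specific returns traffic to the normal path.
        return [f"withdraw route {prefix}"]
    if null_route:
        # Ask upstreams to discard traffic for this host (RFC 7999 community).
        return [f"announce route {prefix} next-hop self community [65535:666]"]
    return [f"announce route {prefix} next-hop {SCRUB_NEXT_HOP}"]


def run_windows(windows, null_route=False):
    """Feed successive windows of records through the detector; collect commands."""
    state = DetectorState()
    out = []
    for records in windows:
        for action, dst in decide(state, estimate_pps(records)):
            out.extend(bgp_commands(action, dst, null_route=null_route))
    return out


# Constructed sample input: two 5-second windows of sampled packets.
# Window 1: 300 samples to .10 (~60k pps estimated), 20 samples to .20 (~4k pps).
WINDOW_1 = [("203.0.113.10", 64, 1_700_000_000)] * 300 \
         + [("203.0.113.20", 1200, 1_700_000_001)] * 20
# Window 2: attack subsides, 50 samples to .10 (~10k pps), .20 unchanged.
WINDOW_2 = [("203.0.113.10", 64, 1_700_000_005)] * 50 \
         + [("203.0.113.20", 1200, 1_700_000_006)] * 20

if __name__ == "__main__":
    for cmd in run_windows([WINDOW_1, WINDOW_2]):
        print(cmd)
```

Because `decide()` only reports transitions, it can run every window without flapping the announcement; the unban path is the "remove the scrubbing center" step described above, and the same function drives the null-route variant by changing only the command emitted.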
Interesting, I'll look into it.
By praying to DDoSers and asking for some mercy.
I'll just be like Hetzner and ask them politely to stop!