You have two ISPs for any business-critical service that matters, and you switch between them either using BGP in your router or using DNS if you have not implemented BGP.
With a single provider, it's a gamble, although the expectation for any reasonable provider is that they just let you saturate your link speed with no questions asked, and block the offending traffic in their router if you can identify it for them.
Since this seems to be a problem for growing startups. Does anyone have any information on what other companies cater to the european market and will not hold you hostage if you get hit with a ddos attack?
I'm looking specifically for servers in Germany, if anyone has any clue.
This raises an attack vector for Hetzner's business itself. By finding their larger clients and DDOSing them, Hetzner's business itself becomes at stake.
Yeah exactly, that's what I thought. If this is the way Hetzner deals with even such small attacks, some competitor that has enough power could potentially take out a lot of their clients and Hetzner would get the bash.
I was also happy with Hetzner when I used them a few years back. But I didn't need their support other than for replacing hard drives, which they always handled quickly and without problems.
One of my servers were once used in a amplification attack (DNSSEC...) for a few days before I noticed. I guess Hetzner didn't detect this because just the uplink got saturated. Had to manually request a null route so I could SSH to another IP alias on the box. I wouldn't mind if they automatically did this for me since the offending IP would be unavailable either way. At least they don't charge you for DDoS traffic, like my current European budget provider does.
If you move to something like Cloudflare, make sure to at least firewall off everything but their IP addresses. Otherwise it will be trivial for the attacker to connect to all the port 80's in the IP allocation to the provider they know you were using, and compare the responses to what they get from Cloudflare, to obtain your service's origin.
One of the big political blogs in New Zealand recently had a similar problem with Linode.
They got DOSed so Linode shut them down, then they found a new provider but had problems moving to them since they couldn't get into the linode server to copy the data.
I run a social network that does 30m pageview per month. I had a similar problem with a Large host provider which for the sake of good taste I wont mention. When I got attacked the provider gave me a warning and shut things down for a bit but the attacks kept coming and coming eventually I moved ( im not advertising) to Rack911 got attacked again but the guys there proactively helped me deal with the attacks until the attackers backed off.
No story here. No budget provider I've looked at says they will help you withstand a DDoS attack. [Thanks to the commenter who says OVH does, I will look into them closely.]
I did this due diligence for a 10-user app. These guys have no excuse for not planning for a DDoS with a serious business.
I'm trying to think of the economic way to run a robust small scale service. I think you need a way to rapidly spin up a replica service on an entirely different provider.
I'm picturing a setup where you run on a cheap Hetzner host or similar with the DB synced to a slave replica on EC2 or other cloud provider and a build system so that you can spin up a whole replacement infrastructure on EC2 if there is a severe outage or failure in commercial relationship and switchover by changing the DNS settings.
23 comments
[ 60.9 ms ] story [ 1675 ms ] threadAs others have mentioned they've got DDOS protection on some of their newer plans.
With a single provider, it's a gamble, although the expectation for any reasonable provider is that they just let you saturate your link speed with no questions asked, and block the offending traffic in their router if you can identify it for them.
Doesn't sound like they have changed at all in the interim.
http://www.ovh.com/us/dedicated-servers/enterprise/
http://www.ovh.com/us/blog/a1171.protection-anti-ddos-servic...
And:
http://forum.ovh.co.uk/showthread.php?6661-URGENT-AND-IMPORT...
"Our surplus network has a capacity over 2 Tbps. We have three VAC in production, so we can manage up to 480 Gbps/480 Mpps."
I guess the original post perfectly explains how such low prices are attainable (no customer support, etc).
One of my servers were once used in a amplification attack (DNSSEC...) for a few days before I noticed. I guess Hetzner didn't detect this because just the uplink got saturated. Had to manually request a null route so I could SSH to another IP alias on the box. I wouldn't mind if they automatically did this for me since the offending IP would be unavailable either way. At least they don't charge you for DDoS traffic, like my current European budget provider does.
If you move to something like Cloudflare, make sure to at least firewall off everything but their IP addresses. Otherwise it will be trivial for the attacker to connect to all the port 80's in the IP allocation to the provider they know you were using, and compare the responses to what they get from Cloudflare, to obtain your service's origin.
http://www.youtube.com/watch?v=bmzHIB18XT8
They got DOSed so Linode shut them down, then they found a new provider but had problems moving to them since they couldn't get into the linode server to copy the data.
http://www.whaleoil.co.nz/2014/01/ferals-faults-fixes-co-pil...
I did this due diligence for a 10-user app. These guys have no excuse for not planning for a DDoS with a serious business.
I'm picturing a setup where you run on a cheap Hetzner host or similar with the DB synced to a slave replica on EC2 or other cloud provider and a build system so that you can spin up a whole replacement infrastructure on EC2 if there is a severe outage or failure in commercial relationship and switchover by changing the DNS settings.
cloudflare adds a direct.* subdomain that points to your actual IP.