[MERGED] DDOS Protection

ppc

Moderator
KH - Just curious if you guys are planning in implementing a real-time monitoring/detecting/mitigating DDOS system.

I think it would be a great addition to the KH network, I dont know if it would be even feasible to charge extra for it but in any event it would be a really nice thing to have, I am seeing more and more VPS providers offer it.

Regards,
 
Hiya Josh,

Aren't there firewalls available that can do DDoS monitoring? I can't believe there aren't and that KH wouldn't have them...
 
Hiya Josh,

Aren't there firewalls available that can do DDoS monitoring? I can't believe there aren't and that KH wouldn't have them...

Yeah absolutely their are firewalls that monitor (some even protect) against ddos. I was just curious if KH had such a hardware system in place.

Its always cool to hear what kind of equipment is used within your hosting network...;)
 
There are firewalls you can install on servers to "Help" with ddos attacks. But they wont stop them. They can make things manageable till you get it sorted out. I recently got hit with an attack. Spent about an hour banning Ips before I simply shut down httpd and waited for the attack to stop. This attack I encountered was simply too large for my VPS to handle. (Yes your server will make the difference in a DDOS attack)

They will stop the casual newbie that is attacking, but for someone that knows what they are doing, lets say loads up a few thousand proxies or sends 12 bots to ddos your site, then you would have about 12,000 ips hitting your site and taking down apache and driving up your bandwidth. Not much you can do on that one short of shutting down your apache or adding a htaccess login to your site.

such attacks would have to be handled host side.
 
There are firewalls you can install on servers to "Help" with ddos attacks. But they wont stop them. They can make things manageable till you get it sorted out. I recently got hit with an attack. Spent about an hour banning Ips before I simply shut down httpd and waited for the attack to stop. This attack I encountered was simply too large for my VPS to handle. (Yes your server will make the difference in a DDOS attack)

They will stop the casual newbie that is attacking, but for someone that knows what they are doing, lets say loads up a few thousand proxies or sends 12 bots to ddos your site, then you would have about 12,000 ips hitting your site and taking down apache and driving up your bandwidth. Not much you can do on that one short of shutting down your apache or adding a htaccess login to your site.

such attacks would have to be handled host side.

Interesting info. Thats why I was wondering if Knownhost had a HARDWARE firewall/ddos system in place on the network. For example the: TippingPoint Intrusion Prevention Systems. Here's a cool data sheet on it. Its amazing what a piece of hardware claims to do.
 
Josh,

We do not have TippingPoint devices in either DC and most likely we never will, at least unless we'll decide to triple our prices. It doesn't make much logical or financial sense to put application-layer intrusion detection/prevention device with price a tag of $100k+ in front of the $20 VPS...

Also, what kind of DOS attack are you referring to in this post? Small scale service-specific as computervitals is talking about? We do not monitor such things for very simple reason - if we'll do monitoring/filtering of traffic based on, say, number of connections some specific IP is establishing to the service running in customer's VPS we will a) have a lot of complaints ranging from "server being down" to "you're killing my business" and b) such things won't help with scenario described by computervitals. So, at the end we'll bring more harm and havoc with very low (if any) positive effect.
If you're referring to low/medium sized network attacks directed against one of our customers, then our position wasn't changed since last year: http://forums.knownhost.com/showpost.php?p=1363&postcount=7
If you're referring to DC-wide attacks that bring the whole DC's network down, then it doesn't matter at all what kind of equipment will be installed in front of your VPS. Even if a million-dollar device is put in front of the specific VPS it won't help at all if uplinks are completely saturated with traffic that, in some cases, isn't even reaching us.

Regards,
Paul
 
Josh,

We do not have TippingPoint devices in either DC and most likely we never will, at least unless we'll decide to triple our prices. It doesn't make much logical or financial sense to put application-layer intrusion detection/prevention device with price a tag of $100k+ in front of the $20 VPS...

Also, what kind of DOS attack are you referring to in this post? Small scale service-specific as computervitals is talking about? We do not monitor such things for very simple reason - if we'll do monitoring/filtering of traffic based on, say, number of connections some specific IP is establishing to the service running in customer's VPS we will a) have a lot of complaints ranging from "server being down" to "you're killing my business" and b) such things won't help with scenario described by computervitals. So, at the end we'll bring more harm and havoc with very low (if any) positive effect.
If you're referring to low/medium sized network attacks directed against one of our customers, then our position wasn't changed since last year: http://forums.knownhost.com/showpost.php?p=1363&postcount=7
If you're referring to DC-wide attacks that bring the whole DC's network down, then it doesn't matter at all what kind of equipment will be installed in front of your VPS. Even if a million-dollar device is put in front of the specific VPS it won't help at all if uplinks are completely saturated with traffic that, in some cases, isn't even reaching us.

Regards,
Paul

Thanks Paul for the detailed explanations. Much appreciated and helpful in understanding. I'm satisifed ;)
 
I've used the ConfigServer folks that Paul referenced in his linked post on another provider and it works well. Haven't had any breaches yet, although after getting it setup and started getting the daily and hourly system checks and sec. violation emails I was astounded as to how much the server was getting hit on a daily basis with these things. If they generally don't last very long I don't even bother with it. If I end up getting a security log email with several MB of entries in it over several hours, then I look into it and see what I can do to stop it including sending a note to the abuse contact for the IP space listed in whois. Suppose I could also report the IP to the right websites so it gets listed, not that it would do me much good at the time.

This brings up another question though for me. Most of the issues I've seen have been from either far east or middle east countries. Is there a way to completely deny a connection being established if it is determined the IP is not based in the US/Canada for example? I know things like mod_geoip and ip2location exist, just don't know much about what they WILL and WON'T do for you in this regard. At the very least would be good to have it so if the established connection to the server (on whatever port) was determined to be outside US/Canada to immediately kill the connection. Anyone know how best to accomplish something like this?
 
DDoS Mitigation

I know it's been discussed before that a hardware solution for DDoS mitigation is prohibitively expensive but I found something else that may be interesting:

http://www.prolexic.com/solutions/cleanpipe/
Unfortunately there's not any detail about pricing or technical requirements but hey, this is just a "suggestions" board. :)

As far as I am concerned, DDoS is the single largest remaining threat to my server. The technology to handle hacking and exploits is improving (albeit slowly) and clients are at the point now where they are at least minimally security-aware. However some joker with a botnet can still wipe me off the net.
 
While that link looks interesting, it is I am sure it's still very expensive.

If you are really getting hit hard, there are services(contact me via PM if you want to know) you can purchase for your domains only but to do something on a network level, is hard in this competitive VPS market.
 
It's not so much an issue of generating negative attention as that if anybody on the network for any reason happens to be hit by this (and an overview of the network status board should give you an idea of the frequency) then I am affected. Therefore a network-level solution is the only way to go.
 
if anybody on the network for any reason happens to be hit by this (and an overview of the network status board should give you an idea of the frequency) then I am affected. Therefore a network-level solution is the only way to go.

That is true. Do you know of any other provider that has such a system implemented? I'm certainly not knowledgeable in this area so I'm not sure.
 
This would more than likely be the datacenter's decision rather than knownhost's, and ironically enough, the prolexic web server appears to be having trouble filling requests in less than five minutes--almost like it's being attacked itself. Could be unrelated, but if you're going to market reliability, being able to demonstrate it is crucial.
 
Get some DDoS Protection...

Trying to fight DDoS attacks on a server sucks. The DDoS should be getting blocked at the hardware(router) level.
 
I totally agree with this!

Most of my problems/tickets that i have are related to "a high number of connections from an IP".
 
Adding some sort of DDOS protection as mentioned in the OP doesn't help in many cases. Also, if we did add it, this would justify a price increase but DDOS's would still potentially happen.

Joel
 
What do you do that attracts so much negative attention?


Dont know about the guy your asking, but I remeber when it first happen to me (first time on my very old hosts) all because I refused to give some maggot a copy of my vb.
The person practically joined asking for a copy, I refused. Days later my sites lagging and taken offline by old hosters due to ddos attacks. Some of these people with botnets just dont have anything better to do. They actually enjoy causing problems online just for the fun of it.
 
Top