# Colocrossing Buffalo now offering 100Gbps DDoS Protection



## drmike (Dec 19, 2014)

So earlier tonight multiple sources on interesting Greenvaluehost email that went out.

The email is offering 100Gbps DDoS protection via Colocrossing's network in Buffalo, New York.

Anyone in the CC reseller downstream aware of such a feature on their network or plans for such?  Not saying this is the first I've caught of their intent to filter, but all others were tunneled services from filtering companies that were not CC themselves doing any filtering.

Posting the sales ad image below so folks see what was said, not as a promotion or endorsement of their filtering or services.





----------



## Aldryic C'boas (Dec 19, 2014)

Sounds like they're just following everyone onto the bandwagon trying to resell Vox.  Given the punishing incompetence from that group, should make for some interesting fireworks.


----------



## comXyz (Dec 19, 2014)

I don't trust anything from GVH anymore.

BTW I think the DDOS protection comes from Vox, not CC.


----------



## HalfEatenPie (Dec 19, 2014)

I added spoiler tags simply because I don't want to advertise GVH on here.


----------



## MannDude (Dec 19, 2014)

c1bl said:


> I don't trust anything from GVH anymore.
> 
> BTW I think the DDOS protection comes from Vox, not CC.


What is the minimum monthly commitment for Vox?


----------



## comXyz (Dec 19, 2014)

MannDude said:


> What is the minimum monthly commitment for Vox?


I don't know.


----------



## drmike (Dec 19, 2014)

HalfEatenPie said:


> I added spoiler tags simply because I don't want to advertise GVH on here.


Accept my apology.. I forget all the time about the spoiler tagging.   Mods can spoil tag whatever I post as they see fit - as needed - whenever.


----------



## drmike (Dec 19, 2014)

Hypothetically, let's go down the Vox rabbit hole...

What does Vox want per month for 100Gbps of filtering?


----------



## Francisco (Dec 19, 2014)

Vox is $2500/month for a BGP GRE tunnel with a small commit on clean. Their filtering isn't 'always on' so there's always a small window where bleeds happen before scrubbing occurs.

Once a test IP is had you can just pull a BGP route on lg.he.net and see who's filtering it.

Francisco


----------



## MannDude (Dec 20, 2014)

I don't believe the service exists, personally.

Anyone have a test IP or have used it? Seems like this week's attempt at staying relevant more than anything else.


----------



## DomainBop (Dec 20, 2014)

MannDude said:


> I don't believe the service exists, personally.
> 
> Anyone have a test IP or have used it? Seems like this week's attempt at staying relevant more than anything else.


Oh it exists alright, but what the promo email didn't tell you is that the new DDoS protected IPs are a limited time offer limited to the first 254 lucky customers!  Use 43.245.196.108 as a test IP because all of the DDoS protected IPs will be in the extra special 43.245.196.0/24 block! None of the IPs in this list are blacklisted by Spamhaus, check for yourself http://bgp.he.net/ip/43.245.196.108#_rbl  Enjoy this exclusive offer while you can!


----------



## Jack (Dec 20, 2014)

Lovely back haul to LA if that's it, Lolz


----------



## Francisco (Dec 20, 2014)

DomainBop said:


> Oh it exists alright, but what the promo email didn't tell you is that the new DDoS protected IPs are a limited time offer limited to the first 254 lucky customers!  Use 43.245.196.108 as a test IP because all of the DDoS protected IPs will be in the extra special 43.245.196.0/24 block! None of the IPs in this list are blacklisted by Spamhaus, check for yourself http://bgp.he.net/ip/43.245.196.108#_rbl  Enjoy this exclusive offer while you can!


Not sure why GVH would be getting the 43.x IPs when they aren't an APNIC provider. Plaza was paying for that space up until recently I think, but since they're closing they either got a partial refund from APNIC or whatever, hence why they're in the unallocated pool I'm thinking.

When we were with CC they requested LOA's for every single subnet, even for ones that were covered by aggregated subnets in previous emails/etc. They were fairly strict on this, requiring signatures & it being emailed from the primary email of the ARIN handle.

Am I wrong?

Francisco


----------



## DomainBop (Dec 20, 2014)

Francisco said:


> Not sure why GVH would be getting the 43.x IPs when they aren't an APNIC provider. Plaza was paying for that space up until recently I think, but since they're closing they either got a partial refund from APNIC or whatever, hence why they're in the unallocated pool I'm thinking.
> 
> 
> When we were with CC they requested LOA's for every single subnet, even for ones that were covered by aggregated subnets in previous emails/etc. They were fairly strict on this, requiring signatures & it being emailed from the primary email of the ARIN handle.
> ...


I was joking about the IPs


----------



## drmike (Dec 20, 2014)

So someone insisted to me that their filtering IS NOT VOX.

They are supposedly launching their own filtering platform.

Mind you their cohorts/partners at Servermania have had multiple brands boasting DDoS filtering and have used everything from CNServers hauling whole of North America to OVH I do believe.

GVH pushing it out the door and all is asking them to swallow the biggest... nevermind... they are going to eat a crap sandwich when people get wind of filtering.  Should be interesting.  Luckily I have lots of corn for popping.


----------



## drmike (Dec 20, 2014)

(As I collect a list of all CC hosts that offer or will this filtering and accept Bitcoin - time for some fun attack victim sites)


----------



## Aldryic C'boas (Dec 20, 2014)

drmike said:


> They are supposedly launching their own filtering platform.


That's hilarious.  I suppose they think that all the time they spent trying to DDoS competitors (sorry Biloh, next time hire skids that won't sell you out) makes them experts on prevention and mitigation now as well.


----------



## drmike (Dec 21, 2014)

Well.. The filtering isn't being built in house.

It's purchased gear.

Supposedly it's already racked and live.

I probably know what it is   But umm I am unclear if they have the big model that would fit 200Gbps... Problem is the platform supports like 32 million PPS... which is nothing big picture with attacks today.


----------



## Kris (Dec 21, 2014)

That would be a RG-40... probably.

If they get chummy with their Cogent / XO reps and get 2x100 Gig drops plus what they already have could see it working. 

Remember once you get the equipment, you need to buy the 200 Gbps worth of BW drops that will hit the Riorey head-on. 

Could perhaps even give Buffalo some differentiation beyond... beyond good latency for Toronto? Will be interesting to see pan out.


----------



## drmike (Dec 21, 2014)

Kris said:


> That would be a RG-40... probably.
> 
> If they get chummy with their Cogent / XO reps and get 2x100 Gig drops plus what they already have could see it working.
> 
> ...


 

I doubt they are affording RG-40 platform.   N+1 = 3 units and well, someone have a price point on the RG-40's?   I'd say 3 of them likely is going to run $250k+ with likely being higher.

Dropping 200Gbps of bandwidth on a filtering platform means they'd be trying to run everything through it.  32 million PPS isn't going to work.   So segmenting the filtering is only sane route to go.

I am speculating here, but their filtering gear will likely be 10Gbps device(s). Why?  Price, size of common bandwidth pipes, ability to segment that perhaps even with own BW drops.

There's a reason why most providers don't offer filtering / DDoS stuff and it's almost always due to the high cost.  That's the barrier at the door.  Once up and going the technical know how and all isn't some pedestrian thing, but most never make it that far.


----------



## DomainBop (Dec 21, 2014)

> So earlier tonight multiple sources on interesting Greenvaluehost email that went out.
> 
> The email is offering 100Gbps DDoS protection via Colocrossing's network in Buffalo, New York.


Provider offers DDoS protection and yet can't keep their own site online...

From their Twitter tonight...



> *GreenValueHost* @GreenValueHost · 3 hours ago
> 
> 
> Our client area is currently offline due to a large scale DDoS against our systems. We are working on mitigating the DDoS now.
> ...


----------



## drmike (Dec 21, 2014)

http://secure.greenvaluehost.com/



> Website is offline
> 
> 
> No cached version of this page is available.
> ...


Which has me going like huh?!?!?!?!

I mean GVH did advertise in that promo 100Gbps protection.... and they have long had their site nested behind meh, Ramnode and Cloudflare...

I expect some showmanship and some downtime, but they are getting punted and staying down.


----------



## DomainBop (Dec 21, 2014)

drmike said:


> I expect some showmanship and some downtime, but they are getting punted and staying down.


There's always the possibility that the skid who got pissed off when GVH (or someone claiming to be from GVH) spammed his LET PM box did more than just DDoS them...i.e. maybe they got hacked again.  Their followup tweet says they are _"performing *very critical security* and DDoS maintenance"_.

edit: and their home page says:

_"We are aware that our client area is currently inaccessible. We are working on very critical security maintenance right now and will be making it accessible again as soon as our maintenance is completed. We apologize for any inconveniences this may cause."_


----------



## MattKC (Dec 23, 2014)

According to the thread at let, they dumped a tar.gz file in the root directory while performing their "upgrade" that contained whmcs attachment files (inc scanned id copies) and left it there to be pulled by anyone who accessed the old url. Classic GVH screw up if true. I'm sure they have already notified the impacted clients...just like they did during the previous hacks (and for those unaware, they have not reported these breaches to the cc associations where you are required to report even suspected breaches so that impacted accounts can be flagged and monitored). Failure to do so will get you punted from the issuers immediately so they are obviously hoping they never find out.


----------



## raindog308 (Dec 24, 2014)

GVH either (1) never used this vaunted aegis of the net, or (2) switched to cloudflare after it let him down.

https://secure.greenvaluehost.com/announcements.php?id=29


----------



## drmike (Dec 24, 2014)

MattKC said:


> According to the thread at let, they dumped a tar.gz file in the root directory while performing their "upgrade" that contained whmcs attachment files (inc scanned id copies) and left it there to be pulled by anyone who accessed the old url. Classic GVH screw up if true. I'm sure they have already notified the impacted clients...just like they did during the previous hacks (and for those unaware, they have not reported these breaches to the cc associations where you are required to report even suspected breaches so that impacted accounts can be flagged and monitored). Failure to do so will get you punted from the issuers immediately so they are obviously hoping they never find out.


Bahaha.

Well, how many 'hacks' does this add up to for GVH?  His hero at ChicagoVPS had by my count three.   I think the lad has caught up with this one.



raindog308 said:


> GVH either (1) never used this vaunted aegis of the net, or (2) switched to cloudflare after it let him down.
> 
> https://secure.greenvaluehost.com/announcements.php?id=29


Oh the public facing stuff and grammar issues / sloppiness.

GVH customer area recently has been buried behind RamNode and Cloudflare.  Last check the client area was behind RamNode. Appears to be behind CF now.  Must be some issues with Ramnode allowing attacks through or nulling GVH to throw them over to CF now. Bound to be layer 7 attacks, which are pedestrian to mitigate, but I don't believe Ramnode does layer 7 stuff to that degree he'd need.

CF in contrast you can crank up to almost paywall restrict inbound visitors plus the big 5 second cooling CF does avoids overloaded server state.

A few ahh iptables rules and simple things and most layer 7 stuff is just not scary.   But for the amateurs, indeed CF works well to protect from such.


----------



## DomainBop (Dec 24, 2014)

> *Database data rolled back one day; Please resubmit tickets & submit ticket to Accounting for missing orders/invoice payments*
> We deeply apologize about the troubles that the last few days have caused. We know that we have been experiencing issues with accessibility of our client area. They were due to very large scale DDoS attacks of all attack vectors and layers against our systems, ongoing nonstop for days ...


Large scale DDoS attacks cause databases to be rolled back one day...I learn something new every day.


----------



## Nick_A (Dec 24, 2014)

drmike said:


> Bahaha.
> 
> Well, how many 'hacks' does this add up to for GVH?  His hero at ChicagoVPS had by my count three.   I think the lad has caught up with this one.
> 
> ...


I haven't been alerted to any issues specifically on our end, nor have we turned GVH away to CF. I don't know exactly what their setup is, but Staminus typically advises against mixing CloudFlare in.


----------



## drmike (Dec 24, 2014)

Nick_A said:


> I haven't been alerted to any issues specifically on our end, nor have we turned GVH away to CF. I don't know exactly what their setup is, but Staminus typically advises against mixing CloudFlare in.


Professor Youngblood had GVH customer panel straight Ramnode+Staminus a day or two ago.   Surely Layer 7 attacks  ran him off for now.

Of course I asked, GVH hasn't been behind any of the CC filtering stuff yet, so while I like to punt them, would be misplaced for me to do so, YET.



DomainBop said:


> Large scale DDoS attacks cause databases to be rolled back one day...I learn something new every day.


I am entirely unclear why someone EVER rolls a database back, unless that's date of last backup following a compromise, rm -rf'ing, or thoughts that someone manually input bad/malicious data in your database.

GVH is kind of special like that though.  Not straight retard level, but only brand outside of CVPS/BlueVM/123Systems where one can convert shitastic experience and customer abuse into more future sales.  Amazing what self mugging on prices can do.   Sad when enough companies actually put time in, work hard, plan, invest and aren't getting customer buys like they should.


----------



## Aldryic C'boas (Dec 24, 2014)

Roll backs typically happen because of _"whoops, we tested new code on production equipment again, and had no fucking idea what we were doing"_.


----------



## Francisco (Dec 24, 2014)

Aldryic C said:


> Roll backs typically happen because of _"whoops, we tested new code on production equipment again, and had no fucking idea what we were doing"_.


_Dammitfran_?

Anyway, I don't think CC has anyone skillful enough on staff to build their own platform and instead are going to use a RIOREY or something like that. Supposedly a fine unit, minus the fact the PPS is only 32M on their "Take out a mortgage" model. We all know if GVH actually puts out 100gbit filtering as "market breaking pricing" that people are going to go Chris Brown on it. I just don't see CC coughing up much past 10 - 20gbit for him at a reasonable price, especially when their upper limits aren't all that high.

A 20gbit NTP flood's going to hit you for 15M PPS or so anyway. Does anyone think GVH is going to be coughing up enough cash for them to be willing to damn well near sacrifice their unit to them for it?

I also don't think Biloh is going to like GVH enough to say "here, go HAM". I'd almost say Ernie's the only reason GVH is still a client over there, and even that's only because he's just an extra way to sell dedicated servers.

Best of luck to them, but they better know how to cover their asses well.

Francisco
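
The packet-rate sizing argument running through this thread (a 32M PPS ceiling set against 100-200Gbps of advertised filtering), worked through as an added example that is not part of any poster's message. It assumes standard Ethernet framing (20 bytes of preamble and inter-frame gap per frame) and a purely packet-rate-bound appliance; the function names and the 200Gbps per-unit throughput used in the sample run are assumptions for illustration.

```python
import math

# Per-frame cost on the wire beyond the frame itself:
# 7 B preamble + 1 B start delimiter + 12 B inter-frame gap.
ETH_OVERHEAD = 20
PPS_LIMIT = 32e6  # appliance packet-rate ceiling quoted in the thread


def pps_for(gbps, frame_bytes):
    """Packets per second needed to fill `gbps` with frames of `frame_bytes`
    (Ethernet frame size including FCS, 64..1518)."""
    return gbps * 1e9 / ((frame_bytes + ETH_OVERHEAD) * 8)


def gbps_at_pps_limit(frame_bytes, pps_limit=PPS_LIMIT):
    """Line rate at which the packet budget runs out for a given frame size."""
    return pps_limit * (frame_bytes + ETH_OVERHEAD) * 8 / 1e9


def min_avg_frame(gbps, pps_limit=PPS_LIMIT):
    """Smallest average frame size for which `gbps` still fits the PPS limit."""
    return math.ceil(gbps * 1e9 / (pps_limit * 8) - ETH_OVERHEAD)


def units_needed(gbps, frame_bytes, unit_gbps, pps_limit=PPS_LIMIT, spare=1):
    """Appliances required when traffic is segmented across units: whichever
    of packet rate or bandwidth binds first, plus `spare` for N+1."""
    by_pps = math.ceil(pps_for(gbps, frame_bytes) / pps_limit)
    by_bw = math.ceil(gbps / unit_gbps)
    return max(by_pps, by_bw) + spare


if __name__ == "__main__":
    print("frame  Gbps@32Mpps  Mpps@100G  units(N+1)")
    for frame in (64, 128, 512, 1518):
        print(f"{frame:5d}  {gbps_at_pps_limit(frame):11.1f}"
              f"  {pps_for(100, frame) / 1e6:9.1f}"
              f"  {units_needed(100, frame, unit_gbps=200):10d}")
    print("min avg frame for 200G on one unit:", min_avg_frame(200), "bytes")
```

With minimum-size frames the 32M PPS budget is exhausted at roughly 21.5Gbps, so the bandwidth headline only holds when the average packet is large.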


----------



## serverian (Dec 24, 2014)

They sell it for $25 per 10G per server.


----------

