amuck-landowner

How you handle DDOS Customer

hostemo.com

New Member
Verified Provider
When your client was targeted by ddos, and you force to nullroute the IP for may be few days if the ddos not stop. How you guy try to cool down the customer when their server get down for few days?
 

MannDude

Just a dude
vpsBoard Founder
Moderator
When your client was targeted by ddos, and you force to nullroute the IP for may be few days if the ddos not stop. How you guy try to cool down the customer when their server get down for few days?
Just explain to him that he's attracting bad traffic to his website, for whatever reason that may be. It's having a negative impact on other paying customers, and while you understand it's an inconvenience for him that he is nullrouted, that you will not allow any individual customer (him) to impact the quality of other's services because of it.

Honestly, I'd place a note in the customer's profile to keep a log of when this happens. If it happens more than a couple times, I'd probably refer him to 3rd party filtering services like Cloudflare or x4b that would allow him to remain your customer but with filtering in between or provide him a full backup of his container and tell him he's a high risk client and you don't want him on your network... good luck in your search and good bye.
 
Last edited by a moderator:

blergh

New Member
Verified Provider
Basically what's been said above, possibly assist in helping the customer find a suitable solution or alternative.
 

Francisco

Company Lube
Verified Provider
When your client was targeted by ddos, and you force to nullroute the IP for may be few days if the ddos not stop. How you guy try to cool down the customer when their server get down for few days?
I'm usually a smartass and say "Quit pissing people off on EFNET".

Before we got our autonull we had to take a "You can't be hosting with us anymore" route, but with our

autonull we do a 1 hour automated nullroute. We have some customers too cheap to buy filtered IP's so

they get nullrouted 30 - 40 times a month, not even kidding.

If your datacenter doesn't provide filtering or an autonull you'll likely have to take the same

stance to protect the rest of your customers.

Francisco
 

Thelen

New Member
Verified Provider
The bigger problem is spammers, and twitchy networks who null/pull the power from your server... :p

Maybe I should make a new thread, but how do people handle outbound spam? I've tried blocking IP and allow only the ones that ask (maybe even better is to route through my own MTA?), but SolusVM seems to mess up iptables :/
 

KuJoe

Well-Known Member
Verified Provider
We just keep extending the nullroute until they switch to one of our DDOS Protected VPSs, it doesn't make sense that other clients on the node/network should suffer from attacks directed at one client and any amount of downtime caused by a single client is unacceptable.

One time a client told me "you're going to make me wait 24 hours for only a 5 minute outage" but 5 minutes multiplied by the number of clients on the switch was just unacceptable.

My biggest issue with DDOS attacks isn't how our clients react to the downtime, it's how the clients would react if we got booted from a data center as the result of the attacks (past experience has me very cautious with this subject).
 

hostemo.com

New Member
Verified Provider
We just keep extending the nullroute until they switch to one of our DDOS Protected VPSs, it doesn't make sense that other clients on the node/network should suffer from attacks directed at one client and any amount of downtime caused by a single client is unacceptable.

One time a client told me "you're going to make me wait 24 hours for only a 5 minute outage" but 5 minutes multiplied by the number of clients on the switch was just unacceptable.

My biggest issue with DDOS attacks isn't how our clients react to the downtime, it's how the clients would react if we got booted from a data center as the result of the attacks (past experience has me very cautious with this subject).
yup....they is no other alternative way to do it if customer not going to spend for better security. so i will only keep nullroute the ip if they attack is continue.
 

drmike

100% Tier-1 Gogent
I call the kid's mother and ask if she is familiar with her son being the star of this game called DDoS.

;)

DDoS happens and sucks.

Nulls are the typical routine and hard to find fault with.  The downside is you can per se target your enemies/competitors/whoever and put them down and out   In the dirtend segment this tactic is as common as Sunday.  

DDoS in general seems to be popular.  Just search Twitter for DDoS and you might be surprised about how much chatter around it and who is dropping that word and why.
 

KuJoe

Well-Known Member
Verified Provider
If you have an online company, then operating a website without DDOS protection is a gamble. IMO, it's worth spending a few extra dollars as an insurance policy. Like other forms of insurance, you hope to never have to use it, but it's worth having if you do.
 

hostemo.com

New Member
Verified Provider
You see, in fact a lot of users do not manage their vm security properly, and by the end the server was being compromised. Sometime really dont know how to say about the customer.
 
Last edited by a moderator:

coreyman

Active Member
Verified Provider
If you have an online company, then operating a website without DDOS protection is a gamble. IMO, it's worth spending a few extra dollars as an insurance policy. Like other forms of insurance, you hope to never have to use it, but it's worth having if you do.
I'm trying to convince my brother of that right now. I've been hit with DDOS before because someone didn't like me and I lost a lot of income.
 

hellogoodbye

New Member
Somewhat off-topic, but how strongly would you guys recommend DDoS protection for non-businesses? Particularly for hobbyists who are running personal websites like blogs and fan communities. Are there instances where you feel DDoS protection would be overkill because the likelihood of it happening is very low?
 

drmike

100% Tier-1 Gogent
Somewhat off-topic, but how strongly would you guys recommend DDoS protection for non-businesses? Particularly for hobbyists who are running personal websites like blogs and fan communities. Are there instances where you feel DDoS protection would be overkill because the likelihood of it happening is very low?
If you have visibility in low end land and any competitor or haters, you will eventually get your DDoS experience.

I think with cost from the common cheap DDoS offerers (BuyVM, RamNode, SecureDragon) it's minimal enough cost and fairly easy to justify.

The hassle comes in with some of the configurations and things that break over the DDoS protect as well as traffic issues when two public interfaces.  Typically, I just disable the non filtered IP and do build from there outward to remove any wonkiness.
 

DomainBop

Dormant VPSB Pathogen
I think with cost from the common cheap DDoS offerers (BuyVM, RamNode, SecureDragon)
DDoS filtered IP offerers would be a better description.  Prometeus also offers filtered IPs in Italy (filtering done by SeFlow).

If you need something stronger there's always OVH's free DDoS protection (slow reaction times).  Heavy duty DDoS protection isn't cheap (for example: SeFlow's top protection is 240 euros per server).
 

KuJoe

Well-Known Member
Verified Provider
DDoS filtered IP offerers would be a better description.
I know that BuyVM and RamNode offer filtered IPs, but we do not (our VPS nodes are colocated inside the data center). Just wanted to point that out since it's a common misconception about our service since we used to do it that way over a year ago. :)

As for DDOS protection for a "non-business" site, it all depends. If the site is for something that may attract unwanted attention (i.e. a controversial, religious, or political site) or the site becomes very popular to the point that a skid would want to brag about taking it offline then yes, you should get DDOS protection for it. If the site has a small niche community (i.e. basket weaving, post-it note artwork, tissue blowers anonymous, etc...) then you probably don't need it so maybe something like Cloudflare's free service would be plenty for distributing small attacks from a single person with a large home upload speed and no life.

My rule of thumb is if it has the potential to generate income it gets protected even if it doesn't need to be. Like for my free web hosting service website, it doesn't generate any income but it might in the future so I throw it behind Cloudflare and have it hosted on a DDOS protected server. My personal websites are hosted on a non-protected cPanel server since they are such a small target and downtime is not a factor as long as the MX servers stay online (they sites can be offline for a month and nobody except Google and the 200 or so monthly visitors would notice).
 

OffshoreBox

New Member
Verified Provider
We nullroute the IP and if the attacks are common we refer the customer to a 3rd party filtering service or explain we don't want them as customer anymore. Downtime because of a customer is unnaceptable.
 

hostemo.com

New Member
Verified Provider
In asia we are unable to compare with those provider in usa and europe. In order to filter the ip, you must have a very big capacity to against the dos.

Like in asia, 1gbps = multiple 10G in usa or europe. 1gbps capacity is totally not enough for us to against the dos. This is why we have no options to keep null route the ip. 
 
It's great to have a pre-defined ticket reply message ready for these types of abuse issues. You run into the same recurring discussion over and over:

1. Customer gets hit with DDoS.

2. Net admin null routes customer.

3. Customer gets on trouble ticketing system in a rage.

4. Back and forth explanation of why it is necessary to nullroute ones service when they have not purchased DDoS protection.

You can save yourself a lot of time with a well-crafted ticket reply template.
 

perennate

New Member
Verified Provider
This is why I like RamNode, someone can pay $5 and generate a network flood for a minute or so, and IP gets null routed for five minutes or so (unless it was a really large attack), but then it comes right back online and hardly affects me.

We have some customers too cheap to buy filtered IP's so
they get nullrouted 30 - 40 times a month, not even kidding.
If you don't care about null route now and then, then what does it matter?
 
Last edited by a moderator:
Top
amuck-landowner