List of providers who offer DDoS protection.

HH-Abdullah

New Member
Verified Provider
We at HostHatch also offer protection through Staminus. $5/mo and in two locations - Amsterdam and Los Angeles.
 

OpticServers

New Member
Verified Provider
OpticServers LTD provides 40Gbps DDoS Mitigation (Arbor Networks) and we use some extra steps at our edge such as a perimeter firewall to filter out TCP Based Floods as a standard on all IPs.
 

Kruno

New Member
Verified Provider
We at KnownSRV have DDoS protected servers and nginx-based proxies as well.

We utilize our own protection systems in the Netherlands which run on 2x 10gbps and can handle up to 20gbps (or up to 100gbps if we apply ACL on the core network) and 2M pps. It's not perfect but we are adding new rules and improving the platform on a daily basis. We also use Voxility's DDoS protection as 2nd POP which can handle up to 500gbps with no pps limits according to them.

It's configured as anycast-based /24 on our ASN with NL and RO POPs, which allows us to re-route traffic over RO/Voxility if an attack is too big to handle in the NL. We aim to add more hardware and network capacity in the NL over time, so we can handle bigger attacks on our in-house platform rather than reselling Voxility.

No public offers at this time, but feel free to ticket us if you are interested. Note: Not really budget-friendly compared to most of the providers above.
 

LimestoneNetworks

Member
Verified Provider
@LimestoneNetworks I am also interested in hearing what the free version of DDoS protection covers. Also do you do colocation yet?
Hi, I'm very sorry to have missed your inquiries. I've been seriously busy.

Our basic protection that comes with all of our services is a mix of automated and manual detection in which a pre-defined set of rules is used to mitigate small attacks.  If large attacks take place, we will disable the IP being attacked so that the rest of the IPs and services on your server continue to operate. It's good for attacks under 2Gbps.

We do not offer colocation at this time, but it's being considered.
 

DomainBop

Dormant VPSB Pathogen
add this one to the list and the DDoS protection is free (and not from OVH)...

VPSBoard exclusive, I guarantee you will never see this one featured on LowEndBox. :p

from an email that just arrived...

End of Reality is pleased to announce a new level of DDoS protection now active on all of our services in Los Angeles, California at no extra cost!  We now offer up to 10gbps / 20million PPS of protection and onsite traffic scrubbing in our LA facility.

This is truly a first for the hosting industry - we now have a 100% Premium Bandwidth (Internap Performance IP) DDoS protected network!
 

splitice

Just a little bit crazy...
Verified Provider
@Nett was just about to say the same. Gotta stop getting distracted when posting!
 
Last edited by a moderator:

drmike

100% Tier-1 Gogent
add this one to the list and the DDoS protection is free (and not from OVH)...

VPSBoard exclusive, I guarantee you will never see this one featured on LowEndBox. :p

from an email that just arrived...
End of Reality... who is doing their filtering?

And the reason why you won't see that on LowendGhetto is because of some odd tiff between EoR and Colocrossing.   Where CC couldn't and didn't deliver servers for contract for months.  While CC claims they were owed money.

It would be nice to get Jeremiah Shinkle back here for story telling time about what really went down as he and Robbie (owner of EoR) were/are supposedly best friends.
 

DomainBop

Dormant VPSB Pathogen
End of Reality... who is doing their filtering?
They're getting the filtering in LA through Internap and Internap is using Prolexic. The DC for the LA location is CoreSite, single-homed to Internap. The LA location is using AS63018 IPs (losangelesdedicated.net, also owned by Robbie).

They're still using Ubiquity in Chicago/Dallas/NYC, Hetzner in Germany, Redstation in the UK, and AltusHost in Sweden.
 
Last edited by a moderator:

AThomasHowe

New Member
Honest question, is 2-10Gbps protection actually worth anything? I know shady characters lie but I feel like I could very easily and cheaply smash through that protection with a few $ on HackForums. What's adequate protection if you aren't a regular victim of DoS/DDoS attacks but would like to be well prepared?
 

splitice

Just a little bit crazy...
Verified Provider
Some estimations given tests performed and attacks seen.

Free stressers (e.g. ipstresser) put out 500 - 2Gbps (up from last year).

Some cheap ones 5-8Gbps.

Some decent/better cheap - moderate ones 10 - 25Gbps.

There are more private ones that are 40Gbps plus.

And some private / botnet attacks that are absolutely massive (e.g 100Gbps+) but those are rare / costly.

We don't see many nullroutes on our Italian protection, and it's burstable to 7.5Gbps. Most of those who did get null-routed on those services are game servers, which are natural DDoS magnets.
 

Aldryic C'boas

The Pony
It also depends on what you're running - certain types of attacks (L7, etc) can really wreck your day regardless of your filtering if you don't have competent techs ready to analyse and adjust to the attack.
 

splitice

Just a little bit crazy...
Verified Provider
Less than 20Gbps is probably 80-90% of attacks. Perfectly fine if you aren't an attack magnet. More and more game servers, and similar attack magnets are needing >20Gbps nowadays. But not everyone needs it.

My recommendations would be:

2-4Gbps: Don't bother. Only people hitting this low are free stressers, might as well go for something a bit bigger, it won't cost much more.

4 - 10Gbps: Small Business / Small Service / Small personal site / etc - non attack magnet

10-20Gbps: Have been attacked before, or foresee it being likely. Anyone with a tech orientated audience should consider this (more likely to know strong stressers)

20-100Gbps: Popular Game servers, Popular Sites, Minecraft (!) etc

100Gbps+: If you are thinking about this, you probably wouldn't be asking on a public forum. Or you are unlucky.

Of course if you are reading this in the future factor in sizeable increases. 20Gbps is the 10Gbps of last year.

The US side of our site (we have two termination points) got hit with ~120Gbps last night (and a decent amount of Layer7). Usually attacks of that size are all amp (and this was), and if you have hardware ACLs and a decent amount of connectivity you can tank them.

Unfortunately the stressers only need say ~1gbps 10-20 servers (may even be less) and some decent amp lists.
 
Last edited by a moderator:

splitice

Just a little bit crazy...
Verified Provider
certain types of attacks (L7, etc) can really wreck your day regardless of your filtering
X4B was getting hit by some kind of PHP based L7 (UA pattern "PHP"), a cache buster pattern "/?=[num]" and a Joomla reflection attack earlier today. Not wrecking my day, couldn't care less. Aside from burning some bandwidth, pretty harmless. It's what we get for posting on LET these days. But yes, competent techs wrote that system :)

If you have the tools at your disposal it really shouldn't bother you. Things like: semantic filtering (slowloris, rudy etc), static patterns, dynamic mitigation and user verification. Combine that with ACLs for repeat offenders in an attack incident and you can usually ride through L7. L7 is usually much more reduced than L4 attacks since actual compromised machines (or compromised web services) are needed, not spoofing. This also opens the door for all kinds of analysis that you couldn't normally perform at L4:

  • what client is it?
  • what does fingerprinting say? does it match?
  • what happens if we spit out some browser verification js, does the right result get returned?
  • is the IP a server?
  • does this traffic resemble what we saw yesterday?
  • has this ip previously been involved in L7 attacks? what about its neighbourhood?
  • is it Tor?
The list goes on, you just need to think of all the factors and come up with algorithms to turn values into the correct result.
 
Last edited by a moderator:
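
The per-request checks described in splitice's post above, as an added example that is not part of the original thread: it scores constructed access-log lines against the two patterns the post names (UA "PHP" and the "/?=[num]" cache buster) and returns repeat offenders as ACL candidates. The log format, weights, threshold and function names are assumptions.

```python
import re
from collections import Counter

# Combined-log-format fields we need: client IP, request path, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
CACHE_BUSTER = re.compile(r'^/\?=\d+$')   # the "/?=[num]" pattern from the post
UA_PHP = re.compile(r'^PHP\b')            # assumed reading of UA pattern "PHP"

# Assumed weights; a real system would tune these against its own traffic.
WEIGHTS = {"ua_php": 2, "cache_buster": 2, "prior_offender": 1}

def score_line(line, prior_offenders=frozenset()):
    """Return (ip, score) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    score = 0
    if UA_PHP.search(m["ua"]):
        score += WEIGHTS["ua_php"]
    if CACHE_BUSTER.match(m["path"]):
        score += WEIGHTS["cache_buster"]
    if score and m["ip"] in prior_offenders:   # history only adds to a live hit
        score += WEIGHTS["prior_offender"]
    return m["ip"], score

def acl_candidates(lines, threshold=6, prior_offenders=frozenset()):
    """Sum scores per IP and return the IPs at or above the threshold, sorted."""
    totals = Counter()
    for line in lines:
        parsed = score_line(line, prior_offenders)
        if parsed:
            totals[parsed[0]] += parsed[1]
    return sorted(ip for ip, total in totals.items() if total >= threshold)

# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2014:10:00:00 +0000] "GET /?=48213 HTTP/1.1" 200 512 "-" "PHP/5.3.10"',
    '203.0.113.7 - - [01/Jan/2014:10:00:01 +0000] "GET /?=90177 HTTP/1.1" 200 512 "-" "PHP/5.3.10"',
    '198.51.100.4 - - [01/Jan/2014:10:00:01 +0000] "GET /?=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(acl_candidates(SAMPLE))
```

A single cache-buster hit from a browser-like client stays below the threshold on its own; it only becomes an ACL candidate when combined with other signals such as prior involvement.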

AThomasHowe

New Member
It also depends on what you're running - certain types of attacks (L7, etc) can really wreck your day regardless of your filtering if you don't have competent techs ready to analyse and adjust to the attack.
I am just talking pre-emptive measures, something that might help me sleep at night should the worst happen.

And thank you @splitice good posts.
 

HalfEatenPie

The Irrational One
Retired Staff
Less than 20Gbps is probably 80-90% of attacks. Perfectly fine if you aren't an attack magnet. More and more game servers, and similar attack magnets are needing >20Gbps nowadays. But not everyone needs it.

My recommendations would be:

2-4Gbps: Don't bother. Only people hitting this low are free stressers, might as well go for something a bit bigger, it won't cost much more.

4 - 10Gbps: Small Business / Small Service / Small personal site / etc - non attack magnet

10-20Gbps: Have been attacked before, or foresee it being likely. Anyone with a tech orientated audience should consider this (more likely to know strong stressers)

20-100Gbps: Popular Game servers, Popular Sites, Minecraft (!) etc

100Gbps+: If you are thinking about this, you probably wouldn't be asking on a public forum. Or you are unlucky.

Of course if you are reading this in the future factor in sizeable increases. 20Gbps is the 10Gbps of last year.

The US side of our site (we have two termination points) got hit with ~120Gbps last night (and a decent amount of Layer7). Usually attacks of that size are all amp (and this was), and if you have hardware ACLs and a decent amount of connectivity you can tank them.

Unfortunately the stressers only need say ~1gbps 10-20 servers (may even be less) and some decent amp lists.
X4B was getting hit by some kind of PHP based L7 (UA pattern "PHP"), a cache buster pattern "/?=[num]" and a Joomla reflection attack earlier today. Not wrecking my day, couldn't care less. Aside from burning some bandwidth, pretty harmless. It's what we get for posting on LET these days. But yes, competent techs wrote that system :)

If you have the tools at your disposal it really shouldn't bother you. Things like: semantic filtering (slowloris, rudy etc), static patterns, dynamic mitigation and user verification. Combine that with ACLs for repeat offenders in an attack incident and you can usually ride through L7. L7 is usually much more reduced than L4 attacks since actual compromised machines (or compromised web services) are needed, not spoofing. This also opens the door for all kinds of analysis that you couldn't normally perform at L4:

  • what client is it?
  • what does fingerprinting say? does it match?
  • what happens if we spit out some browser verification js, does the right result get returned?
  • is the IP a server?
  • does this traffic resemble what we saw yesterday?
  • has this ip previously been involved in L7 attacks? what about its neighbourhood?
  • is it Tor?
The list goes on, you just need to think of all the factors and come up with algorithms to turn values into the correct result.
Yep.  Yep.  Even more Yep.

Since vpsBoard was getting hit a few weeks back, I've been meaning to get into reading more about mitigation technology and just ways to handle it.  

So I'm assuming you guys get to have fun with people trying to "tank" your DDoS protection service?  I mean there's that other thread about someone DDoSing a test IP simply to "test it out"...
 

splitice

Just a little bit crazy...
Verified Provider
@HalfEatenPie

It's a regular occurrence for us. Often see people go through all the attack methods too trying to break it. Could be competitors, could be testers. Could even be both at the same time.

I doubt a single person was behind the 120Gbps peak yesterday (2.4k views on a thread so a few people probably "testing" or competitors being douchebags). Anyway didn't cause any real incident, fell over to a location where AMP is ACL'ed so we were laughing (US visitors just lost their speed boost from local ssl termination & caching).

It's also the reason we try not to give out test IPs. They just end up being constantly nulled (20Gbps) or we would end up tanking the attacks constantly (resource waste). That doesn't bother me too much any more since it's just an accepted fact nowadays. I would rather a stressed test IP than our homepage... so releasing test IPs has been considered.
 
Last edited by a moderator: