DDoS Filtering: CNServers VS Staminus VS BlackLotus VS CloudFlare

[MannDude]

I suppose not all of these are directly comparable, as the last two are generally more expensive options than the first two, though price doesn't mean they're better or worse.

As most of you know, the traffic here is filtered via CNServers. It does it's job well the vast majority of the time. I've never used Staminus, and I have heard mixed reviews on it that indicate some aren't completely happy with it. BlackLotus is known for being expensive, and while I worked for a company in the past that had our corporate site and billing server on a BlackLotus dedicated server, I can't comment if their setup was better or worse than the others. It had pretty graphs, though. And of course CloudFlare's $200/mo option, this seems to be quite popular outside the industry and used by a lot of different sites.

Anyone here with more experience than myself care to comment on what they like and dislike about each filtering option?

 

[Aldryic C'boas]

I have... quite a bit to say about CNServers.  And very little of it is pleasant.  Publicly, I'll state that they are adequate for a single user with a VERY specific project, but I absolutely cannot recommend them as a provider reselling the service.

Staminus we got off to a bumpy start with.. but after a good deal of frustration, we came to discover that a miscommunication on setup (dammit Fran >_>) was pretty much the culprit.  After getting things straightened out, it's been smooth sailing.  Support responses aren't always the quickest, but I rarely have to ask for elaboration or more information on an issue.  Everything with them is 100% professional (in a good way), and unlike dealing with some others I've never gotten "deal with it" as a response.

 

[Mun]

I have... quite a bit to say about CNServers.  And very little of it is pleasant.  Publicly, I'll state that they are adequate for a single user with a VERY specific project, but I absolutely cannot recommend them as a provider reselling the service.

Staminus we got off to a bumpy start with.. but after a good deal of frustration, we came to discover that a miscommunication on setup (dammit Fran >_>) was pretty much the culprit.  After getting things straightened out, it's been smooth sailing.  Support responses aren't always the quickest, but I rarely have to ask for elaboration or more information on an issue.  Everything with them is 100% professional (in a good way), and unlike dealing with some others I've never gotten "deal with it" as a response.

I have the exact opposite with Staminus, down time almost everyday, packet loss galore, and stuggling with them.

Mun

 

[Aldryic C'boas]

I have the exact opposite with Staminus, down time almost everyday, packet loss galore, and stuggling with them.

Mun

As far as the downtime / packet loss - are you testing based on ICMP?  They will frequently block all ICMP during attacks, which threw off our own tests for quite awhile until we figured out what was going on.  As far as testing loss, I rely on mtr's UDP setting now, and ensure that UDP is clear for the IP I'm testing.

 

[fizzyjoe908]

I've found Staminus' network to be sub-par when it comes to anything outside of the New York or Los Angeles regions. The outbound speeds definitely leave something to be desired.

 

[Mun]

As far as the downtime / packet loss - are you testing based on ICMP?  They will frequently block all ICMP during attacks, which threw off our own tests for quite awhile until we figured out what was going on.  As far as testing loss, I rely on mtr's UDP setting now, and ensure that UDP is clear for the IP I'm testing.

Mind giving me your test peramaters?

Mun

 

[MannDude]

What about BlackLotus and CloudFlare? Anyone have experience with those?

 

[fizzyjoe908]

BlackLotus offers a good service. It is more reasonable as well when you purchase their protection from your datacenter instead of directly through them.

 

[Aldryic C'boas]

Mind giving me your test peramaters?

Mun

Literally just mtr -u, with the -u flag telling MTR to use UDP instead of ICMP.  Really wish testing TCP was that simple.. but alas you're pretty much stuck resorting to doing tcpdumps on both ends for that.

 

[vampireJ]

Even the first two does not look like lowend / cheap for me at all.

Any cheaper alternatives on a remote per ip or per vps node filteing?

 

[Wintereise]

DDoS filtering is traditionally not 'cheap' territory due to the amount of bandwidth you usually need to dump on it -- so that'd be unlikely.

As to options, there's always the likes of Javapipe and such, not exactly bad -- but not the best either.

Our resident @kaniini from Tortoiselabs / Centarra is cooking something up too, as far as I know. It's going to be based in Dallas and provide proper BGP/transit based services for filtered data.

 

[Jack]

I have... quite a bit to say about CNServers.  And very little of it is pleasant.  Publicly, I'll state that they are adequate for a single user with a VERY specific project, but I absolutely cannot recommend them as a provider reselling the service.

I haven't taken a real look at them but aren't they the cheapest in the market at list pricings?

Due to that attract the ruffer end of the clients?

 

[Aldryic C'boas]

The problem isn't related to their other clients/etc, but with their staff.  Catch me on IRC or PM sometime tomorrow and I'll go more into detail.

 

[Nick_A]

We've had a pretty good experience with CNServers via cross connect. My understanding is that GRE tunnels from them are not as stable, but I might be completely wrong.

 

[drmike]

I can't stand CNServers.   Unsure why everyone is so married to them in the low-end segment.  Totally unbalanced on the far left US Coast.

Routes to Portland just suck usually.   At last check network stuff thereto is also blah.  I tend to see too much Cogent, well, have in the past.

Last oh, week or two, CNServers has been snafued.   VPSBoard has been flaky as a result.

I am fine with say RamNode hauling in via CNServers (Portland to Seattle).  But others are doing long hauls with big latency hikes.

As an outsider I get the feeling that CNServers is generally a black box.  Never felt providers and users have much if anything in the way of tools to babysit, monitor, see, learn, etc.

 

[KuJoe]

I've been happy with CNServers since day one when we had just a GRE tunnel from Portland to Tampa (I know, latency was high but for websites nobody noticed). I'm happy with our OpenVZ node we've got colocated there and the uptime has been very good (over 99.9% uptime each month which is really good considering the attacks we've seen a few times a month).

Some stats on our IPs with CNServers:


Monitored for: 406 days 06:15:53
Downtime while on GRE Tunnel (81 Days): 08:58:22
Downtime while in Datacenter (325 Days): 02:46:53

I also have to note that their network speeds improved drastically over the past 2 months.

 



# ./speedtest-cli
Retrieving speedtest.net configuration...
Retrieving speedtest.net server list...
Testing from Secure Dragon LLC. (198.57.47.2)...
Selecting best server based on ping...
Hosted by Integra Telecom Inc. (Portland, OR) [0.10 km]: 15.974 ms
Testing download speed........................................
Download: 535.09 Mbit/s
Testing upload speed..................................................
Upload: 165.98 Mbit/s

# ./speedtest-cli
Retrieving speedtest.net configuration...
Retrieving speedtest.net server list...
Testing from Secure Dragon LLC. (198.57.47.2)...
Selecting best server based on ping...
Hosted by Edge Networks (Portland, OR) [0.10 km]: 15.02 ms
Testing download speed........................................
Download: 435.83 Mbit/s
Testing upload speed..................................................
Upload: 97.40 Mbit/s

And for comparison sake I picked a server on the opposite side of the US:


# ./speedtest-cli --server=1771
Retrieving speedtest.net configuration...
Retrieving speedtest.net server list...
Testing from Secure Dragon LLC. (198.57.47.2)...
Hosted by Comcast (Jacksonville, FL) [3920.78 km]: 18.358 ms
Testing download speed........................................
Download: 207.90 Mbit/s
Testing upload speed..................................................
Upload: 30.38 Mbit/s

Not bad for a budget DDOS protection service that can handle stuff like this.

 

[Jack]

Some stats on our IPs with CNServers:


Monitored for: 406 days 06:15:53
Downtime while on GRE Tunnel (81 Days): 08:58:22
Downtime while in Datacenter (325 Days): 02:46:53

I hope that down should've been up and was a typo.. 

 

[peterw]

I hope that down should've been up and was a typo.. 

Downtime while on GRE Tunnel (81 Days): 08:58:22
Equals to downtime is 9 hours for the last 81 days.

 

[Jack]

Downtime while on GRE Tunnel (81 Days): 08:58:22
Equals to downtime is 9 hours for the last 81 days.

Oh I understand now, I thought he was saying down time was 81 days  08:58:22

 

[Magiobiwan]

@drmike Given my internet routes out through Portland, I agree that Portland routes can be lame.