How you handle DDOS Customer

Francisco

Company Lube
Verified Provider
If you don't care about null route now and then, then what does it matter?
Right. We've been mouthed off because we don't provide free filtering as well. We've had more than a few tickets where a user is shocked that we won't eat their 1 1/2 million PPS SYN flood at no cost.

The problem with the handbrake solution you 'favor' is that if someone wants to keep slamming you or runs a multi-hour flood, that node's going to feel it be choppy every x minutes that the null sticks for.

We originally considered that way but the only person it was 'fair' to was the target, not to the other XX customers on the node.

Francisco
 

perennate

New Member
Verified Provider
Well you do it for two hours, don't you? Pretty much the same..

Edit: like, especially if you just get a stream of attacks a month, the only thing you might care about is whether the service is terminated, since you want to keep your files. Even if it's 24 hours (like VaporNode) not a huge deal, obviously timing has a tradeoff.

Edit2: okay that's probably different from what I was saying before, but I think RamNode does increase the time if it becomes a problem to the node (if it's a large attack).
 

beast5

New Member
Verified Provider
When your client is targeted by a DDoS and you are forced to null-route the IP for maybe a few days if the DDoS does not stop, how do you guys try to cool down the customer when their server goes down for a few days?
As there is no DDoS promise on your website, it is very easy:

You simply (assertively) send him the DDoS log, stating it is not included in the server's plan, and if he wants DDoS protection he can get it from an external service. Or you can get a small VPS at OVH, let's say, that has good DDoS protection and install Squid on it (assuming his server is used for web sites only; if not, then only an external service).

First check if the DDoS is on one of his websites. If it's targeting only one and not the IP, then you can advise him to use Cloudflare, or he has to remove the domain as it is affecting other consumers.
 
When your client is targeted by a DDoS and you are forced to null-route the IP for maybe a few days if the DDoS does not stop, how do you guys try to cool down the customer when their server goes down for a few days?
Remove the customer. Offering DDOS services attracts the people who will cost you money in the long run. 
 
This is why I like RamNode, someone can pay $5 and generate a network flood for a minute or so, and IP gets null routed for five minutes or so (unless it was a really large attack), but then it comes right back online and hardly affects me.

If you don't care about null route now and then, then what does it matter?
From the perspective of the host, it definitely matters. A customer that is the target of a DDoS attack on the level of 30-40 times per month is just bad for business -- auto-null or no auto-null. What happens if the attacker gets tired of seeing his target pop back online after an hour? He could start attacking upstream switches or attack a range of IP addresses all at once. These sorts of scenarios are starting to occur with more frequency and are exceedingly frustrating to deal with.

For us, it's common sense. Why are we going to host a $3 per month customer if he is the regular recipient of denial of service attacks? We could easily have the situation under control with auto-null, but having him on our network increases the risk that things could escalate and impact our other customers. For us, any customer who is attacked 30-40 times per month needs to purchase specialized DDoS protection or move elsewhere.
 

perennate

New Member
Verified Provider
From the perspective of the host, it definitely matters. A customer that is the target of a DDoS attack on the level of 30-40 times per month is just bad for business -- auto-null or no auto-null. What happens if the attacker gets tired of seeing his target pop back online after an hour? He could start attacking upstream switches or attack a range of IP addresses all at once. These sorts of scenarios are starting to occur with more frequency and are exceedingly frustrating to deal with.
a) Obviously host is responsible for making sure that whatever they do doesn't cause issues for others. Neither RamNode nor BuyVM have issues because of this, they handle it in different ways (e.g. increasing time nulled if the attack was large). Anyway I was clearly saying from perspective of client so not sure why you thought that was relevant.

b) If you offer DDoS-filtered IP, then the attacker may do that in the same way, so...
 

Shoaib_A

Member
I know some popular hosts who refund your last payment & say goodbye to you in case of an incoming DDoS & they are right in doing so as it should not impact other paying customers. These days many hosts either include DDoS protection by default or let you get it as an add-on.
 
Customers do panic and get disturbed when their website is under DDoS attack. But in such a situation, we need to clearly explain to the client how this happened and what we need to do. If we can explain it to them clearly, they will relax and thus we can build a good rapport with the customer.
 

HostSailor

Member
Verified Provider
There are many providers out there providing DDoS protection and guarantees of such protection; the best way is to find a suitable provider for your needs. If you're attracting DDoS intentionally over and over, then that's your best way of dealing with the issue. On a side note, there are several ways you can deal with such a client; at the end of the day you want to try your best to keep your client, and try every possible option before asking them to politely leave your network.
 

Profuse-Jim

New Member
Verified Provider
Depends how large the DDoS attack is.  If it's under 1Gbps we'll filter it, anything over will be null-routed for 2-24 hours depending on the size of the attack.
 