First of all, I understand that it's better to have DDoS protection at the data center level. But our DC is not ready to provide a good quality of protection. So we are thinking about using some external DDoS protection service.

I have googled several, like (sorry, I can not post many links):

  • http://blockdos.net/
  • http://www.armoraid.com/
  • http://www.blacklotus.net/
  • http://ddosprotection.com/
  • http://www.level3.com/index.cfm?pageID=555

The general idea is that you change DNS to point at the DDoS protection service. They filter traffic for you, and then redirect it to your backend. So it adds some small time overhead, but lets your site stay alive even under DDoS.

But it's really easy to write something on a site. My question is: does anybody have experience with such a service? Is it really helping against DDoS?

Tonik
  • Sounds interesting, but if the DDoS'ers know the target IP, how will those services help you? – Prix Sep 26 '10 at 05:36
  • From what I understood, those services will use a proxy server to redirect clean traffic to your server IP, which only YOU and the company you hire for remote DDoS protection know, but still, if your IP is revealed you would have to switch it. Is moving to another host not an option for you? – Prix Sep 26 '10 at 05:48
  • An attacker can know your server IP. But you need to set up your server to allow traffic only from the "anti-DDoS" company's server IPs. In this case the attacker can do nothing bad to your web server – Tonik Sep 26 '10 at 08:56
  • It doesn't matter so much if your 'real' IP address is exposed. You usually define something like a GRE tunnel between yourself and the DDoS protection service. Anything not coming via the GRE tunnel can be dropped without inspection. You can even ask your upstream suppliers to do this for you if they are feeling helpful. – Mitch Miller Sep 27 '10 at 07:34
  • It will still hit you if your DC does not provide you with proper support, like you said. @mitch if the data center he is currently at has no protection or mitigation, making him need to use an external service, and someone gets his real IP address, they can overload his server just by knowing the real IP. – Prix Oct 04 '10 at 15:43

5 Answers

These types of services can be quite expensive, and unless you have the cash to absorb it, the script kiddies can just increase their fire-power quickly by increasing the attack into the multi-gbps zone, which will cost you quite a bit. Most of these tend to require you to have it running before you encounter problems, as they work by analysing patterns in traffic.

gekkz

I've managed to fend off a mid-grade DDoS attack (10K req/sec) a year ago by setting up NGINX as a reverse-proxy in front of apache. Nearly all DDoS traffic has something in common, often the User-Agent string. Just identify the commonality and use a c10k-capable proxy like NGINX to drop that attack traffic while forwarding the real traffic to the normal web server.

FWIW: My experience was using 10-year-old hardware running Fedora Core 1 on a 100Mbit internet uplink. Attack traffic rate was sustained for 1 week, but real customers never noticed any drop in site performance. Just be careful of bandwidth charges.

As for commercial operations that presumably do pretty much that same thing, I can't imagine why they wouldn't work. It's not rocket surgery.

tylerl
  • My question is exactly about experience with such external DDoS protection services. We use Nginx and a firewall. That was not enough in our case. – Tonik Sep 26 '10 at 09:01
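
The NGINX-in-front-of-Apache setup tylerl describes, as an added example that is not part of the original answer: a reverse proxy that closes the connection on requests whose User-Agent matches the commonality found in the attack traffic, and forwards everything else to Apache. The User-Agent patterns, the backend address and the hostname are constructed assumptions, and the example goes one step beyond the answer by adding a per-client request-rate limit as a second filter.

```nginx
# Added example (not from the original answers): NGINX reverse proxy in front
# of Apache that drops attack traffic sharing a tell-tale User-Agent and
# forwards the rest. Patterns, backend and hostname are constructed assumptions.

# Map the User-Agent header to a flag: 1 = matches an attack signature.
map $http_user_agent $attack_ua {
    default                  0;
    ""                       1;   # empty UA, assumed attack signature
    ~*^ExampleFloodBot       1;   # constructed pattern for illustration
}

# Per-client request budget (10 req/s, burst of 20) as a second line of defence.
limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;

upstream apache_backend {
    server 127.0.0.1:8080;        # assumed: Apache moved to a local port
}

server {
    listen 80;
    server_name example.com;      # placeholder hostname

    # 444 is NGINX's non-standard "close the connection without a response":
    # no bytes are spent replying to the attack traffic.
    if ($attack_ua) {
        return 444;
    }

    location / {
        limit_req zone=per_ip burst=20 nodelay;
        proxy_pass http://apache_backend;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Check the access log for the shared attribute first; the map entries are only useful once they match what the attack traffic actually has in common.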

Thumbs up for Prolexic: they do a good job. It's pricey, but they were early to the game and from my experience provide good service.

gabbelduck

I've never used such services, but it depends on the types of attacks you're getting. If they're purely bandwidth-style attacks, just filling up your pipe, the only way to go is to hire a service like them or to distribute your servers across many pipes and data centers.

If they are exploiting an application or protocol then I would handle that with configuration changes on your end.

Jim

I have experience with Verisign's DDoS Mitigation Services. They are pricey, but it works well.

up_the_irons