

DDoS attack - 3gbps - Need a good solution!!




Posted by AzzidReign, 05-19-2010, 09:13 PM
The last 4 days we have been under heavy DDoS attacks. I've read what some people have said about getting a good sysadmin and I have a great one now for the last 3 years (admingeekz). They've kept me from having to find a "real" solution and have kept server prices down and I'd highly recommend them to anyone...but these attacks are something that they can't mitigate. The last 4 days we have been getting hit with 1gb/s attacks throughout the whole day and at particular times it will peak up to 3gb/s with 320,000 PPS. I'm using ServerOrigin right now but the package I bought ($400/month) was for only 1gbps and 75,000 PPS. The next one up is to block 2gbps and 250,000 PPS which will cost me $1500/month which if they burst it I might be able to get away with this package. Then the next package is 8gbps with 700,000 PPS costing $8500/month. That's a HUGE difference...and I don't and can't spend that much. I wanted to see if there was a better solution that would either cost cheaper than the 1500/month, or one that would cost the same but could block the attacks I'm currently under. All the DDoS protection sites I go to, I can't find pricing...so I'm wondering if anyone can help me out here. PLEASE HELP

Posted by MikeTrike, 05-19-2010, 09:41 PM
You may want to just buy your own hardware instead of $8500/mo: http://www.riorey.com/products/ Hardware is not cheap, but in the long run it would pay for itself.

Posted by server prodigy, 05-19-2010, 10:09 PM
Go here: http://www.blacklotus.net and use the link provided to get a quote. If you can make use of the remote protection proxy you could be up and going again in a few hours. There's really no way around getting those cost quotes, unfortunately. Either that or null route your IPs and shut down for a few days or so and hope they move on to another target. Your alternative would be to purchase a few cheap servers and set up your own firewall and filtering solution.

Posted by FiberFy, 05-19-2010, 11:11 PM
I'd try to contact a few more companies that provide DDoS Protection. Good luck though!

Posted by Richard, 05-19-2010, 11:58 PM
I would recommend GigeNET (http://www.gigenet.com). Once known as Creative Internet Techniques and FOONET, GigeNET is one of the premier DDoS protective networks and "high-risk" server hosting providers. I've had servers with them since 2001.

Posted by ddosguru, 05-20-2010, 03:07 AM
RioRey sells 1 and 10 Gbps appliances. The 10 Gbps model is over $300,000. The OP would be better off paying ServerOrigin $8500/mo in that case.

Posted by BXmanagement, 05-20-2010, 03:42 AM
Contact your datacenter and ask if they have a Cisco Guard available.

Posted by MikeTrike, 05-20-2010, 08:16 AM
That depends, does he only need DDoS protection for a few months? Because if he pays $8500 for 35+ months he could have bought an appliance. 10Gbps gives growing room for protection as well. So like I said, long term, it's worth it. Long term to me means 60-72 months, what would be a product life cycle. Not less than a year. 60 months @ $8500 = $510,000 and $8500 @ 72 months = $612,000 so that's basic math for you. Even if you include consultation, maintenance, support on an appliance like that. It's still cheaper in the long term. It just has that heavy up front investment cost.

Posted by ddosguru, 05-20-2010, 08:22 AM
8500 is not the market price for 3 Gbps, I'm just using the OP's own example. The math still does not work because $300,000 is not the total cost of ownership for that device. There is a very large annual maintenance fee. Also, as of Q4 2009 sale of the RG10000 series was restricted to the Washington, D.C. area (the company is in Bethesda and they want to be able to access the site quickly in order to render support).

Posted by PeakVPN-KH, 05-20-2010, 06:42 PM
I have to agree and since we were mentioned, I will say that we offer custom plans. If you want to email sales. Otherwise, the other providers mentioned, it wouldn't hurt to check with them. The issue is basically resources. We originally used Staminus for much of our back-end filtering but have slowly moved much of our services to our own filtering facilities. In doing so, our prices are a bit more expensive. The high PPS rates are the worst since bandwidth is a static cost and could sometimes be stretched across multiple customers. However, sharing 'your plan' with other customers on a 300,000PPS+ attack would be very unfair to the other customers. As you may notice, Riorey/Intruguard/Arbor all base their protection limits around PPS. That's what the appliance limitations usually reside in and based on the 'type' of attack, the max PPS limit could be higher or lower for the appliance. Buying an appliance is a great way of spending a ton of money and still needing the infrastructure and likely MORE equipment (money) to put it in place. Our cost on 300,000PPS is around $2200/month. We are generally more expensive than some of our competitors but we're now using full Tier1 bandwidth and all plans come with full-datacenter redundant failovers. Doing so is expensive. **We have started offering free burst protection on current customers. In such cases, we may allow 100% burst of your plan for x # of seconds. As long as it isn't sustaining high rates then we may could do it for free. Just drop us an email. Otherwise, check with BlackLotus or Staminus. Both have good pricing, we never want to lose a customer but we don't want you to be unhappy with your services. If there is anything we can do to help, we will gladly do it. Last edited by PeakVPN-KH; 05-20-2010 at 06:53 PM. Reason: Stated price wrong

Posted by usmanbsd, 05-20-2010, 06:55 PM
When something is deployed on your part of the network, will the datacenter not count it as traffic?? Let's suppose you are getting a UDP DoS attack. The data center is itself paying for traffic. So it doesn't matter to them if you protect your server from a DoS attack by using anything; the traffic has entered their network. Yes, the server can be protected, which doesn't mean traffic can be reduced (in 3gbps DoS attacks I don't think any device can help you reduce incoming traffic, it can just block it from reaching your servers). Regards usman Last edited by usmanbsd; 05-20-2010 at 07:03 PM.

Posted by server prodigy, 05-20-2010, 07:08 PM
It depends on your arrangement with the provider. Providers who offer DDOS protection will place filters at the top layer and will work that traffic into the cost of the protection in some way. Other DDOS protection vendors set up a proxy at their location for the Internet facing side to hit and then relay or tunnel clean traffic to your server. Of course the cost of that traffic is going to be paid for one way or another. You bring up a question I've wondered myself though - does the datacenter make these guys pay for "invalid" traffic? Does the traffic involved in an attack cost the DC money as well or do DC connections come as "unmetered" for the size of their pipe from the peering providers?

Posted by PeakVPN-KH, 05-20-2010, 07:14 PM
You're correct and that's the common misconception people have. I can't count the times we have to explain why a null-route was placed due to attacks exceeding the PPS or max Gbps rates. For example: The base Riorey device the 1U/2U small device (can't think of the model off the top of my head) is 1Gbps with up to 300,000PPS of protection. This is great but most datacenters place this device at their edge and all traffic configured to pass through it will use up that PPS rate. It doesn't mean "attack" traffic. It means the max PPS allowed to pass through it at any given time before it fails open. Multiple things to consider with that is that if a datacenter were to have 10x servers passing IPs through it then each server could be getting 1-2,000PPS each. Yes, small number - combined say: 2000PPS per server x 10 = 20,000PPS. Now add an attack which simple UDP floods can hit 300k PPS then you have just surpassed the protection of your $13,000 device. Now consider that the PPS rate is based on the size of the packet and if it's malformed packets set to max size then the PPS rate may very well be 100,000PPS. Just be careful when you start throwing devices at things or considering prices. The reason there are so few of us that do DDoS mitigation (and do it well) is because of the investment we have in this business. Most of us larger companies are not reselling services. We own the bandwidth, equipment, or facilities. The investment has been made in the infrastructure, appliances, clusters, etc. However it's done, it's a large investment and this is what we do. DDoS Protection. We hear customers all the time state that they want to move to xxxx datacenter because they have a Cisco Guard or whatever appliance. Yes, they do, but in most cases they aren't selling ddos protection. They may let you take an attack and they will do their best to help but it's rare to find a datacenter that will welcome such attacks.
It's even more rare to find one that will go out of their way to try and mitigate it. The reason you spend the money for good protection is two things: 1) Stability 2) Assurance (Knowing we aren't going to throw you out when an attack hits 10Gbps. We won't even charge you for it, but we may null-route it if you don't pay us to handle that size of attack.) PPS + Bandwidth is VERY expensive to just burn through it for attacks. Companies like us have to handle x# of 300,000PPS attacks daily. Attacks normally come in bursts, several sites all at once and then they drop off. 'Overselling' resources is not something any good ddos provider does and that's why the cost is there. We have to guarantee those resources will be there when you need them and not being used by someone else. As per the example: 1000Mbps / 300,000PPS device = $12,000-$15,000 Very expensive service to offer in a market with high turnover and exceedingly high amounts of fraud. ------------------------------- In most cases, yes. We offer unmetered to all ddos customers but in actuality, we pay for the bandwidth inbound and outbound. Of course, inbound being the largest amount of traffic. This is why most providers do null-routes on attacks exceeding protection. It has to be blackholed somewhere so the cost is not incurred. Therefore x customer buys 1Gbps of protection and takes a 12Gbps attack, can you imagine the incredible loss that would be incurred otherwise? ***Some providers who have their own datacenter facilities will not pay for the bandwidth itself. It's just like colocation - if you buy a 10Gbps link then you can saturate that link for the cost of the 10Gbps link. Buy a 1Gbps, you are allowed to push as much as you want down the 1Gbps link. In either case, the traffic is expensive. This means you need to have that much traffic available for attacks that you have set-aside for that customer. If a customer wants 1Gbps of protection then you need to be able to offer them a full 1Gbps.
However, if you were to only have a 10Gbps link and 1 customer was getting an 8Gbps attack and they paid for 1Gbps, then your other customers would suffer. This is why you have to be able to dedicate specific resources. This is also why the ddos world is so much different than regular hosting. People say, "I can get a 100Mbps unmetered for $99/month". You can but it's shared. You may get 40mbps peak but 10mbps the rest of the time. In our case, people need every bit of what they order or else you're going to really hurt everyone else. Last edited by PeakVPN-KH; 05-20-2010 at 07:24 PM.
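
Added example (not part of the thread and not any poster's code): the PPS-versus-bandwidth arithmetic from the post above, worked for a device with the 1 Gbps / 300,000 PPS limits and the 10 x 2,000 PPS baseline it mentions. The frame sizes and the 20 bytes of per-frame Ethernet preamble and inter-frame gap are assumptions of this example.

```python
"""Which appliance limit gives out first: packets per second or bandwidth?

Added illustration. Device limits and the 10 x 2,000 PPS baseline come from
the post's example; all frame sizes are assumptions of this example.
"""
from dataclasses import dataclass

ETH_OVERHEAD = 20  # bytes on the wire per frame: 8 preamble/SFD + 12 inter-frame gap


def wire_bits(frame_bytes: int) -> int:
    """Bits one Ethernet frame occupies on the wire, overhead included."""
    return (frame_bytes + ETH_OVERHEAD) * 8


def line_rate_pps(link_bps: float, frame_bytes: int) -> float:
    """Most frames per second a link can physically carry at this frame size."""
    return link_bps / wire_bits(frame_bytes)


@dataclass(frozen=True)
class Appliance:
    max_bps: float  # rated throughput
    max_pps: float  # rated packet rate, counted over ALL traffic through it


def exceeded_limits(dev, base_pps, base_frame, flood_pps, flood_frame):
    """Return the rated limits that legitimate plus flood traffic exceed."""
    total_pps = base_pps + flood_pps
    total_bps = base_pps * wire_bits(base_frame) + flood_pps * wire_bits(flood_frame)
    hit = []
    if total_pps > dev.max_pps:
        hit.append("pps")
    if total_bps > dev.max_bps:
        hit.append("bps")
    return hit


def max_flood_pps(dev, base_pps, base_frame, flood_frame):
    """Largest flood rate that fits, and which limit caps it ('pps' or 'bps')."""
    pps_room = dev.max_pps - base_pps
    bps_room = dev.max_bps - base_pps * wire_bits(base_frame)
    by_bps = bps_room / wire_bits(flood_frame)
    limit = "pps" if pps_room <= by_bps else "bps"
    return max(0, int(min(pps_room, by_bps))), limit


DEVICE = Appliance(max_bps=1e9, max_pps=300_000)  # limits quoted in the post
BASELINE_PPS = 10 * 2_000                          # 10 servers x 2,000 PPS
BASE_FRAME = 500                                   # assumed average legit frame

if __name__ == "__main__":
    for frame in (64, 512, 1518):
        room, limit = max_flood_pps(DEVICE, BASELINE_PPS, BASE_FRAME, frame)
        print(f"{frame:>5}-byte flood: {room:>7} PPS fits, capped by {limit}")
```

Small-packet floods run out of rated PPS while most of the bandwidth is still free; large-packet floods fill the link long before the PPS rating matters, which is why a plan quotes both numbers.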

Posted by server prodigy, 05-20-2010, 07:17 PM
Did your company build its own filtering routers using servers or purchase commercial appliances? If you developed your own was it done using custom router configs or did you use some form of open source program as a foundation? I ask because I'm considering funding an OS project to build a DDOS filtering IDS which would be packaged in a lightweight distro (similar to Vyatta but without the routing functions beyond in -> filter -> out) and the only existing OS programs I can find to use as a starting point look to have been abandoned for a few years. The end goal would be for anyone with a spare server w/ capable resources to deploy a DDOS filter that can handle a particular amount of traffic, adding more if the size of the attack warrants. The cost of existing appliances seems extremely high, IMO and leaves the smaller victims SOOL.

Posted by PeakVPN-KH, 05-20-2010, 07:33 PM
At this time we use a mix. I won't go into how the ddos mitigation works but what you will find is that most providers may have x number of appliances and several filtering clusters that do their custom piece. This is similar to how we do it, there are servers that do a lot of the work. Servers with custom builds, software, etc. The issue with appliances is two things: 1) New attacks come out weekly. Appliances are outdated quickly. Updates are slow. 2) Lack of scalability. 3) Lack of internal modification to the software. (Closed Source) 4) Too Generalized. So in our case, 80% of what we do is fully custom to the customer's need. Some customers can handle more residual than others. In those cases, we leave the buffer different to keep from ever getting legit blocks. The purpose of having servers or server-type appliances and custom configurations is the ability to update rulesets, modules, etc. Any time a new attack comes out, it can be coded in. The other piece is the customizable part. Appliances give you x amount of filtering for a specific type of flood. Sure, you can tighten it up or loosen it but it's not custom to the type of attack. When I state 'too generalized', most appliances are built to drop in and work everywhere. This equates to it being a solution that works for most things or attacks but may completely fail on others. It may not even see some attacks. Riorey has serious issues with specific SYN floods, for example. The customized protection would have to overlay that kind of appliance to pick up slack. I would say that most denial of service providers have several appliances or LOTS of custom back-end clusters/configurations. There simply isn't an appliance out there that blocks all attacks. If there were, it'd be nice, but we wouldn't be in business. That's why companies like us, Prolexic, BlackLotus, Staminus, etc. That's why we're here is because we do what that appliance will not.

Posted by koddos, 05-21-2010, 02:51 PM
For 3gbs proxying I'd recommend blockdos.net for that one. They are the only ones I know that offer the protection in so many different areas worldwide. I'd say it would be a lot cheaper than $8500 too. Plus they've been doing that kind of ddos protection about longer than anyone besides gigenet. For a datacenter with 3gbs protection you can probably get a decent deal at staminus.net for that much. My only issue with staminus though is they do not have big enough servers, need more powerful servers. We do use them for a great deal of our hosting though but have to use more servers than normally due to the available resources. I don't know of any other datacenter that would do 3gbs protection and offer a high end server for a decent price.

Posted by PeakVPN-KH, 05-21-2010, 03:55 PM
If you're going to buy from Blockdos then go to the source. Buy from Staminus, BlockDos is simply a reseller.

Posted by koddos, 05-21-2010, 04:17 PM
They don't resell staminus exclusively, they have a few different networks they use. I know because we recommended a Russian client to them and they were able to get a proxy with pretty good amount of protection in their area. Plus staminus just don't outright sell a proxy do they? And if you noticed in the latter half of my post I did recommend staminus if they were willing to move their server there. Not trying to debate with you here just pointing out what I know. They do have a few alternate locations they can proxy from. I guess it would be best if someone from blockdos would clarify this.

Posted by server4sale, 05-23-2010, 09:04 AM
GiGeNet will be the best choice but not sure if they do it for under your price or not. Just a clarification that if the site is hosted on staminus it doesn't mean that we sell all of our solutions from one vendor. We have contracts with multiple service providers and have our own solutions implemented as well. I don't know how many providers here can offer 20+gbps attack protection here at a single location :p Gige we recommend mainly because I personally consider them above Prolexic with the limitation of location only.

Posted by nessic, 05-23-2010, 09:48 AM
I don't recommend them. It was only a few months back where I had received a HUGE, I mean HUGE ddos attack. Anyway, Gigenet decided to null route my server's DNS. What kind of protection is that?

Posted by PeakVPN-KH, 05-26-2010, 02:02 AM
Depends. Did you have a gigeserver server or a gigenet server? Did you buy the Proxy Shield service? I'm definitely not going to defend a competitor but the limitations (as described extensively above) on protection are in place to protect you and the provider. The only reason we can put a price on ddos mitigation plans is because of the limits. If they were not in place, we would be Prolexic, hitting you with $30k/month bills. (Except in their case, $30k only equates to around 4Gbps of attack traffic.)

Posted by ameen, 05-26-2010, 02:33 AM
We do not provide protection for DNS. So I have no idea what you're talking about.

Posted by brianoz, 05-30-2010, 10:10 AM
Has anybody asked the question here - why are they getting DDOSed? What's the site in question, and why is it getting attacked? We're all talking about the technology here, and sometimes there's a simpler solution. If you're being targeted at this level on a sustained basis you (or one of your sites) have to have annoyed some significant folks, possibly even warranting Federal involvement. While you may not want to answer that question in a public forum, it may be the simplest way of solving the problem.


