DO Ideas 2

Improve customer experience during DDOS attacks

Currently, if you get a DDoS attack, your server loses all internet-facing networking ability, effectively cutting off your access to the internet on your droplet. Other providers provide more direct protection rather than just shutting your network down, such as OVH's technology and approach detailed here: http://www.ovh.com/us/anti-ddos/ I would prefer DigitalOcean over any other provider based on my experiences, but the DDoS issue is the last remaining concern. If other providers are providing protection to customers rather than just cutting their customers' internet, then I believe that, with all the money DigitalOcean has, they should be able to implement such a system.

  • Morthawt
  • Sep 11 2018
  • Steve commented
    September 11, 2018 17:26

    The suggestion behind this entry is not only about something like website protection; it is more about network protection at L4-L7, to be able to cover any service/protocol through proactive mitigation without null-routing, as is typically applied to partially secure environments in general.

  • Naud commented
    September 11, 2018 17:26

    A large number of hosting providers are working together to have a DDoS protection system. This system is called NaWas. Everyone pays a bit for this service, and the more providers join, the lower the price will be.

    Maybe it's a good idea for DigitalOcean to provide this extra service to the customers. Even better is the price for the system: this won't be big because of the number of hosting parties who are already in!

    The site for more info is reachable at http://www.nbip.nl/diensten/nawas-demand-beveiliging-tegen-ddos/ (the site is written in Dutch)

  • Daniel Kauffman commented
    September 11, 2018 17:26

    Please consider upgrading the automatic DoS detection routines to be more specific. In a recent DDoS attack on one of my Droplets, a relatively simple analysis of the attack would have identified the appropriate response: drop all UDP traffic originating from the source IP address range. This would likely have mitigated the attack while having little or no impact on legitimate users. Instead, DigitalOcean dropped all traffic from all sources for three hours.

    Automatic DoS detection routines should check indicators such as the source IP address range, use of TCP vs. UDP, target ports, along with any other criteria that lend themselves to analysis, and then automatically create suitable rules to black-hole only the attack traffic.
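The kind of analysis this comment describes, as an added example that is not part of the original thread and not DigitalOcean's or any provider's code: flow records are aggregated by protocol, source /24 prefix and destination port, the dominant signature is identified, and a narrow drop rule is produced instead of a blanket null route. The flow records, the thresholds (`share_threshold`, `min_total`) and the nftables-style rule text are all constructed assumptions for illustration; a real system would feed it sampled flow data (sFlow/NetFlow) and its own thresholds.

```python
"""Targeted DDoS attribution over constructed flow records (added example).

Aggregates traffic by (protocol, source /24, destination port), finds the
signature that dominates the sample window and renders a narrow filter rule,
falling back to a protocol+port rule when sources are spread out, and to
"nothing / null route only" when no single signature dominates.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # source IPv4 address
    proto: str    # "udp" or "tcp"
    dport: int    # destination port on the droplet
    nbytes: int   # bytes seen for this flow in the sample window


def make_sample_flows():
    """Constructed sample traffic, not a real capture: a UDP flood towards
    port 53 from 203.0.113.0/24 (a documentation range) plus legitimate
    TCP/443 traffic from another documentation range and one real DNS query."""
    flows = [Flow(f"203.0.113.{h}", "udp", 53, 1_500_000) for h in range(1, 61)]
    flows += [Flow(f"198.51.100.{h}", "tcp", 443, 40_000) for h in range(1, 21)]
    flows.append(Flow("192.0.2.7", "udp", 53, 2_000))
    return flows


def prefix24(addr):
    """Collapse a host address to its /24 network, e.g. 203.0.113.5 -> 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


def profile(flows):
    """Aggregate bytes by (proto, source /24, dport)."""
    agg = defaultdict(int)
    for f in flows:
        agg[(f.proto, prefix24(f.src), f.dport)] += f.nbytes
    return agg


def recommend_rule(flows, share_threshold=0.8, min_total=10_000_000):
    """Return (rule, reason).

    rule is a dict {"proto", "src", "dport"} describing what to drop
    ("src" is None when the rule is protocol+port only), or None when
    either the traffic is below the attack threshold or no single
    signature dominates (the case where only a null route would remain).
    The thresholds are assumed values for this example."""
    agg = profile(flows)
    total = sum(agg.values())
    if total < min_total:
        return None, "traffic volume below attack threshold; nothing to do"

    # Level 1: one protocol + one source /24 + one port carries most bytes.
    (proto, prefix, dport), top = max(agg.items(), key=lambda kv: kv[1])
    if top / total >= share_threshold:
        return ({"proto": proto, "src": prefix, "dport": dport},
                f"{top / total:.0%} of bytes from {prefix} {proto}/{dport}")

    # Level 2: sources are spread out, but one protocol+port still dominates.
    by_pp = defaultdict(int)
    for (p, _, d), b in agg.items():
        by_pp[(p, d)] += b
    (proto, dport), top = max(by_pp.items(), key=lambda kv: kv[1])
    if top / total >= share_threshold:
        return ({"proto": proto, "src": None, "dport": dport},
                f"{top / total:.0%} of bytes are {proto}/{dport} from many prefixes")

    return None, "no dominant signature; only a blanket null route would remain"


def to_nft(rule):
    """Render the rule in nftables syntax (illustrative; assumed chain context)."""
    parts = []
    if rule["src"]:
        parts.append(f"ip saddr {rule['src']}")
    parts.append(f"{rule['proto']} dport {rule['dport']} drop")
    return " ".join(parts)


if __name__ == "__main__":
    rule, reason = recommend_rule(make_sample_flows())
    print(reason)
    print(to_nft(rule) if rule else "no targeted rule")
```

On the constructed sample the UDP/53 flood from 203.0.113.0/24 accounts for over 99% of bytes, so the output is a single `ip saddr 203.0.113.0/24 udp dport 53 drop` rule and the HTTPS clients keep working. The `min_total` guard is what stops ordinary traffic (where one legitimate signature naturally dominates) from being turned into a drop rule.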

  • Jay Stevenson commented
    September 11, 2018 17:26

    Just adding my voice to this, as recommended by Support :-)

    We chose DigitalOcean due to its great prices, reviews and how perfectly simple it is to use. Having built-in (or even optional) DDoS protection would be great.

    Without sounding too cliché, as it is, we are having to rethink the sites and services we would like to migrate to DO. Having fallen foul of DDoS'ers trying to extort us (and the increase in DDoS'ing in general), DDoS protection is at the forefront now of our requirements.

  • Jacob Wheeler commented
    September 11, 2018 17:26

    This needs to be their #1 priority. How can you want anything else more than uptime? If I keep going down like this (and yes, I use Cloudflare) I might have to switch VPS providers, which I hate to say because I love DO's price by the hour.

  • Nuno Jardim commented
    September 11, 2018 17:26

    The security service DigitalOcean is providing to its customers is shameful!

    No DDoS protection whatsoever! And it's not my system that they attack, it's the DigitalOcean VMs!!!

    Which means that we are going down because DigitalOcean is going down!

    Shameful for not providing any type of protection!

  • Morthawt commented
    September 11, 2018 17:26

    Can we get an update on this? It is almost a year later. Have the DDoS attack mitigation measures been improved with regards to the attacked customer's experience? Other VPS providers have measures which do not include null-routing the customer. Think about it logically. The attacker has the goal of taking someone down, which means they need enough resources to sustain an attack. But if you are still doing what you were doing a year ago, you do the hacker/script kiddie's job for them by taking the customer down for 3 hours. It makes zero sense other than as a stop-gap measure till you quickly come up with a better process for dealing with DDoS attacks. I look forward to your reply; I shall be bookmarking this page and checking.

  • Sarmen commented
    September 11, 2018 17:26

    You can just use something like Cloudflare and you'll be protected.

  • Nils Phoenix Summers commented
    September 11, 2018 17:26

    I owned OVH virtual servers and this "anti-DDoS" is a big lie. No protection. Servers go down within 10 seconds no matter whether the anti-DDoS is on.

  • David Farrell commented
    September 11, 2018 17:26

    One of my droplets was on the receiving end of a DDoS attack a while back. A support ticket was automatically created notifying both me and DigitalOcean support of the issue. A DigitalOcean support representative replied to the ticket asking me what I was going to do to ensure this didn't happen in the future.

    I honestly didn't know how to answer this because there isn't really much that can be done to mitigate most DDoS attacks on the droplet or by the holder of the account at all. A further response I received recommended using Cloudflare's static content service to mitigate the attack, but this would only work if the attack wasn't targeted at the IP and is also impossible in the case of the droplet hosting non-static content.

  • Anonymous commented
    September 11, 2018 17:26

    The bottom line is that unless DigitalOcean gets the necessary network capacity, it's unfeasible. Note that the only way you can be completely resistant to DDoSes of any kind is for your network connection to be faster than the sum of all (last-mile) internet connections in the world, so any protection offered would be only up to a certain level. Still, I would like it if DigitalOcean had this. More customers would come.

  • Morthawt commented
    September 11, 2018 17:26

    What does "gathering feedback" mean? Have you made some change that you are gathering feedback on? Or are you gathering feedback about how it has been? Because there are already complaints and ex-customers commenting about it on this suggestion. There are also 410 votes. People, we, care about this a lot. Especially in a world with DDoS attacks and people developing amplification attacks to become even more effective. DO is a great company, the best I have been with, and I have tried several... But this is one "issue" that really should be resolved, especially given the kind of money you are working with.

  • Salvatore commented
    September 11, 2018 17:26

    Up!!!

  • Morthawt commented
    September 11, 2018 17:26

    I would appreciate some official response to this. My customer experience during an attack was horrible, being completely cut off for 3 hours. I would like to hope this would have a high weight placed on it, since it is a very negative experience for customers for something that is not their fault. Other providers have methods of halting most attacks in a few minutes without having to cut the customer's network off entirely.

  • Umair Aslam commented
    September 11, 2018 17:26

    How much more time would it take to have DDoS protection on DigitalOcean VPS, and kindly confirm whether there is a plan for it or not? I have moved my website, gaming servers and TeamSpeak servers to OVH due to their DDoS protection. The only thing keeping me away from using DO's service is just one thing: no DDoS protection.

  • Anonymous commented
    September 11, 2018 17:26

    At the very least you should be able to access the admin console for the droplet so you can do something with it. Maybe back it up or whatever. I recently had my droplet be shut down, and I have no way to go in and clone the droplet so I can get my website back up and running. In my opinion this is a very critical issue which prevents DigitalOcean from being a production-ready platform.

  • Meletis Flevarakis commented
    September 11, 2018 17:26

    Don't forget that OVH (I am a customer for almost 2 years) has been trying to defend their servers since 1997 and they own some of the biggest portions of the web, so it's normal for them to develop the "DDoS vacuum". DigitalOcean, on the other hand, is a very young provider which is trying to do the best for their customers. I'm pretty sure that in 1-3 years DO will develop something like OVH's vacuum :)

  • Jonathan commented
    September 11, 2018 17:26

    Definitely needs looking into. I would happily pay a little extra for a tiny bit more latency and a good defence, rather than what is, for an attacker, a huge success.

  • James Ruffer commented
    September 11, 2018 17:26

    I would look into using Akamai and let them take on the DDoS attacks, as I agree that DO could spend a lot of money attempting to help. I would rather see them spend the money on other things. If you google "DDoS defense" there are many ways to protect yourself without DO doing anything.

  • Anonymous commented
    September 11, 2018 17:26

    This sounds like it would be very helpful, especially with the growing amounts of script kiddies and wannabe hackers that run around the internet DDoSing everything these days pretending like it's hacking when in fact it's just using exploits found by real hackers and tools made by them as well to mess with developers and other users. The internet is just as much of a war zone as real life, however rather than losing lives we're only getting annoyed with the services that won't work. I know people rely on technology too much these days, but it's not life threatening in my opinion, unless it's being used in life threatening situations such as hospitals, space travel, etc.

    It would be nice to have a better setup of DDoS protection on here; however, like Oleg said, Cloudflare is probably your best bet. The only part I don't like about it is having to pay a monthly fee to use SSL on your site.

  • Oleg commented
    September 11, 2018 17:26

    Use http://cloudflare.com - this is a free CDN.

  • Anonymous commented
    September 11, 2018 17:26

    "Anti-DDoS" solutions are extremely expensive and complicated to implement. DO may not be intentionally cutting off access to your droplet; rather, the hypervisor system's NIC is being saturated. In situations where the attack is large enough, it's possible that they null-route your droplet's IP address temporarily to take the impact off of other customers. The only effective way of mitigating DDoS attacks nowadays is with high-volume infrastructure that's capable of filtering out the bad traffic and returning good traffic to your droplet with minimal impact to your applications (i.e. low latency). Arbor Networks makes some great appliances that are capable of doing just this, though they are very expensive - to the tune of >$100k for a single one. In addition to the appliance, DO's network capabilities in each datacenter must exceed that of any attack hitting them. Some botnets using DRDDoS methods are capable of hitting >100Gbps levels, which can easily saturate a network. This means that DO would need virtually >100Gbps of throughput across many different redundant links with different ISPs, and the core infrastructure to handle that traffic efficiently.

    I'm all for DDoS-protected droplets, but you should understand what's involved in providing that. I'm sure many people would be willing to pay a premium for it, I know I would.

  • Morthawt commented
    September 11, 2018 17:26

    Any official word on this topic of improvement?

  • Morthawt commented
    September 11, 2018 17:26

    Any word on this? Other providers have protection, yet the only thing left I dislike about DigitalOcean is that they cut the customer off for 3 hours (network cut off) and that, to me, is not acceptable when other providers are taking 2-5 minutes to get the server back up and running DDoS-free. Even my TeamSpeak 3 server provider only goes down for 2-5 minutes and pops back up.

  • William David Edwards commented
    September 11, 2018 17:26

    I completely agree.

  • Anonymous commented
    September 11, 2018 17:26

    I've actually had to move VoIP servers away from DO because you were not able to mitigate DDoS attacks quickly enough. I have moved my VoIP to OVH.

  • Morthawt commented
    September 11, 2018 17:26

    Sure, it is for 3 or 4 hours, but still, being cut off for that long is a big problem for people who get an attack. People can purposefully trigger this automated cut-off with a short and intense attack. It is just asking to be exploited, if you ask me. I really hope this gets explored and alternative, better solutions are employed to protect CUSTOMERS who are targeted.

  • Moisey Uretsky commented
    September 11, 2018 17:26

    The only place to effectively deal with DDoS attacks is on the edge network layer, and we're reviewing all of the data from today and will be taking steps to improve our service as a result.

    Thanks.