Improve customer experience during DDoS attacks
Currently, if you get a DDoS attack, your server loses all internet-facing networking ability, effectively cutting off your droplet's access to the internet. Other providers offer more direct protection rather than just shutting your network down, such as OVH's technology and approach detailed here: http://www.ovh.com/us/anti-ddos/ I would prefer DigitalOcean over any other provider based on my experiences, but the DDoS issue is the last remaining concern. If other providers are protecting their customers rather than just cutting off their customers' internet, then I believe that with all the money DigitalOcean has, they should be able to implement such a system.
Title says it all :)
Jay Stevenson commented
Just adding my voice to this, as recommended by Support :-)
We chose DigitalOcean due to its great prices, reviews and how perfectly simple it is to use. Having built-in (or even optional) DDoS protection would be great.
Without sounding too clichéd, as it is we are having to rethink the sites and services we would like to migrate to DO. Having fallen foul of DDoSers trying to extort us (and the increase in DDoSing in general), DDoS protection is now at the forefront of our requirements.
Jacob Wheeler commented
This needs to be their #1 priority. How can you want anything else more than uptime? If I keep going down like this (and yes, I use CloudFlare) I might have to switch VPS providers, which I hate to say because I love DO's price by the hour.
Nuno Jardim commented
The security service DigitalOcean is providing to its customers is shameful!
No DDoS protection whatsoever! And it's not my system that they attack, it's the DigitalOcean VMs!!!
Which means that we are going down because DigitalOcean is going down!
Shameful for not providing any type of protection!
Can we get an update on this? It is almost a year later. Have the DDoS attack mitigation measures been improved with regard to the attacked customer's experience? Other VPS providers have measures which do not include null routing the customer. Think about it logically. The attacker has the goal of taking someone down, which means they need enough resources to sustain an attack. But if you are still doing what you were doing a year ago, you do the hacker/script kiddie's job for them by taking the customer down for 3 hours. It makes zero sense other than as a stop-gap measure until you quickly come up with a better process for dealing with DDoS attacks. I look forward to your reply; I shall be bookmarking this page and checking.
You can just use something like CloudFlare and you'll be protected.
Nils Phoenix Summers commented
I owned OVH virtual servers and this "anti-DDoS" is a big lie. No protection. Servers go down within 10 seconds no matter whether the anti-DDoS is on.
David Farrell commented
One of my droplets was on the receiving end of a DDoS attack a while back. A support ticket was automatically created notifying both me and DigitalOcean support of the issue. A DigitalOcean support representative replied to the ticket asking me what I was going to do to ensure this didn't happen in the future.
I honestly didn't know how to answer this because there isn't really much that can be done to mitigate most DDoS attacks on the droplet, or by the holder of the account at all. A further response I received recommended using CloudFlare's static content service to mitigate the attack, but this would only work if the attack wasn't targeted at the IP, and is also impossible in the case of the droplet hosting non-static content.
The bottom line is that unless DigitalOcean gets the necessary network capacity, it's unfeasible. Note that the only way you can be completely resistant to DDoS attacks of any kind is for your network connection to be faster than the sum of all (last-mile) internet connections in the world, so any protection offered would be only up to a certain level. Still, I would like it if DigitalOcean had this. More customers would come.
What does "gathering feedback" mean? Have you made some change that you are gathering feedback on? Or are you gathering feedback about how it has been? Because there are already complaints and ex-customers commenting about it on this suggestion. There are also 410 votes. People, we, care about this a lot. Especially in a world with DDoS attacks and people developing amplification attacks to become even more effective. DO is a great company, the best I have been with, and I have tried several. But this is one "issue" that really should be resolved, especially given the kind of money you are working with.
I would appreciate some official response to this. My customer experience during an attack was horrible, being completely cut off for 3 hours. I would like to hope this would have a high weight placed on it, since it is a very negative experience for customers for something that is not their fault. Other providers have methods of halting most attacks in a few minutes without having to cut the customer's network off entirely.
Umair Aslam commented
How much more time would it take to have DDoS protection on DigitalOcean VPS, and kindly confirm whether there is a plan for it or not? I have moved my website, gaming servers and TeamSpeak servers to OVH due to their DDoS protection. The only thing keeping me away from using DO's service is that there is no DDoS protection.
At the very least you should be able to access the admin console for the droplet so you can do something with it. Maybe back it up or whatever. I recently had my droplet shut down, and I have no way to go in and clone the droplet so I can get my website back up and running. In my opinion this is a very critical issue which prevents DigitalOcean from being a production-ready platform.
Meletis Flevarakis commented
Don't forget that OVH (I have been a customer for almost 2 years) has been trying to defend their servers since 1997 and they own some of the biggest portions of the web, so it's normal for them to develop the "DDoS vacuum". DigitalOcean, on the other hand, is a very young provider which is trying to do its best for its customers. I'm pretty sure that in 1-3 years DO will develop something like OVH's vacuum :)
Definitely needs looking into. I would happily pay a little extra for a tiny bit more latency and a good defence rather than what for an attacker is a huge success.
I use CloudFlare with all my droplets; however, CloudFlare doesn't protect wildcards. Using wildcards is unfortunately required for the services I provide, and if someone was in a bad mood they could DDoS my droplets :(
I would love some kind of mitigation from DO <3
James Ruffer commented
I would look into using Akamai and let them take on the DDoS attacks as I agree that DO could spend a lot of money attempting to help. I would rather see them spend the money on other things. If you google DDoS defense there are many ways to protect yourself without DO doing anything.
This sounds like it would be very helpful, especially with the growing numbers of script kiddies and wannabe hackers that run around the internet DDoSing everything these days, pretending like it's hacking when in fact it's just using exploits found by real hackers, and tools made by them as well, to mess with developers and other users. The internet is just as much of a war zone as real life; however, rather than losing lives we're only getting annoyed with the services that won't work. I know people rely on technology too much these days, but it's not life-threatening in my opinion, unless it's being used in life-threatening situations such as hospitals, space travel, etc.
It would be nice to have a better DDoS protection setup on here; however, like Oleg said, CloudFlare is probably your best bet. The only part I don't like about it is having to pay a monthly fee to use SSL on your site.
Use http://cloudflare.com - this is a free CDN.
"Anti-DDoS" solutions are extremely expensive and complicated to implement. DO may not be intentionally cutting off access to your droplet; rather, the hypervisor system's NIC is being saturated. In situations where the attack is large enough, it's possible that they null-route your droplet's IP address temporarily to take the impact off of other customers. The only effective way of mitigating DDoS attacks nowadays is with high-volume infrastructure that's capable of filtering out the bad traffic and returning good traffic to your droplet with minimal impact to your applications (i.e. low latency). Arbor Networks makes some great appliances that are capable of doing just this, though they are very expensive - to the tune of >$100k for a single one. In addition to the appliance, DO's network capabilities in each datacenter must exceed that of any attack hitting them. Some botnets using DRDDoS methods are capable of hitting >100Gbps levels which can easily saturate a network. This means that DO would need virtually >100Gbps of throughput across many different redundant links with different ISPs, and the core infrastructure to handle that traffic efficiently.
I'm all for DDoS-protected droplets, but you should understand what's involved in providing that. I'm sure many people would be willing to pay a premium for it, I know I would.
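As an added illustration of the comment above (not code from this thread, from DigitalOcean or from any vendor named here), a defender-side Python sketch that labels inbound flow records as reflection/amplification traffic and checks whether the aggregate towards one droplet IP would exceed an assumed 10 Gbps hypervisor uplink, the condition under which a provider falls back to null-routing. The flow records, the amplifier port list, the packet-size threshold and the link capacity are all constructed assumptions.

```python
"""Label constructed flow records as reflection (DRDoS) traffic and estimate
whether the per-destination aggregate would saturate a hypervisor uplink."""
from collections import defaultdict

# UDP source ports typically seen in reflection floods (DNS, NTP, SSDP, SNMP,
# CHARGEN). Assumption used only to label inbound flows, not as a blocklist.
AMPLIFIER_PORTS = {53, 123, 1900, 161, 19}
# Reflected responses are large; ordinary replies on these ports are small.
LARGE_PACKET_BYTES = 400  # assumed threshold
UPLINK_GBPS = 10.0        # assumed hypervisor NIC capacity

# Constructed sample flows (RFC 5737 addresses):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets, seconds)
SAMPLE_FLOWS = [
    ("198.51.100.7",   123, "203.0.113.10", 41231, "udp", 45_000_000_000, 30_000_000, 60),
    ("198.51.100.8",    53, "203.0.113.10", 41231, "udp", 30_000_000_000, 25_000_000, 60),
    ("198.51.100.9",  1900, "203.0.113.10", 41231, "udp", 15_000_000_000, 15_000_000, 60),
    ("192.0.2.5",    44321, "203.0.113.10",    80, "tcp",      6_000_000,      8_000, 60),
    ("192.0.2.6",       53, "203.0.113.11",  5353, "udp",        120_000,      1_500, 60),
]

def is_reflection_flow(flow):
    """UDP, sourced from an amplifier port, with large average packets."""
    _src, src_port, _dst, _dport, proto, nbytes, packets, _secs = flow
    return (proto == "udp" and src_port in AMPLIFIER_PORTS
            and packets > 0 and nbytes / packets >= LARGE_PACKET_BYTES)

def gbps(nbytes, secs):
    return nbytes * 8 / secs / 1e9

def summarize(flows, link_gbps=UPLINK_GBPS):
    """Per destination IP: reflection vs other Gbps, distinct reflectors,
    and whether the total would exceed the assumed uplink."""
    acc = defaultdict(lambda: {"refl": 0.0, "other": 0.0, "srcs": set()})
    for f in flows:
        d = acc[f[2]]
        rate = gbps(f[5], f[7])
        if is_reflection_flow(f):
            d["refl"] += rate
            d["srcs"].add(f[0])
        else:
            d["other"] += rate
    return {dst: {"total_gbps": round(d["refl"] + d["other"], 3),
                  "reflection_gbps": round(d["refl"], 3),
                  "reflectors": len(d["srcs"]),
                  "saturates_link": d["refl"] + d["other"] > link_gbps}
            for dst, d in acc.items()}

if __name__ == "__main__":
    for dst, row in summarize(SAMPLE_FLOWS).items():
        print(dst, row)
```

With the sample flows, 203.0.113.10 receives 12 Gbps of reflected UDP from three reflectors and exceeds the assumed 10 Gbps uplink, while 203.0.113.11 sees only a small, normal DNS reply.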