Improve customer experience during DDOS attacks

Currently if you get a DDOS attack your server loses all internet-facing networking ability, effectively cutting off your access to the internet on your droplet. Other providers provide more direct protection rather than just shutting your net down, such as OVH's technology and approach detailed here: http://www.ovh.com/us/anti-ddos/ I would prefer DigitalOcean over any other provider based on my experiences, but the DDOS issue is the last remaining concern. If other providers are providing protection to customers rather than just cutting their customers' internet, then I believe with all the money DigitalOcean has they should be able to implement such a system.

195 votes
Morthawt shared this idea

    12 comments

      • Morthawt commented

        I would appreciate some official response to this. My customer experience during an attack was horrible, being completely cut off for 3 hours. I would like to hope this would have a high weight placed on it since it is a very negative experience for customers for something that is not their fault. Other providers have methods of halting most attacks in a few minutes without having to cut the customers network off entirely.

      • Anonymous commented

        At the very least you should be able to access the admin console for the droplet so you can do something with it. Maybe back it up or whatever. I recently had my droplet be shut down, and I have no way to go in and clone up the droplet so I can get my website back up and running. In my opinion this is a very critical issue which prevents DigitalOcean from being a production ready platform.

      • Meletis Flevarakis commented

        Don't forget that OVH (I am a customer for almost 2 years) is trying to defend their servers since 1997 and they own some of the biggest portions of the web, so it's normal for them to develop the "DDOS vacuum". DigitalOcean on the other hand is a very young provider which is trying to do the best for their customers. I'm pretty sure that in 1-3 years DO will develop something like OVH's vacuum :)

      • Jonathan commented

        Definitely needs looking into. I would happily pay a little extra for a tiny bit more latency and a good defence rather than what for an attacker is a huge success.

      • njb_said commented

        I use Cloudflare with all my droplets, however Cloudflare doesn't protect wildcards. Using wildcards is unfortunately required for the services I provide and if someone was in a bad mood they could DDoS my droplets :(

        I would love some kind of mitigation from DO <3

      • James Ruffer commented

        I would look into using Akamai and let them take on the DDoS attacks as I agree that DO could spend a lot of money attempting to help. I would rather see them spend the money on other things. If you google DDoS defense there are many ways to protect yourself without DO doing anything.

      • Anonymous commented

        This sounds like it would be very helpful, especially with the growing amounts of script kiddies and wannabe hackers that run around the internet DDoSing everything these days pretending like it's hacking when in fact it's just using exploits found by real hackers and tools made by them as well to mess with developers and other users. The internet is just as much of a war zone as real life, however rather than losing lives we're only getting annoyed with the services that won't work. I know people rely on technology too much these days, but it's not life threatening in my opinion, unless it's being used in life threatening situations such as hospitals, space travel, etc.

        This would be nice to have a better setup of DDoS protection on here, however like Oleg said, Cloudflare is probably your best bet. The only part I don't like about it is having to pay a monthly fee to use SSL on your site.

      • Anonymous commented

        "Anti-DDoS" solutions are extremely expensive and complicated to implement. DO may not be intentionally cutting off access to your droplet, rather the hypervisor system's NIC is being saturated. In situations where the attack is large enough, it's possible that they null-route your droplet's IP address temporarily to take the impact off of other customers. The only effective way of mitigating DDoS attacks nowadays is with high volume infrastructure that's capable of filtering out the bad traffic and returning good traffic to your droplet with minimal impact to your applications (ie. low latency). Arbor Networks makes some great appliances that are capable of doing just this, though they are very expensive - to the tune of >$100k for a single one. In addition to the appliance, DO's network capabilities in each datacenter must exceed that of any attack hitting them. Some botnets using DRDDoS methods are capable of hitting >100Gbps levels which can easily saturate a network. This means that DO would need virtually >100Gbps of throughput across many different redundant links with different ISPs, and the core infrastructure to handle that traffic efficiently.

        I'm all for DDoS-protected droplets, but you should understand what's involved in providing that. I'm sure many people would be willing to pay a premium for it, I know I would.

      • Morthawt commented

        Any official word on this topic of improvement?

      • Morthawt commented

        Sure it is for 3 or 4 hours but still, being cut off for that long is a big problem for people who get an attack. People can purposefully trigger this automated cut off with a short and intense attack. It is just asking to be exploited if you ask me. I really hope this gets explored and alternative, better, solutions are employed to protect CUSTOMERS who are targeted.
