Improve customer experience during DDOS attacks

Currently if you get a DDOS attack your server loses all internet-facing networking ability, effectively cutting off your access to the internet on your droplet. Other providers provide more direct protection rather than just shutting your net down, such as OVH's technology and approach detailed here: http://www.ovh.com/us/anti-ddos/ I would prefer DigitalOcean over any other provider based on my experiences, but the DDOS issue is the last remaining concern. If other providers are providing protection to customers rather than just cutting their customers' internet, then I believe with all the money DigitalOcean has they should be able to implement such a system.

717 votes
Morthawt shared this idea
Ciaro shared a merged idea: Some kind of ddos protection on hardware level

    23 comments

      • Morthawt commented

        Can we get an update on this? It is almost a year later. Have the DDOS attack mitigation measures been improved with regards to the attacked customer's experience? Other VPS providers have measures which do not include null routing the customer. Think about it logically. The attacker has the goal of taking someone down, which means they need enough resources to sustain an attack. But if you are still doing what you were doing a year ago, you do the hacker/script kiddie's job for them by taking the customer down for 3 hours. Makes zero sense other than a stop-gap measure till you quickly come up with a better process for dealing with DDOS attacks. I look forward to your reply, I shall be bookmarking this page and checking.

      • Sarmen commented

        You can just use something like CloudFlare and you'll be protected.

      • Nils Phoenix Summers commented

        I owned OVH virtual servers and this "anti-ddos" is a big lie. No protection. Servers go down within 10 seconds no matter whether the anti-DDoS is on.

      • David Farrell commented

        One of my droplets was on the receiving end of a DDoS attack a while back. A support ticket was automatically created notifying both me and DigitalOcean support of the issue. A DigitalOcean support representative replied to the ticket asking me what I was going to do to ensure this didn't happen in the future.

        I honestly didn't know how to answer this because there isn't really much that can be done to mitigate most DDoS attacks on the droplet or by the holder of the account at all. A further response I received recommended using CloudFlare's static content service to mitigate the attack but this would only work if the attack wasn't targeted at the IP and is also very impossible in the case of the droplet hosting non-static content.

      • Anonymous commented

        The bottom line is that unless DigitalOcean gets the necessary network capacity, it's unfeasible. Note that the only way you can be completely resistant to ddos's of any kind is for your network connection to be faster than the sum of all (last-mile) internet connections in the world, so any protection offered would be only up to a certain level. Still I would like it if DigitalOcean had this. More customers would come.

      • Morthawt commented

        What does gathering feedback mean? Have you made some change that you are gathering feedback on? Or are you gathering feedback about how it has been? Because there are already complaints and ex-customers commenting about it on this suggestion. There are also 410 votes. People, we, care about this a lot. Especially in a world with DDoS attacks and people developing amplification attacks to become even more effective. DO is a great company, the best I have been with and I have tried several... But this is one "issue" that really should be resolved, especially given the kind of money you are working with.

      • Morthawt commented

        I would appreciate some official response to this. My customer experience during an attack was horrible, being completely cut off for 3 hours. I would like to hope this would have a high weight placed on it since it is a very negative experience for customers for something that is not their fault. Other providers have methods of halting most attacks in a few minutes without having to cut the customer's network off entirely.

      • Umair Aslam commented

        How much more time would it take to have DDOS protection on DigitalOcean VPS, and kindly confirm whether there is a plan for it or not? I have moved my website, gaming servers and TeamSpeak servers to OVH due to their DDOS protection. The only thing which is keeping me away from using DO service is just one thing: no DDOS protection.

      • Anonymous commented

        At the very least you should be able to access the admin console for the droplet so you can do something with it. Maybe back it up or whatever. I recently had my droplet be shut down, and I have no way to go in and clone up the droplet so I can get my website back up and running. In my opinion this is a very critical issue which prevents DigitalOcean from being a production ready platform.

      • Meletis Flevarakis commented

        Don't forget that OVH (I am a customer for almost 2 years) is trying to defend their servers since 1997 and they own some of the biggest portions of the web, so it's normal for them to develop the "DDOS vacuum". DigitalOcean on the other hand is a very young provider which is trying to do the best for their customers. I'm pretty sure that in 1-3 years DO will develop something like OVH's vacuum :)

      • Jonathan commented

        Definitely needs looking into. I would happily pay a little extra for a tiny bit more latency and a good defence rather than what for an attacker is a huge success.

      • njb_said commented

        I use CloudFlare with all my droplets, however CloudFlare doesn't protect wildcards. Using wildcards is unfortunately required for the services I provide and if someone was in a bad mood they could DDoS my droplets :(

        I would love some kind of mitigation from DO <3

      • James Ruffer commented

        I would look into using Akamai and let them take on the DDoS attacks as I agree that DO could spend a lot of money attempting to help. I would rather see them spend the money on other things. If you google DDoS defense there are many ways to protect yourself without DO doing anything.

      • Anonymous commented

        This sounds like it would be very helpful, especially with the growing amounts of script kiddies and wannabe hackers that run around the internet DDoSing everything these days pretending like it's hacking when in fact it's just using exploits found by real hackers and tools made by them as well to mess with developers and other users. The internet is just as much of a war zone as real life, however rather than losing lives we're only getting annoyed with the services that won't work. I know people rely on technology too much these days, but it's not life threatening in my opinion, unless it's being used in life threatening situations such as hospitals, space travel, etc.

        This would be nice to have a better setup of DDoS protection on here, however like Oleg said, CloudFlare is probably your best bet. The only part I don't like about it is having to pay a monthly fee to use SSL on your site.

      • Anonymous commented

        "Anti-DDoS" solutions are extremely expensive and complicated to implement. DO may not be intentionally cutting off access to your droplet, rather the hypervisor system's NIC is being saturated. In situations where the attack is large enough, it's possible that they null-route your droplet's IP address temporarily to take the impact off of other customers. The only effective way of mitigating DDoS attacks nowadays is with high volume infrastructure that's capable of filtering out the bad traffic and returning good traffic to your droplet with minimal impact to your applications (i.e. low latency). Arbor Networks makes some great appliances that are capable of doing just this, though they are very expensive - to the tune of >$100k for a single one. In addition to the appliance, DO's network capabilities in each datacenter must exceed that of any attack hitting them. Some botnets using DRDDoS methods are capable of hitting >100Gbps levels which can easily saturate a network. This means that DO would need virtually >100Gbps of throughput across many different redundant links with different ISPs, and the core infrastructure to handle that traffic efficiently.

        I'm all for DDoS-protected droplets, but you should understand what's involved in providing that. I'm sure many people would be willing to pay a premium for it, I know I would.

      • Morthawt commented

        Any official word on this topic of improvement?

      • Morthawt commented

        Any word on this? Other providers have protection, yet the only thing left I dislike about DigitalOcean is that they cut the customer off for 3 hours (network cut off) and that, to me, is not acceptable when other providers are taking 2-5 minutes to get the server back up and running DDOS free. Even my TeamSpeak 3 server provider only goes down for 2-5 minutes and pops back up.
