Improve customer experience during DDOS attacks
Currently if you get a DDOS attack your server loses all internet facing networking ability, effectively cutting off your access to the internet on your droplet. Other providers provide more direct protection rather than just shutting your net down. Such as OVH's technology and approach detailed here: http://www.ovh.com/us/anti-ddos/ I would prefer digital ocean over any other provider based on my experiences, but the DDOS issue is the last remaining concern. If other providers are providing protection to customers rather than just cutting their customers internet, then I believe with all the money digital ocean has they should be able to implement such a system.
A big amount of hosting providers are working together to have a DDoS protection system. This system is called NaWas. Everyone pays a bit for this service, and the more providers are coming how less the price will be.
Maybe it's a good idea for DigitalOcean to provide this extra service to the customers. Even better is the price for the system, this won't be big because of the amount of the hosting parties whom are already in!
The site for more info is reachable at http://www.nbip.nl/diensten/nawas-demand-beveiliging-tegen-ddos/ (the site is written in Dutch)
Daniel Kauffman commented
Please consider upgrading the automatic DoS detection routines to be more specific. In a recent DDoS attack on one of my Droplets, a relatively simple analysis of the attack would have identified the appropriate response: drop all UDP traffic originating from the source ip address range. This would likely have mitigated the attack while having little or no impact on legitimate users. Instead, Digital Ocean dropped all traffic from all sources for three hours.
Automatic DoS detection routines should check indicators such as the source ip address range, use of TCP vs UDP, target ports, along with any other criteria that lend themselves to analysis, and then automatically create suitable rules to black hole only the attack traffic.
Jay Stevenson commented
Just adding my voice to this, as recommended by Support :-)
We chose Digital Ocean due to it's great prices, reviews and how perfectly simple it is to use. Having built-in (or even optional) DDoS protection would be great.
Without sounding too cliché, as it is, we are having to rethink the sites and services we would like to migrate to DO. Having fallen foul of DDoS'ers trying to extort us (and the increase in DDoS'ing in general), DDoS protection is at the forefront now of our requirements.
Jacob Wheeler commented
This needs to be their #1 priority. How can you want anything else more than uptime? If I keep going down like this (and yes I use Cloud Flare) I might have to switch VPS providers, which I hate to say because I love DO's price by the hour.
Nuno Jardim commented
The security service DigitalOcean is providing to it's customers it's shameful!
No DDOS protections whatsoever! And it's not my system that they attack it's the DigitalOcean VM's!!!
Which means that we are going down because DigitalOcean is going down!
Shameful for not providing any type of protection!
Can we get an update on this? It is almost a year later. Have the DDOS attack mitigation measures been improved with regards to the attacked customer's experience? Other VPS providers have measures which does not include null routing the customer. Think about it logically. The attacker has the goal of taking someone down, which means they need enough resources to sustain an attack. But if you are still doing what you were doing a year ago, you do the hacker/script kiddy's job for them by taking the customer down for 3 hours. Makes zero sense other than a stop-gap measure till you quickly come up with a better process for dealing with DDOS attacks. I look forward to your reply, I shall be bookmarking this page and checking.
you can just use something like cloudflare and you'll be protected.
Nils Phoenix Summers commented
I owned ovh virtual servers and this "anti-ddos" is a big lie. No proctetion. Servers goes down with 10 seconds no matter is the anti ddos on.
David Farrell commented
One of my droplets was on the receiving end of a DDoS attack a while back. A support ticket was automatically created notifying both me and DigitalOcean support of the issue. A DigitalOcean support representative replied to the ticket asking me what I was going to do to ensure this didn't happen in the future.
I honestly didn't know how to answer this because there isn't really much that can be done to mitigate most DDoS attacks on the droplet or by the holder of the account at all. A further response I received recommended using CloudFlare's static content service to mitigate the attack but this would only work if the attack wasn't targeted at the IP and is also very impossible in the case of the droplet hosting non-static content.
The bottom line is that unless DigitalOcean gets the necessary network capacity, it's unfeasible. Note that the only way you can be completely resistant to ddos's of any kind is for your network connection to be faster than the sum of all (last-mile) internet connections in the world, so any protection offered would be only up to a certain level. Still I would like it if DigitalOcean had this. More customers would come.
What does gathering feedback mean? Have you made some change that you are gathering feedback on? or are you gathering feedback about how it has been? Because there are already complaints and ex-customers commenting about it on this suggestion. There are also 410 votes. People, we, care about this a lot. Especially in a world with DDoS attacks and people developing amplification attacks to become even more effective. DO is a great company, the best I have been with and I have tried several... But this is one "issue" that really should be resolved, especially given the kind of money you are working with.
I would appreciate some official response to this. My customer experience during an attack was horrible, being completely cut off for 3 hours. I would like to hope this would have a high weight placed on it since it is a very negative experience for customers for something that is not their fault. Other providers have methods of halting most attacks in a few minutes without having to cut the customers network off entirely.
Umair Aslam commented
how much time would it take more to have DDOS protection on digital ocean vps and kindly confirm whether their is plan for it not ?. I have moved my website, gaming servers and teamspeak servers to OVH due to their DDOS protection. Only thing which keeping me away from using DO service is just one thing that no DDOS protection
At the very least you should be able to access the admin console for the droplet so you can do something with it. Maybe back it up or whatever. I recently had my droplet be shut down, and I have no way to go in and clone up the droplet so I can get my website back up and running. In my opinion this is a very critical issue which prevents digital ocean from being a production ready platform.
Meletis Flevarakis commented
Dont forget that OVH (i am customer for almost 2 years) is trying to defend their servers since 1997 and they own some of the biggest portions of the web, so its normal for then to develop the "DDOS vaccum" Digital ocean on the other hand is a very young provider which trying to do the best for their customers. Im pretty sure that in 1-3 years DO will develop something like OVH's vaccum :)
Definitely needs looking into. I would happily pay a little extra for a tiny bit more latency and a good defence rather than what for an attacker is a huge success.
I use cloudflare with all my droplets, however cloudflare doesn't protect wildcards. Using wildcards is unfortunately required for the services I provide and if someone was in a bad mood they could DDoS my droplets :(
I would love some kind of mitigation from DO <3
James Ruffer commented
I would look into using Akamai and let them take on the DDoS attacks as I agree that DO could spend a lot of money attempting to help. I would rather see them spend the money on other things. If you google DDoS defense there are many ways to protect yourself without DO doing anything.
This sounds like it would be very helpful, especially with the growing amounts of script kiddies and wannabe hackers that run around the internet DDoSing everything these days pretending like it's hacking when in fact it's just using exploits found by real hackers and tools made by them as well to mess with developers and other users. The internet is just as much of a war zone as real life, however rather than losing lives we're only getting annoyed with the services that won't work. I know people rely on technology too much these days, but it's not life threatening in my opinion, unless it's being used in life threatening situations such as hospitals, space travel, etc.
This would be nice to have a better setup of DDoS protection on here, however like Oleg said, cloudflare is probably your best bet. The only part I don't like about it is having to pay a monthly fee to use SSL on your site.