DDOS protection - How can providers do it at relatively cheap price?

zhuanyi, posted 03-29-2013, 04:12 AM (Post #1):
As far as I know, DDOS protection pretty much means the DDOS protection provider takes all the incoming hits and either drops the packets or reflects them back (somewhat like a blackhole?)

So in that case, I would assume all those DDOS protection providers must have tonnes of bandwidth, so that their pipes won't be saturated. And I assume they will need to buy that bandwidth, which obviously doesn't come cheap.

So my question is, how did they manage to do it, particularly like those DDOS protected VPS at LEB price and Cloudflare, which offers limited DDOS protection for free?

jarland, posted 03-29-2013, 04:21 AM (Post #2):
Truth is anyone can protect against a DDOS for cheap. Problem is that DDOS comes in various forms so that statement doesn't hold a lot of weight. Some can be protected by just a half decent firewall with some good rules. I've fought off DOS attacks that I'm quite sure I could have handled just as well if it were distributed. I learned last night that a distributed SYN flood is not one of them.

zhuanyi, posted 03-29-2013, 04:45 AM (Post #3):
(03-29-2013, 04:21 AM)jarland Wrote: Truth is anyone can protect against a DDOS for cheap. Problem is that DDOS comes in various forms so that statement doesn't hold a lot of weight. Some can be protected by just a half decent firewall with some good rules. I've fought off DOS attacks that I'm quite sure I could have handled just as well if it were distributed. I learned last night that a distributed SYN flood is not one of them.

But your incoming pipe needs to be large enough so that you can take the hit without saturating your network, no?

And that would cost a lot of bandwidth right?

jarland, posted 03-29-2013, 04:51 AM (Post #4):
(03-29-2013, 04:45 AM)zhuanyi Wrote:
(03-29-2013, 04:21 AM)jarland Wrote: Truth is anyone can protect against a DDOS for cheap. Problem is that DDOS comes in various forms so that statement doesn't hold a lot of weight. Some can be protected by just a half decent firewall with some good rules. I've fought off DOS attacks that I'm quite sure I could have handled just as well if it were distributed. I learned last night that a distributed SYN flood is not one of them.

But your incoming pipe needs to be large enough so that you can take the hit without saturating your network, no?

And that would cost a lot of bandwidth right?

Yeah, but the cost will be quite dependent on factors that are very much different in different places. Take for example that I rent from someone because I could not possibly afford their infrastructure and I want my clients behind it. That person I rent from will stand in front of me if it can be done without hurting others on the same lines. For example, if you threw at me a 200mbit attack that hit his filters, I probably wouldn't hear much about it. Thus I could technically say that I have DDOS protection.

So really I guess what I'm trying to say is that DDOS protection isn't a large statement in and of itself, though I hope anyone advertising it actually means that they are prepared for real and powerful floods with quality equipment. I trust Kujoe, Francisco, etc. I would be lying if I said I haven't seen people claim DDOS protection because they have a nice iptables config that is capable of fighting off the weakest of DDOS attacks. If it's a DDOS and you can protect against it, it's technically a true statement, but it can be quite misleading.

As for costs, definitely high to fight what is becoming average. I don't know how anyone fought off a 300gbit flood...

pubcrawler, posted 03-29-2013, 08:07 AM (Post #5):
(03-29-2013, 04:12 AM)zhuanyi Wrote: So my question is, how did they manage to do it, particularly like those DDOS protected VPS at LEB price and Cloudflare, which offers limited DDOS protection for free?

So, DDOS protection comes in 57 flavors...

@Jarland pointed to firewall and his backend "rules". That's one form.

The downside there is that inbound traffic comes in and gets stomped. It eats space in your allocated pipe/plan. Too much inbound and your server/kernel/sockets/whatever get swamped and down you go.

As I posted on LET (yeah I know, hard to follow), Cloudflare didn't squash 300Gbps.. Their upstream did. Their bandwidth providers.

No end client who is buying from a colo facility can handle an attack that big. Probably few datacenters that could. But the upstream higher Tier providers can and will and catch the traffic hops before coming to end customer and facility. Meaning end client isn't incurring $50k of additional bandwidth charges for the luxury of enduring an attack.

For end customers and small companies, most use software based rules and firewalls. Some have DDoS appliances, but they aren't cheap and surely limited in total throughput they handle.
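
A toy model of the two limits raised in posts #2 and #5, added here as an illustration and not written by any poster: a per-source SYN rate limit (a hypothetical host firewall rule) absorbs a single-source flood but not a distributed one, and packets dropped on the host have still used the inbound pipe. All addresses, rates and capacities below are constructed assumptions.

```python
from dataclasses import dataclass

SYN_BYTES = 60               # assumed on-wire size of one SYN, in bytes
PER_SRC_LIMIT = 10           # assumed firewall rule: max SYN/s accepted per source
SERVER_SYN_CAPACITY = 2_000  # assumed SYN/s the server can absorb
LINK_BPS = 100_000_000       # assumed inbound pipe: 100 Mbit/s


@dataclass
class Verdict:
    passed_pps: int    # SYN/s that get past the per-source limit
    dropped_pps: int   # SYN/s dropped by the rule
    link_util: float   # inbound utilisation, measured before any drop
    server_ok: bool    # passed SYNs fit what the server can absorb
    link_ok: bool      # the inbound pipe is not saturated


def assess(sources, per_src_limit=PER_SRC_LIMIT,
           server_syn_capacity=SERVER_SYN_CAPACITY, link_bps=LINK_BPS):
    """sources maps source address -> SYN packets per second."""
    total = sum(sources.values())
    passed = sum(min(pps, per_src_limit) for pps in sources.values())
    # A dropped packet has already crossed the inbound link, so utilisation
    # is computed from the total, not from what survives the filter.
    util = total * SYN_BYTES * 8 / link_bps
    return Verdict(passed, total - passed, util,
                   passed <= server_syn_capacity, util < 1.0)


# Constructed scenarios.
SINGLE = {"198.51.100.7": 50_000}                       # one noisy source
DISTRIBUTED = {f"10.0.{i // 250}.{i % 250}": 5          # 10,000 quiet sources
               for i in range(10_000)}
VOLUMETRIC = {"203.0.113.9": 300_000}                   # exceeds the pipe itself

if __name__ == "__main__":
    for name, src in [("single", SINGLE), ("distributed", DISTRIBUTED),
                      ("volumetric", VOLUMETRIC)]:
        print(name, assess(src))
```

The single-source case is filtered to 10 SYN/s; the distributed case sends the same 50,000 SYN/s total but every source stays under the limit, so nothing is dropped; the volumetric case is filtered on the host yet the link is already at 144% before the rule ever sees a packet.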

coreymanshack, posted 05-07-2013, 09:54 AM (Post #6):
I think overall, none of the small guys with pipes <=1-2Gbit can effectively thwart a flood without the help of one of the bigger guys with larger pipes passing clean traffic to us.