6

First of all, I understand that it's better to have DDoS protection at the data center level. But our DC is not ready to provide good-quality protection, so we are thinking about using an external DDoS protection service.

I have googled several, like (sorry, I cannot post many links):

  • http ://blockdos.net/
  • http ://www.armoraid.com/
  • http ://www.blacklotus.net/
  • http ://ddosprotection.com/
  • http ://www.level3.com/index.cfm?pageID=555

The general idea is that you change DNS to point to the DDoS protection service. They filter traffic for you and then redirect it to your backend. So it adds some small time overhead, but lets your site stay alive even under DDoS.

But it's really easy to write something on a site. My question is: does anybody have experience with such a service? Does it really help against DDoS?

Tonik
  • 61

5 Answers

2

These types of services can be quite expensive, and unless you have the cash to absorb it, the script kiddies can just increase their fire-power quickly by increasing the attack into the multi-gbps zone, which will cost you quite a bit. Most of these tend to require you to have it running before you encounter problems, as they work by analysing patterns in traffic.

gekkz
  • 4,229
0

I've managed to fend off a mid-grade DDoS attack (10K req/sec) a year ago by setting up NGINX as a reverse proxy in front of Apache. Nearly all DDoS traffic has something in common, often the User-Agent string. Just identify the commonality and use a c10k-capable proxy like NGINX to drop that attack traffic while forwarding the real traffic to the normal web server.

FWIW: My experience was using 10-year-old hardware running Fedora Core 1 on a 100Mbit internet uplink. Attack traffic rate was sustained for 1 week, but real customers never noticed any drop in site performance. Just be careful of bandwidth charges.

As for commercial operations that presumably do pretty much that same thing, I can't imagine why they wouldn't work. It's not rocket surgery.

tylerl
  • 15,245
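The "identify the commonality" step from the answer above, as an added example that is not part of the original answer: it scans access-log lines for a User-Agent that dominates traffic across many source addresses and renders an NGINX `map` block for it. The combined log format, the thresholds, the `$drop_ua` variable name, the function names and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumes the NGINX "combined" log format: ip - user [time] "req" status bytes "referer" "agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

FLOOD_UA = "Mozilla/4.0 (constructed-flood-agent)"  # constructed, not a real indicator

def _line(ip, ua):
    return f'{ip} - - [01/Jan/2024:00:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample: 8 flood requests from 4 addresses, 3 ordinary requests.
SAMPLE = [_line(f"192.0.2.{i % 4 + 1}", FLOOD_UA) for i in range(8)] + [
    _line("198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"),
    _line("198.51.100.8", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"),
    _line("203.0.113.9", "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"),
]

def suspicious_agents(lines, min_share=0.5, min_ips=3):
    """User-Agents with >= min_share of all requests, seen from >= min_ips sources."""
    hits, sources, total = Counter(), defaultdict(set), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        ip, agent = m.groups()
        hits[agent] += 1
        sources[agent].add(ip)
        total += 1
    # Requiring many sources avoids flagging one busy client (monitor, crawler).
    return [a for a, n in hits.most_common()
            if n / total >= min_share and len(sources[a]) >= min_ips]

def nginx_map(agents):
    """Render a map block; use it with: if ($drop_ua) { return 444; }"""
    rows = []
    for a in agents:
        if a.startswith("~"):
            continue  # NGINX would read a leading "~" as a regex, not a literal
        escaped = a.replace("\\", "\\\\").replace('"', '\\"')
        rows.append(f'    "{escaped}" 1;')
    return "map $http_user_agent $drop_ua {\n    default 0;\n" + "\n".join(rows) + "\n}"

if __name__ == "__main__":
    print(nginx_map(suspicious_agents(SAMPLE)))
```

Review the flagged strings by hand before deploying the map, since a popular legitimate browser can also exceed the share threshold on a low-traffic site.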
0

Thumbs up for Prolexic - they do a good job. It's pricey, but they were early to the game and from my experience provide good service.

0

I've never used such services but it depends on the types of attacks you're getting. If they're purely bandwidth style attacks and just filling up your pipe, the only way to go is to hire a service like them or to distribute your servers across many pipes and data centers.

If they are exploiting an application or protocol then I would handle that with configuration changes on your end.

Jim
  • 398
0

I have experience with Verisign's DDoS Mitigation Services. They are pricey, but it works well.