  #1  
Old 04-28-2012, 10:05 AM
CGXR CGXR is offline
New Member
 
Join Date: Feb 2012
Posts: 4

SERVERORIGIN : Life is good


Some explanation for those who are experiencing DDoS and looking for a professional solution.
A few months ago we had our webservers attacked and a really quick solution was needed.
On the advice of some guy from the datacenter we contacted SERVERORIGIN.com; once the red button was clicked, the story starts.

Emergency service of SERVERORIGIN - "..If this is an emergency and you require immediate assistance.."
Our question: How long does it usually take to complete the setup?
Answer: It usually takes about an hour.

The first ticket Submitted:02/01/2012 11:28 Priority:High
02/02/2012 14:18 - proxy started. 27 hours passed. Maybe for someone this would be fine but we lost a few thousand dollars during this setup process.
As well, wanted to mention that most of our messages were:
Sales > Normally the setup is within one hour. We do not see the information attached to the ticket. Did you provide the credit card and ID per our request?
Me > I provided it more than an hour ago.
Me > Waiting for your instructions
Me > I'd appreciate it if you could complete the setup in a short time as 1:30 has passed. Thank you
Me > Could you please give me any update of the progress? If any
....
Me > Is there any progress? 02/02/2012 11:21

Conclusion: Forget about "immediate assistance". In most cases your attack ends before they start their proxy. It looks like that is exactly what they wait for. I'd say, this is the first interesting point of SERVERORIGIN tricks.


Service - "Scooby doooo, where're you.."
So, finally, our website is online (so laggy... ok no problem) at 02/02/2012 14:32
It is good time to take a rest... But we receive a message:
"..Hello, Your IP has been temporarily null-routed until the attack drops within limits. In the last several hours you have had multiple attacks - TCP/ICMP/UDP."
Such service we could get in the datacenter absolutely for free! Thus, got null-routed for $1300.

Cancellation - "Oooops!"
Once we requested service cancellation they charged $1400 from our credit card.
Question: WTF? Answer: Our terms - 3 months min.
Question: Why do you charge now as only one week passed? Answer: .... (that is no answer)


Refund - "....."
Once they got our $2700 their activity went down and we sent them a refund request on 02/12/2012 18:45. Answer:
"...I am sure management will refund this but we're simply trying to be clear that this is not something we like to do because in the end, for the next 2 months we will be paying for transit and resources going unused.
They should have this refunded for you when billing comes in. The night manager has already approved it.
Thanks again."
We tried to contact any responsible person, but there has been no answer since that date.

Conclusion: Your website is yours only. Do not waste your money on such "DDoS protection".
Once your site is attacked, order 2-8 new servers for the same money and enable load balancing, e.g. based on DNS. We got only 2 servers and the problem went away. Later we added 6 more servers, so now we feel really good.

Avoid "company" SERVERORIGIN!



  #2  
Old 04-28-2012, 10:15 AM
net net is offline
Community Liaison
 
Join Date: Mar 2003
Posts: 11,150
Moved > Managed Hosting and Services.

__________________
.
JoneSolutions.Com + SSS = Your Number One Choice On The Net - since 2001

It's Fully Managed and Secured. Ask us at sales @ jonesolutions.com .

  #3  
Old 04-28-2012, 01:32 PM
crc32 crc32 is offline
Newbie
 
Join Date: Mar 2012
Posts: 17
Thanks OP for sharing your experience.

While my site is in no way a DDOS magnet, this is something that I worry about but have never really gotten around to doing anything about. I've read somewhere that I should have an action plan in place so that when my site does get DDOS'ed (touch wood), I would know exactly what to do.

Thanks to you, I now know that ServerOrigin are definitely not the people to contact in case of DDOS.

I am interested in implementing your load balancing solution.
What are the specs of the load balanced servers and how big an attack can they withstand?

  #4  
Old 04-28-2012, 01:36 PM
ddosguru ddosguru is offline
CISSP-ISSMP, CISA
 
Join Date: Aug 2002
Location: Los Angeles, CA
Posts: 5,487
My question for the OP is whether any emergency installation service was purchased. If not, 27 hours isn't exactly out of bounds.

There isn't a single DDoS protection provider that says the "typical" setup is longer than 1 hour, but unless that is guaranteed in writing or somehow bound to an emergency setup fee it's not worth too much.

__________________
.._(_)_.. Black Lotus Communications - AS32421
(_)@(_) >> Carrier grade DDoS mitigation for service providers and enterprises
....(_)..... >> Multi-terabit DDoS filtering capacity | Los Angeles, Ashburn, and Amsterdam facilities

  #5  
Old 04-28-2012, 06:57 PM
CGXR CGXR is offline
New Member
 
Join Date: Feb 2012
Posts: 4
Yes, I clicked the red button and an emergency ticket was created. They promised a few hours, that is why I paid them. We lost a few thousand $ within this period.

Incoming traffic was about 2 mln. packets/sec. I would say it was a peak. We blocked attacking IPs and this peak went down. But it is not an instant thing; within those seconds you can get null-routed for 24h by the datacenter or the server just goes into a coma. (To avoid the server's coma it is a good idea to reduce some TCP timeouts in sysctl and set them to 1-2 sec if an attack is detected.)

We ordered servers:
Dual Processor Quad Core Xeon 5620 - 2.40GHz (Westmere) - 2 x 12MB cache w/HT, x $349.00

When we had only 1 server, once an attack started the datacenter null-routed the server and that was the end. Now, if any attack starts, some servers get 20-30% of DDoS packets so the datacenter just enables CISCO and we feel good. If you use DNS load balancing it is important to set a low TTL, e.g. 300 sec.
Attached Thumbnails
000.jpg  

  #6  
Old 04-29-2012, 01:25 AM
FiberPeer FiberPeer is offline
Web Hosting Master
 
Join Date: Jun 2006
Location: NYC
Posts: 1,408
We are reviewing this and the *true* story will actually get posted here since you decided to post this story in such a deceptive and libelous form.

This user has got a beautiful way of mingling the actual truth in with complete exaggeration.

  #7  
Old 04-29-2012, 02:33 AM
FiberPeer FiberPeer is offline
Web Hosting Master
 
Join Date: Jun 2006
Location: NYC
Posts: 1,408

Ahh yes, after I found the order I immediately remembered you.

* User's setup delay was WITHIN PROMISED TIME - NOT 27 hours and the few minutes of delay that actually occurred was due to him being in the Ukraine and failing the fraud review. He also failed to provide us the information we requested until asking multiple times.

Now where do I start with all of this? I guess I should say that this guy left out 98% of the ACTUAL truth.

First of all his time line on setup is severely exaggerated:

User contacts us for information regarding DDoS mitigation.

User: 02/01/2012 11:28
ServerOrigin Reply: 02/01/2012 11:31

Did I count wrong? I would swear that says 3 minutes...*shrug*

Next..

User Reply: 02/01/2012 11:44
ServerOrigin Reply: 02/01/2012 11:51
User Reply: 02/01/2012 12:00
User Replies again: 02/01/2012 12:09 "When I get an update?!?"
If 9 minutes is any INDICATION of how this user operates, you see where this is going.
ServerOrigin Replies: 02/01/2012 12:11
ServerOrigin Responds again: 02/01/2012 12:12
User Replies: 02/01/2012 12:20
omg, looks like not efficient funds on the card. We`ll be able to make a bank transaction to the card only tomorrow. Is it possible to get an extension till tomorrow?


You know what, I will just copy and paste this. No point in trying to timeline this. People reading this forum can see clearly based on this the kind of service we provide.

They can also read for themselves simply how ridiculous it is for you to come here and complain. You didn't even pay for 3 days - since we ALLOWED you to wait based on you getting your funds straightened out and ensuring you were pleased.

At that time you paid.

Here is his entire ticket history (http://www.serverorigin.com/WHT/WHT-Yevgeniy.pdf). Pick it apart if you wish, if you find where we did wrong, please point it out.

Nothing was modified here except removing private/key information. We have nothing to hide and maybe people can quit speaking so negatively about us once you see what lengths we actually go to just to be slapped with a chargeback.

People want to know one reason mitigation is so expensive? This kind of behavior.
Quote:
Please upgrade and enable website access asap.
Ticket ID: 369981
Department: DDoS Emergency
Creation Date: 02/06/2012 04:29
Last Reply: 02/06/2012 04:43
Status: Closed
Priority: High
Yevgeniy @ 02/06/2012 04:29
Please upgrade and enable website access asap.
----------------------------
IP Address: 92.240.97.246
Yevgeniy @ 02/06/2012 04:43
Please ignore this message no upgrade
We spent 80% of the time trying to keep up with his constant changes and updates / lack of server management knowledge, etc. User changed his IP 4 different times, changed his mind twice about upgrading, etc.

Here it is in all of its glory:
http://www.serverorigin.com/WHT/WHT-Yevgeniy.pdf


Last edited by FiberPeer; 04-29-2012 at 02:48 AM.
  #8  
Old 04-29-2012, 03:07 AM
FiberPeer FiberPeer is offline
Web Hosting Master
 
Join Date: Jun 2006
Location: NYC
Posts: 1,408
By the way, after reviewing all of this I did find something quite funny. His request to cancel:
http://www.serverorigin.com/WHT/cancellation.png

Anyway, to sum it up - review the link in the previous post: http://www.serverorigin.com/WHT/WHT-Yevgeniy.pdf

  #9  
Old 04-29-2012, 05:04 AM
CGXR CGXR is offline
New Member
 
Join Date: Feb 2012
Posts: 4
Quote:
Originally Posted by ServerOrigin View Post
Ahh yes, after I found the order I immediately remembered you.

* User's setup delay was WITHIN PROMISED TIME - NOT 27 hours and the few minutes of delay that actually occurred was due to him being in the Ukraine and failing the fraud review. He also failed to provide us the information we requested until asking multiple times.
Sure, I expected your "true" refutation.
First, what did you mean by making the word "Ukraine" in bold font? Looks like you wanted to change visitors' attitude to this post? Don't worry, that is ok.

Just to be clear, you asked credit card proof at 02/01/2012 13:35, proof uploaded at 02/01/2012 13:43. And at 02/01/2012 14:57 you post a message: Did you provide the credit card and ID per our request? That is more than an hour you just could not notice the uploaded file.
We asked: How long does it usually take to complete the setup?
You answered: It usually takes about an hour.
Your protection was enabled in 27 hours. This is not a huge problem, though we lost our money within this time. But as a part of all those issues and thousands of wasted $$ it is important.

You again ignored the question about the refund, requested 3 months ago. Any news? Looks like you haven't yet "Ahh yes remembered". No problem, let it stay your little secret how to earn money.

And finally, I expect tons of dirt from you in order to clean up your reputation, but I am not going to discuss it and post never ending proofs and explanations. Let those stolen $2700 make you happy.
All I want is just to warn those, who can get into the same situation.

  #10  
Old 04-29-2012, 05:07 AM
CGXR CGXR is offline
New Member
 
Join Date: Feb 2012
Posts: 4
Lol, you really fun! cancellation.png - that moment we just wanted to cancel and that is all. But when you, after that cancellation, get $1400 from our credit card without a notice, this became more interesting and we had to request the refund.

  #11  
Old 04-29-2012, 04:44 PM
FiberPeer FiberPeer is offline
Web Hosting Master
 
Join Date: Jun 2006
Location: NYC
Posts: 1,408
Quote:
Originally Posted by CGXR View Post
Lol, you really fun! cancellation.png - that moment we just wanted to cancel and that is all. But when you, after that cancellation, get $1400 from our credit card without a notice, this became more interesting and we had to request the refund.
The issue was that you submitted the cancellation only after you had used the services throughout a month. You then requested it not be terminated until the end of the billing period. Yet, once you realized we would uphold the ToS - you got mad and started threatening going to WHT. ServerOrigin will not argue this any further, it's unprofessional and petty. We have stated our defense which is available for readers to draw their own conclusion.

* We mentioned Ukraine because it added to your fraud review problems. Ukraine has an incredibly high rate of fraud and even removing Ukraine from the fraud score, you still registered a 5.8 out of 10. Anything above 3 being suspicious and therefore the reasoning behind us requiring identifying documentation.

Another note and WARNING to those taking his advice:
Your take on mitigation is not going to work with any real attacker. If the attacker had any sense they would realize based on your spoken recommendation how flawed it is.
Quote:
Conclusion: Your website is yours only. Do not waste your money on such "DDoS protection".
Once your site is attacked, order 2-8 new servers for the same money and enable load balancing, e.g. based on DNS. We got only 2 servers and the problem went away. Later we added 6 more servers, so now we feel really good.
It doesn't matter if you have 100 servers on DNS round-robin, the attacker can simply do an nslookup, get the list of IPs and send the full attack load to each individual IP. Softlayer now null-routes in excess of 100k PPS/2Gbps (normally for 12-24 hours) so the attacks you had would null each IP. Attacking each IP with the full payload would only take 6 short attacks one IP at a time to completely take you offline for a minimum of 12 hours.

The reason there are mitigation companies like us is because methods like these do not work for real ddos attacks.


Last edited by FiberPeer; 04-29-2012 at 04:48 PM. Reason: edited to add the explanation for Ukraine reference.
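
The capacity argument from the last two technical posts (the DNS round-robin pool with a 300-second TTL, and the per-IP null-route threshold), worked through as an added example that is not part of the original thread. The even-split model and the names `Pool`, `per_ip_pps` and `assess` are assumptions; the figures are the ones quoted in the posts.

```python
import math
from dataclasses import dataclass


@dataclass
class Pool:
    servers: int             # A records in the DNS round-robin set
    null_route_pps: int      # upstream null-routes an IP above this rate
    null_route_hours: float  # minimum duration of a null-route
    dns_ttl_s: int           # TTL on the A records


def per_ip_pps(pool: Pool, flood_pps: int, follows_dns: bool) -> int:
    """Rate seen by the busiest address in the pool.

    follows_dns=True : traffic resolves the name, so round-robin divides it.
    follows_dns=False: traffic is addressed to one IP, so DNS divides nothing.
    """
    return math.ceil(flood_pps / pool.servers) if follows_dns else flood_pps


def assess(pool: Pool, flood_pps: int) -> dict:
    spread = per_ip_pps(pool, flood_pps, follows_dns=True)
    direct = per_ip_pps(pool, flood_pps, follows_dns=False)
    return {
        "spread_pps_per_ip": spread,
        "stays_routed_if_spread": spread <= pool.null_route_pps,
        "stays_routed_if_direct": direct <= pool.null_route_pps,
        # Pool size at which an evenly divided flood fits under the threshold.
        "servers_needed_if_spread": math.ceil(flood_pps / pool.null_route_pps),
        # Resolvers can keep returning a withdrawn address for up to one TTL.
        "stale_record_window_s": pool.dns_ttl_s,
        "min_outage_hours_per_ip": pool.null_route_hours,
    }


# Figures quoted in the thread: 8 servers, 300 s TTL, 2 million packets/sec peak,
# null-route above 100k PPS for at least 12 hours.
THREAD_POOL = Pool(servers=8, null_route_pps=100_000, null_route_hours=12, dns_ttl_s=300)
THREAD_PEAK_PPS = 2_000_000

if __name__ == "__main__":
    for key, value in assess(THREAD_POOL, THREAD_PEAK_PPS).items():
        print(f"{key}: {value}")
```

With the thread's figures the even split is 250,000 packets/sec per address, still above the quoted threshold, so pool size alone does not keep the addresses routed.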