Not sure really. I don't want to be forking out for colocation that can constantly filter 5Gb/s attacks when we RARELY get hit by something so insane.
I think we get hit by something noticeable (100mb plus) about once every 3 weeks. And in the past 12 months only 4 of them have been over 1Gb/s, only 2 over 2Gb/s. For example even with attacks & null routing our bandwidth was under 1TB last month. It's about 1.5TB this month due to that 4Gb/s monster.
Give me a link or tell me the prices I'm looking at and I'll take a peek.
Any opinions on OVH network structure for this? Are they going to close my server if this keeps happening?
So, my host has placed me on my last warning for attacks.
I need a host that will either put up with the complete wankers who seem to populate this world.
I've been getting nulled 1-2 times a month on average. I can be fine for 2 months, then boom twice. I'd say once/3 week average?
Attacks are usually 50-300Mb/s and we swallow those but every now and again someone gets bored and hits people with 3-5Gb/s attacks. Intermittent via shells(50-100 ips).
I need a host that offers heavy firewall features, that won't cost me my left eye. The only guys I've found so far are OVH.
I do not mind buying a server instead of colocating if the price is right. i5/i7/x34 with a min clock speed of 2.8ghz and 4gb ram.
Any help would be loved.
FYI, when I spoke to IceColo, they said they offer an IP null routing service (activated within 2 minutes of request), so you are not charged for bandwidth caused by attacks (as long as you can detect and report them).
Rapidswitch will only offer to nullroute your server, they don't do any real DoS/DDoS mitigation although they do offer some hardware firewalls.
Burstnet in the UK/Manchester advertise their usual "Cisco Guard" protection, but I have no idea how effective this is against what type of attack, or what hardware they use.
Yea, I really kinda hate a company whose emails don't actually work.
They list [email protected] emails but none work *_*. Their live chat's never online either, checked 4-5 times a day at different intervals. I didn't like BurstNet US but the EU network might be what I require, I just need to ask them what part of the network their Cisco Guards are at.
Servers for an online game, UDP protocol based. (They do use TCP but only for administrative purposes. We end up blocking TCP half the time due to brute forces anyway).
Ah. Okay, you do have a couple of options here, but all would involve a degree of layer 7 analysis on your server(s) and layer 3 filtering by the provider.
1) When a UDP packet is sent back from the game client, you could include an encrypted hash (so every packet is signed and the hash appended by the client itself) for the server side to verify that the packet sent is genuine. If the server receives more than X packets in X period with an invalid/missing hash, it automatically sends the necessary request to have the IP null routed. However, this would require that your ISP give you an API (or other automated method) in which to do this. This also means even if the attackers reverse engineer the application, they would have to build in support into whatever botnet/shells they were using to include this hash.
2) If you are unable to build in this encrypted hash (or the algo is reverse engineered out of the app), you can also establish pattern analysis of the packets being sent by a normal client. If it exceeds the amount of packets that a normal game client sends, or is abnormal, then you issue the same blocking request as in option 1.
3) If your provider won't give you an API (or other automated method) in which to null route source based on source IPs, then you will need to find a provider who is willing to work with you to give you this functionality.
If you had absolutely no luck with any of those three options, then you may need to look at bringing a specialist in to advise you further??
Oh, I also forgot to mention, you'd need to build in replay attack protection into this. Perhaps caching each transmitted hash for a set period of time (in memcache or other memory store ofc), and if that hash is encountered more than X times, it requests the blocking of the IP.
Also, if your current transit provider doesn't provide the null routing service, I can point you in the direction of a provider which does (as we use this same method to block attacks on servers).
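
The signed-packet check from option 1, combined with the replay cache suggested in the follow-up post, as an added example that is not part of the original thread. It assumes a per-session key handed to the client at login, an HMAC-SHA256 tag in place of the "encrypted hash", constructed threshold values, and a hypothetical `request_block` hook standing in for the provider's null-route API.

```python
import hmac, hashlib, struct, time
from collections import defaultdict, deque

TAG_LEN = 16       # truncated HMAC-SHA256 tag appended to every datagram
MAX_BAD = 5        # "X packets" (assumed value)
WINDOW = 10.0      # "X period", in seconds (assumed value)
REPLAY_TTL = 30.0  # how long a seen tag is remembered (assumed value)

def sign(key: bytes, seq: int, payload: bytes) -> bytes:
    """Client side: datagram = seq (8 bytes) || payload || tag."""
    body = struct.pack("!Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Verifier:
    def __init__(self, key, request_block):
        self.key = key
        self.request_block = request_block  # hypothetical null-route hook
        self.bad = defaultdict(deque)       # source IP -> times of rejected packets
        self.seen = {}                      # tag -> expiry time (replay cache)
        self.blocked = set()

    def _strike(self, src, now):
        """Record a rejected packet; request a block once the threshold is passed."""
        q = self.bad[src]
        q.append(now)
        while q and now - q[0] > WINDOW:
            q.popleft()
        if len(q) > MAX_BAD and src not in self.blocked:
            self.blocked.add(src)
            self.request_block(src)
        return None

    def accept(self, src, datagram, now=None):
        """Return the payload if the datagram is genuine and fresh, else None."""
        now = time.monotonic() if now is None else now
        if len(datagram) < 8 + TAG_LEN:
            return self._strike(src, now)    # too short to carry seq + tag
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, good):
            return self._strike(src, now)    # invalid or missing tag
        for old in [t for t, exp in self.seen.items() if exp <= now]:
            del self.seen[old]               # expire old replay entries
        if tag in self.seen:
            return self._strike(src, now)    # replayed datagram
        self.seen[tag] = now + REPLAY_TTL
        return body[8:]
```

UDP source addresses can be forged, so the address that crosses the threshold is not necessarily one the sender controls; that matters when the block request is automated.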