WEDOS DDoS Protection Questions and Answers


In today’s article, we’ll not only answer your questions about our DDoS protection, but you’ll also learn about some planned new features. Some questions cannot be answered in detail, lest we reveal too much. Thank you for your understanding.

Social media questions and answers

I have a DDoS attack protection service on my VPS, but somehow I lack control over whether this protection works … are you planning any web interface with statistics about DDoS attacks on a specific VPS in the future?

Yes, we are planning to have the information directly in the administration and you will be able to purchase more powerful filtering or special rules.

What about VPS protection? (how does it work)

Currently, DDoS protection for a VPS is activated at certain levels and filters the traffic. If the attack is stronger than the values we have set, we handle the situation with various traffic restrictions (bandwidth limiting, blocking a particular protocol, blackholing, etc.) so that other clients are not affected. We will publish details when we offer more information directly in the VPS administration.

During the winter we want to offer the possibility to buy better protection or individually set protection or protection up to a certain level (for example, 3 Gbps filtering). One of the interesting new features will be that we will offer the possibility to add protection per country (either enable or disable a country). This will be interesting, for example, for services that are focused on the Czech and Slovak markets. You can restrict traffic from other countries to protect your site from most attempts.

From what attack strength do you block access to the IP address from the Internet?

This is very individual, each attack is unique. It varies according to the type of attack and the consequences. Sometimes there are problems even with small traffic of tens of kbps and sometimes, on the other hand, traffic of several Gbps does not matter.

Have you seen an attack that you can’t filter out?

Of course, we encounter this. New kinds of attacks keep appearing all the time. We try to analyze every unknown threat and adjust everything so that it will be automatically blocked next time. It’s a constant evolution that takes a huge amount of time.

You wrote that there have been 300,000 attacks in 2 years. I don’t really believe that. What do you count as an attack?

There’s no reason to make up numbers of attacks. We count as an attack any network behavior in which the values of normal traffic are exceeded significantly (many times over). We monitor network traffic overall, monitor and measure traffic on individual segments, and monitor and measure traffic to individual IP addresses. All of this is evaluated online and compared either to pre-set values or to the values we consider normal traffic for the given time and day (traffic during the day differs from traffic at night, etc.).


The newly introduced IDS/IPS protection captures up to hundreds of requests per second. This is a different form of protection and the frequency of attacks is many times higher.
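The comparison described in this answer (traffic per IP address checked against a pre-set value and against what is normal for that time and day) can be sketched as follows. This is an added example, not WEDOS code; the multiplier, the static limit, the bucketing by hour and weekend, and all sample traffic values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed parameters (not WEDOS values).
MULTIPLIER = 10.0                 # "many times" over the normal value
STATIC_LIMIT_BPS = 1_000_000_000  # pre-set ceiling, applies without history
MIN_SAMPLES = 3                   # do not trust a baseline built on less


def bucket(ts: datetime) -> tuple:
    """Separate baselines for each hour, and for weekdays vs. weekends."""
    return (ts.weekday() >= 5, ts.hour)


class BaselineDetector:
    def __init__(self):
        # (dst_ip, bucket) -> observed bits per second
        self.history = defaultdict(list)

    def learn(self, dst_ip: str, ts: datetime, bps: float) -> None:
        self.history[(dst_ip, bucket(ts))].append(bps)

    def baseline(self, dst_ip: str, ts: datetime):
        samples = self.history.get((dst_ip, bucket(ts)), [])
        # Median: one earlier attack sample does not drag the baseline up.
        return median(samples) if len(samples) >= MIN_SAMPLES else None

    def check(self, dst_ip: str, ts: datetime, bps: float) -> str:
        if bps > STATIC_LIMIT_BPS:
            return "attack:static-limit"
        base = self.baseline(dst_ip, ts)
        if base is not None and bps > MULTIPLIER * max(base, 1.0):
            return "attack:baseline-exceeded"
        return "normal"


def build_demo_detector() -> BaselineDetector:
    """Constructed history: busy weekday afternoons, quiet nights."""
    det = BaselineDetector()
    for day in range(1, 6):  # 2024-01-01 .. 2024-01-05, Monday to Friday
        det.learn("192.0.2.10", datetime(2024, 1, day, 14), 80e6 + day * 1e6)
        det.learn("192.0.2.10", datetime(2024, 1, day, 3), 2e6 + day * 1e5)
    return det
```

With this constructed history, 200 Mbps to the same address is normal at 14:00 but counts as an attack at 03:00, which is why a single fixed threshold per IP address is not enough.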

What servers and routers do you use for protection? Their performance and configuration?

Currently we have a somewhat unfortunate solution, because we built the protection gradually and didn’t really know what we needed or how it would end up. So we bought servers in stages and, because of the urgency, we bought what was immediately available. Those who remember the 2014 attacks understand the urgency of the situation. The servers have powerful Xeon processors with as many cores and threads as possible (2×20) and the highest clock frequency. In total, there is over 1 TB of RAM and several TB of data space for subsequent analysis. All have 10 Gbps network cards, with some servers having up to 6 of them (so such a server can handle situations up to 60 Gbps).

We want to gradually replace everything with a unified HW solution, because the current setup is an inconsistent element in our infrastructure. Our other servers are always identical and easier to service and upgrade.

The IDS/IPS protection is made up of our “regular” servers and currently it is 4 servers, each with 2×20 CPU threads and 384 GB RAM and SSDs for logs (there are several TB of data with information about attacks every day).

Is DDoS protection also redundant?

Partly. The protection covers all our uplinks. Currently we have 3 optical routes and we can filter on each of them. We will now have 4 lines and are preparing to deploy 100 Gbps during the spring. If an element were to fail, there could currently be minor delays or imperfect filtering, as each server is tasked with something slightly different and they complement each other. Full redundancy will be in place when we deploy new servers and the current servers are used as a backup solution.

At the same time, when deploying 100 Gbps, balancing will be necessary and this will already ensure full redundancy of all elements.

I have a managed server at a competitor because they don’t offer this, but they don’t do DDoS protection as well as I would like. Not planning DDoS protection as a service? How much would it cost?

You mean DDoS protection as a service? We want to start offering this as soon as we have 100 Gbps routes (sometime in the spring).
Managed services will be available with VPS; more precisely, we will have a container-based solution for web hosting and VPS. We’re working hard on it. There will then be other DDoS protection options.

Do you work with other companies to build DDoS protection? Do you share the results with anyone? It might help.

We’re not currently working with anyone. We considered joining some projects, but it was generally the case that our data and information would be useful to others, while the others don’t offer us anything in return. We’ll see how it goes in the future. We are not opposed to cooperation.

A bit of history of attacks on WEDOS

How did it start?

https://datacentrum.wedos.com/a/353/nas-nedogonjat-aneb-wedos-pod-ddos.html

As it went on:

https://datacentrum.wedos.com/a/351/co-se-deje-v-siti-aneb-neco-malo-o-ddos-planovanych-upravach-site.html

First records

https://datacentrum.wedos.com/a/360/100-000-ddos-utoku-na-wedos-za-necelych-10-mesicu-nebo-50-000-za-7-mesicu.html

IPv6

https://datacentrum.wedos.com/a/366/vyjadreni-k-problemu-s-konektivitou-u-vps-dne-12-08-2016.html

We’re improving:

https://datacentrum.wedos.com/a/363/nova-idsips-ochrana-u-wedos.html

More questions about DDoS protection?

If you have any questions, don’t be afraid to write to us on social networks or in the comments below the article. We’ll answer them. If you want to ask about IDS/IPS protection, of course you can. These are extremely interesting topics.

We are building a second datacentre for you

In conclusion, we are working intensively on the construction of a second datacentre. It will be operational soon. Information can be found at http://dc.wedos.com/.