Hetzner Hostage - tluyben2
http://wlad.svbtle.com/hetzner-hostage

======
Thaxll
You should have a look at OVH, they include DDoS protection by default and
their prices are the best available on the market:

[http://www.ovh.com/us/dedicated-servers/enterprise/](http://www.ovh.com/us/dedicated-servers/enterprise/)

~~~
waxy
I'm curious, do they actually do any kind of protection, and what's their
limit?

~~~
Thaxll
You can read technical stuff there:

[http://www.ovh.com/us/blog/a1171.protection-anti-ddos-service-standard](http://www.ovh.com/us/blog/a1171.protection-anti-ddos-service-standard)

And:

[http://forum.ovh.co.uk/showthread.php?6661-URGENT-AND-IMPORTANT-Anti-DDoS-Protection](http://forum.ovh.co.uk/showthread.php?6661-URGENT-AND-IMPORTANT-Anti-DDoS-Protection)

"Our surplus network has a capacity over 2 Tbps. We have three VAC in
production, so we can manage up to 480 Gbps/480 Mpps."

------
joeframbach
This raises an attack vector for Hetzner's business itself. By finding their
larger clients and DDoSing them, Hetzner's business itself becomes at stake.

~~~
waxy
Yeah exactly, that's what I thought. If this is the way Hetzner deals with
even such small attacks, some competitor that has enough power could
potentially take out a lot of their clients and Hetzner would get the bash.

------
taway2012
No story here. No budget provider I've looked at says they will help you
withstand a DDoS attack. [Thanks to the commenter who says OVH does, I will
look into them closely.]

I did this due diligence for a 10-user app. These guys have no excuse for not
planning for a DDoS with a serious business.

------
slyall
One of the big political blogs in New Zealand recently had a similar problem
with Linode.

They got DoSed so Linode shut them down, then they found a new provider but
had problems moving to them since they couldn't get into the Linode server to
copy the data.

[http://www.whaleoil.co.nz/2014/01/ferals-faults-fixes-co-pilots-report/](http://www.whaleoil.co.nz/2014/01/ferals-faults-fixes-co-pilots-report/)

------
cft
You have two ISPs for any business-critical service that matters, and you
switch between them either using BGP in your router or using DNS if you have
not implemented BGP.

With a single provider, it's a gamble, although the expectation for _any_
reasonable provider is that they just let you saturate your link speed with no
questions asked, and block the offending traffic in their router if you can
identify it for them.

------
wurzelgogerer
Since this seems to be a problem for growing startups, does anyone have any
information on what other companies cater to the European market and will not
hold you hostage if you get hit with a DDoS attack? I'm looking specifically
for servers in Germany, if anyone has any clue.

------
aiaf
You can get a dedicated server with 128GB ECC RAM and 2 SSDs for $188 at
Hetzner. 188 bucks. Wow.

I guess the original post perfectly explains how such low prices are
attainable (no customer support, etc).

------
josephlord
I'm trying to think of the economic way to run a robust small scale service. I
think you need a way to rapidly spin up a replica service on an entirely
different provider.

I'm picturing a setup where you run on a cheap Hetzner host or similar with
the DB synced to a slave replica on EC2 or other cloud provider and a build
system so that you can spin up a whole replacement infrastructure on EC2 if
there is a severe outage or failure in commercial relationship and switchover
by changing the DNS settings.

------
Phil_Latio
> I almost failed off chair, I could not believe that someone was able to find
> the IP.

Cloudflare adds a direct.* subdomain that points to your actual IP.

------
wukerplank
I have been a customer of Hetzner for several years now. Everything is fine
and cheap if you have no problems, but their support is the worst.

~~~
janinge
I was also happy with Hetzner when I used them a few years back. But I didn't
need their support other than for replacing hard drives, which they always
handled quickly and without problems.

One of my servers was once used in an amplification attack (DNSSEC...) for a
few days before I noticed. I guess Hetzner didn't detect this because just the
uplink got saturated. Had to manually request a null route so I could SSH to
another IP alias on the box. I wouldn't mind if they automatically did this
for me since the offending IP would be unavailable either way. At least they
don't charge you for DDoS traffic, like my current European budget provider
does.

If you move to something like Cloudflare, make sure to at least firewall off
everything but their IP addresses. Otherwise it will be trivial for the
attacker to connect to all the port 80s in the IP allocation of the provider
they know you were using, and compare the responses to what they get from
Cloudflare, to obtain your service's origin.

[http://www.youtube.com/watch?v=bmzHIB18XT8](http://www.youtube.com/watch?v=bmzHIB18XT8)
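
The origin-lockdown the comment above recommends, as an added example that is not part of the thread or of any provider's documentation: the script renders an nftables ruleset that accepts HTTP/HTTPS only from the CDN's address ranges (plus SSH from a management range, so the box stays reachable the way the commenter describes), and a `decide()` function that mirrors the same policy so the rules can be sanity-checked before they are loaded. The CIDRs are constructed placeholders; a real deployment substitutes the CDN's published list (for Cloudflare, https://www.cloudflare.com/ips-v4 and /ips-v6) and re-renders whenever that list changes.

```python
"""Origin lockdown: only the CDN may reach the web ports on the origin host.

Added example (not from the thread). With this policy a scan of the hosting
provider's address space for port 80/443 gets no answer from the origin, so
response-matching against the CDN front end has nothing to compare.
"""
from ipaddress import ip_address, ip_network

# CONSTRUCTED placeholder ranges (RFC 5737 / RFC 3849 documentation space).
# Replace with the CDN's published ranges, e.g. https://www.cloudflare.com/ips-v4
CDN_RANGES = ["198.51.100.0/24", "203.0.113.0/24", "2001:db8:100::/48"]
# CONSTRUCTED management range that may reach SSH (the "other IP alias" path).
ADMIN_RANGES = ["192.0.2.0/28"]
WEB_PORTS = (80, 443)
SSH_PORT = 22


def _split(ranges):
    """Split CIDR strings into (ipv4_list, ipv6_list); invalid CIDRs raise."""
    nets = [ip_network(r, strict=True) for r in ranges]
    return ([str(n) for n in nets if n.version == 4],
            [str(n) for n in nets if n.version == 6])


def render_nft(cdn_ranges=CDN_RANGES, admin_ranges=ADMIN_RANGES):
    """Render an nftables ruleset (default-drop input chain) as text."""
    cdn4, cdn6 = _split(cdn_ranges)
    adm4, adm6 = _split(admin_ranges)
    ports = ", ".join(str(p) for p in WEB_PORTS)
    out = ["table inet origin_lockdown {"]

    def named_set(name, fam, elems):
        if elems:  # nft rejects an empty 'elements' list, so emit only non-empty sets
            out.append("  set %s { type %s; flags interval; elements = { %s } }"
                       % (name, fam, ", ".join(elems)))
    named_set("cdn_v4", "ipv4_addr", cdn4)
    named_set("cdn_v6", "ipv6_addr", cdn6)
    named_set("admin_v4", "ipv4_addr", adm4)
    named_set("admin_v6", "ipv6_addr", adm6)

    out += ["  chain input {",
            "    type filter hook input priority 0; policy drop;",
            "    ct state established,related accept",
            "    iif lo accept"]
    if cdn4:
        out.append("    ip saddr @cdn_v4 tcp dport { %s } accept" % ports)
    if cdn6:
        out.append("    ip6 saddr @cdn_v6 tcp dport { %s } accept" % ports)
    if adm4:
        out.append("    ip saddr @admin_v4 tcp dport %d accept" % SSH_PORT)
    if adm6:
        out.append("    ip6 saddr @admin_v6 tcp dport %d accept" % SSH_PORT)
    # Count (and log) what hits the floor: direct probes of the origin show up here.
    out += ['    log prefix "origin-probe " counter drop', "  }", "}"]
    return "\n".join(out) + "\n"


def _in_any(addr, ranges):
    a = ip_address(addr)
    return any(a in ip_network(r) for r in ranges)


def decide(src_ip, dport, cdn_ranges=CDN_RANGES, admin_ranges=ADMIN_RANGES):
    """Return 'accept' or 'drop' for a new inbound TCP connection, mirroring
    the rendered ruleset so the policy can be checked before loading it."""
    if dport in WEB_PORTS and _in_any(src_ip, cdn_ranges):
        return "accept"
    if dport == SSH_PORT and _in_any(src_ip, admin_ranges):
        return "accept"
    return "drop"


if __name__ == "__main__":
    print(render_nft())
    # A direct probe from an address outside the CDN list never reaches the web server.
    print("probe from 100.64.0.1:80 ->", decide("100.64.0.1", 80))
```

Load the rendered text with `nft -f`, and keep in mind that the ruleset is only as current as the CDN range list it was rendered from: a stale list either blocks legitimate CDN edges or, if ranges were reassigned, lets someone else's traffic through, so regenerate it from the published source on a schedule.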

------
noir_lord
[http://news.ycombinator.com/item?id=6018796](http://news.ycombinator.com/item?id=6018796)

Doesn't sound like they have changed at all in the interim.

------
herge
You get what you pay for...

~~~
hackerboos
Actually OVH have very similar prices and are much more reliable.

As others have mentioned, they've got DDoS protection on some of their newer
plans.

