
Linode launches free DDoS protection - hanru
https://www.linode.com/press_release/linode-launches-free-advanced-ddos-protection-across-its-global-network/
======
vld
This isn't on the level of some other providers, they'll still null route you
if you go over an unspecified amount of traffic. IIRC they use Juniper and
Corero.

This is the reply I got from their support, just a few days ago:

>In short, our DDoS protection works by filtering out DoS-like traffic and is
applied via the Linode network, so all Linodes are automatically protected. If
your server were to be on the receiving end of a larger attack that impacts
the Linode's host, we would need to prevent your server from receiving traffic
until the attack ends. If you're concerned that you might be the target of a
large DoS attack, there are a number of third-party DDoS mitigation services
that you can use alongside your Linode.

>We aren't able to provide specific numbers since effects can vary depending
on the attack. If you wanted to be sure your Linode is protected, we would
recommend utilizing a third-party DDoS protection service overtop of your
Linode's included protection. You also have the option of waiting to apply
third-party protection until a null route is found to be necessary.

~~~
KaoruAoiShiho
That's not protection, that's literally the opposite of protection lol. If you
get attacked they take your service out the back and shoot it in the head.

Edit: To clarify, filter = protection. Preventing all traffic is not. Both
were stated in the description above so they should be clear which one it is.

~~~
chias
Heh, that reminds me of my first bank account. They told me I had something
called "overdraft protection", which I stupidly assumed would protect me from
overdrafting my account by declining transactions.

Then I forgot to deposit a check at one point and overdrafted my account. I
assumed things were fine because none of my transactions were getting
declined. Instead I was being charged an extra $15 fee on every transaction,
so that $0.75 stick of gum? $15.75, etc. This went on for about three weeks
before I got my statement and talked to my bank.

They informed me that in fact the protection was from my transactions being
declined, at the paltry expense of $15 per transaction.

~~~
jetrink
This is why the CEO of TCF Bank named his yacht Overdraft.

~~~
booi
And here I am laughing at this pretty clever joke only to realize this is
real.

[https://www.washingtonpost.com/news/get-there/wp/2017/01/20/...](https://www.washingtonpost.com/news/get-there/wp/2017/01/20/a-former-bank-ceo-named-his-boat-overdraft-now-that-bank-is-in-hot-water-over-the-fees/)

------
regecks
I guess this is basically the same as OVH's "VAC" system? I sometimes get
these emails:

>We have just detected an attack on IP address x.x.x.x. In order to protect
your infrastructure, we vacuumed up your traffic onto our mitigation
infrastructure. The entire attack will thus be filtered by our infrastructure,
and only legitimate traffic will reach your servers.

and then:

>We are no longer able to detect any attack on IP address x.x.x.x. Your
infrastructure has now been withdrawn from our mitigation system.

I never need to do anything, but I don't think these attacks are real anyway.

~~~
buro9
> I never need to do anything, but I don't think these attacks are real anyway

What would it take to convince you an attack is real when it has been 100%
mitigated and you never saw it in your backend infrastructure?

I ask as the engineering manager for DDoS protection at Cloudflare, and we
stop a lot of attacks. But I feel this tension in the communication and
product offering... if we do our job well enough that a customer's system does
not see the attack, how does a customer see and feel the value?

An example is that as a reverse HTTP proxy we are implicitly also a full TCP
proxy for HTTP traffic and so we receive significantly large SYN or ACK
floods. We stop these 100% by virtue of being the terminating TCP proxy, but
also by using connection tracking, anycast, XDP + eBPF, and so forth... you
won't see a single one of these SYN or ACK packets hitting your
infrastructure... so what would we have to communicate to convince you that
the attack existed?
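
As an added illustration of the mechanism described above (a terminating TCP proxy that answers handshakes itself, so unfinished SYNs and unsolicited ACKs never reach the origin), here is a constructed Python model; it is not Cloudflare's code, and the flag set, backlog limit and sample addresses are assumptions.

```python
from collections import Counter
import random

SYN, ACK = "SYN", "ACK"   # the only flags this toy models


class TerminatingProxy:
    """Edge proxy that completes client handshakes itself (constructed model)."""

    def __init__(self, max_half_open=256, seed=0):
        self.rng = random.Random(seed)
        self.max_half_open = max_half_open      # assumed backlog size
        self.half_open = {}          # (src, sport) -> ACK number a real client must echo
        self.established = set()
        self.origin_connections = 0  # connections the backend actually sees
        self.stats = Counter()

    def receive(self, pkt):
        flow = (pkt["src"], pkt["sport"])
        if pkt["flags"] == SYN:
            if len(self.half_open) >= self.max_half_open:
                self.stats["syn_dropped_backlog_full"] += 1   # absorbed, never forwarded
                return
            # We answer the SYN ourselves; our ISN+1 is what a real client will ACK.
            self.half_open[flow] = self.rng.randrange(1, 1 << 32)
            self.stats["syn_answered"] += 1
        elif pkt["flags"] == ACK:
            if flow in self.established:
                self.stats["ack_on_established"] += 1
            elif self.half_open.get(flow) == pkt["ack"]:
                del self.half_open[flow]
                self.established.add(flow)
                self.origin_connections += 1   # only a finished handshake reaches the origin
                self.stats["handshake_completed"] += 1
            else:
                self.stats["ack_unsolicited_dropped"] += 1   # no handshake behind it: ACK flood


def simulate(n_flood=500):
    """Constructed traffic: 3 real clients, then a spoofed SYN flood and an ACK flood."""
    proxy = TerminatingProxy()
    for i in range(3):                       # real clients finish the handshake, then send data
        src, sport = f"198.51.100.{i + 1}", 40000 + i
        proxy.receive({"src": src, "sport": sport, "flags": SYN, "ack": 0})
        proxy.receive({"src": src, "sport": sport, "flags": ACK,
                       "ack": proxy.half_open[(src, sport)]})
        proxy.receive({"src": src, "sport": sport, "flags": ACK, "ack": 1})
    for i in range(n_flood):                 # spoofed sources never answer our SYN-ACK
        proxy.receive({"src": f"203.0.113.{i % 250 + 1}", "sport": 10000 + i,
                       "flags": SYN, "ack": 0})
    for i in range(n_flood):                 # bare ACKs with no handshake behind them
        proxy.receive({"src": f"192.0.2.{i % 250 + 1}", "sport": 20000 + i,
                       "flags": ACK, "ack": 0})
    return proxy
```

`simulate().origin_connections` stays at 3 while the proxy's counters record the 500 dropped ACKs and the SYNs it absorbed, which is exactly the visibility gap the comment above describes.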

~~~
rmdashrfstar
Do you publish metrics on “attacks prevented” (or access to logging and
monitoring) for customers?

~~~
buro9
Yes.

For HTTP customers there are full SIEM logs under Firewall > Overview on our
dashboard, and for paid tiers there are drill-down analytics in addition to
the full SIEM logs. There is also log push to receive near real-time full HTTP
logs into Google or AWS for your own analysis and these show if a firewall
feature touched the request or if it was served from cache.

In addition, for HTTP customers we show graphs of SYN floods, etc. for the IPs
your web properties are advertised on.

For L4 customers via Magic Transit we also have Network Analytics showing what
we received at our edge network and a log of attacks detected and mitigated.

There is still lots of room for improvement... that's really what I'm asking,
what does the ideal system look like for someone where they see and understand
the data and trust it.

For example, is it valuable to see the attack landscape and what is happening
across our systems even when you are not the target? Would that help give
perspective to attacks that do target you, and also increase faith that this
system exists and is stopping attacks when attacks do not target you?

~~~
hashhar
I think it'd be helpful to highlight the impact on YOUR infrastructure for an
attack I am facing.

Will help add perspective to how disruptive the attacks are.

~~~
tudorw
Yes, also perhaps some guidance figures on what the impact would have been had
these measures not been in place.

~~~
buro9
Hard to answer the impact on your systems had we not stopped it... we don't
know the full capability of your systems. Whether you can take a 10k packets
per second ACK flood or a 1M pps ACK flood, or the 100M pps ACK flood depends
on a lot of things we aren't privy to.

What we can tell you is the frequency, size and nature of attacks that
Cloudflare sees, and when we can clearly identify that an attack was
unambiguously targeting you specifically then we can tell only you about that
too.

If there were a global dashboard which was vague about the target and source,
merely the frequency, size and nature... would that be valuable?

~~~
hashhar
> If there were a global dashboard which was vague about the target and
> source, merely the frequency, size and nature... would that be valuable?

Yes.

> What we can tell you is the frequency, size and nature of attacks that
> Cloudflare sees, and when we can clearly identify that an attack was
> unambiguously targeting you specifically then we can tell only you about
> that too.

Yes.

Also, even if you could tell us WHAT kind of attack it was that would be
helpful too.

------
diftraku
Is it free [1], free* [2] or "free" [3]?

[1]: free as in free beer, at no direct cost to users

[2]: terms and conditions apply, free until you hit certain conditions (for
example, constant barrage)

[3]: free as in the customers pay for the (mandatory) DDoS protection via
increased prices (similar to how I remember OVH handling their "free" DDoS
protection)

~~~
skrebbel
I don't understand the difference between 1 and 3.

~~~
diftraku
I may have used "free as in free beer" in a wrong way, what I meant with 1 was
there are no additional costs to the current or new users (the rates for the
services on offer stay the same).

For 3 (as was in the example), the cost of the DDoS protection service is
directly added to the rates of services on offer.

OVH was quite blatant in this, as it had offered an optional DDoS protection
service for a fixed rate of 3€/mo (this was a few years ago, exact details
might be hazy). After they had a large network overhaul (with major
interruptions), they simply raised the prices by 3€ and advertised the new,
"free" DDoS protection service which was included in all of the services.

------
pm90
Serious question: why would I want to use Linode over GCP or AWS? Asking as
someone who hasn’t really dabbled with smaller cloud providers. Is it cost?
Support? Developer tooling?

~~~
thrwaway69
Cost and ease of development by not throwing thousands of options in front of
your screen.

Last time I checked, GCP cost me $26 (+ hidden charges) for the same I could
get in many other places for $7. Some of them provide instant customer support
too and are better because it's not an outsourced customer center in India or
other places.

Check out:

vultr: [https://www.vultr.com](https://www.vultr.com)

Scaleway: [https://www.scaleway.com/en/](https://www.scaleway.com/en/)

OVH: [https://www.ovhcloud.com/en/](https://www.ovhcloud.com/en/)

DO: [https://www.digitalocean.com](https://www.digitalocean.com)

Some prefer managed infrastructure and want to write code. Though you can do
that via GKM, they prefer a more straightforward approach.

Nanobox: [https://nanobox.io](https://nanobox.io)

Heroku: [https://www.heroku.com](https://www.heroku.com)

LastBackend: [https://lastbackend.com](https://lastbackend.com)

ML/AI

Paperspace: [https://www.paperspace.com](https://www.paperspace.com)

Floydhub: [https://www.floydhub.com](https://www.floydhub.com)

Colocation for those who have big infrastructure needs and developers will
cost them less.

Equinix: [https://www.equinix.com](https://www.equinix.com)

Datafoundry: [https://www.datafoundry.com](https://www.datafoundry.com)

Disclaimer: not associated with any of them. Have used some of them and for
others, heard great things.

You can easily go lower for less support and most likely a shit interface with
some reliability issues.

~~~
porker
A couple of posters on HN say Vultr has intermittent internal network
problems. I've found no wider mention of this - can anyone confirm? I ask as
their High Frequency Computer looks (and in testing has been) good, but if the
internal network blips then that counts for nothing in a multi-server setup.

~~~
theyak
We've had network issues as well as forced shutdowns that have corrupted data.
Their support was also terrible. We only spent a few weeks with Vultr because
of this.

------
chomp
Is this an on-demand solution using something like BGP + Radware or Arbor? At
what volume or pps will they announce a nullroute?

------
geuis
I’ve been a Linode customer for at least a decade. Cheapest bandwidth I’ve
been able to find anywhere and their data centers are super reliable.

~~~
kundi
Maybe because you only host static websites

~~~
geuis
I run [https://jsonip.com](https://jsonip.com) on linode. I push about 5-6
terabytes of data outbound each month. Linode is a dream.

------
nickjj
Well done Linode.

I wonder how quickly DigitalOcean will add this to remain competitive.

It's a huge win to have your hosting provider handle this and it's also nice
to not be "forced" into using Cloudflare for such an important feature.

~~~
acetheface
DigitalOcean has had free DDoS protection for quite a while. And it sounds like
Linode's solution is fairly similar. DigitalOcean decided to not advertise the
fact because advertising your defenses is an open invitation to break them.

They still null route when the upstream links become congested but this is
becoming less and less frequent as their network edge grows.

~~~
nickjj
Do you have any documentation that mentions your droplets are protected from a
ddos attack without you having to do anything?

Even DO themselves mention they don't protect against it and even go as far as
saying to use Cloudflare.

Here's a tweet of that from Jan 2018:
[https://twitter.com/digitalocean/status/958364631671758854?l...](https://twitter.com/digitalocean/status/958364631671758854?lang=en)

Is that them taking the "not advertising it" line to the next level by
publicly stating they don't protect you even though they do? I'm a bit
skeptical.

------
ksec
Nice. Apart from the security incident that took place a long time ago, is
there any reason why everyone is going straight to DO instead of Linode?

For a long time Linode has had better features, performance and bandwidth. It
wasn't until recently DO had Managed DB and many other additions.

Linode's High Memory Plan also has much better Memory : CPU Ratio.

Still waiting for their CDN (not sure why they are not exposing it and
instead require going through CS), Managed DB and Bare Metal. Once those
three are in place (and well tested) it should provide decent competition
to the HyperScalers.

~~~
meddlepal
Better marketing from DO. Their strategy of content marketing with how-to
guides has been massively successful.

Personally, I think DO has a more pleasant UX too.

~~~
Carpetsmoker
DO has been posting (or rather, spamming IMHO) /r/golang with fluff like "how
to use switch statement in Go". You know, the sort of articles that someone
who learned Go a week ago can write.

~~~
meddlepal
As a former marketing co-worker once told me: marketing is pretty much just
standing around flapping your arms to get attention.

The content might be dumb, but it drives eyeballs and you remember DO.

------
PretzelFisch
Good for them. Having DDoS protection included in pricing is now one of our
core purchase criteria. There are many ransom hackers that target nobody
companies like where I work, where this kind of protection is now mandatory to
ensure uptime.

------
pqdbr
I wish they had a datacenter in Brazil.

~~~
mike_d
Bandwidth in South America is approximately 8x the cost of North America or
Europe. There are almost no carrier-neutral datacenters or peering where you
can exchange traffic with other in-country networks without paying for
transit. Most countries will strong-arm you into buying "local" for your
hardware, which means using in-country resellers that drastically mark up
prices for foreign businesses.

Next to Moscow it is one of the most difficult places I've tried to put
servers.

------
arrty88
Does AWS or any other large cloud provider offer this type of service?

~~~
pm90
I don’t believe GCP has such a service explicitly, although in 2 years of
using them I’ve never seen any DDoS like behavior despite having multiple
public endpoints. I am assuming there is some kind of automatic remediation
that happens, or else I’ve just been extremely lucky.

~~~
dward
[https://cloud.google.com/armor/](https://cloud.google.com/armor/)

GCP Network has built in DoS mitigation as well (e.g. in the load balancing
layer) so you get some protection from that for free.

------
tomrod
Fascinating! I learned about fail2ban this week as well as how to search for
bad SSH actors -- I was amazed at the traffic requests my Linode was getting
decked with.

Having this as a default seems good.

~~~
RL_Quine
Spurious SSH traffic is not a DoS, and isn't the sort of attack this is
talking about, rather volumetric floods and things of that matter.

------
buboard
I'm always surprised by the obvious promotion posts here. I've had free DDoS
protection on my Hetzner servers since forever and nobody ever mentioned it.

~~~
iMerNibor
There was an HN thread on it as well when they finally added it instead of
null-routing IPs.

Might be this one?
[https://news.ycombinator.com/item?id=12403783](https://news.ycombinator.com/item?id=12403783)

------
nik736
About time after everything was down for weeks in 2015.

------
theyak
The Christmas 2015 hack has now been fixed :) My boss has been begging us to
leave Linode ever since. We haven't left.

------
jitendrac
One more reason to Like Linode.

------
nerdbaggy
Congrats to them. Linode always has a special place in my heart.

~~~
ta999999171
Couple reasons for those less experienced with VPS?

~~~
mekster
Not GP, but for me Linode has been fine for 5+ years and that speaks, while Vultr
has been having a choppy network at least once a month for a few years now
(detected by port monitoring) and that also speaks.

DO has been good on me too.

~~~
debian3
Same experience here with Vultr, always going down. But it seems to be a bit
better now than before.

------
kundi
OVH and Linode are what Bluehost is for shared hosting. Hosting providers that
you want to stay away from if you want good for your server infrastructure.

~~~
appleflaxen
Can you elaborate?

------
commandersaki
Hope they use fastnetmon.

