This is the reply I got from their support, just a few days ago:
>In short, our DDoS protection works by filtering out DoS-like traffic and is applied via the Linode network, so all Linodes are automatically protected. If your server were to be on the receiving end of a larger attack that impacts the Linode's host, we would need to prevent your server from receiving traffic until the attack ends. If you're concerned that you might be the target of a large DoS attack, there are a number of third-party DDoS mitigation services that you can use alongside your Linode.
>We aren't able to provide specific numbers since effects can vary depending on the attack. If you wanted to be sure your Linode is protected, we would recommend utilizing a third-party DDoS protection service overtop of your Linode's included protection. You also have the option of waiting to apply third-party protection until a null route is found to be necessary.
Edit: To clarify, filter = protection. Preventing all traffic is not. Both were stated in the description above so they should be clear which one it is.
Then I forgot to deposit a check at one point and overdrafted my account. I assumed things were fine because none of my transactions were getting declined. Instead I was being charged an extra $15 fee on every transaction, so that $0.75 stick of gum? $15.75, etc. This went on for about three weeks before I got my statement and talked to my bank.
They informed me that in fact the protection was from my transactions being declined, at the paltry expense of $15 per transaction.
>We have just detected an attack on IP address x.x.x.x. In order to protect your infrastructure, we vacuumed up your traffic onto our mitigation infrastructure. The entire attack will thus be filtered by our infrastructure, and only legitimate traffic will reach your servers.
>We are no longer able to detect any attack on IP address x.x.x.x. Your infrastructure has now been withdrawn from our mitigation system.
I never need to do anything, but I don't think these attacks are real anyway.
What would it take to convince you an attack is real when it has been 100% mitigated and you never saw it in your backend infrastructure?
I ask as the engineering manager for DDoS protection at Cloudflare, and we stop a lot of attacks. But I feel this tension in the communication and product offering... if we do our job well enough that a customer's system does not see the attack, how does a customer see and feel the value?
An example is that as a reverse HTTP proxy we are implicitly also a full TCP proxy for HTTP traffic and so we receive significantly large SYN or ACK floods. We stop these 100% by virtue of being the terminating TCP proxy, but also by using connection tracking, anycast, XDP + eBPF, and so forth... you won't see a single one of these SYN or ACK packets hitting your infrastructure... so what would we have to communicate to convince you that the attack existed?
I was running node_exporter, which exports a lot of detailed network info from my kernel to Prometheus. During the time intervals leading up to, during, and after the attack, there is nothing there. Not even a blip.
I don't find it likely that OVH completely prevented any kind of volumetric attack from hitting me with zero detection latency. I just have doubts about there existing a perfect technology that doesn't have any false positives and also kicks in instantly. I'll keep an open mind.
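As an added example (not code from the commenter above or from any provider), this is what such a "blip" looks like in the TCP counters node_exporter's netstat collector exposes: a SYN flood that actually reaches the host shows up as a jump in passive opens, syncookies being sent, and listen-queue drops. The scrape text and values are constructed; the counter names follow node_exporter's conventions.

```python
"""Look for the SYN-flood 'blip' in node_exporter TCP counters.

Constructed example: scrapes are Prometheus exposition text in the shape
node_exporter's netstat collector emits; the values are made up.
"""
import re
from statistics import median

# Counters that climb when SYNs arrive faster than the listen queue drains.
SYN_COUNTERS = (
    "node_netstat_Tcp_PassiveOpens",
    "node_netstat_TcpExt_SyncookiesSent",
    "node_netstat_TcpExt_ListenDrops",
)

_LINE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)(\{[^}]*\})?\s+(-?[0-9.eE+-]+)$")


def parse_exposition(text):
    """Parse 'name{labels} value' lines into {name: float}; skip comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            out[m.group(1)] = float(m.group(3))
    return out


def counter_rates(scrapes):
    """Per-second increase of each SYN counter between consecutive scrapes.

    scrapes: list of (unix_ts, exposition_text). Counters are monotonic, so a
    negative delta means the exporter restarted; treat that interval as 0.
    """
    rates, prev_ts, prev = [], None, None
    for ts, text in scrapes:
        cur = parse_exposition(text)
        if prev is not None:
            dt = ts - prev_ts
            rates.append((prev_ts, ts, {
                k: max(0.0, cur.get(k, 0.0) - prev.get(k, 0.0)) / dt
                for k in SYN_COUNTERS}))
        prev_ts, prev = ts, cur
    return rates


def flag_syn_spikes(scrapes, factor=10.0, floor=50.0):
    """Return (start, end) intervals where PassiveOpens/s is >= factor x the
    median rate and above an absolute floor, or where the kernel had to send
    syncookies or drop listens at all. Either one is a visible blip."""
    rates = counter_rates(scrapes)
    baseline = median(r["node_netstat_Tcp_PassiveOpens"] for _, _, r in rates) or 1.0
    flagged = []
    for start, end, r in rates:
        spike = r["node_netstat_Tcp_PassiveOpens"] >= max(floor, factor * baseline)
        defence = (r["node_netstat_TcpExt_SyncookiesSent"] > 0
                   or r["node_netstat_TcpExt_ListenDrops"] > 0)
        if spike or defence:
            flagged.append((start, end))
    return flagged


def _scrape(passive, cookies, drops):
    """Build one constructed scrape body."""
    return (f"# HELP node_netstat_Tcp_PassiveOpens constructed sample\n"
            f"node_netstat_Tcp_PassiveOpens {passive}\n"
            f"node_netstat_TcpExt_SyncookiesSent {cookies}\n"
            f"node_netstat_TcpExt_ListenDrops {drops}\n")


# Constructed 15 s scrapes: a quiet host, and the same host with one interval
# in which a flood reaches the kernel (about 2000 SYN/s instead of 2).
QUIET = [(0, _scrape(1000, 0, 0)), (15, _scrape(1030, 0, 0)), (30, _scrape(1061, 0, 0)),
         (45, _scrape(1090, 0, 0)), (60, _scrape(1121, 0, 0))]
FLOODED = QUIET[:3] + [(45, _scrape(31061, 25000, 4000)), (60, _scrape(31090, 25000, 4000))]
```

Running `flag_syn_spikes(QUIET)` returns no intervals, while `flag_syn_spikes(FLOODED)` returns `[(30, 45)]`; a flood that is fully absorbed upstream leaves the quiet profile.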
For HTTP customers there are full SIEM logs under Firewall > Overview on our dashboard, and for paid tiers there are drill-down analytics in addition to the full SIEM logs. There is also log push to receive near real-time full HTTP logs into Google or AWS for your own analysis and these show if a firewall feature touched the request or if it was served from cache.
In addition for HTTP customers we show graphs of SYN floods, etc for the IPs your web properties are advertised on.
For L4 customers via Magic Transit we also have Network Analytics showing what we received at our edge network and a log of attacks detected and mitigated.
There is still lots of room for improvement... that's really what I'm asking, what does the ideal system look like for someone where they see and understand the data and trust it.
For example, is it valuable to see the attack landscape and what is happening across our systems even when you are not the target? Would that help give perspective to attacks that do target you, and also increase faith that this system exists and is stopping attacks when attacks do not target you?
Would 100k SYN floods have slowed my site down? Would it have taken it offline? Would it have caused the site to remain up but corrupt data on the backend for some reason?
Off the top of my head, I would think about offering a "replay attack against your staging infra" feature on higher tier plans. The price point should help prevent someone leveraging you as an attack platform, and customers will be able to understand the value that you're bringing to the table in a much more practical way.
Will help add perspective to how disruptive the attacks are.
What we can tell you is the frequency, size and nature of attacks that Cloudflare sees, and when we can clearly identify that an attack was unambiguously targeting you specifically then we can tell only you about that too.
If there were a global dashboard which was vague about the target and source, merely the frequency, size and nature... would that be valuable?
> What we can tell you is the frequency, size and nature of attacks that Cloudflare sees, and when we can clearly identify that an attack was unambiguously targeting you specifically then we can tell only you about that too.
Also, even if you could tell us WHAT kind of attack it was that would be helpful too.
In the past providers like Linode were happy to just null route your IP for several hours/days or charge you thousands to block a small flood.
AWS does charge for WAF and Shield, I believe.
I also remember comparing AWS Lambda at Edge vs Cloudflare Workers (though Lambda allows for longer execution times and generally provides more flexibility like RAM, CPU, Runtimes since it runs on a Linux VM vs V8 Isolates for Workers), costs were something like 10x apart.
Can't wait for WebSockets support for Workers.
According to the AWS pricing example 10 million requests per month on Lambda@Edge costs $9.13. The same thing on Cloudflare Workers costs $5.00. So I would expect it to be closer to 2x. Although as you say there's a bit more flexibility with Lambda@Edge so it'll depend on your particular case.
I'm curious if your situation was different somehow that made for such a big cost difference between the two?
I guess, when I compared, I took Lambda@Edge's per second billing into consideration and not per 50ms (which brings down the RAM usage cost from $62.52 to $3.13 and total usage from $68.52 to $9.13).
What really sealed the deal for me was the very low cold-start times with Workers. I'm not aware of recent improvements with Lambda@Edge, but the last time I tried them, it wasn't uncommon to hit 100ms+ start times.
If you ask for any estimated traffic size so you can go to a service that does do filtering for a living, they won’t give you that stating “nobody does”. It took a lot of time getting numbers out of them, and that finally finding a top level employee through our account manager was what led to them going “oh yikes, yeah something is off.” Sigh.
I wouldn’t recommend the cheapest Kimsufi offerings though, something like the SYS-WS-1 goes for $33 and is easily comparable with Linode offerings priced at multiple times that.
OVH has a VPS product that’s far cheaper than what Linode offers, but I can’t speak to the quality of that offering.
OVH: go into lockdown!
1. free as in free beer, at no direct cost to users
2. terms and conditions apply, free until you hit certain conditions (for example, constant barrage)
3. free as in the customers pay for the (mandatory) DDoS protection via increased prices (similar to how I remember OVH handling their "free" DDoS protection)
For 3 (as was in the example), the cost of the DDoS protection service is directly added to the rates of services on offer.
OVH was quite blatant in this, as it had offered an optional DDoS protection service for a fixed rate of 3€/mo (this was a few years ago, exact details might be hazy). After they had a large network overhaul (with major interruptions), they simply raised the prices by 3€ and advertised the new, "free" DDoS protection service which was included in all of the services.
Last time I checked, GCP cost me $26 (+ hidden charges) for the same I could get in many other places for $7. Some of them provide instant customer support too and are better because it's not an outsourced customer center in India or other places.
Some prefer managed infrastructure and want to write code. Though you can do that via GKM, I prefer a more straightforward approach.
Colocation for those who have big infrastructure needs and developers will cost them less.
Disclaimer: not associated with any of them. Have used some of them and for others, heard great things.
You can easily go lower for less support and most likely a shit interface with some reliability issues.
This! I don't want to spend my life navigating the maze of options and hidden costs of AWS et al. This is important to most projects for two reasons - time and cognitive load... Until things get to truly massive scale, it's not worth the brain drain, and time is more precious. Navigating the interface of Linode is actually pleasant and takes minimum effort.
If anyone needs a reason not to use AWS for your boss in a nutshell: employee sanity.
They seem to be working hard, with 10 (!) more DCs planned in 2020. The entire hosting market is growing like crazy!
(I am just a customer)
Instances of comparable power are somehow more expensive on both AWS and GCP.
Also, simplicity; AWS IAM is mightily complicated, things like Cloud Formation are totally non-trivial, etc. You can get going more easily with simple and moderately complex setups on Linode or DO.
Of course, AWS, GCP, and Azure have much bigger infrastructure, several availability zones, a lot of managed software (object storage, various databases, queues, email gateways, docker hubs, etc) which smaller players don't provide, or can't provide at the fault tolerance level which big players are able to offer. Something like AWS Aurora is hugely internally redundant to withstand link problems, node outages, etc transparently. If you want a thing like that, managing it yourself takes serious chops, and money.
For really simple providers (just a VM; in AWS, just EC2) you can still write all your own Ansible/Puppet/Chef (I recommend Ansible) to set up your servers for you. You can do your own databases, but there is complexity in scaling, multiple read-only workers, etc. Managed solutions are nice in how they handle that for you and you really only need to do off-site backups. But the advantage is, once you have it all written and figured out ... you can move it anywhere.
As a startup, you want to get everything fast. So you're going to get locked in (most likely). That's fine if you start making money. If you want to start cutting costs later, it's not really going to matter who you originally started with. You're going to be rewriting a lot.
There are a TON of tradeoffs going in either direction. Linode/Vultr/DO really appeal to people self-hosting or startups that have infrastructure people from day one who can stand up things, platform-independent, from day one.
DO has started offering managed databases and load balancers. Now we see Linode offering DDOS (maybe saving you money from paying CloudFlare)? Everyone wants to get to the point where they can at least offer the minimum AWS/GCP/Azure stack (web + DNS + load balance + firewall + database .. maybe throw in some managed k8s like DO is doing now?)
It's really all about tradeoffs. What time do you want to put in now so it's easier to migrate later?
I work for Cloudflare, and we do not charge you money for our DDoS protection. It's free and included on every plan level including our free level, and the protection you get is equal to the protection our enterprise customers get.
In other product features we have we also work hard to make sure we do not charge you for any bad traffic, i.e. our HTTP rate limiting product has the pricing structure designed so that you aren't paying for the traffic stopped by it.
Pricing really isn't the issue here, but where Linode and other hosts adding DDoS protection helps is in the scenarios where your origin / host IP or provider is known. In those scenarios attackers may directly attack the host.
Just as elsewhere in security, you are as strong as your weakest link, and I am really pleased to see hosting companies expand their DDoS protection.
The various disclaimers: I am the engineering manager for DDoS protection at Cloudflare, and I run a little farm of machines at Linode :) I'm happy on both fronts with this announcement from Linode.
Currently, since I use caching, I never see what consumed the bandwidth, so I don't know what file people are downloading so much.
(P.S. Hey David, long time! I hope everything is going well)
Mind if I put them in touch with you?
And hey again, long time no speak... if you're in London let me know. Otherwise one day I'll make it to wherever you are in the world now.
I will let you know next time I'm in London, it's been a while. I'm still in Thessaloniki, let me know if you're ever around!
Sigh, you don't know what you're talking about.
Everything past "make VM" is lockin. Firewall rules, be they security groups, NACLs, or what have you are different for each platform. Each service you use is lockin. Even the build scripts themselves are lockin. The users within the console, and all their associated permissions are lockin.
Do you want load balancers? AWS - so.. that's ALBs, or NLBs, or CLBs? Or did you want to spin up a bunch of dinky ec2 haproxy dockers? Does your application use sticky sessions or have session data? That limits you in a few ways.
There is no neutral way to talk about network, compute, storage, and API assets that doesn't involve lock-in of a great deal.
Unfortunately I've noticed that their "unmetered pipe" offering is quite a downgrade, as it's only 10 Mbit.
EDIT: Sorry, I'm wrong. All dedicated servers have 1 Gbit unlimited uplinks. I'm not sure why I keep getting confused on this point, their support has confirmed this fact many times to me.
When a company has room to care about details like this, you can feel they're not crushed by support requests, which may mean they're doing things right.
I can tell that - many people in this thread are using “AWS” as though it’s synonymous with “EC2”.
I build things with consideration to platform and vendor lock-ins. Kube, containers, etc. have resolved many deployment issues for me. For other things like authentication, logs, database, analytics, cache, search etc. there is parse, elastic/solid, postgres, redis, logio, ackee etc.
Obviously, there are still many spaces left which AWS cover but most applications don't need them. Compliance is a big hurdle for businesses which they pay for. For individuals experimenting, not so much.
I keep everything directly user-facing (ie, must-be-always-available) on GAE. Which is expensive, but nobody has to wear a pager.
Basically for small, simple applications, Linode or DO are great. They’re simple, the pricing is simple.
For more complex applications with lots of components, service buses, microservices etc, bigger cloud services offer you lots of features, but it gets difficult to operate if you’re just one guy (IME).
It took me a while to even find GCP's cost calculator, and the AWS one required me to make an account before using it. I spent days looking through documentation and learning all the nomenclature ("elastic beanstalk - seriously??") so I could even start to understand the calculator. Their structure is incredibly convoluted (compute+load balancing+database+database storage+block storage+content delivery+container management...), making it near impossible to know how much I would end up spending. Not to mention that the prices and performance vary wildly (reserved vs hot vs cold compute).
My rough estimate would've put me at around 3x the cost compared to Linode and I'd be living in fear of the bill every month. Linode told me exactly how much of what I would be getting and how much I'd have to pay - in words, not ec2_t2.micro_us-west_reserved.
Very predictable how much you'd pay by spinning one up as bandwidth is a pooled limit among all your machines, so you won't pay until you exhaust the pooled monthly limit, and they don't charge you for disk IO and performance/cost ratio has been better.
You'd question why you'd pay more for less performance.
Will ec2 ever be able to boot into recovery mode easily? Linode allows you to boot into recovery mode by attaching your disk and also easily access your console from the browser in case you screw up networking or firewall and lock yourself out.
They provide easy daily/weekly backups instead of making you write a script to take EBS snapshots manually.
Maybe my AWS knowledge isn't caught up but AWS feels like everything is for you to manage.
Also they don't do weird stuff like GCP resetting the hostname on every reboot but things are how you'd expect.
Fit small to medium business (i.e. better resource management decision. Yes, that imaginary scaling thing)
Launching a production on DO: 1 LB + 2 droplets + 1 managed PG. That's pretty much to cover a huge portion of problem space you are solving for customers. Mostly enough for a sustainable business.
https://news.ycombinator.com/item?id=3654110 Compromised Linode, thousands of BitCoins stolen (2012)
https://news.ycombinator.com/item?id=3655137 Linode Manager Security Incident (2012)
https://news.ycombinator.com/item?id=5552756 Linode hacked, CCs and passwords leaked (2013)
https://news.ycombinator.com/item?id=7086921 An old system and a SWAT team (2014)
https://news.ycombinator.com/item?id=10825425 Linode DDoS continues – Atlanta down for 16+ hours (2016)
https://news.ycombinator.com/item?id=10998661 The Twelve Days of Crisis – A Retrospective on Linode’s Holiday DDoS Attacks (2016)
https://news.ycombinator.com/item?id=10845170 Security Notification and Linode Manager Password Reset (2016)
https://news.ycombinator.com/item?id=10806686 Linode is suffering on-going DDoS attacks (2016)
> why would I want to use Linode over GCP or AWS?
If you include dedi providers like OVH into this comparison, you probably just wouldn’t.
They’re not really cheaper, their hardware isn’t better, and they’ve shown a willingness to toss security out the window. Doesn’t strike me as deserving of “a chance”.
Stuff like Terraform works just fine with OVH dedicated servers, so that can’t be the problem either.
Have you looked? Linode BW is incredibly expensive compared to just about any dedi provider.
I wonder how quickly DigitalOcean will add this to remain competitive.
It's a huge win to have your hosting provider handle this and it's also nice to not be "forced" into using Cloudflare for such an important feature.
They still null route when the upstream links become congested but this is becoming less and less frequent as their network edge grows.
Even DO themselves mention they don't protect against it and even go as far as saying to use Cloudflare.
Here's a tweet of that from Jan 2018: https://twitter.com/digitalocean/status/958364631671758854?l...
Is that them taking the "not advertising it" line to the next level by publicly stating they don't protect you even though they do? I'm a bit skeptical.
For a long time Linode has had better features, performance and bandwidth. It wasn't until recently DO had Managed DB and many other additions.
Linode's High Memory Plan also has much better Memory : CPU Ratio.
Still waiting for their CDN, ( Not sure why they are not exposing it and instead requires going through CS ), Managed DB and Bare Metal. Once those three are in place, ( and well tested ) It should provide decent competition to the HyperScalers.
Personally, think DO has a more pleasant UX too.
The content might be dumb, but it drives eyeballs and you remember DO.
Also, from benchmarks I've seen, Linode was inconsistent and overall not that much faster than it looks on paper. Vultr was best in things like CPU performance but had slower networking. DO was just OK in any metrics.
If you add that DO has the best admin panel, is usually first with most services like Spaces (which are not that amazing but OK) and sponsors a lot of good content (tutorials, podcasts).
They are all similar services; once you get on one of them there aren't many reasons to switch. Like I looked into Vultr high frequency compute for a new service and then I realized I would have to deal with two invoices instead of one every month... so I just used DO :))
I actually don't use DO, but I've used their articles many times after searching for how to setup some things on Linux. Their tutorials are excellent and have saved me a ton of time. I'd imagine those articles alone drive a lot of traffic to them.
1. For a long time, Linode did not have a terraform provider
2. DO's managed Kubernetes offering Just Works, and is very competitively priced
FWIW, I still run a small Linode box. It's been rock-solid, and the support they provide is absolutely top-notch.
Linode has better resources for the price and really solid support, so I tend to stick with them.
Which one? I count at least 4 off the top of my head.
And the problem wasn’t just those security incidents, it was Linode lying and covering them up.
Next to Moscow it is one of the most difficult places I've tried to put servers.
Doesn't AWS charge an arm and a leg for traffic?
Maybe you could run www on AWS and your real service somewhere with reasonable prices for traffic. In my experience, people who randomly DDoS tend to hit www rather than useful parts of a service.
I don't believe I've been charged for this type of attack. The one you should look out for if you are new to AWS and trying to do this "trick" is L7 repeated downloads of high-file-size content to consume your budget rapidly.
How can one protect against this type of attack?
GCP Network has built in DoS mitigation as well (e.g. in the load balancing layer) so you get some protection from that for free.
Having this as a default seems good.
Assuming you aren't getting 1000s per minute, of course.
Might be this one? https://news.ycombinator.com/item?id=12403783
DO has been good to me too.