This raises an attack vector against Hetzner's business itself. By finding their larger clients and DDoSing them, Hetzner's own business is put at stake.
Yeah exactly, that's what I thought. If this is the way Hetzner deals with even such small attacks, some competitor that has enough power could potentially take out a lot of their clients, and Hetzner would get the bashing.
No story here. No budget provider I've looked at says they will help you withstand a DDoS attack. [Thanks to the commenter who says OVH does, I will look into them closely.]
I did this due diligence for a 10-user app. These guys have no excuse for not planning for a DDoS with a serious business.
One of the big political blogs in New Zealand recently had a similar problem with Linode.
They got DoSed so Linode shut them down, then they found a new provider but had problems moving to them since they couldn't get into the Linode server to copy the data.
You have two ISPs for any business-critical service that matters, and you switch between them either using BGP in your router or using DNS if you have not implemented BGP.
With a single provider, it's a gamble, although the expectation for any reasonable provider is that they just let you saturate your link speed with no questions asked, and block the offending traffic in their router if you can identify it for them.
Since this seems to be a problem for growing startups, does anyone have any information on what other companies cater to the European market and will not hold you hostage if you get hit with a DDoS attack?
I'm looking specifically for servers in Germany, if anyone has any clue.
I'm trying to think of the economic way to run a robust small scale service. I think you need a way to rapidly spin up a replica service on an entirely different provider.
I'm picturing a setup where you run on a cheap Hetzner host or similar, with the DB synced to a slave replica on EC2 or another cloud provider, and a build system so that you can spin up a whole replacement infrastructure on EC2 if there is a severe outage or a failure in the commercial relationship, and switch over by changing the DNS settings.
I was also happy with Hetzner when I used them a few years back. But I didn't need their support other than for replacing hard drives, which they always handled quickly and without problems.
One of my servers was once used in an amplification attack (DNSSEC...) for a few days before I noticed. I guess Hetzner didn't detect this because just the uplink got saturated. Had to manually request a null route so I could SSH to another IP alias on the box. I wouldn't mind if they automatically did this for me since the offending IP would be unavailable either way. At least they don't charge you for DDoS traffic, like my current European budget provider does.
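The commenter noticed the amplification only after days of saturated uplink. The script below, added here as an illustration and not something the commenter posted, shows the check that would have caught it earlier: scan the resolver's query log for EDNS queries of large-answer types (ANY, DNSKEY, RRSIG, TXT) from one source and estimate the amplification factor. The log lines are constructed for this example in a BIND-like shape, with one assumed extra field (`resp=<bytes>`, the response size) that real BIND query logs do not carry; adapt the regex to whatever your server logs.

```python
import re
from collections import defaultdict

# Constructed query-log lines (not real traffic, not from the commenter's box).
# Format assumed for this example: BIND-style "client <ip>#<port>: query: <name> IN <type> <flags>"
# plus an assumed resp=<bytes> field so the amplification factor can be estimated.
SAMPLE_LOG = "\n".join(
    ["client 198.51.100.7#5353: query: example.net IN ANY +E resp=3127"] * 12
    + ["client 198.51.100.8#5353: query: example.net IN DNSKEY +E resp=1803"] * 3
    + ["client 203.0.113.9#41022: query: www.example.net IN A - resp=59",
       "client 203.0.113.10#60113: query: example.net IN MX - resp=84"]
)

LINE_RE = re.compile(
    r"client (?P<src>[\d.]+)#(?P<port>\d+): query: (?P<name>\S+) IN "
    r"(?P<qtype>[A-Z0-9]+) (?P<flags>\S+) resp=(?P<resp>\d+)"
)

# Query types whose answers are large on a DNSSEC-signed zone.
AMPLIFYING_QTYPES = {"ANY", "DNSKEY", "RRSIG", "TXT"}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    q = m.groupdict()
    q["port"] = int(q["port"])
    q["resp"] = int(q["resp"])
    return q


def query_size(name):
    """Size in bytes of a minimal EDNS query for name:
    12-byte header + QNAME (label bytes + length bytes + root) + QTYPE/QCLASS + 11-byte OPT RR."""
    return 12 + len(name.rstrip(".")) + 2 + 4 + 11


def find_amplification_sources(log_text, min_queries=5, min_factor=10.0):
    """Map source IP -> stats for sources that look like amplification victims.

    A source is reported when it sent at least min_queries EDNS queries for
    amplifying types and the bytes we returned were at least min_factor times
    the bytes it sent us. In an amplification attack this 'source' is the
    spoofed victim, not the attacker.
    """
    per_src = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0, "ports": set()})
    for line in log_text.splitlines():
        q = parse_line(line)
        # "E" in the flag field means the client used EDNS, i.e. asked for a large UDP answer.
        if not q or q["qtype"] not in AMPLIFYING_QTYPES or "E" not in q["flags"]:
            continue
        s = per_src[q["src"]]
        s["queries"] += 1
        s["qbytes"] += query_size(q["name"])
        s["rbytes"] += q["resp"]
        s["ports"].add(q["port"])

    suspects = {}
    for src, s in per_src.items():
        factor = s["rbytes"] / s["qbytes"]
        if s["queries"] >= min_queries and factor >= min_factor:
            suspects[src] = {
                "queries": s["queries"],
                "factor": round(factor, 1),
                # spoofed floods usually reuse one source port; real resolvers vary it
                "fixed_port": len(s["ports"]) == 1,
            }
    return suspects


if __name__ == "__main__":
    for src, info in find_amplification_sources(SAMPLE_LOG).items():
        print(f"{src}: {info['queries']} queries, ~{info['factor']}x amplification, fixed port={info['fixed_port']}")
```

Because the logged source address is the spoofed victim, dropping packets from it only finishes the attacker's job; the fixes on the server side are response rate limiting and refusing recursion to the world, with the null route the commenter requested as the blunt instrument when the uplink is already gone.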
If you move to something like Cloudflare, make sure to at least firewall off everything but their IP addresses. Otherwise it will be trivial for the attacker to connect to all the port 80s in the IP allocation of the provider they know you were using, and compare the responses to what they get from Cloudflare, to obtain your service's origin.
http://www.ovh.com/us/dedicated-servers/enterprise/