Cloudflare Let's talk about DDoS Protection

Discussion in 'Domains, DNS, Email & SSL Certificates' started by deltahf, Jan 29, 2015.

  1. deltahf

    deltahf Premium Member Premium Member

    582
    264
    63
    Jun 8, 2014
    Ratings:
    +483
    Local Time:
    3:12 PM
    Although I have, thankfully, never been the victim of a DDoS attack, it's something that I still worry about. I'm hosted on Linode, and I know they null-route your IP if you are targeted, so I'd like to do something to prepare.

    I have set up CloudFlare, but I've been disappointed in both its performance and the company's support. Tracking page loading times with NewRelic and Google Analytics, I found no improvement in speed for international visitors. It also increased my server load and page processing time by 15% (according to NewRelic), and - worst of all - my visitors in certain regions around the world reported sporadic "CloudFlare 502" errors (that's what they show when CF claims it can't reach your origin server - but I know my server never had any issues). My support request went unanswered for nearly a week, and when they did finally answer, they simply copy/pasted an article from their knowledge base and clearly didn't read my message.

    Granted, this was entirely on their free plan - perhaps you get better service on a paid plan, but I digress...

    I have considered moving to Incapsula's free or Personal plan, then upgrading to their full Business package with DDoS protection if I ever was to need it. I like their heuristic analysis of DDoS attacks, compared to CloudFlare's challenge page which asks visitors to complete a CAPTCHA if you are under attack. However, I want to use an EV SSL certificate (I just think they're cool), and Incapsula only supports them on their business plan...ugh!


    I would rather not have to deal with a third party, to keep my infrastructure simple and rely on the benefits of a solid Centminmod/Linode install and SPDY instead of a CDN...but DDoS is still something I worry about.

    How do the rest of you deal with this? What would you all recommend?
     
  2. eva2000

    eva2000 Administrator Staff Member

    53,488
    12,130
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,671
    Local Time:
    5:12 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Our resident expert through first-hand experience would be @RoldanLT :) And maybe @Matt, @Matt Williams, @Steve Tozer and @GhoHan might have some input too? :)

    Why EV SSL and not a regular non-EV SSL? EV needs business validation and business documents to verify your business identity, while non-EV (domain validated) SSL only needs you to verify you own the domain, i.e. via @yourdomain email or DNS changes to the domain.

    I don't have first-hand DDOS protection experience, but I do use both Cloudflare's free plan and Incapsula's Business plans; both offer limited DDOS protection until you pay for the much higher plans at >US$200 and >US$299 per month respectively. Security-wise I prefer Incapsula as they have heuristic analysis and other neat features for security, i.e. 2-factor authentication per directory you define etc. But SSL will be expensive, which is one reason I haven't tried them - that, and their SSL front end won't have the same SSL cipher preferences I like to use, i.e. my custom OpenSSL 1.0.2 + chacha20_poly1305 ciphers (Forums switch to chacha20-poly1305 SSL cipher (OpenSSL 1.0.2 beta3) | Centmin Mod Community), and they may also keep SSLv3 enabled for backwards compatibility.

    FYI, RamNode offers cheap DDOS protection too - US$3/month per IP for 10-20Gbit DDOS protection depending on location.

    However, I've been researching DDOS protection for a while now too, as I share the same concerns you have - it's a question of when, not if, it happens. But usually DDOS protection is expensive, so depending on your budget you may need to wait out an attack or only look into such protection when you start getting attacks. Imagine US$200/month extra for protection you don't need right now, and imagine you don't get attacked for another 18 months = 18 x 200 = US$3,600 wasted if you are not operating a for-profit/revenue-generating site!
     
    Last edited: Jan 29, 2015
  3. deltahf

    deltahf Premium Member Premium Member

    582
    264
    63
    Jun 8, 2014
    Ratings:
    +483
    Local Time:
    3:12 PM
    Because I like the additional green bar that is displayed in some browsers with EV SSL certificates. :D I do operate my site as a business (sole proprietorship) and am willing to verify the details, so I thought I might go for it. At risk of dragging my own thread off-topic, is there any reason you would recommend against an EV SSL cert?

    Are you using CloudFlare here? I did a traceroute but it seems to go directly to Linode. Maybe you're just using them for DNS?

    All good points. I just feel like it would be most prudent to leave my DNS hosted with a DDoS mitigation service instead of Linode's DNS - that way, if I do come under attack, I can just upgrade my account with them without having to wait for DNS changes to propagate. Hmmm...maybe I should forget the EV SSL certificate and just do the Incapsula $19 a month plan. I'm really afraid they are going to cough up occasional 502-esque errors like CloudFlare did, though... :cautious:
     
  4. eva2000

    eva2000 Administrator Staff Member

    53,488
    12,130
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,671
    Local Time:
    5:12 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    For DNS I use DNSMadeEasy, which is already DDOS protected at the DNS layer, just not your site. So if your DNS name servers get DDOS attacked, DNSMadeEasy protects you from that. But if your server IP gets DDOS attacked, DME won't help.

    As to EV SSL, it's just added expense and hoops to jump through for no benefit if you're not a for-profit company/ecommerce type site.

    No, the forums here go straight to Linode, as no DDOS protection service that I know of allows custom SPDY/SSL cipher preferences + chacha20_poly1305 cipher support. Cloudflare or Incapsula I use for other sites/projects I have.
     
  5. rdan

    rdan Well-Known Member

    5,439
    1,398
    113
    May 25, 2014
    Ratings:
    +2,187
    Local Time:
    3:12 AM
    Mainline
    10.2
    Yes, I have had very bad experiences with DDOS attacks :).
    Most companies that offer DDOS protection, like RamNode/OVH, can only defend against Layer 3 and Layer 4 attacks.
    But Layer 7 attacks are very hard to mitigate.
    CSF can help, by enabling CT_LIMIT.

    Be sure to add all Cloudflare IP on csf.ignore.
     
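    The interaction between the two pieces of advice above (a per-IP connection limit such as CSF's CT_LIMIT, and exempting the proxy's addresses in csf.ignore) is easy to get wrong: with a reverse proxy in front of the origin, every visitor's connection arrives from the proxy's IPs, so a naive per-source limit trips on the proxy itself and takes every proxied visitor down with it. The script below is an added illustration written for this thread, not CSF's own code and not the forum's: it counts connections per peer from `ss -nt`-style output, applies a threshold, and skips addresses in an ignore list. The CIDR ranges, the threshold and the connection lines are constructed placeholders; a real deployment would use the proxy's published IP ranges instead.

```python
import ipaddress
from collections import Counter

# Constructed placeholder ranges standing in for csf.ignore entries.
# In a real deployment, populate this from the proxy's published IP ranges.
IGNORE_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# Per-source connection threshold, in the spirit of CSF's CT_LIMIT (constructed value).
CT_LIMIT = 5

# Constructed sample shaped like `ss -nt` output: one header, then
# "State Recv-Q Send-Q Local:Port Peer:Port" per connection.
# 198.51.100.7 plays the proxy (8 connections), 192.0.2.9 an abusive direct
# client (7), 192.0.2.20 a normal client (2), plus one IPv6 peer.
SAMPLE_SS = "State Recv-Q Send-Q Local Address:Port Peer Address:Port\n" + "\n".join(
    f"ESTAB 0 0 10.0.0.5:443 {ip}:{40000 + i}"
    for ip, n in (("198.51.100.7", 8), ("192.0.2.9", 7), ("192.0.2.20", 2))
    for i in range(n)
) + "\nESTAB 0 0 [2001:db8::5]:443 [2001:db8::1]:4321"


def peer_ip(line):
    """Return the peer address from one `ss -nt` line, or None for headers/junk."""
    fields = line.split()
    if len(fields) < 5:
        return None
    host, sep, _port = fields[4].rpartition(":")
    if not sep or not host:
        return None
    host = host.strip("[]")  # IPv6 peers are printed as [addr]:port
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None
    return host


def is_ignored(ip, ranges):
    """True when ip falls inside any exempted network (the csf.ignore role)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def count_peers(ss_output):
    """Count established connections per peer address."""
    return Counter(ip for ip in map(peer_ip, ss_output.splitlines()) if ip)


def over_limit(counts, limit, ignore_ranges):
    """Peers exceeding the limit that are not exempted, sorted for stable output."""
    return sorted(
        ip for ip, n in counts.items() if n > limit and not is_ignored(ip, ignore_ranges)
    )


if __name__ == "__main__":
    counts = count_peers(SAMPLE_SS)
    print("with proxy ranges ignored:", over_limit(counts, CT_LIMIT, IGNORE_RANGES))
    print("without the ignore list:  ", over_limit(counts, CT_LIMIT, []))
```

    With the ignore list in place only the direct client 192.0.2.9 is flagged; with an empty ignore list the proxy address 198.51.100.7 is flagged as well, which is exactly the case where a firewall block would surface to visitors as gateway errors from the proxy. The flip side is that exempting the proxy means connection-tracking limits no longer see proxied clients at all; any per-client limiting for that traffic has to happen at the web-server layer, where the proxy's forwarded client address is available.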
  6. deltahf

    deltahf Premium Member Premium Member

    582
    264
    63
    Jun 8, 2014
    Ratings:
    +483
    Local Time:
    3:12 PM
    Thanks for the input, guys.

    I did add the CloudFlare IPs to csf.ignore from the very beginning, but it didn't help. I don't think it was a firewall-related issue, though, because nothing was logged and it would only happen to users on intermittent page views (they'd get a 502 on one page view, then refresh the page to find that it's gone). As mentioned, CloudFlare support was no help.
     
  7. Steve Tozer

    Steve Tozer Member

    70
    42
    18
    Jul 28, 2014
    South Wales, UK
    Ratings:
    +49
    Local Time:
    8:12 PM
    1.91
    10.0.19
    Bit late to the party, but I agree with this info ;). I also use a service from https://cloudlayar.com/ which seems to do the trick and blocks a lot of stuff.
     
    Last edited: Jan 30, 2015
  8. rdan

    rdan Well-Known Member

    5,439
    1,398
    113
    May 25, 2014
    Ratings:
    +2,187
    Local Time:
    3:12 AM
    Mainline
    10.2
    $19 per month seems fine if they really block all kinds of attacks.
     
  9. eva2000

    eva2000 Administrator Staff Member

    53,488
    12,130
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,671
    Local Time:
    5:12 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  10. rdan

    rdan Well-Known Member

    5,439
    1,398
    113
    May 25, 2014
    Ratings:
    +2,187
    Local Time:
    3:12 AM
    Mainline
    10.2