
That night, the server monitoring alarm went off like a death knell. I stared at the traffic curve shooting up on the screen, heart pounding: done for, we've been hit by a DDoS. Three hours later the site was barely back up, but a large amount of order data had been lost, and the boss's face was as black as ink. That incident made me understand once and for all that when you pick a high-defense server, you really cannot go cheap or take the easy route. Once you fall into the pit, the cost is heavy.
So today, no fluff, let's talk plainly: how do you pick a reliable, genuinely tough provider out of a crowd of high-defense vendors? I've been in this line of work for ten years and have stepped on more pits than some people have seen servers, so the experience below is worth a listen.
First, the state of the market. These days any IDC dares to claim it does high defense, labelling several hundred gigabits of protection and selling it at cabbage prices. A lot of that is water. I've found that some vendors' so-called "high defense" is nothing more than an ordinary server with a set of cloud firewall rules in front of it; the moment a sustained attack arrives, it shows its true colours. Worse still are those who oversell bandwidth: everything looks calm on a normal day, but one hit paralyses the whole IP segment, and an attack on your neighbour takes you down with it.
Defensive capacity is the lifeblood, the thing you check to the death. Don't just swallow the sales pitch about "a terabit-class scrubbing center". Ask: is the defense a local hardware firewall or cloud scrubbing? Where are the scrubbing nodes located? How fast is the response once an attack starts? I usually ask them for their most recent attack defense report, or for a test IP so I can probe it with my own hands. Last year I tested a fairly well-known provider whose advertising was sky-high; a single run of my stress script and it buckled at under 10G of traffic, and customer service had the nerve to say the "test was not standardized". I was so angry I blacklisted them on the spot.
Testing methodology deserves a word too. Beyond the basic HTTP flood, CC attacks and slow attacks are the common ones now. Here I'll throw in a simple Python script that simulates CC requests, which you can use to measure how many connections the server can handle.
Be careful: this script is only for testing your own server; don't use it against others, that's illegal. I used a similar method to test a provider back in the day, and their firewall blocked my IP outright, then customer service called to ask whether I was running a stress test. You see, a fast response like that is a plus. If the scrubbing center can identify and mitigate the attack within a few minutes, that company's technical foundation can't be bad.
Line quality directly affects the user experience. High-defense servers often have higher latency because traffic takes a detour through scrubbing. I suggest focusing on BGP lines and CN2 direct-connect nodes, especially if your business is in China. Use a tool such as Smokeping for long-term monitoring, recording latency and packet loss over time. Data is the most reliable witness.
Last year I helped a game company choose a high-defense provider. We compared five or six and ran a week of tests, and found that CDN07's Hong Kong node not only had a good-looking defense spec sheet but a genuinely stable line: average latency under 40ms and a packet loss rate of almost zero. Their scrubbing strategy is fairly intelligent too, unlike some vendors' one-size-fits-all approach that kills normal traffic along with the attack. This isn't to say you must choose them, but you do have to find that balance: the defense should be ruthless, while the line must not turn into a PowerPoint slide.
On after-sales service, I have paid in blood. Once I was attacked in the early hours of the morning, called the provider, and the person on the other end stammered for ages before transferring me to technical support; by the time scrubbing took effect, it was far too late. So now the first thing I look at when choosing a vendor is the technical support channels: is there a phone line, online customer service, a ticketing system? What response time do they commit to? A dedicated customer service line is best, and worth spending more for. Don't believe the "24/7 automated protection" nonsense: when a genuinely complex attack arrives, you still rely on manual analysis.
With my current partner, tickets must be answered within ten minutes, and the engineers understand my business logic well enough to adjust the scrubbing rules directly. That experience is worth more than any ad. I've also seen worse: some small vendors let a ticket drag on for a day and then just dump a "recommended upgrade package" on you. Pure hooliganism.
On price, high-defense services are worth every penny, but more expensive is not automatically better. You have to work out the price-performance ratio. For example, some vendors price basic defense low but charge frighteningly high scrubbing fees once you exceed the quota; others bundle unlimited scrubbing. I make a point of digging out every hidden clause in the contract, especially the details on "attack peak handling" and "traffic overage billing". I once nearly stepped into the pit: the contract said "free defense against attacks under 50G", but the small print stated "UDP Flood only", with other attack types charged separately. That kind of word game is impossible to defend against.
Speaking of contracts, read the SLA (Service Level Agreement) word for word. Is the scope of defense clearly written? How much scrubbing time is promised? What is the compensation if it fails? I've seen a vendor write "99.9% availability guarantee" with DDoS attack periods excluded; isn't that a swindle? So get it in black and white, with the key terms spelled out. My current habit is to have a lawyer friend scan the contract, focusing on the compensation clause: for example, if scrubbing fails for more than 5 minutes there must be a service credit or refund, otherwise the SLA is just a piece of paper.
Another tip: look at the provider's customer cases and industry reputation.
If they can serve finance, gaming and other high-risk industries, their strength is generally not bad. I recently noticed that 08Host does quite fine work on game protection, with targeted optimization of UDP Flood defense; customers report it withstanding several hundred-gigabit attacks, and customer service responds as fast as a war room, reachable at three in the morning. Still, the old saying holds: what suits your business is best. Don't just look at the brand halo; actual performance is the hard truth.
Anti-DDoS servers are a bit like buying insurance: normally you don't use them, but when an accident happens you count on them to save your life. So the configuration cannot be sloppy. I'll share a basic Nginx protection configuration example that, combined with a high-defense service, can absorb a lot of application-layer attacks.
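The following is an added example of such a front-end hardening configuration, written for this edit rather than taken from the author; it covers the two application-layer cases discussed earlier, CC request floods (per-IP rate and connection limits) and slow attacks (short header/body timeouts). It assumes Nginx with the standard limit_req, limit_conn and realip modules, a single upstream application on 127.0.0.1:8080, and that the high-defense scrubbing layer forwards the real client address in X-Forwarded-For from the placeholder range 203.0.113.0/24; the upstream address, server name and that range are placeholders to replace.

```nginx
# Added example, not the author's configuration. Assumptions: Nginx with the
# standard limit_req/limit_conn/realip modules; one upstream on 127.0.0.1:8080;
# real client IPs arrive in X-Forwarded-For from the scrubbing layer.
worker_processes auto;

events {
    worker_connections 4096;
}

http {
    # Trust only the scrubbing provider's egress ranges as proxies.
    # 203.0.113.0/24 is a documentation placeholder: replace with the real ranges.
    set_real_ip_from 203.0.113.0/24;
    real_ip_header   X-Forwarded-For;
    real_ip_recursive on;

    # CC protection: 10 requests/second per client IP, and a cap on
    # concurrent connections per IP. Both keyed on the restored real IP.
    limit_req_zone  $binary_remote_addr zone=per_ip_req:10m rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;
    limit_req_status  429;       # answer limited clients with 429, not 503
    limit_conn_status 429;
    limit_req_log_level warn;    # so limited IPs show up in error.log

    # Slow-attack protection: a client that trickles headers or body
    # must not hold a worker open indefinitely.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;
    client_max_body_size  1m;
    reset_timedout_connection on;

    # Flag requests that carry no User-Agent at all; most floods skip it.
    map $http_user_agent $bad_ua {
        default 0;
        ""      1;
    }

    upstream app {
        server 127.0.0.1:8080;   # placeholder upstream
        keepalive 32;
    }

    server {
        listen 80;
        server_name example.com; # placeholder

        # Allow a burst of 20 requests above the steady rate, reject beyond it.
        limit_req  zone=per_ip_req burst=20 nodelay;
        limit_conn per_ip_conn 20;

        if ($bad_ua) {
            return 403;
        }

        location / {
            proxy_pass http://app;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 5s;
            proxy_read_timeout    30s;
        }

        # Health endpoint for the scrubbing layer's probes; never rate-limited
        # by the upstream and kept out of the access log.
        location = /health {
            access_log off;
            return 200 "ok\n";
        }
    }
}
```

Validate with `nginx -t -c /path/to/this.conf` before reloading. The one thing to get right is `set_real_ip_from`: if it does not match the scrubbing layer's addresses, every client appears to come from the scrubber's IP, they all share one `limit_req` bucket, and the config throttles legitimate users as soon as the site gets busy. The 10r/s and 20-connection values are starting points; read them against your own access-log baseline before relying on them.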
I've tested this configuration and it blocks most CC and slow attacks, but only if the high-defense backend is strong. If the scrubbing center doesn't do its job, software configuration alone is a drop in the bucket. So when picking a provider I always ask: can you provide customized WAF rules? Are the scrubbing nodes globally distributed? When the data came in, some vendors had strong Asian nodes but weak coverage in Europe and the US, while others were balanced globally. For example, when I tested 08Host's Anycast network, attack traffic was scrubbed close to its source and latency stayed well controlled, which suits international business.
Lastly, a word of caution: a high-defense server is not a permanent fix. Attacks change every day, so you have to communicate with the provider regularly to adjust the strategy. My own habit is a quarterly stress test, and while I'm at it I check whether there's a new plan worth upgrading to. Last year, when a zero-day attack broke out, I worked with the provider to proactively push a rules update instead of waiting for the attack to reach our defenses; that kind of initiative is what makes a provider reliable.
Choosing a high-defense server is, in the end, a systems project. From the hard strength of defense to the soft strength of service, from line quality to price terms, every link has to be pulled taut. More effort up front, fewer disasters later: that principle applies everywhere. I hope these rants help you avoid some pitfalls. If you have a specific scenario you're unsure about, feel free to come and nag me any time. After all, after so long in this line of work, the greatest sense of accomplishment is seeing others take fewer detours.