Linode Forum
Linode Community Forums
Posted: Thu Sep 29, 2011 4:33 pm
Senior Member

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
Any server, regardless of location (physical and network), regardless of host, ISP, etc., is hard to defend, especially with DDoS. A DoS (Denial of Service) can easily be defended against because it's only one computer -- set up a program on the server that will watch for this and temporarily block the IP. A DDoS (Distributed Denial of Service) is a DoS whose execution is distributed across multiple computers, so the server receives multiple simultaneous DoS attacks. That system could quickly become overloaded before it could block all the connections that are performing the DoS.

If you want proof that any server can easily fall prey to a DDoS, look at Freenode. They have hubs all around the world on different ISPs. Most of these are in Europe and North America, and we'll sometimes lose part or all of one continent. Of course, IRC is an easy attack target; this is just an example to prove my point.

A good strategy to work around this is to have different servers in different physical locations, then have your DNS setup for failover. From there, it's just a matter of keeping each location's data synchronized.

_________________
Kris the Piki Geeker
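
The watch-and-temporarily-block approach described in the post above, as an added example that is not part of the original thread: a sliding-window per-IP limiter replayed over constructed traffic, showing that a single flooding source gets blocked while a distributed flood stays under every per-IP threshold. The class name, thresholds and addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class PerIPLimiter:
    """Sliding-window request counter with a temporary per-IP block."""
    def __init__(self, max_requests=20, window=10.0, block_for=300.0):
        self.max_requests = max_requests    # assumed threshold per window
        self.window = window                # seconds
        self.block_for = block_for          # seconds an offender stays blocked
        self.recent = defaultdict(deque)    # ip -> timestamps inside the window
        self.blocked_until = {}             # ip -> time the block expires

    def allow(self, ip, now):
        """Return True if the request is served, False if it is dropped."""
        if self.blocked_until.get(ip, 0.0) > now:
            return False
        self.blocked_until.pop(ip, None)    # any earlier block has expired
        q = self.recent[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)
        if len(q) > self.max_requests:
            self.blocked_until[ip] = now + self.block_for
            q.clear()
            return False
        return True

def replay(events, **limits):
    """Run (timestamp, ip) events through a limiter; return (served, dropped, blocked_ips)."""
    limiter = PerIPLimiter(**limits)
    served, dropped, blocked = 0, 0, set()
    for now, ip in sorted(events):
        if limiter.allow(ip, now):
            served += 1
        else:
            dropped += 1
            blocked.add(ip)
    return served, dropped, blocked

# Constructed traffic covering 10 seconds (addresses are made up).
# DoS: one source sends 200 requests.
single = [(i * 0.05, "192.0.2.10") for i in range(200)]
# DDoS: 400 sources send 5 requests each, 2000 requests in total.
distributed = [(s * 2.0 + n * 0.001, f"10.0.{n // 250}.{n % 250 + 1}")
               for s in range(5) for n in range(400)]
if __name__ == "__main__":
    print("single source:", replay(single)[:2])
    print("distributed:  ", replay(distributed)[:2])
```

With these constructed inputs the single source has 20 requests served and 180 dropped, while all 2000 distributed requests are served and no address is blocked.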


Posted: Thu Sep 29, 2011 4:49 pm
Junior Member

Joined: Tue Aug 16, 2011 7:58 pm
Posts: 25
Piki wrote:
Any server, regardless of location (physical and network), regardless of host, ISP, etc, is hard to defend, especially with DDoS.


Sure. But hard does not mean there's nothing that can be done. And we're not talking about the server that's the target of the attack here, we're talking about collateral damage. Still hard but, again, that doesn't mean something can't be done.

What I don't know is how much what Linode can do is dependent on the DC/network provider. I know there are devices like Cisco Guard but I get the impression (but don't know for sure) that that's something that the network provider would use (if they chose to). I also hear about asking network providers to null route targeted IPs. I don't know if this is something that HE does better or worse than other providers.


Posted: Thu Sep 29, 2011 5:00 pm
Senior Member

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
I didn't say it was impossible to do anything about it. The point that I want to make is that prevention is completely impossible. There are plenty of things that can be done to minimize risks and damages, but completely blocking a DDoS will never happen.

The question should never be what someone is doing to prevent a DDoS, it should be what they are doing to divert as much of the risk as possible, and in the event a DDoS does occur, what they are doing to come back online.

_________________
Kris the Piki Geeker


Posted: Thu Sep 29, 2011 5:07 pm
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
Alohatone wrote:
Guspaz wrote:
I'm sure they'll nullroute the affected system shortly.


how many nodes do you have on linode?


Three, but that doesn't really change my comment. Have you not been told in the past that if you need high availability you should be spreading your linodes out over multiple datacenters? Any and every provider suffers from occasional issues like this.


Posted: Thu Sep 29, 2011 5:13 pm
Senior Member

Joined: Tue Jun 21, 2011 4:25 pm
Posts: 118
Website: http://www.alohatone.com
Location: Hawaii
Guspaz wrote:
Alohatone wrote:
Guspaz wrote:
I'm sure they'll nullroute the affected system shortly.


how many nodes do you have on linode?


Three, but that doesn't really change my comment. Have you not been told in the past that if you need high availability you should be spreading your linodes out over multiple datacenters? Any and every provider suffers from occasional issues like this.


What do you run on your servers?


Posted: Thu Sep 29, 2011 5:15 pm
Junior Member

Joined: Tue Aug 16, 2011 7:58 pm
Posts: 25
Piki wrote:
I didn't say it was impossible to do anything about it. The point that I want to make is that prevention is completely impossible


Agreed. The question at hand (as I understand it) is whether something about Fremont/HE makes mitigation slower/less effective.


Posted: Thu Sep 29, 2011 5:26 pm
Senior Member

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
That depends on the staff and the tools that the parent company provides.

The status page (http://status.linode.com/) isn't saying anything about a DDoS. It says that the connection appears stable and that they are awaiting response on the issue. The part I find amusing about the status is their initial post:
Quote:
a network issue that is affecting a percentage of Linodes in Fremont.

Of course it's affecting a "percentage" of Linodes since it is affecting some Linodes -- unless some Linodes aren't counted toward the total Linodes :D

(edited (again) to fix grammar -- apparently I'm byslexik now)

_________________
Kris the Piki Geeker


Posted: Thu Sep 29, 2011 5:44 pm
Junior Member

Joined: Tue Aug 16, 2011 7:58 pm
Posts: 25
Piki wrote:
That depends on the staff and the tools that the parent company provides.


Right, which was my question. Seems like linode tries to be very neutral about their DC/network providers, which I guess isn't all that surprising.

But see also the discussion at http://www.linode.com/forums/viewtopic.php?t=2883. There's no resolution about whether HE is good or bad at helping mitigate ddoses.

If you look up softlayer (which theplanet now is) and ddos, you can find comments about softlayer allocating Cisco Guards to mitigate attacks. So does linode have better ability to mitigate at Dallas?

I suspect linode can't/won't comment on that. And we don't even know for sure whether it was a ddos. But it seems pretty clear that Fremont/HE continue to have more trouble than the rest of the DCs (combined?)


Posted: Thu Sep 29, 2011 7:30 pm
Senior Member

Joined: Mon Aug 31, 2009 2:33 pm
Posts: 78
Location: The OC
Piki wrote:
Quote:
a network issue that is affecting a percentage of Linodes in Fremont.

Of course it's affecting a "percentage" of Linodes since it is affecting some Linodes -- unless some Linodes aren't counted toward the total Linodes :D


I think they meant that it was affecting only a small number of the 'nodes at Fremont.


Posted: Thu Sep 29, 2011 8:26 pm
Senior Member

Joined: Tue Jun 21, 2011 4:25 pm
Posts: 118
Website: http://www.alohatone.com
Location: Hawaii
Fremont is going to have a 5 minute interruption while HE.net upgrades their router @ 6pm PST.

30 minute warning.


Post subject: Ditto..
Posted: Thu Sep 29, 2011 11:48 pm
Senior Newbie

Joined: Fri Apr 29, 2011 3:44 am
Posts: 6
we received an alarm (from an external monitor) for nodes linode114737 and linode29827 at the same time about 10 minutes ago.. seems ok now.


Post subject: Re: Ditto..
Posted: Fri Sep 30, 2011 12:15 am
Senior Member

Joined: Tue Jun 21, 2011 4:25 pm
Posts: 118
Website: http://www.alohatone.com
Location: Hawaii
yujb wrote:
we received an alarm (from an external monitor) for nodes linode114737 and linode29827 at the same time about 10 minutes ago.. seems ok now.


Yep, we see Fremont as having issues too.


Posted: Fri Sep 30, 2011 10:31 am
Senior Member

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
bjl wrote:
Piki wrote:
Quote:
a network issue that is affecting a percentage of Linodes in Fremont.

Of course it's affecting a "percentage" of Linodes since it is affecting some Linodes -- unless some Linodes aren't counted toward the total Linodes :D


I think they meant that it was affecting only a small number of the 'nodes at Fremont.


Yes, I know. I just find such wording amusing. Even 100% is a "percentage", so that line could mean "a network issue that is affecting the total percentage of Linodes in Fremont", or "a network issue that is affecting all Linodes in Fremont" :)

_________________
Kris the Piki Geeker


Posted: Fri Sep 30, 2011 11:40 am
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
Alohatone wrote:
What do you run on your servers?


A/UX 3.1.1. What does it matter to you?


Posted: Fri Sep 30, 2011 7:12 pm
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
Guspaz wrote:
Alohatone wrote:
What do you run on your servers?


A/UX 3.1.1. What does it matter to you?

So that's where the original Panix servers ended up...

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)

