So if I get ddosed you cancel my linode subscription?

No, but what I've done in the past is three strikes and you're out (or less) -- especially if the severity of the attacks affects all the machines, and subsequently all of our customers in a given data center. There may be other circumstances in which I'd overlook this "rule", but in general Linode cannot afford to harbor the type of clients that attract attacks.

I take the integrity of our network and the quality of our subscribers very seriously. This type of activity on our network won't be tolerated. Clients that attract this type of stuff will need to look elsewhere for hosting.

Thanks,
-Chris

Could you be a bit more specific on the types of things that attract attacks...?

Honestly, I don't know if I can qualify it. My guess is script kiddies getting into juvenile arguments with one another, attacking others from a Linode which prompt a counter attack, that kind of stuff. Who knows.

-Chris

I should also mention that in the rare occasions I've done the "three strikes" thing I've *asked* people to leave, and given them time to migrate their services elsewhere. In those circumstances, the clients were understanding. We didn't just switch them off, although occasionally I have had to do that.

-Chris

Canceling accounts for ddosed script kiddies, I understand and agree. But how about if a customer runs a very useful service like for example wikipedia.org? I don't know how often server administrators get ddosed so maybe this is not really an issue.
But it would be nice to know that if these things happen often and I manage to develop a popular service, that I wouldn't have to change provider just because some 12 year old child decided to try his botnet on me.

Is this common practice? Do other server providers cancel customers accounts on ddos? Perhaps there are ways to defend oneself against ddos attacks that your isp is willing to share with you.
If a 12 year old controls a 1000-node botnet, wouldn't the traffic generated from one of his nodes look similar enough to each of the other of his nodes, to be possible to block at the router level?

When you get to the point that you are running something the size of wikipedia on a linode we'll talk. Generally if you are running services that attract these types of attacks, you know. If not, you will know by the third time you are warned by your hosting provider.

I hate the assertion that IRC is always branded as a useless service that just attracts DDoS attacks, this is my biggest issue still with ThePlanet.

There are some of us who work very hard at running polite and fair IRC servers, but random attacks do happen to any service - just ask Steve Gibson. In any instance I'd whack the power button on my Linode the instant I saw an issue generated from it, I know what it's like to be one of the customers near a DDoS attack and there are some people that start IRC networks on bad pretenses and then provoke people with it.

So thank you for not taking others stupidity out on the rest of us

_________________
--
Colin Alston
Network Operations - Slipgate Group
http://www.slipgate.za.net/

isn't there a middle ground?

if someone is running a legit site and they happen to be a lightning rod one solution would be that they agree to allow their site to be temporarily powered down*. possibly for either x hours or x days--whatever is necessary to wait out the attack.

that way the entire network isn't suffering and owner of the ddos'd site is not being punished (by losing their linode account) because someone else chose to issue a ddos attack against them.

i agree that linode shouldn't be providing ddos protection--it's not in the contract. at the same time, if there are reasonable steps that can be taken to support linode customers who may be the unfortunate target of a violent act, this would reflect positively on linode.


--
*powered down: it seems like this would be a reasonable clause to include in the linode contract. ~"if your account is ddos'd it will be automatically and temporarily disabled to prevent the ddos attack from affecting other customers."

Don't DDOS attacks normally involve just throwing as many packets as possible at the target's IP, thereby saturating their network connection? In that case I don't see how powering down the target's linode would prevent other Linode customers from being affected.

If the target becomes unreachable, the attacker would be thinking "LOL my 4tt4ck iz w0rk1ng" not "Darn, they foiled my attack by shutting down their machine, might as well call it off".

You are correct. Disabling the target has no effect on the attack. The affected IP has to be null routed by Linode's network connectivity supplier (Hurricane Electric, in this case). That costs Linode time and money - hence the 'no prisoners' approach to this type of problem.

_________________
/ Peter

Speaking as a member of a group who gets the packets fairly often:

People who have botnets are the most juvenile people on the planet.

But Linode's policy is a good one. If you want DDoS protection, it will cost you . . . a lot.

does null routing have to be costly? it could be automated to occur when a ddos attack is detected.

Hurricane Electric would need to spend money to do the detection. From their perspective, one person's DDOS looks like somebody else's busy day. They would have to log traffic for each IP and look for sudden changes. At the moment they only have to log cumulatively at the address block level for traffic billing.

_________________
/ Peter

the burden of identifying the ddos'd IP(s) could be placed on Linode. then all that Hurricane Electric (HE) would have to do would be to set the null route.

Linode could create a mechanism for quickly identifying ddos attacks and automatically reporting them to HE for null routing.

Caker, how much work would it be to create a mechanism that automatically id'd a ddos'd IP and reported it to HE? and can you think of any reasons why you wouldn't want to to have such a system in place?