A distributed denial of service (DDoS) is an attack where a person or group of individuals sends a flood of network packets to a server, which may cause the targeted service to lag, crash or become completely immobilized. DDoS attacks often cannot be tracked back to the source because the attacker(s) use compromised computers (botnets/stressers), amplify their traffic off a flawed infrastructure or service (NTP, DNS, SNMP, Source Amplified DDoS attack, etc.) and use spoofed machines to initiate their attacks. The best way to stop DDoS attacks is to have a hosting provider who provides actual in-depth DDoS protection.
Our DDoS protection has multiple layers, each with a specific specialized purpose, to ensure that everything is filtered appropriately. For our first two layers, which do about 45% of our basic DDoS filtering (Preemptive Firewall and Arbor DDoS Mitigation Unit), we rely on a French hosting provider called OVH. This is because they are the only hosting provider currently able to fit our very specific requirements, including providing the raw bandwidth needed to protect the top servers on Garry's Mod. We will be investing in getting our own independent location(s) in the near future.
The rest of our DDoS protection is fully custom and cannot be found at any hosting provider not directly partnered with us. Our DDoS protection is designed to only allow traffic to the service(s) that you wish to host; this is one of the many ways that we ensure that our hosted servers are protected from up to 99% of DDoS attacks.
To ensure maximum transparency, we will break down exactly what each of our DDoS Mitigation Layers does below:
The first layer of our DDoS mitigation system is designed to stop basic but very large UDP-based amplification-type DDoS attacks. Some examples of what it would block are NTP, DNS, SNMP and UPnP amplification attacks.
This layer is designed to be able to "gulp" up at least 100 Gbps or more of inbound DDoS attacks towards our clients. While we are investing in our own location, OVH provides the raw bandwidth needed for the first layer.
This currently mitigates about 10% of all of the DDoS attacks that come through our routers. While this may seem insignificant, we would need very large network pipes at our own location (100 Gbps minimum) to match this.
Some things that this layer of our DDoS mitigation system stops are network packets that are not crafted properly, match random UDP patterns, fail checksum tests, and are detected to be a part of a botnet (zombie detection).
The capacity of this layer is up to 80 Gbps of packet filtering. This isn't mandatory on our end, since the third layer is able to filter nearly everything without issues. The second layer does, however, filter most of the large attacks.
The Arbor DDoS mitigation unit accounts for about 35% of all DDoS attacks that come through our network. With just the first two layers of our system combined, we are able to mitigate about 45% of all DDoS attacks for our clients.
This may seem like it should be more than enough DDoS Protection for most clients; however, our company has very high standards when hosting the top servers on Garry's Mod.
This is one of our fully custom DDoS mitigation layers which protects our clients from the majority of DDoS attacks that flow through our network. This layer is designed by us to only allow the specific traffic for the end service that the client chooses.
The third layer of our DDoS mitigation system is designed to protect our clients from in-depth DDoS attacks up to 25 Gbps. This system is also designed to be stackable, and we plan on upgrading it to at least 100 Gbps or more in the future.
This layer protects our clients from up to 95% of all DDoS attacks that come through our system, regardless of whether the first two layers are present or not. The system is completely custom and is designed to give our clients more in-depth and specific DDoS protection.
All other hosts that currently provide DDoS protection are designed to give you more generalized DDoS protection. That means that even if they tell you that they offer a ridiculous amount of DDoS protection capacity such as 480 Gbps, that is no promise at all that their system can detect the attack, let alone filter it.
OVH cannot make custom filters for you on request for abnormal services; this is the biggest reason why clients go to us and not to OVH directly.
This is our final fully custom layer in our DDoS mitigation system. The layer is designed to specifically protect our clients against DDoS attacks that target a part of their service(s). An example of where this happens most often is in Garry's Mod servers, where there are public DDoS attacks that target how the game engine works. An in-depth example of this is a DDoS attack that has the exact same packet structure as the real traffic the game engine uses; this is not blockable via traditional methods. The formal name for these attacks is Valve Source Engine floods or exploits. These DDoS attacks currently cannot be properly filtered by any other hosting provider unless they are directly partnered with us.
These attacks are also actually very common; we have clients purchasing dedicated machines from us just to protect themselves from these very in-depth DDoS attacks. This is while their hosting provider is telling them that it's impossible to properly filter these attacks. These providers claim that they offer a "solution" to these attacks while they simply apply a rate limit and state that these attacks are absolutely impossible to resolve, which is completely false.
This is a truly custom system that is designed to protect you even further than any other hosting company can offer. Many top 10 GMod servers rely on this system to be able to stay up 24/7, and it also lowers your server's latency in the server browser (Source), which gives you a slight advantage in how your server is shown. When this is combined with our custom IP geo-location and optimized routing (already comes free with all servers), it increases the number of players that join your server by about 20%, which nobody else can offer!
This layer of our DDoS mitigation system protects our clients from the rest of the DDoS attacks that aren't taken care of by our other layers. With our third layer and fourth layer alone, we are able to protect from up to 99.99% of all DDoS attacks, even if the attacks are designed to exploit the game's engine, such as a VSE DDoS attack.
We are very realistic with our customers, as many other hosting providers advertise to their clients a stupidly high DDoS capacity, such as 480 Gbps for their overall mitigation amount, when in reality their system cannot even detect the attack. Our combined capacity rating that we give to our clients is within 25 Gbps to 65 Gbps of DDoS protection. Please remember that it will always depend on the type of attack that comes in; if the attack is amplification based, we can protect you from hundreds of gigabits of incoming bandwidth. As a promise to our customers, we haven't and will never null route any of our clients ever!
The best perk about choosing our hosting provider is that we do not need to rely on another company for DDoS protection (for our custom layers). In the unlikely scenario that an attack does get through all of our layers, we will do everything to patch it as soon as possible.
Some of the DDoS attacks and floods that we are known to protect our clients from are:
Please remember that this is only a very small list of some DDoS attacks that we currently filter. If you have any questions or concerns about anything then please contact us here.
We also make custom DDoS mitigation filters on request for clients regardless of the service; this is usually used with our managed or unmanaged dedicated machines. For example, if you want us to create custom DDoS mitigation filters for a particular service, or even for a game you made yourself, then we can definitely create them so that you are truly protected against even the most in-depth "layer 7" attacks, which no other hosting provider truly offers.