05-14-2007, 01:45 AM
Phil21
If you're down due to DDoS that's a tricky one. Addressing a couple things people have spouted about here.

#1. "Hard Down" outages are easy. If apache fully crashes or the machine goes down, any host can trivially see this sort of outage. This outage should be extremely rare, as uh.. contrary to public belief this type of outage doesn't actually happen much.

#2. "Soft Down" situations are much harder to set up automated monitoring on. What defines "down"? Apache might be serving pages great, but the wrong content (e.g. mis-configuration) - or any myriad of other items where it truly appears data is being served, and not triggering alarms. This is where the host needs content-based monitoring capabilities. This is NOT invisible to you, you WILL have to work with the host to set them up.

#3. It's absolutely impossible to monitor for ALL outage scenarios. A good host should be monitoring for everything realistically they are able to, and coming up with monitoring solutions for you when something is found that previously was not caught. For these situations, 24x7 support (via phone!) is critical. A "server down" call that is actually a server down, should get an immediate answer on the phone and then escalation right from there. Generally you should know what's going on within 15 minutes of your call. E-mail is the same way, but I advise against it as it's a somewhat unreliable mechanism. AIM/live support/etc. may be an option depending on the host - personally I hate these options as it makes support on the host's side a real nightmare (what did tech A say to customer, do, etc. when there is no ticket involved?). Depends on your host's support options, but you should be getting someone looking at stuff pretty quickly.

#4. DDoS is hard, let's go shopping! For folks being DDoS'ed, throw your time estimates out the window. For most attacks, it's probably pretty trivial to filter and you'll either not even know you've been attacked, or be down for an hour or two until your host can put some filters in place. However for the REAL attacks (e.g. multi-gigabit, millions of packets per second, non-spoofed traffic, etc.) don't expect much from almost all hosts out there. These attacks are EXPENSIVE to filter, no matter what anyone tells you. First the host needs the inbound capacity to begin with (routers that can actually handle 50 million packets per second are not cheap), and either some very expensive DDoS filtering equipment or a lot of spare hardware and some good experienced techs to deal with it. We've had customers under 4gbit+ attacks for over a month, where it took an entire rack of dual xeons to filter out the bad traffic. I feel bad for the clients, but this does not come cheap - someone has to pay for the equipment investment and the few gbit of bandwidth being burned.

If you are truly being attacked by a "real" DDoS attack, you need to find a host used to dealing with that sort of thing. The alternative is buying filtering services from a DDoS protection company such as Prolexic. Unfortunately neither is a cheap option. However there is good news! If you are with one of the major "adult" hosts (as in, top 5) most of these guys have dealt with DDoS before and at least know where to start. Some are better than others, but you are infinitely better off with folks that know wtf they are doing, vs. mainstream reseller-flavor-of-the-month who will not have an idea of where to start. This sucks for small hosts out there - to be able to quickly adapt to these requirements you need oodles of spare capacity and hardware readily available, which is cost-prohibitive even to hosts of our size.

In short, good luck to ya! Communication is key when you're having issues, and I have to say as a host it's easy to forget this in the heat of the moment. Generally I'm furiously working on an issue when the customer ticket comes in, and tend to reply after I get it figured out or the site back up. This sort of tunnel vision just leads to upset clients in the end, even if you did get their stuff back up faster than the 2-3 minutes it would have taken to respond. Live and learn.

-Phil
__________________
Quality affordable hosting.
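Added example, not part of Phil21's post: a content-based HTTP check that tells the "hard down" case in #1 apart from the "soft down" case in #2, where the server answers but with the wrong page. The marker string, URL and thresholds are assumptions; the marker stands for any text the site owner agrees with the host to embed in a known-good page.

```python
import http.client
import time
import urllib.error
import urllib.request

UP, SOFT_DOWN, HARD_DOWN = "UP", "SOFT_DOWN", "HARD_DOWN"

def classify(status, body, elapsed, marker, max_seconds=5.0):
    """Classify one probe result; status is None when no HTTP response arrived."""
    if status is None:
        return HARD_DOWN, "no HTTP response (refused, timed out, DNS failure)"
    if status != 200:
        return SOFT_DOWN, f"server answered, but with HTTP {status}"
    if marker not in body:
        return SOFT_DOWN, "HTTP 200, but the expected content marker is missing"
    if elapsed > max_seconds:
        return SOFT_DOWN, f"correct content, but it took {elapsed:.1f}s"
    return UP, "expected content served in time"

def probe(url, marker, timeout=10.0, max_seconds=5.0):
    """Fetch url once and classify what came back."""
    start = time.monotonic()
    status, body = None, ""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
            body = resp.read(1_000_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status = err.code          # 4xx/5xx: the server is up and answering
    except (urllib.error.URLError, OSError, http.client.HTTPException):
        status = None              # nothing usable came back at all
    return classify(status, body, time.monotonic() - start, marker, max_seconds)

# Constructed probe results (status, body, seconds), not captured from a real site.
MARKER = "site-ok-7f3a"  # hypothetical marker embedded in the real front page
SAMPLES = [
    (None, "", 10.0),                                   # machine or Apache down
    (200, "<title>Apache2 Default Page</title>", 0.2),  # vhost misconfigured
    (200, f"<!-- {MARKER} --><h1>Welcome</h1>", 0.3),   # healthy
    (200, f"<!-- {MARKER} --><h1>Welcome</h1>", 9.4),   # serving, but crawling
]

if __name__ == "__main__":
    for status, body, seconds in SAMPLES:
        print(status, *classify(status, body, seconds, MARKER))
```

A plain "is port 80 answering" check reports the second and fourth samples as healthy; only the content and latency checks catch them.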