As I mentioned, I had a series of DDOS attacks last week. They’re over now (knock wood), and NatNet was good about it (so far) and I don’t think it will cost me too much. BUT… After talking to them I’ve realized that DDOS attacks will start becoming part of our normal course of business. Here’s a bit of what they shared with me…
We have been in business for more than 17 years now and in the first 15 years you could count the number of DDoS attacks that we had to deal with on one hand. Literally, on one hand. That is not an exaggeration. In the past two years, however, DDoS attacks are becoming more and more regular. In some cases it is a surfer that is mad for one reason or another. In some cases it is a competitor that is trying to hurt their competition. We have seen a customer who fired an employee and they got their revenge with an attack. We have seen a Church go after a site because it did not like the type of content they were displaying. This list goes on and on.
Why is it becoming bigger now than before, you may ask? The availability of “bot nets” for rent. Now someone can pay a third party and they will run the attack against whoever for whatever reason. Kind of like mercenaries, they don’t care. Over time we have simply told customers that we are not a DDoS mitigation firm and if you felt like you needed that kind of mitigation then you would need to contract for that separately from your hosting. Of course, back then the mitigation would cost $10,000-$100,000 per month depending on the size of the attack. Also, there were really only a small handful of mitigation firms and they would not sell to hosting companies because they knew they could sell more if they sold to our customers. Why sell NationalNet a single service when they could sell 5 or 15 or even 50 of our customers the same service and make way more money?
Of course, over the past few years there are more competitors in the space and there are people who will specialize in helping Hosts like us with a “First Line of Defense” style solution. Here is how our solution is going to work…if you get an attack we will turn on our mitigation system just like we did for you last week and we will mitigate the attack for 24 hours. If the attack lasts for longer than 24 hours then you have to decide if you want a real DDoS Mitigation Solution or would you rather just let your site go dark until the attacker moves on to someone else? For most sites, a real DDoS Mitigation Solution is going to run somewhere between $1,000 and $4,000 per month depending on some decisions that you make on how you want it to work. Our “first line of defense” product is going to be very affordable (probably about $20-$30/month for an account your size) and will work for 24 hours. In MOST cases, if an attacker is not successful in bringing down your site in the first 24 hours he will simply give up…which is what we are hoping for in this plan. If not, then you will have 24 hours to decide whether you want to engage our mitigation provider for a full blown solution or whether you would rather just take the site down long enough for the threat to disappear.
The problem is they don’t have any solutions between the $20-30/mo plan and the $1000-4000/month plans. The attack I had recently occurred over a few days. Just a little bit here and there. They don’t have a plan to address that type of attack. They’re basically saying $1000/mo minimum to deal with that type of situation. I’m not inclined to triple my hosting bill, so I’m wondering if I should find another host. I REALLY don’t want to change hosts, and (I haven’t seen this month’s bill yet, but) they were more than fair about the recent attack. And their service is decent.
So I’m wondering - are any of you on hosts that are at least as good as NatNet that include comprehensive DDOS mitigation for a reasonable price? And have you ever had to use the mitigation service (or know someone else who did)? As NatNet put it… “there is nothing worse than paying ANY amount of money every single month and the first time you really need it to work it fails”. So it’s important that it be more than words on paper (or words on a website), it needs to be a tried and true service.