Do you have experience handeling...

[KyferEz]

DDoS?
Joe-Jobs?

I ask because I admin a spam-fighting site with forums which is occasionally joe-jobbed and has now been ddosed for the 2nd time in as many months. The current DDoS was using every connection to the server, and has lasted over a week. The members of my forums are VERY effective at taking down spam sites, and spammers hate us for it.

My current hosts cannot handle the DDoS. They are inexperienced with such problems and are unfamiliar with mitigation tactics.

My current host's answer to the DDoS is to suspend my account, null route my domain, and wait for it to blow over. I don't mind the null-routing (though I'd prefer it to route to a round robin of 127.0.0.1, 192.168.0.1, 192.168.1.1, 192.168.2.1 soas to cause the bot-net to inflict damage upon itself).

However the suspension of my account is VERY annoying, as it prevents me from doing anything: retrieving a backup, viewing IPs involved in the attack, etc., and also takes down other domains hosted on the same account.

My current host also does not assist in providing detailed information on the attacks.

And as for Joe-Jobs, many hosts will suspend a site for spamming without researching first, which is one of the intents of a joe-job...

So my questions to you are:
1) Does your support staff have experience mitigating DDoSes?

2) If my site was with you and was under heavy sustained DDoS, what would be your first actions?

3) How would billing issues be handled (in case BW was exceeded during the DDoS)? For example, would you allow BW to be greatly exceeded resulting in an enormous bill or would my site be temporarily disabled?

4) If my site was temporarily disabled (from exceeding available BW), would I still be able to access my site's control panels?
4b) Could I download a recent backup of my site?

5) Do you have any anti-DDoS technologies in place or available? (Please answer yes/optional/no to each):
- automatic BW limiting on a per-IP basis
- automatic IP blocking
- Do you use a stateful firewall
- Utilize SYN Cookies
- Have Application front end hardware
- Have some form of IPS

6) During a heavy DDoS where my site was unavailable due to the severity of the DDoS, would I be able to access my control panels?
6b) What about accessing my site via ftp or ssh during the attack?

7) In the event you think a client may have sent spam, what would be your actions?
7b) What if the client claims they were joe-jobbed?

Thank you very much for taking the time to answer all of my questions!

[Matt R.]

Hi,

DDoS prone websites aren't really what we are geared up to host, in all honesty.

Thank you for your interest though.

[Alan B]

Good answer!

[SupremeChaotic]

I was thinking the same thing, Alan. =cD