This is the reply I got from their support, just a few days ago:
>In short, our DDoS protection works by filtering out DoS-like traffic and is applied via the Linode network, so all Linodes are automatically protected. If your server were to be on the receiving end of a larger attack that impacts the Linode's host, we would need to prevent your server from receiving traffic until the attack ends. If you're concerned that you might be the target of a large DoS attack, there are a number of third-party DDoS mitigation services that you can use alongside your Linode.
>We aren't able to provide specific numbers since effects can vary depending on the attack. If you wanted to be sure your Linode is protected, we would recommend utilizing a third-party DDoS protection service overtop of your Linode's included protection. You also have the option of waiting to apply third-party protection until a null route is found to be necessary.
Edit: To clarify, filter = protection. Preventing all traffic is not. Both were stated in the description above so they should be clear which one it is.
Then I forgot to deposit a check at one point and overdrafted my account. I assumed things were fine because none of my transactions were getting declined. Instead I was being charged an extra $15 fee on every transaction, so that $0.75 stick of gum? $15.75, etc. This went on for about three weeks before I got my statement and talked to my bank.
They informed me that in fact the protection was protection from my transactions being declined, at the paltry expense of $15 per transaction.
>We have just detected an attack on IP address x.x.x.x. In order to protect your infrastructure, we vacuumed up your traffic onto our mitigation infrastructure. The entire attack will thus be filtered by our infrastructure, and only legitimate traffic will reach your servers.
and then:
>We are no longer able to detect any attack on IP address x.x.x.x. Your infrastructure has now been withdrawn from our mitigation system.
I never need to do anything, but I don't think these attacks are real anyway.
What would it take to convince you an attack is real when it has been 100% mitigated and you never saw it in your backend infrastructure?
I ask as the engineering manager for DDoS protection at Cloudflare, and we stop a lot of attacks. But I feel this tension in the communication and product offering... if we do our job well enough that a customer's system does not see the attack, how does a customer see and feel the value?
An example is that as a reverse HTTP proxy we are implicitly also a full TCP proxy for HTTP traffic and so we receive significantly large SYN or ACK floods. We stop these 100% by virtue of being the terminating TCP proxy, but also by using connection tracking, anycast, XDP + eBPF, and so forth... you won't see a single one of these SYN or ACK packets hitting your infrastructure... so what would we have to communicate to convince you that the attack existed?
I was running node_exporter, which exports a lot of detailed network info from my kernel to Prometheus. During the time intervals leading up to, during, and after the attack, there is nothing there. Not even a blip.
I don't find it likely that OVH completely prevented any kind of volumetric attack from hitting me with zero detection latency. I just have doubts about there existing a perfect technology that doesn't have any false positives and also kicks in instantly. I'll keep an open mind.
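The SYN/ACK-flood comment above and the node_exporter comment right after it describe the same question from two sides: if a provider's scrubbing really absorbed a flood, the host's own TCP counters stay flat; if it did not, the kernel leaves a signature (SYN cookies sent because the SYN backlog filled, listen-queue drops, a jump in inbound segments). The block below is an added example, not code from any commenter, from Cloudflare, Linode, OVH or node_exporter. It parses two snapshots in the layout of /proc/net/snmp and /proc/net/netstat (the files node_exporter's netstat collector reads, here concatenated and trimmed to the fields used) and reports whether a flood reached the host. The snapshots and the per-second thresholds are constructed for illustration and are assumptions, not vendor or kernel numbers.

```python
"""Decide from kernel TCP counters whether a SYN flood actually reached a host.

Added example; not code from the thread, Cloudflare, Linode, OVH or node_exporter.
Snapshots are constructed (concatenated /proc/net/snmp + /proc/net/netstat style,
trimmed to the fields used); thresholds are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_proc_net(text: str) -> dict[str, dict[str, int]]:
    """Parse the two-line-per-table layout shared by /proc/net/snmp and
    /proc/net/netstat: 'Proto: name name ...' followed by 'Proto: value value ...'."""
    tables: dict[str, dict[str, int]] = {}
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected alternating header/value lines")
    for header, values in zip(lines[::2], lines[1::2]):
        proto, names = header.split(":", 1)
        vproto, vals = values.split(":", 1)
        if proto != vproto:
            raise ValueError(f"header {proto!r} paired with values for {vproto!r}")
        names_l, vals_l = names.split(), [int(v) for v in vals.split()]
        if len(names_l) != len(vals_l):
            raise ValueError(f"{proto}: {len(names_l)} names but {len(vals_l)} values")
        tables.setdefault(proto, {}).update(zip(names_l, vals_l))
    return tables


@dataclass(frozen=True)
class SynFloodVerdict:
    seg_rate: float     # inbound TCP segments per second (Tcp:InSegs)
    cookie_rate: float  # SYN cookies sent per second (SYN backlog was full)
    drop_rate: float    # listen-queue drops per second (TcpExt:ListenDrops)
    flooded: bool
    reason: str


def _delta(before: dict, after: dict, proto: str, key: str) -> int:
    """Counter difference; these are monotonic, so a negative delta means a
    reboot or counter reset and the sample pair is not comparable."""
    d = after[proto][key] - before[proto][key]
    if d < 0:
        raise ValueError(f"{proto}:{key} went backwards (counter reset or reboot?)")
    return d


def syn_flood_verdict(before_text: str, after_text: str, interval_s: float, *,
                      cookie_thr: float = 1000.0, drop_thr: float = 1000.0,
                      seg_thr: float = 200_000.0) -> SynFloodVerdict:
    """Compare two snapshots taken interval_s seconds apart (thresholds assumed)."""
    if interval_s <= 0:
        raise ValueError("interval_s must be positive")
    before, after = parse_proc_net(before_text), parse_proc_net(after_text)
    seg = _delta(before, after, "Tcp", "InSegs") / interval_s
    cookies = _delta(before, after, "TcpExt", "SyncookiesSent") / interval_s
    drops = _delta(before, after, "TcpExt", "ListenDrops") / interval_s
    reasons = []
    if cookies > cookie_thr:
        reasons.append(f"SYN cookies at {cookies:.0f}/s: SYN backlog exhausted")
    if drops > drop_thr:
        reasons.append(f"listen-queue drops at {drops:.0f}/s")
    if seg > seg_thr:
        reasons.append(f"inbound segments at {seg:.0f}/s")
    return SynFloodVerdict(seg, cookies, drops, bool(reasons),
                           "; ".join(reasons) or "no flood signature in kernel counters")


# Constructed samples, 15 s apart.  QUIET is what "not even a blip" looks like;
# FLOOD is what a SYN flood that reached the host would leave behind.
SNAPSHOT_BEFORE = """\
Tcp: ActiveOpens PassiveOpens CurrEstab InSegs OutSegs
Tcp: 4210 9831 58 5123456 4987650
TcpExt: SyncookiesSent SyncookiesRecv ListenOverflows ListenDrops
TcpExt: 0 0 2 2
"""
SNAPSHOT_QUIET = """\
Tcp: ActiveOpens PassiveOpens CurrEstab InSegs OutSegs
Tcp: 4260 9902 61 5168456 5032100
TcpExt: SyncookiesSent SyncookiesRecv ListenOverflows ListenDrops
TcpExt: 0 0 2 2
"""
SNAPSHOT_FLOOD = """\
Tcp: ActiveOpens PassiveOpens CurrEstab InSegs OutSegs
Tcp: 4260 10400 60 14123456 5100000
TcpExt: SyncookiesSent SyncookiesRecv ListenOverflows ListenDrops
TcpExt: 600000 120 250002 250002
"""

if __name__ == "__main__":
    for name, snap in (("quiet", SNAPSHOT_QUIET), ("flood", SNAPSHOT_FLOOD)):
        v = syn_flood_verdict(SNAPSHOT_BEFORE, snap, 15)
        print(f"{name}: flooded={v.flooded} ({v.reason})")
```

On a real host the same counters are already in Prometheus via node_exporter (as node_netstat_Tcp_InSegs, node_netstat_TcpExt_SyncookiesSent and node_netstat_TcpExt_ListenDrops), so the check is a rate() over those series; the script is the offline equivalent. A flat QUIET-style result during an announced attack is consistent with the provider having absorbed it upstream, which is exactly the situation the commenter found hard to verify.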
In the past providers like Linode were happy to just null route your IP for several hours/days or charge you thousands to block a small flood.
AWS does charge for WAF and Shield, I believe.
I also remember comparing AWS Lambda at Edge vs Cloudflare Workers (though Lambda allows for longer execution times and generally provides more flexibility like RAM, CPU, Runtimes since it runs on a Linux VM vs V8 Isolates for Workers), costs were something like 10x apart.
Can't wait for WebSockets support for Workers.
OVH: go into lockdown!
[1]: free as in free beer, at no direct cost to users
[2]: terms and conditions apply, free until you hit certain conditions (for example, constant barrage)
[3]: free as in the customers pay for the (mandatory) DDoS protection via increased prices (similar to how I remember OVH handling their "free" DDoS protection)
For 3 (as was in the example), the cost of the DDoS protection service is directly added to the rates of services on offer.
OVH was quite blatant in this, as it had offered an optional DDoS protection service for a fixed rate of 3€/mo (this was a few years ago, exact details might be hazy). After they had a large network overhaul (with major interruptions), they simply raised the prices by 3€ and advertised the new, "free" DDoS protection service which was included in all of the services.
Last time I checked, GCP cost me $26 (+ hidden charges) for the same thing I could get in many other places for $7. Some of them provide instant customer support too and are better because it's not an outsourced customer center in India or other places.
Check out:
vultr: https://www.vultr.com
Scaleway: https://www.scaleway.com/en/
OVH: https://www.ovhcloud.com/en/
DO: https://www.digitalocean.com
Some prefer managed infrastructure and just want to write code. Though you can do that via GKM, some prefer a more straightforward approach.
Nanobox: https://nanobox.io
Heroku: https://www.heroku.com
LastBackend: https://lastbackend.com
ML/AI
Paperspace: https://www.paperspace.com
FloydHub: https://www.floydhub.com
Colocation, for those who have big infrastructure needs and developers; it will cost them less.
Equinix: https://www.equinix.com
Datafoundry: https://www.datafoundry.com
Disclaimer: not associated with any of them. Have used some of them and for others, heard great things.
You can easily go lower for less support and most likely a shit interface with some reliability issues.
This! I don't want to spend my life navigating the maze of options and hidden costs of AWS et al. This is important to most projects for two reasons: time and cognitive load. Until things get truly massive scale, it's not worth the brain drain, and time is more precious. Navigating the interface of Linode is actually pleasant and takes minimum effort.
If anyone needs a reason not to use AWS for your boss in a nutshell: employee sanity.
(I am just a customer)
Instances of comparable power are somehow more expensive on both AWS and GCP.
Also, simplicity: AWS IAM is mightily complicated, things like CloudFormation are totally non-trivial, etc. You can get going more easily with simple and moderately complex setups on Linode or DO.
Of course, AWS, GCP, and Azure have much bigger infrastructure, several availability zones, a lot of managed software (object storage, various databases, queues, email gateways, docker hubs, etc) which smaller players don't provide, or can't provide at the fault tolerance level which big players are able to offer. Something like AWS Aurora is hugely internally redundant to withstand link problems, node outages, etc transparently. If you want a thing like that, managing it yourself takes serious chops, and money.
When a company has room to care about details like this, you can feel they're not crushed by support requests, which may mean they're doing things right.
It took me a while to even find GCP's cost calculator, and the AWS one required me to make an account before using it. I spent days looking through documentation and learning all the nomenclature ("elastic beanstalk" - seriously??) so I could even start to understand the calculator. Their structure is incredibly convoluted (compute + load balancing + database + database storage + block storage + content delivery + container management...), making it near impossible to know how much I would end up spending. Not to mention that the prices and performance vary wildly (reserved vs hot vs cold compute).
My rough estimate would've put me at around 3x the cost compared to Linode and I'd be living in fear of the bill every month. Linode told me exactly how much of what I would be getting and how much I'd have to pay - in words, not ec2_t2.micro_us-west_reserved.
I keep everything directly user-facing (ie, must-be-always-available) on GAE. Which is expensive, but nobody has to wear a pager.
Basically for small, simple applications, Linode or DO are great. They’re simple, the pricing is simple.
For more complex applications with lots of components, service buses, microservices etc, bigger cloud services offer you lots of features, but it gets difficult to operate if you’re just one guy (IME).
It's very predictable how much you'd pay by spinning one up, as bandwidth is a pooled limit among all your machines, so you won't pay until you exhaust the pooled monthly limit, and they don't charge you for disk IO, and the performance/cost ratio has been better.
You'd question why you'd pay more for less performance.
Will EC2 ever be able to boot into recovery mode easily? Linode allows you to boot into recovery mode by attaching your disk, and also to easily access your console from the browser in case you screw up networking or a firewall and lock yourself out.
They provide easy daily/weekly backups instead of making you write a script to take EBS snapshots manually.
Maybe my AWS knowledge isn't caught up but AWS feels like everything is for you to manage.
Also they don't do weird stuff like GCP resetting the hostname on every reboot; things are how you'd expect.
DX/UX/UI
Fits small to medium businesses (i.e. better resource management decisions. Yes, that imaginary scaling thing)
Price predictability
---
Launching production on DO: 1 LB + 2 droplets + 1 managed PG. That's pretty much enough to cover a huge portion of the problem space you are solving for customers. Mostly enough for a sustainable business.
For really simple providers (just a VM; in AWS, just EC2) you can still write all your own Ansible/Puppet/Chef (I recommend Ansible) to setup your servers for you. You can do your own databases, but there is complexity in scaling, multi-read only workers, etc. Managed solutions are nice in how they handle that for you and you really only need to do off-site backups. But the advantage is, once you have it all written and figured out ... you can move it anywhere.
As a startup, you want to get everything fast. So you're going to get locked in (most likely). That's fine if you start making money. If you want to start cutting costs later, it's not really going to matter who you originally started with. You're going to be rewriting a lot.
There are a TON of tradeoffs going in either direction. Linode/Vultr/DO really appeal to people self-hosting or startups that have infrastructure people from day one who can stand up things, platform-independent, from day one.
DO has started offering managed databases and load balancers. Now we see Linode offering DDoS protection (maybe saving you money from paying Cloudflare)? Everyone wants to get to the point where they can at least offer the minimum AWS/GCP/Azure stack (web + DNS + load balance + firewall + database... maybe throw in some managed k8s like DO is doing now?)
It's really all about tradeoffs. What time do you want to put in now so it's easier to migrate later?
I work for Cloudflare, and we do not charge you money for our DDoS protection. It's free and included on every plan level including our free level, and the protection you get is equal to the protection our enterprise customers get.
In other product features we have we also work hard to make sure we do not charge you for any bad traffic, i.e. our HTTP rate limiting product has the pricing structure designed so that you aren't paying for the traffic stopped by it.
Pricing really isn't the issue here, but where Linode and other hosts adding DDoS protection helps is in the scenarios where your origin / host IP or provider is known. In those scenarios attackers may directly attack the host.
Just as elsewhere in security, you are as strong as your weakest link, and I am really pleased to see hosting companies expand their DDoS protection.
The various disclaimers: I am the engineering manager for DDoS protection at Cloudflare, and I run a little farm of machines at Linode :) I'm happy on both fronts with this announcement from Linode.
https://news.ycombinator.com/item?id=3654110 Compromised Linode, thousands of BitCoins stolen (2012)
https://news.ycombinator.com/item?id=3655137 Linode Manager Security Incident (2012)
https://news.ycombinator.com/item?id=5552756 Linode hacked, CCs and passwords leaked (2013)
https://news.ycombinator.com/item?id=7086921 An old system and a SWAT team (2014)
https://news.ycombinator.com/item?id=10825425 Linode DDoS continues – Atlanta down for 16+ hours (2016)
https://news.ycombinator.com/item?id=10998661 The Twelve Days of Crisis – A Retrospective on Linode’s Holiday DDoS Attacks (2016)
https://news.ycombinator.com/item?id=10845170 Security Notification and Linode Manager Password Reset (2016)
https://news.ycombinator.com/item?id=10806686 Linode is suffering on-going DDoS attacks (2016)
> why would I want to use Linode over GCP or AWS?
If you include dedi providers like OVH into this comparison, you probably just wouldn’t.
For a long time Linode has had better features, performance and bandwidth. It wasn't until recently DO had Managed DB and many other additions.
Linode's High Memory Plan also has much better Memory : CPU Ratio.
Still waiting for their CDN (not sure why they are not exposing it and instead require going through CS), Managed DB and Bare Metal. Once those three are in place (and well tested), it should provide decent competition to the hyperscalers.
Personally, think DO has a more pleasant UX too.
I actually don't use DO, but I've used their articles many times after searching for how to setup some things on Linux. Their tutorials are excellent and have saved me a ton of time. I'd imagine those articles alone drive a lot of traffic to them.
Also, from benchmarks I've seen, Linode was inconsistent and overall not that much faster than it looks on paper. Vultr was best in things like CPU performance but had slower networking. DO was just OK in all metrics.
If you add that DO has the best admin panel, is usually first with most services like Spaces (which is not that amazing but OK) and sponsors a lot of good content (tutorials, podcasts).
They are all similar services; once you get on one of them there aren't many reasons to switch. Like, I looked into Vultr high frequency compute for a new service and then I realized I would have to deal with two invoices instead of one every month... so I just used DO :))
1. For a long time, Linode did not have a Terraform provider
2. DO's managed Kubernetes offering Just Works, and is very competitively priced
FWIW, I still run a small Linode box. It's been rock-solid, and the support they provide is absolutely top-notch.
Linode has better resources for the price and really solid support, so I tend to stick with them.
Which one? I count at least 4 off the top of my head.
And the problem wasn’t just those security incidents, it was Linode lying and covering them up.
Have you looked? Linode BW is incredibly expensive compared to just about any dedi provider.
I wonder how quickly DigitalOcean will add this to remain competitive.
It's a huge win to have your hosting provider handle this and it's also nice to not be "forced" into using Cloudflare for such an important feature.
They still null route when the upstream links become congested but this is becoming less and less frequent as their network edge grows.
Even DO themselves mention they don't protect against it and even go as far as saying to use Cloudflare.
Here's a tweet of that from Jan 2018: https://twitter.com/digitalocean/status/958364631671758854?l...
Is that them taking the "not advertising it" line to the next level by publicly stating they don't protect you even though they do? I'm a bit skeptical.
Next to Moscow it is one of the most difficult places I've tried to put servers.
Doesn't AWS charge an arm and a leg for traffic?
GCP Network has built in DoS mitigation as well (e.g. in the load balancing layer) so you get some protection from that for free.
Having this as a default seems good.
Assuming you aren't getting 1000s per minute, of course.
Might be this one? https://news.ycombinator.com/item?id=12403783
DO has been good to me too.