I run some webservers which serve small JavaScript files (which are web widgets of about 8kb). I have several servers moved to OVH, where I also have other services (I also use their CDN service, which is not bad).
The problem is that those servers trigger the anti-DDoS service, which WRONGLY thinks that legitimate traffic is an attack and puts the server under filtering, and I lose about 30% of the traffic. My clients are complaining, and my internal statistics also show evidence of the problem since I've moved to OVH. When OVH removes the filter, the widget success rate immediately increases from 70% to about 99%
(I can only see that in HTTP 200 responses and in client-recorded metrics). The problem is that servers that should handle 500Mbps of traffic are "limited" to less than 70Mbps due to that filter... (also with server resources (cpu/ram usage) under 30%)
I know that serving 8kb/request at 70Mbps is quite a lot. Each server receives about 3000 connections/second, which for a normal website could look like a DDoS, but for me it's normal traffic!
I know what I'm talking about because I was serving the same widgets on SoftLayer since a month ago with 1/4 of the RAM per server and 1/2 of the servers (and they have a DDoS protection too, but probably less aggressively configured).
I don't even know if I can order multiple very small servers instead of fewer big servers to work around that issue, because OVH doesn't want to tell me the DDoS threshold that is hitting me (packets per second? IPs per second? conntrack? what?). Are the thresholds equal for all servers? There is no documentation.
the not so funny part of all that is..
I've already opened a ticket for that, 6528169741, and in 9 days I have yet to reach a tech. On day one a "tech" from the Italy team asked me for a tcpdump, which I provided in MINUTES, then silence for days. After a call the tech told me that the dump was too big (about 100mb). I asked which size would be better for them and he told me about 3mb. I said OK, but you could have truncated the tcpdump yourself with the tcpdump command to the size you want. Anyway, I immediately uploaded a new tcpdump of 3mb. No reply for more days.
After 6 days of ticket, another Italian "tech" told me that they have opened an internal ticket. After 3 days I'm still waiting, not knowing a lot of things:
- If the problem can be fixed ( DDoS thresholds adjusted )
- how to handle such cases in future ( having to fight with "tech" support for days to get a reply is not my work ) /new servers
Anti-DDoS too aggressive, shaping my traffic to less than 70mb/sec ( on 7 servers.. )
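
The post asks which metric the filter is keyed on (packets per second, IPs per second, connections). The following is an added example, not part of the original post and not an OVH tool: it reduces the text output of `tcpdump -tt -n tcp` to per-second values for each candidate metric, so a ticket can quote measured peaks. The server IP, port and sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# One line of `tcpdump -tt -n tcp` text output (IPv4 only).
LINE = re.compile(
    r"^(\d+)\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\].*length (\d+)"
)

# Constructed sample capture (documentation address ranges), not real traffic.
SAMPLE = """\
1614070000.100000 IP 203.0.113.5.51514 > 198.51.100.10.80: Flags [S], seq 1, win 64240, length 0
1614070000.150000 IP 198.51.100.10.80 > 203.0.113.5.51514: Flags [S.], seq 9, ack 2, win 65160, length 0
1614070000.200000 IP 203.0.113.5.51514 > 198.51.100.10.80: Flags [.], ack 10, win 502, length 0
1614070000.300000 IP 203.0.113.5.51514 > 198.51.100.10.80: Flags [P.], seq 2:122, ack 10, win 502, length 120: HTTP: GET /widget.js HTTP/1.1
1614070000.400000 IP 203.0.113.9.40000 > 198.51.100.10.80: Flags [S], seq 5, win 64240, length 0
1614070001.050000 IP 203.0.113.9.40000 > 198.51.100.10.80: Flags [.], ack 1, win 502, length 0
"""

def per_second_metrics(lines, server_ip, port=80):
    """Return {epoch_second: metrics} for inbound packets to server_ip:port."""
    buckets = defaultdict(
        lambda: {"pps": 0, "new_conns": 0, "sources": set(), "payload_bytes": 0})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # non-TCP or unparsable line
        sec, src, dst, dport, flags, length = m.groups()
        if dst != server_ip or int(dport) != port:
            continue  # only traffic arriving at the service
        b = buckets[int(sec)]
        b["pps"] += 1
        b["payload_bytes"] += int(length)
        b["sources"].add(src)
        if flags == "S":  # bare SYN: a new connection attempt
            b["new_conns"] += 1
    return {s: {"pps": b["pps"], "new_conns": b["new_conns"],
                "unique_sources": len(b["sources"]),
                "payload_bytes": b["payload_bytes"]} for s, b in buckets.items()}

def peaks(metrics):
    """Highest per-second value observed for each metric."""
    keys = ("pps", "new_conns", "unique_sources", "payload_bytes")
    return {k: max((m[k] for m in metrics.values()), default=0) for k in keys}

if __name__ == "__main__":
    print(peaks(per_second_metrics(SAMPLE.splitlines(), "198.51.100.10")))
```

Comparing these peaks between a filtered and an unfiltered period shows which metric moves when mitigation starts.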