Gandi.net was under DDoS (gandi.net)
68 points by esamueljohnson on Jan 23, 2021 | hide | past | favorite | 53 comments


Gandi has been my registrar for years -- they're solid, high-integrity folks. Hope they manage to resolve this without too much damage.


I used to think that. But from my experiences, their customer service is crap, and I had a bunch of downtime on their VPS offering with no compensation offered.

I've stayed away from them since then. Not a very impressive company, and I'm not too surprised they're failing to deal effectively with this DDoS.


Gandi is a domain registrar first, and in that respect they're light-years ahead of the competition. They don't do shady stuff like squatting on your domain searches, etc.

If you choose to use a value added service like VPS, you should expect subpar experience. You can go to any cloud provider and find a service for which you're going to have a worse experience than you had with Gandi VPS.


No I shouldn't expect a subpar experience, and that's why I no longer use Gandi.

Claiming not to do shady things with user data is the minimum I expect from a domain registrar. Fortunately, Gandi aren't unique in that respect.

Gandi came highly recommended to me, so I was quite disappointed by the reality.


So who in your opinion is _clearly_ better than Gandi?


OVH, DigitalOcean, Hetzner, AWS... everyone else is much better performance- and stability-wise.


AWS uses Gandi for domains


Gandi is not awful for managing domains (although they had issues with DNS management for years), but Gandi is a no-no-everything-constantly-on-fire for everything else, notably VPS and networking stacks.


Try njalla, a privacy-focused domain provider. It was founded by Peter Sunde, one of the original creators of The Pirate Bay. You can pay with cryptocurrencies and they even have a .onion domain for their website, so you can reach them over Tor.


Njalla is not a domain registrar.

They buy the domain themselves, and let you pay with Dogecoins -- possibly a good deal for the next Pirate Bay, but not what I would use for general domain registration. There is a good chance one day they will go down and take your (their!) domain with them.

From their website:

---

We're not actually a domain name registration service, we're a customer to these.

[...]

When you buy a domain in our system, we're actually purchasing it for ourselves. We will be the actual owners of the domain.


Yep, this is like going to IKEA to buy kitchen knives.


If I bought what turned out to be blunt or broken kitchen knives from IKEA, and they refused to accept a return and offer a refund, I wouldn't shop there again either.


> They don't do shady stuff of squatting on your domain searches etc.

According to other HN users, they do: https://news.ycombinator.com/item?id=22002534


I would add that their dreadful customer service extends to domains as well.

In my experience having to engage after a technical issue on their side, they were rude, argumentative, and totally unhelpful.

If you value your domains I would register them literally anywhere else.


We used them for years too, but their admin panels and tooling had too many issues. We lost access to stuff more than once and we moved to name.com at some point. Haven't had any issues on name.com, so I would not really recommend Gandi.


I would not call Gandi high-integrity folks after having seen that story of them losing customers' paid emails and telling them to restore from their own backups: https://news.ycombinator.com/item?id=22001822


A few friends of mine work there, so I'm biased obviously. But I think they're overall pretty awesome.


Bad timing here, was about to renew a few personal domains and do some DNS record maintenance.

Good luck to the ops team! Never fun on a Friday night...


It is Saturday morning in Paris :-)


We under DDoS, teams are working to mitigate the attack.


I think it is better not to share it on HN; you will receive more traffic as this is on the front page, and it could worsen the DDoS.


I would be surprised if a niche site like HN, which has a relatively small number of users, could bring down Gandi. Surely their status page is behind a solid CDN.


Their status page uses statuspage.com (owned by Atlassian).


If Gandi folks read this: I am curious to read your post-mortem analysis on this.

I was seriously thinking about bringing some domains back to LiveDNS. I am thinking that after this, you may even be a little better at your job. Transparency is key here for me, even if you messed up.


I would be really interested in a website that tracks services that are currently under attack or some sort of fire so I can follow their status updates. I love examining high stress situations like that in real time.


On the site it says """Identified - We are still targeting by a DDoS. Our teams are starting to push mitigations."""

They are the target of the DDoS, right? If so, it should be """We are targeted by a DDoS.""" It is confusing to read...


It's a French company, so the person who wrote this probably uses English as their second language.


Why would someone be DDoSing Gandi? Extortion?


It can also be a shroud for data exfiltration. As in 100GB of sensitive data traffic would be drowned in the noise of the DDoS traffic.


That would be a weird and not so subtle approach. The service has to be responsive enough to handle that 100GB of traffic, which DDoS works against. 1GB a day would be a rounding error for any established internet service, on the other hand if you get DDoS'ed, you will do at least a bit of log review.

I don't see what anyone would gain this way.


Not really. If the attacker has code execution on the target servers, they can just blast out UDP packets (with erasure coding for bonus points). The DDoS will jam up the inbound link to the target server, but the outbound link will be able to send out unacknowledged UDP packets just fine. Can make them look like DNS requests if you're paranoid.

If the attacker doesn't have code execution on the target -- in other words they just found a way to make some web server cough up data that it shouldn't -- then this won't work.


This sounds like an action movie sequence. See the sibling answer. DDoS gives people reason to look into logs/metrics. If you get caught by an automatic check, you fail either way. If not, you move from an "everything normal" scenario to "we're looking at ways to kill traffic" scenario, which is not beneficial for exfil.


You divert the time and attention of the security and ops teams; and DDoS-for-hire has made it relatively trivial to stage an attack even if you don’t have a bot net.


Sec/ops doesn't normally involve looking at live network capture snapshots all day. ("Eyes on glass" monitoring exists, but that's not for common services.) You're not distracting people from spotting exfil.

Either the company has the capacity to spot traffic anomalies like that or it doesn't. If they do, you're caught. If they don't, you're only giving them a reason to look in the logs because of DDoS. If your only issue was masking the higher network throughput, you can slow down. By starting DDoS you don't know what protections will be activated - it can be "running services in this state is useless, let's kill all of them until traffic stops". Or "there's lots of traffic to/from this AS, let's just kill that route". (it was your AS)


> Sec/ops doesn't normally involve looking at live network capture snapshots all day. ("Eyes on glass" monitoring exists, but that's not for common services) You're not distracting people from spotting exfil

No, but if the people on call are being drowned in alerts because everything is down due to the DDoS, an alert saying there's anomalous traffic (if it's even capable of detecting that during a DDoS, when all traffic would be anomalous depending on infrastructure) could be easily missed.


From my experience handling on-call during DDoS, there's not much drowning in alerts. You mute alerts about things being down. Then look at ways to drop the biggest / isolated types of traffic. Then analyse what is affected and start logging the impact. I don't believe anything would be missed: security monitors would alert different people / channels than service ops, post-incident review would look at alerts raised, any weird traffic would be looked at during "isolate and kill traffic" stage.

Volume is not the only way to notify about anomalies. Poisoned data entries / canaries, outbound traffic which should never exist, unexpected DNS queries, and many others will trigger regardless of DDoS.


You are assuming everyone has their sh*t together, which is often not the case.


Are there any precedents?


Could also be something really petty, like Gandi shutting down a malware domain.


Could be, also they could be showing off their capacity.


Can someone change the title to "We are under DDoS" for grammatical correctness? It's correct on gandi.net's site.


OP here. They corrected it later.

Screenshot I took at that time:

https://imgur.com/yeFkbCM


It gave me a nice chuckle.


I read it in Kevin Hart's voice followed by his famous "Help me!" [0].

[0] https://youtu.be/3bBahi0y970


Agreed, but it is a little insensitive.


I found it humorous that the title was insinuating they weren't DDoSing enough. What did you find insensitive about it?


Disturbing Disruption of Sentence

Disavowal? Disavowel? :)


It somehow reinforced a sense of urgency for me.


They are French... they should change it to "we are sur le ddos".


They should use Cloudflare, such a rookie mistake.


Does Cloudflare use Cloudflare?


Cloudflare, the solution for no problem... I don't believe in a DDoS without any proof. IMO they just have some performance problems to solve. I think the DDoS will magically stop after the database maintenance on Jan 25.


Look at DAnon over here

