Hetzner - DokuWiki

DDoS-Schutz/en

DDoS

In a DDoS (distributed denial-of-service) attack, an attacker will send thousands of fake requests in an attempt to exceed the bandwidth, flood a server's resources, and overload the system. By doing this, valid requests can only be processed very slowly or not at all. A massive amount of compromised computers (botnets) are often used to create a gigantic amount of data traffic.

A successful DDoS attack can cause significant downtime for web applications, websites, servers and IT infrastructure. A DDoS attack will not only seriously impact the victim. While a server is being attacked, it can also affect other servers, making them just as inaccessible during the attack and causing further collateral damage.

The security solution: DDoS protection

After completing a thorough examination of our systems' ability to resist DDoS attacks, Hetzner Online has implemented DDoS protection mitigation tools, which mainly consist of Arbor and Juniper hardware, into our network. Our three-layer system enables us to clearly distinguish between valid traffic and malicious attacks.

Figure (Ddos.png): traffic flow during regular operations

Figure (Ddos-schutz.png): traffic flow in a DDoS-protected system during an attack

The DDoS protection system is divided into the following layers:

1. Automated recognition of attack patterns

Beyond recognizing an attack by the amount of traffic or the number of packets, Hetzner Online can identify the actual attack type and react specifically to it. For example, a UDP flood at 500k pps is harmless for a server, whereas a SYN flood at 500k pps could pose a problem. Our DDoS protection tools detect precisely this kind of difference.

2. Filtering traffic for known attack patterns

This method allows us to effectively filter out the most commonly known attacks by putting them through traffic scrubbing filters. The method is especially successful at scrubbing out the following types of attacks: DNS reflection, NTP reflection, and UDP floods on port 80.
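The following is an added example, not Hetzner's code and not a description of how the Arbor or Juniper appliances work internally. It shows the idea behind the first two layers: classify aggregated flow records by attack pattern first, then apply a per-pattern packet-rate threshold, so that 500k pps of plain UDP stays below the bar while 500k pps of bare SYNs, or reflection traffic from UDP source port 53 or 123, or UDP aimed at port 80, is flagged. The flow records, the threshold values and the ten-second window are constructed for the example; real thresholds are tuned per network and per host.

```python
from collections import defaultdict
from dataclasses import dataclass

# Per-pattern thresholds in packets per second (pps). Constructed values:
# the point is that SYN packets and reflection traffic cost the victim far
# more per packet than ordinary UDP, so they get much lower thresholds.
THRESHOLDS_PPS = {
    "syn_flood": 100_000,         # each SYN can consume connection state
    "dns_reflection": 50_000,     # UDP arriving from source port 53
    "ntp_reflection": 50_000,     # UDP arriving from source port 123
    "udp_flood_port_80": 50_000,  # UDP aimed at a TCP-only web port
    "udp_generic": 1_000_000,     # plain UDP: harmless at 500k pps
}

TCP_SYN = 0x02
TCP_ACK = 0x10


@dataclass
class Flow:
    """One aggregated flow record (NetFlow/sFlow style), constructed for the example."""
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int
    tcp_flags: int    # OR of TCP flag bits seen in the flow; 0 for UDP
    packets: int
    seconds: float    # length of the observation window


def classify(flow: Flow) -> str:
    """Map a flow to a known attack pattern, independent of its volume."""
    if flow.proto == "tcp":
        # A flow of SYNs that never carries ACK is handshake traffic that
        # never completes: the SYN-flood signature.
        if flow.tcp_flags & TCP_SYN and not flow.tcp_flags & TCP_ACK:
            return "syn_flood"
        return "tcp_other"
    if flow.proto == "udp":
        # Reflection traffic is identified by the well-known *source* port
        # of the abused service, because the victim never asked for it.
        if flow.src_port == 53:
            return "dns_reflection"
        if flow.src_port == 123:
            return "ntp_reflection"
        if flow.dst_port == 80:
            return "udp_flood_port_80"
        return "udp_generic"
    return "other"


def detect(flows) -> dict:
    """Return {pattern: pps} for every pattern whose aggregate rate crosses its threshold."""
    rates = defaultdict(float)
    for f in flows:
        rates[classify(f)] += f.packets / f.seconds
    return {
        pattern: pps
        for pattern, pps in rates.items()
        if pps >= THRESHOLDS_PPS.get(pattern, float("inf"))  # unknown patterns never trigger
    }


# Constructed ten-second window: 500k pps of plain UDP, 500k pps of bare SYNs,
# 100k pps of DNS reflection and a normal established TCP session.
SAMPLE_FLOWS = [
    Flow("udp", 41234, 9000, 0, 2_500_000, 10.0),
    Flow("udp", 51000, 9000, 0, 2_500_000, 10.0),
    Flow("tcp", 1024, 443, TCP_SYN, 2_500_000, 10.0),
    Flow("tcp", 2048, 443, TCP_SYN, 2_500_000, 10.0),
    Flow("udp", 53, 33000, 0, 1_000_000, 10.0),
    Flow("tcp", 50555, 443, TCP_SYN | TCP_ACK, 4_000, 10.0),
]

if __name__ == "__main__":
    for pattern, pps in detect(SAMPLE_FLOWS).items():
        print(f"{pattern}: {pps:,.0f} pps exceeds threshold")
```

Running the block flags the SYN flood and the DNS reflection while the equally large generic UDP stream passes, which is the distinction the first layer describes; the pattern labels from `classify` are what a scrubbing stage in the second layer would key its filters on.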

3. Challenge-response authentication and dynamic traffic filtering

In this final layer, we filter out attacks in the form of SYN floods, DNS floods, and invalid packets. We are also able to flexibly adapt to other unique attacks and to reliably mitigate them.
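One way a challenge-response layer can absorb a SYN flood without allocating server state is the SYN cookie, shown below as an added example that is not Hetzner's code; the page does not say which mechanism the Arbor or Juniper devices use, so treating SYN cookies as representative is an assumption. The server encodes a keyed hash of the connection 4-tuple and a coarse time counter into the SYN-ACK sequence number and keeps nothing; only a peer that actually received the SYN-ACK can return the matching ACK, so spoofed SYNs cost no memory and ACKs with an invalid or stale cookie are the "invalid packets" that get dropped. The secret, addresses and timestamps are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

# Constructed secret; a real deployment generates a random key and rotates it.
COOKIE_SECRET = b"constructed-example-secret-rotate-me"
COUNTER_PERIOD_S = 64            # length of one cookie epoch in seconds
COUNTER_BITS = 5                 # top 5 bits of the 32-bit ISN carry the epoch
HASH_BITS = 32 - COUNTER_BITS    # remaining 27 bits carry the keyed hash
HASH_MASK = (1 << HASH_BITS) - 1
COUNTER_MASK = (1 << COUNTER_BITS) - 1


def _epoch(now: float) -> int:
    """Coarse time counter, truncated so it fits in COUNTER_BITS."""
    return int(now // COUNTER_PERIOD_S) & COUNTER_MASK


def _keyed_hash(src_ip: str, src_port: int, dst_ip: str, dst_port: int, epoch: int) -> int:
    """HMAC over the 4-tuple and epoch, truncated to HASH_BITS."""
    msg = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
           + struct.pack("!HHB", src_port, dst_port, epoch))
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def syn_challenge(src_ip: str, src_port: int, dst_ip: str, dst_port: int, now: float) -> int:
    """ISN to place in the SYN-ACK. The server stores nothing for this half-open connection."""
    epoch = _epoch(now)
    return (epoch << HASH_BITS) | _keyed_hash(src_ip, src_port, dst_ip, dst_port, epoch)


def ack_is_valid(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                 ack_number: int, now: float) -> bool:
    """Verify the handshake-completing ACK; state is allocated only when this returns True."""
    cookie = (ack_number - 1) & 0xFFFFFFFF      # the peer acknowledges ISN + 1
    epoch = cookie >> HASH_BITS
    current = _epoch(now)
    # Accept the current epoch and the previous one, so a legitimate client
    # that answers just after an epoch boundary is not rejected.
    if epoch not in (current, (current - 1) & COUNTER_MASK):
        return False                            # stale cookie: drop as invalid
    expected = (epoch << HASH_BITS) | _keyed_hash(src_ip, src_port, dst_ip, dst_port, epoch)
    # Constant-time comparison so the check itself leaks nothing about the key.
    return hmac.compare_digest(struct.pack("!I", cookie), struct.pack("!I", expected))


if __name__ == "__main__":
    # Constructed scenario: a real client completes the handshake, a stale
    # ACK and an ACK with a guessed sequence number are both rejected.
    peer = ("198.51.100.7", 40000, "203.0.113.10", 443)
    t0 = 1_000_000.0
    isn = syn_challenge(*peer, t0)
    print("legitimate ACK:", ack_is_valid(*peer, (isn + 1) & 0xFFFFFFFF, t0 + 1))
    print("stale ACK:     ", ack_is_valid(*peer, (isn + 1) & 0xFFFFFFFF, t0 + 3 * COUNTER_PERIOD_S))
    print("guessed ACK:   ", ack_is_valid(*peer, (isn + 2) & 0xFFFFFFFF, t0 + 1))
```

The 27-bit hash means a blind guess succeeds with probability about 2^-27 per packet, and the two-epoch acceptance window bounds how long a captured cookie stays usable; both are the knobs a practitioner tunes against the memory that would otherwise be spent on half-open connections.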

The technologies above support a high level of automation, which we continue to optimize step by step. We improve the system by analyzing each attack and continually adjusting our filters and responses.

How it affects customers

DDoS protection will not cause costs or prices to increase and will be available to all customers. Our system will detect DDoS attacks at all times, and its ability to recognize them will continually improve. Once an attack is recognized, the dynamic DDoS protection tools will immediately go into action and will filter out the attack. Your traffic will usually not be affected by the DDoS protection system due to its dynamic method of mitigating attacks.



© 2018 Hetzner Online GmbH. All rights reserved.