Dedicated external firewalls

This is used for general discussion that is not necessarily server-related.
StonedPenguin
New to forums
Posts: 7
https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
Joined: Sun Jan 18, 2015 1:49 pm

Dedicated external firewalls

Post by StonedPenguin »

I've been with NFO for years now and one thing I and many others who I know have always had issues with was dealing with firewall-related things.

My OS of choice is Windows, however I often find myself needing to add small filters for application-specific attacks, making Windows an impossible choice for me. In other cases I've had application-specific attacks trigger automated filters and amplify a DoS attack that wouldn't otherwise affect me. With some sort of external dedicated firewall you could have the ability to add exemptions for automated filters, add custom filters for machines on any OS and possibly even take load off the routers that usually handle filters (I'm not 100% sure on how that's set up). Down the road something like this could be expanded to extra DDoS protection or even more. All in all it'd be a good source of extra income for NFO and greatly help those who don't like, can't or don't know how to use Linux.

Could something like this ever be added? Do you think it should be added?
SupGamer
New to forums
Posts: 1
Joined: Sun Jan 10, 2016 2:25 pm

Re: Dedicated external firewalls

Post by SupGamer »

I think something like this would be extremely helpful. One of the things that turns me away from NFO is how easily your server can be null routed because of a DDOS attack. Having this sort of a firewall would be a great asset to people that want to be able to easily block attacks etc. Something server owners never want for their server is downtime. Downtime can not only affect the income of a community but it can also cause players to leave etc, only causing you (the host) to lose more money and customers. All in all I think this would be a great idea to look into and possibly implement in the future.
kraze
Former staff
Posts: 4362
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: Dedicated external firewalls

Post by kraze »

StonedPenguin wrote:I've been with NFO for years now and one thing I and many others who I know have always had issues with was dealing with firewall-related things.

My OS of choice is Windows, however I often find myself needing to add small filters for application-specific attacks, making Windows an impossible choice for me. In other cases I've had application-specific attacks trigger automated filters and amplify a DoS attack that wouldn't otherwise affect me. With some sort of external dedicated firewall you could have the ability to add exemptions for automated filters, add custom filters for machines on any OS and possibly even take load off the routers that usually handle filters (I'm not 100% sure on how that's set up). Down the road something like this could be expanded to extra DDoS protection or even more. All in all it'd be a good source of extra income for NFO and greatly help those who don't like, can't or don't know how to use Linux.

Could something like this ever be added? Do you think it should be added?

When a filter is applied it is done because it will have some type of benefit. Normally, this is for the customer, but in some cases this is to protect people on the same machine or customers at the same location from seeing the effects. Though, layer 7 attacks can be tricky, and unfortunately, there is no catch-all method for those. We're always working to improve our filtering process. In this case doing a dedicated firewall on top of what we're already doing wouldn't offer any benefit here. Cost/complexity are and will always be huge factors here. Mitigating DDoS attacks is not cheap, and a solid firewall/router capable of doing the filters you want while also being able to filter larger attacks will easily push 100K, plus a support contract of 25K. Complexity is also extremely important. A large and complex network is difficult to run/manage, so you want to keep things simple where you can.

Being known as a mitigation host is frankly not something we want, and it's extremely unlikely we'll advertise our current protection in the foreseeable future.

SupGamer wrote:I think something like this would be extremely helpful. One of the things that turns me away from NFO is how easily your server can be null routed because of a DDOS attack. Having this sort of a firewall would be a great asset to people that want to be able to easily block attacks etc. Something server owners never want for their server is downtime. Downtime can not only affect the income of a community but it can also cause players to leave etc, only causing you (the host) to lose more money and customers. All in all I think this would be a great idea to look into and possibly implement in the future.

It's actually not easy to get a server null routed here, at least when compared to other GSPs and most dedicated server providers. Most places don't filter at all and null at the sign of an attack no matter the size. The firewall mentioned above in the context that the other user wants it at would also be of no benefit to you if you're seeing nulls. It'd really only benefit you if we scrapped our current system and purchased one specifically for mitigation, and even then it may still not help as you need the bandwidth to go along with it.

If you haven't, I'd recommend reading over these KB posts on DDoS attacks and null-routes.
viewtopic.php?f=25&t=4931
viewtopic.php?f=25&t=11456
@Kraze^NFo> Juski has a very valid point
@Juski> Got my new signature, thanks!
@Kraze^NFo> Out of context!
@Juski> Doesn't matter!
@Juski> You said I had a valid point! You can't take it back now! It's out there!
StonedPenguin
New to forums
New to forums
Posts: 7
Joined: Sun Jan 18, 2015 1:49 pm

Re: Dedicated external firewalls

Post by StonedPenguin »

Having the ability to filter traffic is more than just for DDoS mitigation. You really wouldn't need anything more than a small virtual machine coupled with the simplicity of something like the firewall panel managed game servers already have to accomplish basic filtering and networking tweaks. The amount of profit you guys would make from this would far outweigh any of the costs you would incur.
kraze
Former staff
Posts: 4362
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: Dedicated external firewalls

Post by kraze »

StonedPenguin wrote:Having the ability to filter traffic is more than just for DDoS mitigation. You really wouldn't need anything more than a small virtual machine coupled with the simplicity of something like the firewall panel managed game servers already have to accomplish basic filtering and networking tweaks. The amount of profit you guys would make from this would far outweigh any of the costs you would incur.

We already have this ability, and have exposed what we can to customers via the "Firewall" tab in their control panel. Also, doing what you want via virtual servers wouldn't be too helpful as it'd be limited on the amount of traffic it could afford. This also touches on the cost/complexity I mentioned above.
StonedPenguin
New to forums
Posts: 7
Joined: Sun Jan 18, 2015 1:49 pm

Re: Dedicated external firewalls

Post by StonedPenguin »

kraze wrote: When a filter is applied it is done because it will have some type of benefit. Normally, this is for the customer, but in some cases this is to protect people on the same machine or customers at the same location from seeing the effects.
kraze wrote:
StonedPenguin wrote:Having the ability to filter traffic is more than just for DDoS mitigation. You really wouldn't need anything more than a small virtual machine coupled with the simplicity of something like the firewall panel managed game servers already have to accomplish basic filtering and networking tweaks. The amount of profit you guys would make from this would far outweigh any of the costs you would incur.
We already have this ability, and have exposed what we can to customers via the "Firewall" tab in their control panel. Also, doing what you want via virtual servers wouldn't be too helpful as it'd be limited on the amount of traffic it could afford. This also touches on the cost/complexity I mentioned above.

My suggestion is more targeted at dedicated servers which don't have any "Firewall" tab unless you go managed. Adding a filter/null route/whatever to protect the whole location is understandable, but to block Source Engine queries, for example, will make that specific DoS attack effective when it can be mitigated with a module or program.

What if I need to block one specific small PPS attack you guys don't automatically filter? You won't add a filter when requested, and not all OS's will support adding one either.

As for cost something like this could easily be a $20+ a month addon depending on capabilities while utilizing hardware that you guys normally sell for $8.
kraze
Former staff
Posts: 4362
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: Dedicated external firewalls

Post by kraze »

StonedPenguin wrote:My suggestion is more targeted at dedicated servers which don't have any "Firewall" tab unless you go managed. Adding a filter/null route/whatever to protect the whole location is understandable, but to block Source Engine queries, for example, will make that specific DoS attack effective when it can be mitigated with a module or program.
What if I need to block one specific small PPS attack you guys don't automatically filter? You won't add a filter when requested, and not all OS's will support adding one either.

Eventually, we'll likely allow customers to interact with our mitigation system directly and allow all services to place rules for their IP at a router level, though that's a long-term goal. Source Engine attacks like the one you're referring to are mimicking legitimate traffic, and there is not going to be an easy way to mitigate those. Without a much more advanced and complex system your options are basically block entirely or rate-limit. Generally though, if you're seeing an attack our system isn't detecting you can contact us and we'll work with you as much as we can to block it.

StonedPenguin wrote:As for cost something like this could easily be a $20+ a month addon depending on capabilities while utilizing hardware that you guys normally sell for $8.

The backend cost would unfortunately be much, much higher.
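Added example (not part of the thread and not NFO's filtering code): a sketch of the "rate-limit" option from the reply above, applied only to Source Engine A2S_INFO queries, showing why a per-source limit contains a single flooding address while queries arriving from many sources can only be capped globally, which also drops a real player's query. The rates, bursts, addresses and traffic are constructed assumptions; the query bytes follow Valve's server query protocol.

```python
from collections import defaultdict

# A2S_INFO request: 0xFFFFFFFF header, 'T', then this fixed string.
A2S_INFO = b"\xff\xff\xff\xffTSource Engine Query\x00"

class TokenBucket:
    """Integer token bucket: time in ms, tokens in 1/1000ths, so results are exact."""
    def __init__(self, rate_per_s, burst):
        self.rate, self.cap = rate_per_s, burst * 1000
        self.tokens, self.last = self.cap, 0

    def allow(self, now_ms):
        # Refill for the elapsed time, then spend one token if available.
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

class QueryLimiter:
    """Rate-limits A2S_INFO queries only; other game traffic passes untouched."""
    def __init__(self, per_src=(2, 4), total=(50, 100)):  # (rate/s, burst), assumed values
        self.per_src = defaultdict(lambda: TokenBucket(*per_src))
        self.total = TokenBucket(*total)

    def decide(self, src_ip, payload, now_ms):
        if not payload.startswith(A2S_INFO):
            return "pass"
        if not self.per_src[src_ip].allow(now_ms):
            return "drop-src"
        if not self.total.allow(now_ms):
            return "drop-global"
        return "answer"

def simulate(packets, limiter=None):
    """packets: (time_ms, src_ip, payload) tuples; returns a count per verdict."""
    limiter = limiter or QueryLimiter()
    counts = defaultdict(int)
    for now_ms, src, payload in sorted(packets):
        counts[limiter.decide(src, payload, now_ms)] += 1
    return dict(counts)

# Constructed traffic, 1000 packets over one second each (not a real capture).
one_source = [(ms, "198.51.100.7", A2S_INFO) for ms in range(1000)]
many_sources = [(ms, f"10.{ms >> 8}.{ms & 255}.1", A2S_INFO) for ms in range(1000)]
player = [(500, "203.0.113.10", A2S_INFO), (600, "203.0.113.10", b"\x00gameplay")]
```

With one flooding address, `simulate(one_source + player)` answers the player's query and drops 995 of the flood; with `many_sources + player` the player's query falls to the global cap along with most of the flood.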
mananee
New to forums
Posts: 3
Joined: Sun Aug 23, 2015 10:50 pm

Re: Dedicated external firewalls

Post by mananee »

not all OS's will support adding one either.