DDoS mitigation / virtual LAN

  • Hi!

    I just ordered a few root servers which I will use for a Kubernetes cluster. I am going to use this for a standard web application, and I am wondering about Netcup's DDoS mitigation. So far I've been using Cloudflare but I'm not too happy with the added latency so I would like to use it only for static assets with a dedicated domain, and have requests for dynamic content served by my servers directly, since TTFB is a lot better without a proxy in between.

    This will mean that I cannot benefit from Cloudflare's DDoS mitigation. How good is Netcup's? What kind of attacks can it mitigate? It's a standard app which is unlikely to attract attacks, I think, but these days better safe than sorry.

    Together with the servers I also ordered a virtual 1Gb/sec LAN to connect them. Can anyone confirm if this is a truly private network? I wouldn't want to use encryption between the servers since this slows things down considerably.


  • Regarding Netcup's DDoS protection I cannot tell you anything helpful for your decision. I never noticed a DDoS on my services in the last 4 years - but just use the forum search, some other users noticed attacks. Nobody like me not noticing any attacks will ever submit a forum post like "glad to have Netcup's DDoS protection", but every single customer having any performance/(D)DoS issue will likely fire up a new forum post complaining about being a victim.

    What I noticed is that there was a discussion about "UDP DDoS traffic" which seems not to be detectable / filtered by Netcup's DDoS infrastructure. As you seem not to speak German and machine-based language translation probably will not provide you the information that the referenced forum thread author seems to be a very young and/or inexperienced person (disclaimer: this is just my personal view, based on the style of writing), I would suggest focusing on the postings of "[netcup] Felix" in this thread, which give some insights you may like to read.

    Regarding Cloudflare and latency: A "standard web application" will not noticeably suffer from the "Cloudflare latency". But as you seem to have a certain type of web application where latency is a key indicator, I would suggest:

    1. prepare and test your setup for Cloudflare (or a similar service)

    2. disable Cloudflare for regular (day to day, high-performance) service usage

    3. re-enable Cloudflare in the case of a DDoS to provide additional protection "on demand"

    4. automate the switch between Cloudflare enabled / disabled to make it as easy and trivial as possible for you to quickly add additional protection in case of need

  • Hi gunnarh! And thanks for your reply. Regarding the vLAN, by private I mean that nobody can intercept the traffic between my servers or something like that, since I need database and storage replication between them in my Kubernetes cluster. Is this the case with Netcup's vLAN? Thanks!

  • Define "nobody can intercept" please.

    And: Is passive eavesdropping OK but interception is not?

    Who is "nobody"? Other Netcup customers? Everyone? Nobody but Netcup?

    Of course at least Netcup could technically do both, passive eavesdropping as well as active interception.

    Other Netcup customers having control over virtual machines should not be able to do eavesdropping or active interception that easily. Other Netcup customers having access to a physical network port (e.g. customers which are renting a physical server) shouldn't have an easy possibility to do eavesdropping or interception either, but I think for them it is only the L2 network environment protecting your encapsulated Ethernet frames, with a very low guarantee regarding this request (e.g. typical attacks in L2 networks like ARP spoofing or flooding the SAT tables etc. are maybe not 100% mitigated).
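As an added illustration (not code from anyone in this thread) of how a cluster operator on a shared vLAN could at least notice the ARP spoofing mentioned above: the script below reads ARP reply records in an assumed "timestamp ip mac" line format (the sample lines are constructed) and flags an IP whose MAC changes, as well as one MAC answering for more hosts than expected.

```python
"""Spot ARP-spoofing symptoms on a shared L2 segment (added example).

Input: one ARP reply per line as "<unix_ts> <ip> <mac>" (an assumed
format; in practice it would come from arpwatch-style logging or a
parsed capture). Output: a list of (kind, subject, detail) findings.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class ArpReply(NamedTuple):
    ts: int
    ip: str
    mac: str


# Constructed sample: three Kubernetes nodes answer normally, then a
# fourth MAC starts answering for all three node IPs.
SAMPLE_LOG = """\
1700000000 10.0.0.11 52:54:00:aa:00:11
1700000001 10.0.0.12 52:54:00:aa:00:12
1700000002 10.0.0.13 52:54:00:aa:00:13
1700000060 10.0.0.12 52:54:00:AA:00:12
1700000120 10.0.0.11 52:54:00:ee:ee:ee
1700000121 10.0.0.13 52:54:00:ee:ee:ee
1700000122 10.0.0.12 52:54:00:ee:ee:ee
"""


def parse_arp_log(text: str) -> List[ArpReply]:
    """Parse records; MACs are lower-cased so case differences don't alert."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        out.append(ArpReply(int(parts[0]), parts[1], parts[2].lower()))
    return out


def detect_arp_anomalies(replies: List[ArpReply],
                         max_ips_per_mac: int = 2) -> List[Tuple[str, str, str]]:
    """Flag IP->MAC changes and MACs claiming too many IPs (chronological)."""
    last_mac: Dict[str, str] = {}
    ips_by_mac: Dict[str, Set[str]] = defaultdict(set)
    findings: List[Tuple[str, str, str]] = []
    for r in sorted(replies, key=lambda x: x.ts):
        ips_by_mac[r.mac].add(r.ip)
        prev = last_mac.get(r.ip)
        if prev is not None and prev != r.mac:
            findings.append(("ip_moved", r.ip, f"{prev} -> {r.mac} at {r.ts}"))
        last_mac[r.ip] = r.mac
    for mac, ips in ips_by_mac.items():
        if len(ips) > max_ips_per_mac:
            findings.append(("mac_claims_many", mac, ",".join(sorted(ips))))
    return findings
```

Running `detect_arp_anomalies(parse_arp_log(SAMPLE_LOG))` reports three moved IPs and one MAC claiming all three addresses; a legitimate failover that re-homes one IP would show a single "ip_moved" entry, which is why the two signals are kept separate.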