Worth it to pay for an anti-DDoS service?

[PenguinManiac]

Most hosting plans include free Cloudflare (anti-DDoS, among the other things) for a year until renewal, but later give it up and force you to choose to either pay for it to keep it or to give it up.
Does the average website really need such a protection, though? Wouldn't it be better to just buy it once you start to cruch bigger numbers (thus increasing the risk of appeal to bored hackers and run a greater risk of being brought down)?

 

[tim_cloudcone]

Having an anti-DDoS service is always a good idea. But I don't think you need DDoS protection for websites with very few visitors. That doesn't mean you won't be getting any attacks, but the damage might be far less than of a high traffic website. And it's also less likely to get attacked if you're website isn't that popular. It's hard to believe that some random attacker will spend any time trying to DDoS attack a small website. Unless someone's trying to target you specifically for some reason. So no I don't think you need to spend money on DDoS protection for small/average websites.

But something like Cloudflare is always nice to have. And I don't think you need to go through your hosting company to get it. You can manually set it up and use it forever for free. And their free service is really good.

 

[PenguinManiac]

PenguinManiac

I didn't know they had a free service, I've found out about it just now, thanks! Yeah, it's amazing what they offer for free, and it's weird to see that hosting services make it looks as if you should be paying for it. They even give you free SSL with them! (albeit mentioned as "limited SSL", so I'm pretty sure you won't get a certificate for it, but it will still make your website secure).

 

[tim_cloudcone]

tim_cloudcone

Yeah they give you free "SSL". And yeah you don't get a certificate. I think you have to add a self signed certificate from your side. What happens is, as all your traffic goes through Cloudflare, they'll use their own certificate for your domain. But SSL is only applied between your visitor and the Cloudflare server. The connection between the Cloudflare server and your own web server is not secure.

I'd recommend using Let's Encrypt. They offer free SSL certificates and it's a very popular service. If your web host uses cPanel, chances are you'll be able to add it right from cPanel. It's even sponsored by companies like Facebook and Google (Google Chrome) and I've been using it for nearly 2 years now.

 

[PenguinManiac]

PenguinManiac

I'm not much privy to the technical details about it. Does this mean that the connection is not actually secure because just half of it is encrypted? Is it a "fake" SSL connection (just promoted to get more customers) or is it actually secure, just not as much as with other services?
It's great to know you can actually get free SSL certificates, though. This could be even more useful than getting to know about Cloudlflare free services, thanks! I often see SSL certificates promoted around for fairly high prices, so i just assumed it was something only big companies did.

 

[Unknown]

Extra protection is never bad but I don't think that it's necessary right at the start because who's going to bother to DDoS or hack your website? Nobody. Why would they waste time on some small blog when they can gain actual valuable information from much larger websites...

So unless you have a really good and popular website, with constant daily traffic, I don't think that DDoS protection is a must. If you have the spare funds, sure you can get it but otherwise, invest into first making it popular.

I think DDoS protection is far more important for websites that revolve around customers purchasing things online - e-commerce.

I've read about the Google's free DDoS protection services called Project Shield. But they only accept specific websites.

 

[PenguinManiac]

PenguinManiac

Oh, wow, that's another one I hadn't heard about. Reading about it, it seems they only offer that service to particular websites that need security more than others, like the ones that deal with elections, news or donations. It would be amazing to have such a service for free for everyone, but if it's for good intentions then I can't exactly complain. Still good to know about it, though, thanks!

 

[tim_cloudcone]

I'm not much privy to the technical details about it. Does this mean that the connection is not actually secure because just half of it is encrypted? Is it a "fake" SSL connection (just promoted to get more customers) or is it actually secure, just not as much as with other services?

Sorry, now that I think about it, I might be wrong about it not being secure. Don't quote me on this but I think the entire connection might be encrypted. I last used Cloudflare free SSL about 3 years ago and as I remember, I had to create a self signed certificate on my server. If that's the case, it means the entire connection is encrypted. It just means the connection between Cloudflare and your server isn't using a certificate signed by a recognized certificate authority.

But anyway, always go for Let's Encrypt over Cloudflare free SSL. It's easier to set up than creating a self signed certificate on your server for Cloudflare free SSL.

It's great to know you can actually get free SSL certificates, though. This could be even more useful than getting to know about Cloudlflare free services, thanks! I often see SSL certificates promoted around for fairly high prices, so i just assumed it was something only big companies did.

Yeah I think standard SSL certificates are way overpriced. The main purpose of a standard SSL certificate should be to encrypt the connection. But most of the time it's promoted and used as a way to verify the identity of a website. That's the purpose of EV SSL (Extended Validation certificate) which are even more expensive. You can only get an EV certificate after verifying your identity with a certificate authority. So I think whoever created Let's Encrypt has got the right idea.

 

[virtubox]

virtubox

You are making a confusion between encryption and certificate validation. Even a self-signed certificate provide the same encryption than a certificate validated by a certificate authority.
And it's not needed anymore to generate a self-signed certificate with Cloudflare, you can generate a cloudflare origin certificate directly from your dashboard, and install it on your server. This certificate is generated by cloudflare and will provide an end-to-end encryption.
The main difference is the validity, cloudflare certificate are valid for 15 years.

Anyway, there is no need to pay for a DDoS protection, and if Cloudflare is able to filter a part of the attacks, it's your hosting providers job to provide you a DDoS protection without charging you for that.

 

[Judas2018]

Judas2018

Correct. Your hosting provider is supposed to have a system set up to protect your site from DDoS attacks. Considering how your site is being hosted by said web host, and is on said web host's server? It is in their best interest to protect your site from these attacks because you're a customer paying a monthly fee, to use their services. Not to mention those attacks not only affect your site directly, but the web host as well. Er go, they can't do anymore business as long as they're under attack just like you can't. So it's not your job to add extra protection. If you want to? It's your call, but ultimately 99% of this responsibility falls upon the shoulders of your web host.

 

[PenguinManiac]

Sorry, now that I think about it, I might be wrong about it not being secure. Don't quote me on this but I think the entire connection might be encrypted. I last used Cloudflare free SSL about 3 years ago and as I remember, I had to create a self signed certificate on my server. If that's the case, it means the entire connection is encrypted. It just means the connection between Cloudflare and your server isn't using a certificate signed by a recognized certificate authority.

But anyway, always go for Let's Encrypt over Cloudflare free SSL. It's easier to set up than creating a self signed certificate on your server for Cloudflare free SSL.

Yeah, Let's Encrypt seems much better for what it does. If you only want a SSL certificate, there's no reason to go with more steps than necessary with Cloudflare (even though its other services are indeed useful). Plus, I can't deny that being sponsored by Google and Facebook is the icing on the cake.

Yeah I think standard SSL certificates are way overpriced. The main purpose of a standard SSL certificate should be to encrypt the connection. But most of the time it's promoted and used as a way to verify the identity of a website. That's the purpose of EV SSL (Extended Validation certificate) which are even more expensive. You can only get an EV certificate after verifying your identity with a certificate authority. So I think whoever created Let's Encrypt has got the right idea.

Exactly. I think that introducing them for major companies, e.g. banks or payment processing companies, was for the best, since you want to be 100% sure you can trust the website with sensible information there. However, that's unnecessary and harmful for smaller websites, since high prices cut them out from having secure connections to protect their users. Let's Encrypt is truly a blessing.

 

[vishwa]

If your site have low amount of visitors than there is no necessary of buying DDOS protection. However if you are in a competitive niche than you might opt for this because in most cases DDOS attack have been done by competitors.

 

[harrygreen90]

Worth it to pay for an anti-DDoS service?

Yes it is worth buying a DDOS service because when your website is under a DDOS attack, your website is down and your business is too. I have ever got DDOS attacks on my website and it make everything on my website interrupted (visitors can not view my website and I could not work on it)

 

[hostslim]

You can answer your own question: What does it cost to be offline for a day due to a DDoS attack (or longer?) and what does it cost to have protection. That should answer your question and I'm pretty sure you will start looking at DDoS mitigation/protection solutions. It will cost you a few hundred dollars a month as an enterprise to be protected.