
My hoster wouldn't take me down though.

Instead it will protect me for free:

https://www.hetzner.com/unternehmen/ddos-schutz



In my experience Hetzner DDoS protection doesn't work.


As long as the hoster doesn’t actively make things worse by disconnecting you, any further help is just a happy accident. The bar is very low.


Yeah I suppose by "doesn't work" I should clarify that maybe it is doing something and preventing some attacks, and that it doesn't take down my server. With that being said, it has certainly failed to mitigate attacks on numerous occasions that cf would've.


That's not making things worse - that's just what the DDoS achieved anyway, but without harming anyone else.

In either case you just wait for the attacker to reach daddy's credit card limit and then your site is back up.


No, in the cases 'throwaway150 and I are talking about, your site is not back up. You (hopefully) got an email in your inbox saying your hosting provider has decided to take your website offline because of anomalous traffic or whatever, and after the attack ends you’ve got at least a couple of days of back and forth with support ahead of you before your downtime is actually over.


So until daddy's credit card runs out, plus two days. A shame, but it still doesn't cause meaningful harm.

Or get a different provider. Some are faster to respond. I had a false positive DDoS detection from netcup once (I was scraping an FTP site in active mode) and they automatically routed my IP through a DDoS scrubbing service, and automatically stopped that when an attack was no longer detected. I don't know what they have set up to be able to reroute a single IP globally like that - they agreed with some of their upstreams, to allow the occasional /32 for DDoS protection purposes.


I'm less scared of the hoster pulling down your site - not the end of the world - than deciding to charge you bandwidth fees for all the MS-DOS attacks. The former presumably has no financial impact; the latter, potentially brutal.


What is an MS-DOS attack?

Off-topic, but there are six different people using the word "hoster" in this thread. I've never heard that word used instead of "host" or "hosting service" before, and yet here it's somehow prevalent. I feel like I'm having a stroke, or I just stepped into an alternate universe. Where did you all pick up that word?


This happens often in comment threads, one comment uses an uncommon word and the entire thread goes along with it.


That's just English being irregular. One that hosts websites should be called a hoster in principle :)


Host is both a noun and a verb. (The host can host a party.)

Hoster is new to me too.

But I get it as a pattern. (If you dine at the party then you are a diner.)


Considering there are probably near-zero MS-DOS machines online these days, I expect their attacks wouldn't cost very much.


On the other hand, based on supply v. demand I'd expect an MS-DOS attack to be pretty expensive these days :)


This!! Everyone seems to "really need" that unlimited scalability of AWS & Co - but they'll happily scale your compute and the bill for you.

Sure maybe you'll get lucky and they waive it.

But sometimes going down is a feature if you're not a multi m/billion dollar business


Has anybody made a benchmark of different cloud providers and how they respond to DDOS?


This is too naive, sorry. Hetzner will disconnect (and ban you if the DDoS is too long), same as OVH. It works mostly for brutal UDP flooding, but sophisticated attacks such as a swarm of Puppeteers hosted on infected machines by the millions will not be protected; those "new DDoS mode" are offered by most DDoS providers.


Cloudflare will disconnect you from their free plan just as quickly.

Especially when you are facing "infected machines by the millions".


Likely true, but now you can go back to the original statement: the issue isn't really that the service isn't available for a while... It's that the hoster will remove your server.

Your server will keep existing if Cloudflare just drops their free service, effectively going down for the DDoSers but still available for your own access directly.


Except that Cloudflare is geared towards DDoS protection - i.e. you can monitor, get alerts, turn on temporary protection, etc. It can do this because that's its main business. It's not possible to have the same expectations from infra providers like Hetzner.


I don't think Cloudflare's main business is DDoS protection.


Citation needed. I know folks using the free plan that have gotten DDoS'd and Cloudflare kept them online. Can you point me to an article where Cloudflare disconnected someone for getting attacked?


They definitely used to do this ca. 2011-2012, any bigger attack and they'd drop you right away if you were on a free plan (and slightly slower if you weren't). But well, that was almost 15 years ago.


Evidence?


Handled hundreds of dedicated servers for different projects over the last 20 years. Yes, OVH literally does ban accounts, and Hetzner null-routes your service at first if it's an elaborate attack.


It's funny because Hetzner was infamous for null routing on the slightest DoS back in the day. Have they improved?


That's DDoS protection....



