Hacker News
by sdogruyol 4643 days ago
Hello Ben, thanks for the response. First of all, in the first ticket I told you that the only possibility of outgoing UDP is that script that I wrote.

Other than that, I have no other activity or script that can generate that much traffic. Haven't you even considered that my droplet may be compromised or under attack?

Instead of letting me know what exactly happened or which processes were running at that time you just locked the account and accused me.

Couldn't you even look at the access logs or similar to see which IPs log in to the droplet, and then take your action later instead of closing it instantly?

5 comments
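The kind of check the poster is asking for (which source IPs actually logged in to the droplet around the time of the incident) is straightforward to run against sshd's auth log. The following is an added example written for this page, not code from the thread or from DigitalOcean. It parses constructed sample lines in the standard syslog/sshd format (addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24; the hostname `droplet` and the allowlist of known operator IPs are assumptions). It goes slightly beyond the question by also flagging the pattern that most often precedes a hijacked box: failed password attempts from an IP followed by a successful login, or a root login by password.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in sshd/syslog format; not taken from any real droplet.
SAMPLE_AUTH_LOG = """\
Sep  7 23:40:12 droplet sshd[1021]: Accepted publickey for deploy from 203.0.113.10 port 52111 ssh2
Sep  8 00:12:03 droplet sshd[1187]: Failed password for root from 198.51.100.77 port 40122 ssh2
Sep  8 00:12:05 droplet sshd[1187]: Failed password for root from 198.51.100.77 port 40122 ssh2
Sep  8 00:12:09 droplet sshd[1190]: Failed password for invalid user admin from 198.51.100.77 port 40130 ssh2
Sep  8 00:41:55 droplet sshd[1302]: Accepted password for root from 198.51.100.77 port 40981 ssh2
Sep  8 00:58:23 droplet sshd[1302]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# "Accepted <method> for <user> from <ip> port ..." as logged by OpenSSH.
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\d+\.\d+\.\d+\.\d+)")
# "Failed password for [invalid user ]<user> from <ip> port ..."
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def successful_logins(log_text):
    """Return {source_ip: [(user, auth_method), ...]} for every accepted sshd login."""
    logins = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            logins[ip].append((user, method))
    return dict(logins)


def failed_attempts(log_text):
    """Return a Counter of failed password attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def suspicious_sources(log_text, known_ips):
    """Flag source IPs that logged in successfully and are either not in the
    operator's known set, succeeded after failed attempts, or used a root password."""
    logins = successful_logins(log_text)
    failures = failed_attempts(log_text)
    flagged = {}
    for ip, entries in logins.items():
        reasons = []
        if ip not in known_ips:
            reasons.append("unknown source IP")
        if failures.get(ip, 0) > 0:
            reasons.append(f"{failures[ip]} failed attempts before success")
        if any(user == "root" and method == "password" for user, method in entries):
            reasons.append("root password login")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    # Assumed allowlist: the operator's own address.
    known = {"203.0.113.10"}
    for ip, reasons in suspicious_sources(SAMPLE_AUTH_LOG, known).items():
        print(ip, "->", "; ".join(reasons))
```

On a real host you would feed it the contents of /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (CentOS); the parse is by pattern, so the leading timestamp format does not matter. A login from an unknown IP shortly before the malicious traffic started is the first thing to check before blaming your own script.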

Most cheap VPS providers would not do that much work to decipher the root cause of the problem. When you have a server sending 1Gbps of traffic, it's easier to shut it down than to tail log files to figure out the cause. Digital Ocean can't do that for every customer that pays $5 a month. If you want high-level support, you should have picked a mid-level VPS like Rackspace.
Looks like they looked at the code and determined it could not be UDP from your script.

I think they did consider your droplets to be compromised.

I think the issue here is that they have to assume that the droplet owner is the malicious party: if they don't lock your account, they can't stop you from creating more droplets.

I think you may have a point that they did not clearly explain to you why your account was locked.

However, this incident makes me more likely to continue using Digital Ocean. With the new private networking they have in NYC2, I for one am thrilled that they do this kind of proactive monitoring.

Unmanaged = Your responsibility

My server went down with DO many times at first. It was a problem with a CentOS package, but it was indeed my responsibility to fix it.

You are responsible for securing your server.

According to Ben's account, they did suggest to you that the droplet might be compromised. That is what they believed to be the case.
I was also tremendously happy with DO and their service. But what if your production apps get taken down without any notification or proper reasoning? That's the thing that makes you feel insecure.
They did notify you.

>Our monitoring picked up a malicious UDP traffic pattern on 2013-09-08 00:58:23. A ticket was then opened with the customer at : 2013-09-08 01:05:55 roughly 7 minutes later.

Also, you should do a better job securing your server. It seems like the server was compromised.

If you have a production app, it would make sense for you to implement HA; then you wouldn't have to worry about a single server getting hacked.

What proper reasoning do you need? If your server is hacked, it makes sense to shutdown the server, or disconnect it from the network completely. You can extract the data at a later time.

What if your server was hacked, then started serving up child porn? Would you be okay with having the server continue running?

I'm sympathetic to your frustration — but when your box is owned and actively participating in illegal activity, you kind of have to expect it to get shut down.
The only thing that feels insecure here is your VPS.