by sdogruyol 4643 days ago
Being attacked or even getting compromised is the customer's fault? Okay, I get that. But what about closing the account instantly, not notifying the customer, accusing that customer of being a cheap liar, and treating them badly?
6 comments

Suspending -- what was done in the first instance -- a system which is engaging in an apparent DDoS is a perfectly reasonable action.

Locking the account when the explanation given is inconsistent with the observed behavior it was supposed to explain, and the system is again engaging in an apparent DDoS, is also a perfectly reasonable action.

It also seems from your posts that both times you were notified of the action by DO, so "not notifying the customer" is not an issue.

I don't see any evidence you were accused of being a "cheap liar", either.

The fact that services now make it cheap and easy to set up servers doesn't mean that you have no responsibility for what the servers you set up do. If you are really running a service with 25K active users, you probably ought to be able to respond to your VPS host's questions about unusual UDP activity with either an explanation that holds water, or an up-front admission that you don't know where it is coming from and will take action to prevent it, rather than claim it comes from a database dump script that doesn't use UDP.
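The check this comment is asking for, written out as an added example (it is not code from the thread, from the poster, or from DigitalOcean): given per-packet flow records for the droplet, it measures how much of the observed traffic a "MySQL dump pushed to Dropbox" story (TCP to port 443) could account for, and separately looks for the burst pattern an abuse desk would see in a UDP flood: a high packet rate towards one destination, sprayed from many source ports. The record format and the sample records are constructed for the example, and every address is an RFC 5737 documentation address; a real check would feed it `conntrack`, sFlow or pcap output instead.

```python
"""Does the observed traffic match the customer's explanation?

Added example, not tooling from the thread or from any hosting provider.
It consumes constructed per-packet records of the (hypothetical) form
    <epoch_seconds> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes>
All addresses below are RFC 5737 documentation addresses.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


def parse_flows(text):
    """Parse one record per line; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, arrow, dst, nbytes = line.split()
        if arrow != "->":
            raise ValueError(f"malformed record: {line!r}")
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append(Flow(int(ts), proto.lower(), src_ip, int(src_port),
                          dst_ip, int(dst_port), int(nbytes)))
    return flows


def claim_coverage(flows, proto, dst_port):
    """Fraction of observed bytes the customer's explanation accounts for.

    A database dump uploaded to Dropbox is TCP to port 443; it cannot
    explain a single UDP byte, so UDP-heavy traffic drives this towards 0.
    """
    total = sum(f.nbytes for f in flows)
    if total == 0:
        return 0.0
    explained = sum(f.nbytes for f in flows
                    if f.proto == proto and f.dst_port == dst_port)
    return explained / total


def flood_suspects(flows, min_pps=1000, min_src_ports=100):
    """Flag (proto, dst_ip, dst_port) triples that look like a flood: at
    least min_pps packets in some one-second bucket, sent from at least
    min_src_ports distinct source ports (a backup job uses a handful)."""
    per_sec = defaultdict(lambda: defaultdict(int))   # dst -> ts -> packets
    src_ports = defaultdict(set)                      # dst -> source ports
    for f in flows:
        key = (f.proto, f.dst_ip, f.dst_port)
        per_sec[key][f.ts] += 1
        src_ports[key].add(f.src_port)
    suspects = []
    for key, buckets in per_sec.items():
        peak = max(buckets.values())
        if peak >= min_pps and len(src_ports[key]) >= min_src_ports:
            suspects.append({"proto": key[0], "dst": f"{key[1]}:{key[2]}",
                             "peak_pps": peak,
                             "src_ports": len(src_ports[key])})
    return sorted(suspects, key=lambda s: -s["peak_pps"])


def assess(text, claim_proto="tcp", claim_port=443):
    """Run both checks over a text of flow records."""
    flows = parse_flows(text)
    return {"claim_coverage": claim_coverage(flows, claim_proto, claim_port),
            "suspects": flood_suspects(flows)}


# Constructed sample: three 1 MiB TCP/443 transfers (the backup the customer
# described) followed by a two-second UDP burst, 1500 packets per second,
# aimed at one target from 3000 different source ports.
SAMPLE = "\n".join(
    [f"137996790{i} tcp 192.0.2.10:5123{i} -> 198.51.100.7:443 1048576"
     for i in range(3)]
    + [f"{1379967903 + i // 1500} udp 192.0.2.10:{20000 + i}"
       f" -> 203.0.113.9:80 1400" for i in range(3000)]
)

if __name__ == "__main__":
    result = assess(SAMPLE)
    print(f"claimed backup explains {result['claim_coverage']:.0%} of bytes")
    for s in result["suspects"]:
        print("flood suspect:", s)
```

On the sample the backup story covers well under half of the bytes, and the only flood suspect is the UDP target; that is the inconsistency the provider pointed out. The thresholds are deliberately crude: a burst of 1000 packets per second from 100 source ports is far above anything a dump script produces, but a real abuse desk would look at sustained rate over minutes, not a single second.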

Sadly, suspending a system which is the target of a DDoS is the only action an ISP can take. Even if you're not DDoSing anyone but are merely the target, you'll get suspended, assuming you're not paying enough to make it worth it for the ISP.
Sounds like they gave you plenty of chances to check it out:

""" We informed the customer that it may be a good idea to check through the virtual server to see if there were any signs of a compromise just in case """

In fact, from the dates listed, it looks like you had over two weeks to check for compromise. Even then, it seems like they tried to talk to you before just closing your account:

""" A second UDP pattern was detected on 2013-09-24 12:27:09 and a ticket was opened 2013-09-24 12:27:14 to request more information from the customer. Because this was already a second occurrence we had to do a more thorough follow up. Discussing the matter with the customer, he informed us that it was a mysql db dump script that was pushing data to dropbox. """

> But what about closing the account instantly, not notifying the customer, accusing that customer of being a cheap liar and treating them in a bad way?

I know this can be difficult, but it's important to understand the difference between calling someone a liar and pointing out that what is being claimed does not match reality.

DO has to take action to protect their reputation, their other customers, and whoever is the target of the potentially malicious attack. If they have empirical evidence of this attack, then they must take action. When you attempted to explain what you thought was the source of the traffic, they took the time to show (in detail) why that was not the case. This is not the same as calling you a liar. It is calling you incorrect, but these are two very different things.

You can be incorrect and not be a liar. That's a valuable lesson to learn if you intend to work in a technical field. If I were you, I'd try to take a step back. Take a couple of days off and come back to the issue. Try to understand why everyone is siding with DO on this, and resist the urge to immediately believe that everyone is against you.

According to Ben, they did notify and talk to you about the issue.
Perhaps they can't tell if the customer was running the attack or not. It's kind of similar to someone buying and selling drugs in your house: it's your house, so you take some heat when it happens in your home. Not sure it was the right thing or wrong, but I am sure they have to shut you down at least on that one instance to protect themselves as well as anyone else using their service.
You know what, they stopped answering my ticket after the first response. If it weren't for the HN post gaining this much traction, I'm pretty sure they wouldn't have responded to me.
They responded to you 7 minutes after discovering the irregular behavior. It's up to you to figure out the cause. It's not their responsibility to tail log files.

Had you chosen a VPS like Amazon, you probably wouldn't even get notified. The first time you'd notice a problem is when you get your $1000 bandwidth bill from Amazon.

You're like the customer that shows up at a restaurant and complains publicly about the food and demands a refund. When you make it a public issue, the company will move mountains to help you, but you're still an asshole for doing it.

They notified me of what? They closed my account first and then mailed me afterwards? It's like killing a man first and then giving the reason why.
If the account can reasonably be considered to be abusive (whether intentionally or because it was compromised), DigitalOcean has an even greater obligation to protect their network and the other network that's being targeted. Immediately suspending the account is the correct first step.

If DigitalOcean's support wasn't clear about their reasons for suspending the account, or if you feel that you weren't getting a helpful response from them, then post the communications you had with them to prove it.

Well, we've now heard two different stories. According to Ben, there were two events. The first time, they took your server offline and contacted you to tell you about it; they did not, however, lock your account. When the second event occurred, with you being unable to provide a reasonable explanation and apparently being unable to deal with whatever compromise occurred, they took the system down again and this time also locked your account.

Your explanation of the events only mentions a single occurrence, at which time your account was locked in addition to the server being shutdown.

In either case, a server engaging in malicious activity is normally taken offline as soon as the malicious activity is discovered, to prevent further damage from occurring. You'd get a similar response from just about any other hosting provider you care to name. If you're lucky, and they're feeling generous, they might work with you to find the problem prior to taking the system offline, but normally standard procedure is to take the system offline immediately. The fact that you seem surprised about this shows you don't have much experience administering your own servers.

The standard response usually goes something like:

1) Server is discovered doing something malicious

2) Server is taken offline/shutdown

3) Administrator is notified

3a) Read only copy of the old server HD is brought online on a new server to allow administrator to perform forensic and backup work*

4) Administrator must bring up new server to replace old compromised one

*Sometimes the provider will provide you the old HD image, sometimes not, really depends on the provider.
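Step 3a is where the administrator's work actually happens, so here is an added example of the first-pass triage one would run against the read-only copy of the old disk. It is not code from the thread, from the poster, or from any provider's tooling. It assumes the image is mounted (read-only, `noexec`) at some directory and reports the artefacts that most often explain a droplet suddenly emitting UDP: fresh executables in world-writable directories, cron entries that run or fetch things from them, and recently modified setuid binaries. The on-disk layout it builds for the demonstration is constructed, and the file and job names in it are hypothetical.

```python
"""First-pass triage of a read-only copy of a suspended server's disk.

Added example; not tooling from the thread or from any hosting provider.
Point triage() at the directory where the image is mounted. Nothing is
executed from the image and nothing in it is modified, which is the point
of working from a read-only copy instead of the live box.
"""
import os
import re
import stat
import tempfile
import time

SCRATCH_DIRS = ("tmp", "var/tmp", "dev/shm")            # world-writable
CRON_PATHS = ("etc/crontab", "etc/cron.d", "var/spool/cron")
SETUID_DIRS = ("bin", "sbin", "usr", "opt", "home", "root", "var")
# Cron commands that run from scratch space or pull a payload from the net.
SUSPICIOUS_CMD = re.compile(r"/tmp/|/dev/shm/|/var/tmp/|\b(?:curl|wget|nc|ncat)\b")


def _files_under(root, rel):
    """Yield regular-file paths below root/rel (absent directory -> nothing)."""
    base = os.path.join(root, rel)
    if os.path.isfile(base):
        yield base
        return
    for dirpath, _dirs, names in os.walk(base):
        for name in names:
            yield os.path.join(dirpath, name)


def triage(root, now=None, recent_hours=72):
    """Return sorted (finding_type, relative_path[:line]) tuples."""
    now = time.time() if now is None else now
    cutoff = now - recent_hours * 3600
    findings = set()

    for d in SCRATCH_DIRS:                       # fresh executables in /tmp & co.
        for path in _files_under(root, d):
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mtime >= cutoff and st.st_mode & 0o111:
                findings.add(("recent_executable", os.path.relpath(path, root)))

    for c in CRON_PATHS:                         # persistence via cron
        for path in _files_under(root, c):
            with open(path, errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if line.lstrip().startswith("#"):
                        continue
                    if SUSPICIOUS_CMD.search(line):
                        rel = os.path.relpath(path, root)
                        findings.add(("suspicious_cron", f"{rel}:{lineno}"))

    for d in SETUID_DIRS:                        # newly planted setuid binaries
        for path in _files_under(root, d):
            st = os.lstat(path)
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_mtime >= cutoff):
                findings.add(("recent_setuid", os.path.relpath(path, root)))

    return sorted(findings)


def _put(root, rel, content, mode, mtime):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)
    os.utime(path, (mtime, mtime))
    return path


def build_sample_image(root, now):
    """Constructed stand-in for a mounted image: one planted flooder, one
    cron line that runs it, plus old legitimate files that must not fire."""
    fresh, old = now - 3600, now - 30 * 86400
    _put(root, "tmp/.x/udpflood", "#!/bin/sh\n", 0o755, fresh)       # planted
    _put(root, "tmp/old.sh", "#!/bin/sh\n", 0o755, old)              # stale, ignore
    _put(root, "etc/crontab",
         "# m h dom mon dow user command\n"
         "0 3 * * * root /usr/local/bin/db-backup.sh\n"               # legitimate
         "*/5 * * * * root /tmp/.x/udpflood 203.0.113.9\n", 0o644, old)
    _put(root, "etc/cron.d/sysstat", "*/10 * * * * root /usr/lib/sa/sa1\n", 0o644, old)
    _put(root, "usr/bin/sudo", "", 0o4755, old)                      # normal setuid


def demo():
    """Build the constructed image in a temp dir and triage it."""
    now = 1380000000.0                           # fixed clock for reproducibility
    root = tempfile.mkdtemp(prefix="image-")
    build_sample_image(root, now)
    return triage(root, now=now)


if __name__ == "__main__":
    for kind, where in demo():
        print(f"{kind:20s} {where}")
```

The output names the flooder in `/tmp/.x` and the crontab line that restarts it every five minutes, while the month-old script and the ordinary setuid `sudo` stay quiet. This is triage, not a full investigation: it says nothing about how the box was entered (for that, pull the auth and web logs off the same copy), and a rootkit can hide from any tool that trusts the image's own binaries, which is another reason to inspect the copy from a clean system.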

They basically killed the killer; 1 Gbit of UDP probably killed the website or servers of someone else.
Suspending an account is an action reversible with sufficient cause; killing him is not.