Stop Using Digital Ocean Now: The Aftermath

84 points, by sdogruyol, over 11 years ago

27 comments

jjoe, over 11 years ago
Sorry but I must be blunt... What do people expect for a < $8/mo service? Should DO spend a few man hours to fix the issue at hand (abuse or not) and very much burn the 7 months' worth of service income from this account? This is an unreasonable expectation.

Something has to give. Yes, we've all built and sold products and believe in providing an impeccable service worth far greater than the sum of its parts. Because we're in it to please everyone and build a reputation. But hosting is different. There are real costs for not taking action (upstream null routing, blacklisting, chargeback fees, fraud, abuse, etc).

I'm definitely playing devil's advocate and yes, I go above and beyond for my clients. Never have I kicked a client to the curb for abuse they haven't originated. But DO is unmanaged and acquires clients by the shovel. Something has to give.

For the record, I did publicly state here on HN that DO's business plan doesn't add up, and this is one of the side effects.
slig, over 11 years ago
On the other hand, here's my experience with Linode.

Another host company claimed that one of my machines was doing a port scan on their network. Linode opened a ticket and preemptively blocked all outgoing connections to the SSH port from my machine.

I had enough time to see what was going on and chatted with a very responsive support. The aftermath is that I moved all my data to a new linode, waited for the DNS propagation and killed the old linode. No service disruption and no all-nighters.

I seriously can't recommend them enough. And yes, I'm aware of the security problems they had months ago, but I bet that they don't want any more damage to their brand and they're working very hard to not let that happen again.
jrochkind1, over 11 years ago
> The things which i still don't understand.... Is my privacy more important than my user experience or happiness of the service? Even if i want them to tell what really happened?

Well, yes. It is completely appropriate that they aren't going to discuss your logs and other private details in public without your permission. You don't understand that, for real?

They have no obligation to discuss your case in public at all, although it might be wise for them to do so and explain themselves, if you are generating lots of bad feelings for them.

(They do, I'd agree, have an obligation to discuss your case with you and tell you why they closed your account. It's not really clear to me if they did so; it kind of seems like they did so, something to do with DDoS.)
JeremyBanks, over 11 years ago
OP, can you please confirm whether or not you made this post quoting a reply from Digital Ocean in the previous thread, as [1] claims you did?

> Now i've received an answer from DO. I seriously don't know how i did a DDoS.
>
> Here it's.
>
> Greetings,
>
> Based upon the tcpdump results, I have again confirmed that your droplet was indeed performing a Denial of Service attack.
>
> With this information, we are unable to restore services to your account.

If this is true, it is disingenuous not to mention this reply in your post.

[1]: https://news.ycombinator.com/item?id=6439501
meritt, over 11 years ago
His server was probably broken into, someone used it for DDoS'ing, DO shut it down and the customer has no clue what's going on.
zagi, over 11 years ago
Hi, this is Ben, CEO and Co-Founder of DigitalOcean, we have received the document and will discuss the matter publicly.

-----

All times are UTC.

Our monitoring picked up a malicious UDP traffic pattern on 2013-09-08 00:58:23. A ticket was then opened with the customer at 2013-09-08 01:05:55, roughly 7 minutes later.

The customer informed us that it was a script that was crawling in the background.

We informed the customer that it may be a good idea to check through the virtual server to see if there were any signs of a compromise, just in case.

The droplet was unlocked at this time.

A second UDP pattern was detected on 2013-09-24 12:27:09 and a ticket was opened at 2013-09-24 12:27:14 to request more information from the customer.

Because this was already a second occurrence we had to do a more thorough follow-up. Discussing the matter with the customer, he informed us that it was a mysql db dump script that was pushing data to dropbox.

He provided us a link to a github project that he wrote, and we asked further questions. Specifically, if you are writing a mysql dump remotely, why are the packets being sent as UDP? Additionally, if the final destination is dropbox, that would be an SSL encrypted connection, and again why would that transfer go over UDP?

We reviewed the code of the dump-to-cloud project and it was using the dropbox sdk. Here is where the file transfer is initiated:

    def upload_file(file_name)
      client = DropboxClient.new(@access_token)
      # File.open rather than Kernel#open, which treats a "|cmd" name as a pipe
      file = File.open(file_name, 'rb')
      puts 'Uploading file!! Please wait.'
      # put_file issues an HTTPS PUT to the Dropbox content server (see below)
      response = client.put_file("/#{file_name}", file)
      puts "uploaded:", response.inspect
    ensure
      file.close if file
    end

From the dropbox SDK, here is where it sets the destination for the file transfer:

    def build_url(url, params=nil, content_server=false) # :nodoc:
      port = 443
      host = content_server ? Dropbox::API_CONTENT_SERVER : Dropbox::API_SERVER
      versioned_url = "/#{Dropbox::API_VERSION}#{url}"

      # scheme is fixed to https on port 443, so the transport is TLS over TCP
      target = URI::Generic.new("https", nil, host, port, nil, versioned_url, nil, nil, nil)

      # add a locale param if we have one
      # initialize a params object if we don't have one
      if @locale
        (params ||= {})['locale'] = @locale
      end

      if params
        target.query = params.collect {|k,v|
          CGI.escape(k) + "=" + CGI.escape(v)
        }.join("&")
      end

      target.to_s
    end

The code that actually transfers the file from the dropbox sdk:

    def do_put(url, headers=nil, body=nil) # :nodoc:
      assert_authorized
      uri = URI.parse(url)
      # Net::HTTP::Put over the https URI built above
      do_http_with_body(uri, Net::HTTP::Put.new(uri.request_uri, headers), body)
    end

The file is transferred via HTTPS since it is going to a secure service, and HTTPS would rely on TCP for the data transfer, again to ensure that all packets are delivered.

Given that it was the second incident that a UDP traffic pattern was observed in less than 30 days and that the information the customer provided regarding the traffic did not match up, we made a determination that in fact it couldn't be this script that was generating the traffic.

All of this information was relayed to the customer: that we did not believe that the traffic in question was related to this script, because it would not rely on UDP, an insecure protocol, to deliver files to a secure endpoint where data integrity was of the utmost importance.

Unfortunately, we could not unlock the account at this time because the information we received was not clear and we already had two incidents of outbound UDP traffic that appeared to be disruptive and abusive in nature, totaling 1Gbps, as if it were a denial of service attack, typically associated with UDP packets.
skizm, over 11 years ago
I use DO for messing around on a small web app I'm developing. Within 24 hours of having my droplet up, the root password was guessed and my machine was used for some DDoS. Granted, I was an idiot for not changing the password immediately, but I definitely felt like DO should just use ssh key validation like AWS does right off the bat. That deters attackers from even trying brute force attacks in the first place.

Anyway, I checked the logs and pretty much the minute my machine was deployed a script was guessing my password (lots of failed login attempts for "root" and "oracle"). This probably means someone knows DO's IP addresses and their automatically generated password scheme (all lower case alpha characters of a fixed length).

I reported the incident and destroyed my droplet since there was nothing important on it. When I heard back from DO I basically got (paraphrasing here) "you should install fail2ban next time". Case closed. I'm not a big customer or anything so I don't expect premium support or anything, but I feel like someone should have looked into the attack a bit more. Seems like a lot of people are experiencing the same thing.

I guess what I am saying is you get what you pay for (it is only 5 bucks after all).

EDIT: Still using DO. I was just a bit more careful next time I deployed a droplet.
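skizm's logs show the pattern a fail2ban jail is built to catch: repeated password failures for root and oracle from one source within seconds of the host coming up. As an added example (not skizm's code, not fail2ban and not DigitalOcean's), the Ruby below applies fail2ban's maxretry/findtime rule to a constructed auth.log excerpt so the check itself is visible; the log lines, hostname, addresses and the key fingerprint are constructed placeholders.

```ruby
# Added example, not code from the thread or from DigitalOcean: the check a
# fail2ban-style jail performs on sshd's auth log, written out in Ruby so
# the logic is visible. Log lines below are constructed; IPs are from
# documentation ranges and the key fingerprint is a placeholder.

# Constructed auth.log excerpt: one source hammering "root" and "oracle"
# within seconds, one isolated failure elsewhere, and one key-based login.
SAMPLE_AUTH_LOG = <<~'LOG'
  Sep 25 00:01:02 droplet sshd[1201]: Failed password for root from 203.0.113.9 port 51022 ssh2
  Sep 25 00:01:03 droplet sshd[1203]: Failed password for invalid user oracle from 203.0.113.9 port 51030 ssh2
  Sep 25 00:01:05 droplet sshd[1205]: Failed password for root from 203.0.113.9 port 51041 ssh2
  Sep 25 00:01:06 droplet sshd[1207]: Failed password for root from 203.0.113.9 port 51050 ssh2
  Sep 25 00:01:08 droplet sshd[1209]: Failed password for root from 203.0.113.9 port 51062 ssh2
  Sep 25 00:03:30 droplet sshd[1220]: Failed password for root from 198.51.100.4 port 40001 ssh2
  Sep 25 00:15:10 droplet sshd[1230]: Accepted publickey for deploy from 192.0.2.10 port 50100 ssh2: ED25519 SHA256:PLACEHOLDER
LOG

# Matches OpenSSH's password-failure line in syslog format, with or without
# the "invalid user" marker. Any other sshd message is ignored.
SSH_FAIL_RE = /\A\w{3} +\d+ (?<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?<user>\S+) from (?<ip>[\d.]+) port \d+ ssh2/

# "HH:MM:SS" to seconds since midnight (the excerpt lies within one day).
def clock_seconds(hms)
  h, m, s = hms.split(':').map(&:to_i)
  h * 3600 + m * 60 + s
end

# One failed login as { t:, ip:, user: }, or nil for lines that don't match.
def parse_failure(line)
  m = SSH_FAIL_RE.match(line)
  return nil unless m
  { t: clock_seconds(m[:time]), ip: m[:ip], user: m[:user] }
end

# fail2ban's rule: a source is reported when any maxretry of its failures
# fall within findtime seconds of each other. Returns { ip => summary }.
def find_brute_force(log, maxretry: 5, findtime: 600)
  by_ip = Hash.new { |h, k| h[k] = [] }
  log.each_line do |line|
    f = parse_failure(line)
    by_ip[f[:ip]] << f if f
  end
  by_ip.each_with_object({}) do |(ip, fails), out|
    times = fails.map { |f| f[:t] }.sort
    # slide a window of maxretry consecutive failures over the sorted times;
    # an empty range (fewer than maxretry failures) never matches
    window_hit = (0..times.size - maxretry).any? do |i|
      times[i + maxretry - 1] - times[i] <= findtime
    end
    next unless window_hit
    out[ip] = { failures: fails.size, users: fails.map { |f| f[:user] }.uniq }
  end
end

if __FILE__ == $PROGRAM_NAME
  find_brute_force(SAMPLE_AUTH_LOG).each do |ip, info|
    puts "#{ip}: #{info[:failures]} failed logins, users tried: #{info[:users].join(', ')}"
  end
end
```

On the sample, 203.0.113.9 is reported (five failures in six seconds, against root and oracle) and 198.51.100.4 is not. Blocking sources only limits the damage; the mitigation skizm asks for is to take passwords out of the picture, which on the host side is PasswordAuthentication no and PermitRootLogin prohibit-password (without-password on older OpenSSH) in sshd_config, with a key installed before the droplet is reachable.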
adamlj, over 11 years ago
About a week ago I got to experience Digital Ocean's very tight suspension policy first hand. What happened was that one of the accounts I manage was suspended. I had to go through a very long and detailed validation process before they understood that they had done wrong (they admitted to making an error and apologized). But when my account was activated again my droplet had been destroyed.

After some more time they managed to resolve this and I'm again a happy DO user, but I wish that they would take a look at their policies. Just the fear of knowing that they can shut you down by mistake for a day or two is bad enough to not use them. They should have a policy where they at least call you and talk to you before they do anything.
antr, over 11 years ago
Some months ago I tried to open an account with DO, but my account was blocked by DO before creating a droplet because my dad, who has the same name as I do, had already used the service. DO wanted me to verify my identity, address, etc.

I can't stand such friction, so I stayed with AWS, who have never had an issue with having a customer with a very similar or equal name to another. Clearly, there is something wrong in DO's identity/fraud detection process, and even more wrong is the fact that they are locking users' production accounts without any warning at all.
mechinn, over 11 years ago
Wait... did I miss something or did you send snailmail and expect a response within 10 hours?

Also I am nowhere close to being a lawyer, but I'm pretty sure if they disclosed your private information on here without your written permission you could sue them, probably for more than either of these 2 posts are worth against them.
ogghead, over 11 years ago
Sad to say, the same thing happened to me and the support messages were unhelpful to say the least. They have several copy-and-paste answers they use far too eagerly.

And it's asinine to ask someone to update billing information when they've locked your account from accessing the billing info page. Two of us have seen that with DO. Makes them look quite sloppy.
csomar, over 11 years ago
> And now after nearly 10 hours or so i still haven't heard from DO.

There is a problem on the Internet: people demand things NOW. Really? How long will it take for stuff to happen in real life (especially if you are dealing with government)?

Some stuff does happen immediately (like registering or purchasing something), but stuff which requires human intervention is obviously slow. And it requires time.

Yes, you can have 24/7 response. But only if you hire someone (probably 3 persons) working for you round the clock, which will mean paying thousands of $$ per month and not $5/month.
robomartin, over 11 years ago
> Is it fair to tyrannically close someone's account up and accuse him or further treat him as a liar?

Isn't this what Google does on a daily basis to users of their various services? There seem to be no consequences for them and less than zero interest in improving any of it.

There are companies that can cause your business untold financial damage through these kinds of actions. For some reason they continue to evade responsibility in financial, moral and ethical terms. It sucks.
PeterisP, over 11 years ago
There may be all kinds of valid reasons to validate accounts, check documents and ownership of cards, etc.

None of those reasons excuse putting services offline while this validation is happening - first try validation, give it some reasonable timeframe, and only then cut or don't cut the service depending on results. Is it really so complicated?
txutxu, over 11 years ago
OK, after reading the two blog posts, and all the comments here, these are my thoughts:

I've a poor man's backup solution too, from my personal droplet to gmail.

I use it to back up /etc, /root, /usr/local/(s)bin and /html, with excludes and rotations (about 15MB total), encrypted 4 passes with 4 different algorithms.

I did write two scripts, one for backup-restore (and encrypt/decrypt, secure deletion, html email generation, etc) and another to list-retrieve remote backups using IMAP.

On gmail I did put a filter to send all to the trash, so I get 30 days' backup rotation. More complex rotations could be implemented using different cron tasks, with different config files, pointing to different accounts (srv-month-number@...), but for my personal VPS I don't need that, 30 days is enough.

But.

Now, I go to the digital ocean panel, to the "backups" tab, and I read:

    "Pricing is set at 20% of the Droplet's monthly cost (e.g. It will cost $1/mo.
    to enable backups for a 512MB Droplet)."

And I can only think: facepalm.

It's not only the price of the implementation time, that me and this other person with ruby/dropbox have spent...

Even if it looks like "you get a gratis backup solution", really it may be more expensive (because of all the network bandwidth)

Well, aside from the fun of implementing your own backup/restore scripts, you get:

* provider independence (if all of DO is down, you still can restore from gmail or dropbox)

* no periodical costs (but remember the implementation cost may be bigger the first time, then it is just reuse and edit a few variables).

* Security (you control how and where the data goes, otherwise you can save and restore from the provider, but implementation, management, internal policy, budget, team or technology changes, etc around your data is up to you).

But, I will never again call my solution a "poor man's" solution, because counting implementation time and network traffic, it is much more expensive than $12/YEAR.

Edit: formatting a list.
Adirael, over 11 years ago
Previous post was submitted here: https://news.ycombinator.com/item?id=6438761
jensenbox, over 11 years ago
I left them long ago after super crap support.

No thanks and good luck.
j_baker, over 11 years ago
> And now after nearly 10 hours or so i still haven't heard from DO. Also now that the HN topic is not on the front pages no one is getting updated about the situation. That's why i wanted to write this post.

I won't speak for everyone, but I can personally live without having updates on the OP's Digital Ocean drama on my HN homepage at all times.
outworlder, over 11 years ago
> DigitalOcean requested me to send a paper which authorizes them to disclose the information in public. It was midnight here in Turkey and i was asleep.

> And now after nearly 10 hours or so i still haven't heard from DO

What about timezone differences? You were asleep, they could be, too.
moneyrich2, over 11 years ago
that's rough

they obviously only care about conversion and not validating the user beforehand in (any) way, so brutal.

From verizon I got a similar answer: they couldn't discuss my own account with me after me giving them my social and all that - wtf. i hung up and tried another service rep and they gave me too much of my own personal info without verifying any of my personal details and anyone else's on my plans, which is kind of scary (Wtf)

also i really really like the idea of daily backups to dropbox, with like 1TB of backups i need a solution, and this seems like a great one. thanks for coming up with that
pekk, over 11 years ago
Funny that DO's public response was to demand permission to discuss the case publicly, when apparently they had not discussed it with the customer concerned!
bliti, over 11 years ago
I've also had a bad experience with DO in production. Moved to Webfaction and have never looked back. They are just excellent in every which way.
outworlder, over 11 years ago
By the way, someone should watch this thread and start saving all posts by the OP. Last thread he deleted a lot of them.
adrianlmm, over 11 years ago
I'm a DO user, I created my account 2 months ago and I'm a happy customer.
orenbarzilai, over 11 years ago
Isn't that a major violation of their SLA? Have you consulted with a lawyer?
dgdkfjghkdfhkhg, over 11 years ago
Never heard of DO but will use them for a project soon - looks great
kbar13, over 11 years ago
is this... a joke?