How much network latency is between you and the load balancer, and between the load balancer and the web servers? Normally, the initial TLS connection should be around 4 * the network latency, and subsequent requests should be very close to the network latency.
I'm having issues reaching IP addresses unrelated to Cloudflare. Based on some traceroutes, it seems AS174 (Cogent) and AS3356 (Level 3) are experiencing major outages.
ip-api.com was also affected by this.
After our first alert at 10:49 (cert expired at 10:48:38) and a minute of being puzzled as to why our certificate expired, we realized the root we bundled is the issue. We finished updating our primary API servers at 10:55.
This isn't on the level of some other providers, they'll still null route you if you go over an unspecified amount of traffic. IIRC they use Juniper and Corero.
This is the reply I got from their support, just a few days ago:
>In short, our DDoS protection works by filtering out DoS-like traffic and is applied via the Linode network, so all Linodes are automatically protected. If your server were to be on the receiving end of a larger attack that impacts the Linode's host, we would need to prevent your server from receiving traffic until the attack ends. If you're concerned that you might be the target of a large DoS attack, there are a number of third-party DDoS mitigation services that you can use alongside your Linode.
>We aren't able to provide specific numbers since effects can vary depending on the attack. If you wanted to be sure your Linode is protected, we would recommend utilizing a third-party DDoS protection service overtop of your Linode's included protection. You also have the option of waiting to apply third-party protection until a null route is found to be necessary.
I'd love a service that puts me in touch (for a fee) with an engineer/someone above level 1-2 support from Google/Amazon/huge corps
When dealing with companies that are above a certain size, it takes days or weeks to get to someone that can fix issues, but if you're lucky and you have a friend that knows someone who works there he can expedite your ticket. This service would work like that, a friend that puts you in touch with people hired at big corps.
I'm aware this service would have a number of potential issues, such as how to get employees on the platform without annoying their employers, or how to prevent abuse/bribes, but if somebody find a way..
As a small business owner, this terrifies me. Since the TTL for NS records is 48 hours, a domain takeover like this could easily bankrupt a lot of SaaS companies.
What options are there to prevent this? Would a registrar such as MarkMonitor provide at least some notice or protection?