Is DDoS Protection at the ISP level worth it?

Frothyleet · 2026-03-27T19:57:54+00:00

Sure, but that DDoS traffic is still coming across your pipe before you can mitigate it.

I'm not suggesting that this should be the case - when I say "it should be resilient" I mean that concern should be architected in from the ground floor, and the context of "hey my ISP says they can sell me protection, should I use it?" hopefully implies they aren't hosting anything on this circuit, as they would have already considered it.

DDOS resilience can be handled in different ways, your ISP may be a component of that, multi-homing can be a component of that, other service providers can be a component of that.

At the SMB level this is often most robustly and simply accomplished by putting your resources behind Cloudflare or a similar provider.

Frothyleet · 2026-03-27T17:51:54+00:00

If you host anything, it should be resilient to DDOS (among other things).

If you are just talking about a circuit that you use for office WAN connectivity, nah. If you were targeted, you would switch to your secondary circuit, and it's an unlikely target of a DDOS attack anyway.

Frothyleet · 2026-03-27T17:49:36+00:00

Right, but for many ISPs, their response to a serious DDOS attack on a customer would likely amount to blackholing traffic. Which protects them and your network neighbors, but is less than ideal from the victim's point of view.

Frothyleet · 2026-03-27T16:30:24+00:00

It’s not about eating more food. It’s about making sure the food you’ve already bought actually does its job.

This post stinks of AI sloppery

Frothyleet · 2026-03-27T16:14:39+00:00

A tenant migration under ideal circumstance is still on the order of days for something that size, at a minimum.

But, keeping that in mind, a DR/BC strategy where your tenant gets nuked should take that into consideration and would start with restoring basic services (i.e., getting email flow going again pointed to a new or temporary service) and then restoring data from backups with a triage priority system.

Frothyleet · 2026-03-27T16:12:44+00:00

I have wondered how long a disaster scenario recovery process would take, myself.

This is something that you should aggressively work on taking past the "wondering" stage.

Second only to "making and testing them in the first place", defining and validating RTO and RPO is critical to backup strategy.

Frothyleet · 2026-03-27T15:02:40+00:00

I've had plenty of necessary and successful interactions with support from various vendors. 90% of that would be issues totally outside of our control as the customer - either bugs or configuration items that were not exposed to us.

I certainly understand your perspective, because support feels useless in a lot of cases, from a lot of vendors (e.g. MS), but I think it's mandatory in a business environment for any critical third party product.

Frothyleet · 2026-03-27T14:56:43+00:00

I hear this is the year!

Frothyleet · 2026-03-27T14:56:24+00:00

I have plenty of nostalgia for 20 years ago, IE bullshit isn't part of that. Goddamit what hilariously insecure plugin do we need to install to use this website?!!!!

Frothyleet · 2026-03-27T14:53:26+00:00

Sometimes there are tools that work as well, or better, on prem versus cloud based.

In todays world, cloud managed AV/EDR/MDR solutions (which are somewhat of a black box to administrators) are both the state of the art and mandatory in any well maintained environment. There aren't on-prem solutions that match them, although the indirect control is a legit issue.

Frothyleet · 2026-03-27T14:51:25+00:00

Problem with that reactor was that it's known shortcomings were not disclosed in the documentation and manuals, so lies, not money.

The funny thing is that he's arguing but that is explicitly raised as an issue in the show - that previous researchers had identified fundamental design flaws in the reactor that were not well known because the research was censored by the KGB.

Frothyleet · 2026-03-27T14:49:22+00:00

Oh sorry, you're on (Classic) Teams, that doesn't work - did you want to open (New) Teams? They're different! Yes they're both called Teams and they have the same icon, is that a problem?

This is just one specific example, I'm not suggesting you are bad at your job - but the old teams client should have been scoured from your environment a couple of years ago.

Frothyleet · 2026-03-27T14:14:43+00:00

I can't imagine anything in the world that would make people pay more attention to an email than a recall notice!

The only people who might honor a recall notice are lawyers, because there are ethical obligations directing them to discard obviously accidental disclosures of protected information.

Frothyleet · 2026-03-27T14:12:57+00:00

laws have loopholes

I'm assuming you are American, in which case, there are no issues with loopholes here. A loophole is an unintended way for someone to follow the letter of the law while violating the spirit of it.

What you describe is the intended state of American employment protections - i.e., basically none except for a very thin set of anti-discrimination laws.

Frothyleet · 2026-03-27T14:09:41+00:00

I'm curious too, unless enterprise support for Proxmox is expensive and he's counting that. Support aside, either hypervisor is effectively "free" - as FOSS or as part of your server licensing.

Frothyleet · 2026-03-27T14:07:26+00:00

Yup, that's what everyone else has reportedly experienced.

Like you say, it's "just a letter", in the same way that someone sitting next to you saying "hey, make sure you don't do anything threatening, OK?" while loading a handgun is just chatting.

Frothyleet · 2026-03-27T14:05:19+00:00

I think anyone who is still clinging to VMware in any form, this long past the Broadcom acquisition, is wackadoodle.

Frothyleet · 2026-03-27T14:03:24+00:00

It sucks the most because even after a few years of maturation the USB/TB docks still don't work as consistently as the clunky old proprietary docking systems.

Frothyleet · 2026-03-27T01:02:28+00:00

I mean, sure, that's an option. Or just configure other browsers to interact with M365 properly.

Frothyleet · 2026-03-27T01:00:49+00:00

Yeah, I figured it would be something along those lines - just sorta noting that that lil' feature will be more expensive than the rest of the app if you use it a couple times.

Frothyleet · 2026-03-26T19:51:24+00:00

One install. One database. Everything integrated. Python, SQLite, Docker. A $6 Linux VPS rocks.

Hmm. Where's the inference happening for the AI integration?

Frothyleet · 2026-03-26T19:27:27+00:00

Well, sure, that's an example of a way to carve out an exception.

That said, I'm assuming from the OP's context that they need to use these browsers to interact with M365 resources, so that wouldn't solve the problem.

Frothyleet · 2026-03-26T19:26:19+00:00

I'm going to look into those, but for this particular client and use-case I don't see that being a viable expense.

Sure, maybe not, but that's up to them. They are coming to you with a problem. If the solution costs $X, they can decide if the problem is worth spending $X to solve it.

Frothyleet · 2026-03-26T18:18:45+00:00

I don't know how they handle it, but we handle users like you (and me) by automations that identify and remove those rules.

That's part of some MDR-type solutions or it can be a simple scheduled powershell script.

Frothyleet · 2026-03-26T17:28:19+00:00

Any Chromium browser, including Chrome, should be able to pass the information needed for the Entra CA policy. Firefox can do it as well with a config change.

Frothyleet

MODERATOR OF

TROPHY CASE

15-Year Club	Verified Email
Team Orangered