Don't trust your business with Linode

twitter.com

71 points by alvivar 3 years ago · 25 comments

derkades 3 years ago

This is why I like hosting providers that totally ignore reports/DMCA. Even if you're not doing anything illegal, it's good to know your server won't get taken down randomly because of a false report.

  • ashwagary 3 years ago

    What are some hosting providers that fit these criteria?

    • nora-puchreiner 3 years ago

      Njal.la

      P.S. Also, I would avoid hosters (and other Internet services) that have political slogans on their site ("support Ukraine", "BLM", whatever). They will easily turn off paying customers for the sake of agenda and virtue signaling, whether it comes from a news feed or a single abuse complaint.

waydegg 3 years ago

Has anyone else had issues with Linode before? While this specific situation sucks, I feel like I’ve seen much more headache with AWS/GCP/Azure regarding people getting completely locked out of stuff.

  • LinuxBender 3 years ago

    I had a Garry's Mod server on Linode for a while. A player was upset they were banned and reported my instance for DDoSing them. Linode rate limited my node.

    I replied to the ticket saying, "How am I DDoSing someone when the bandwidth/packet-rate graphs you host show I am not?" to which they acknowledged it was a false report, unrestricted my node and closed the ticket. Not a big deal but still odd that they did not first check their own bandwidth graphs. That to me appeared to be a front-line customer support training issue.

    I should add that the player was really upset that their exploit code could not crash my server. It happened a couple times so I found the packet that took it down and used a simple iptables string filter to drop it. That is when they went with the false reporting tactic.

  • csnover 3 years ago

    I received a third-party malware report from Linode once[0]. It’s possible that something has changed in the meantime since this was probably 4–5 years ago, but my own experience in a similar scenario was that Linode acted reasonably and in good faith. This tweet makes it sound like their policy and procedure hasn’t changed.

    In my case, Linode opened an “AUP violation” ticket with a copy of the report, the steps they required to close the ticket (essentially: fix it and explain corrective measures), and a time when they would disable the server otherwise (which was something like 24 hours). It sounds like itch.io decided to ignore the AUP violation ticket and their server was disabled after 24 hours, just like the ticket said it would. (Waiting on a support ticket instead of calling also seems like a weird bad choice when your whole site is offline.)

    I guess, having some first-hand experience with Linode’s malware handling process, that itch.io were at fault here, but I guess there may be more to the story they haven’t shared or weren’t clear on.

    [0] Actually twice; some internet vigilante hooked up a virus scanner to a web crawler and was sending false positive reports directly to the abuse address for the netblock. After the second one I kindly suggested Linode stop accepting these reports, and never heard anything again.

    • phendrenad2 3 years ago

      > sounds like itch.io decided to ignore the AUP violation ticket

      Did you see the part where they removed the content within 24 hours?

      • csnover 3 years ago

        Just removing the content is not sufficient; one must still respond to the ticket with the information that Linode requests in order to keep the server from being disabled. The instructions in the ticket I received were not hard to understand or comply with in this regard and the whole thing was resolved within minutes of my response.

        I’m not sure what the point is of interrogating me here; I am just a third party who went through the same thing and thought additional detail about the process would be appreciated. I didn’t have any service interruption, but I followed Linode’s instructions, and this leads me to conclude that the OP probably did not.

        • phendrenad2 3 years ago

          Ah I see, you're not defending Linode's heavy-handed process, you're just explaining it more accurately.

  • metadat 3 years ago

    It's always a risk when you're leasing computer resources from a 3rd party.

    At least if you own the hardware, you won't lose your data (except in extreme cases where the government takes it, but if this is the case you're screwed and data / service loss is the least of your worries).

    • type0 3 years ago

      > At least if you own the hardware, you won't lose your data (except in extreme cases where the government takes it

      For colocation you probably won't lose the data but the company you chose can still disconnect you. And it's not uncommon in certain countries that police will take the whole rack belonging to different customers when they do police raids against pirating, mainly because they're incompetent but also trying to find other violators.

    • quickthrower2 3 years ago

      People have backups on another cloud / on premise right?

      • metadat 3 years ago

        That's a lot of work to do right. Probably rare in the wild.

        • Grimburger 3 years ago

          > That's a lot of work to do right.

          Compared to?

          Backups are something you should have regardless, an account with other providers and means to spin up some nodes is just basic common sense.

          Vote with your wallet, let the execs know and never come back, it's honestly that simple.

          • metadat 3 years ago

            Agreed. It's easy to get a false sense of security with s3 / object storage being so reliable.

            Always better to have an escape hatch and corresponding protocols in place.

            • tluyben2 3 years ago

              Every business I work(ed) with found out that at least backups (on cd, dvd, tape and s3) for some systems were useless when trying to restore them. Sometimes they had been storing useless backups for many years before finding out they were done wrong at the worst possible time.

              Nothing to do with the medium, just when you have 100-1000s of systems which are backed up, some of these systems 10+ years old, testing the backups is simply not done in reality.

              • quickthrower2 3 years ago

                Testing restoring regularly is part of the deal of saying “I have a backup!”

                A good thing is all these viral security requirements slithering through the software supply chain (and backup is a part of security because ransomware) will force anyone who sells SaaS to consider it after the startup stages when they sell to enterprises.

                • tluyben2 3 years ago

                  Yes, I know, but even in banking (pci/iso cert) I saw faulty backups, and not incidentally.

  • account42 3 years ago

    I have had two reports from/via Netcraft (for the exact same file) that resulted in Linode threatening to take down my small VPS within 24 hours. But while I don't think such a short time for response is reasonable without any actual non-bs evidence, both times they backed down after I explained to them that there was nothing wrong. Was long before the Akamai acquisition though so who knows if their procedure changed.

j_ckley 3 years ago

Hey folks, Jim at Linode here – wanted to offer some general information about our abuse practices and policies:

When we receive a valid abuse report that resolves to one of our IPs, we open a ticket (and send an email) to let you know. The ticket provides details about the abuse report we received, how to resolve it, and the timeframe in which we need a response before we remove access to the abusive content.

Since most abuse reports we process are the result of a system compromise and aren't intentional, we can be flexible. If you need additional time to investigate an abuse report we've sent you, all you need to do is respond to our ticket and ask.

If you dispute the validity of a report or believe an abuse reporter is acting in bad faith, that's feedback we listen to – you just need to respond to our ticket.

In general, if you're communicating with us and acting in good faith, we'll work with you on these matters.

RockRobotRock 3 years ago

My friend just got pwned by a malicious itch.io game a few days ago. They didn't reply to my report, but seemed to have taken it down after a couple days.

LinuxBender 3 years ago

My personal preference rather than picking X over Y VPS provider is to spread my nodes out across several of them. This would especially be the case if I were running a revenue generating business. Providers have unplanned outages. Support teams of an individual provider can get overwhelmed and take lazy actions like those in this tweet.

By having applications and data distributed over multiple providers, automation can change DNS when a provider is having issues, even if said issues are self-inflicted such as a lazy over-reaction to an abuse report. It may not be feasible for a company to have all their data replicated on all providers. This is probably OK. N+1 for hard to replicate data may be sufficient to have a degraded service rather than a full site down critical outage.

Another benefit to having multiple providers is letting them know the better they treat you, the more significant weight your automation will give to spinning up nodes there. Make them compete for your money.
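
The failover decision described in the comment above, sketched as an added example that is not part of the original thread: health-probe results decide which providers stay in DNS, operator weights rank them, and the site runs degraded as long as one reachable provider still holds a replica of the hard-to-replicate data. The provider names, addresses, weights, failure threshold and mode names are all assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Provider:
    name: str               # hypothetical provider label
    address: str            # address to publish (RFC 5737 documentation range)
    weight: int             # operator-chosen preference, higher is preferred
    has_data_replica: bool  # holds a copy of the hard-to-replicate data

# Assumed: consecutive failed probes before a provider is pulled from DNS,
# so a single lost probe does not cause records to flap.
FAIL_THRESHOLD = 3

def plan_dns(providers, failures, threshold=FAIL_THRESHOLD):
    """Decide which records to publish from consecutive-failure counts.

    failures maps provider name -> consecutive failed health probes.
    Returns (mode, records); records are (address, weight), best first.
    """
    live = [p for p in providers if failures.get(p.name, 0) < threshold]
    # Assumed: nodes without a replica act as front ends to one that has it,
    # so with no reachable replica there is nothing useful to publish.
    if not any(p.has_data_replica for p in live):
        return "down", []
    mode = "full" if len(live) == len(providers) else "degraded"
    ranked = sorted(live, key=lambda p: (-p.weight, p.name))
    return mode, [(p.address, p.weight) for p in ranked]

# Constructed fleet: data is replicated to two of three providers (N+1).
FLEET = [
    Provider("provider-a", "192.0.2.10", 50, True),
    Provider("provider-b", "198.51.100.10", 30, True),
    Provider("provider-c", "203.0.113.10", 20, False),
]

if __name__ == "__main__":
    scenarios = {
        "all healthy": {},
        "one lost probe at a": {"provider-a": 1},
        "a disabled": {"provider-a": 5},
        "a and b disabled": {"provider-a": 5, "provider-b": 4},
    }
    for label, failures in scenarios.items():
        print(label, "->", plan_dns(FLEET, failures))
```

The returned record list would be handed to whatever DNS API the operator uses; short TTLs on those records bound how long clients keep resolving to a provider that has been pulled.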
