VPS that can handle 45,000 pps syn flood

dmmcintyre3 Member
edited May 2012 in General

I have a site that's been the target of a 18,000 45,000 pps syn flood that I need a host for.


Comments

  • Damian Member
    edited May 2012

    If it can be served by shared hosting, our shared hosting is protected as far as I've tested it. We can offer you a 1-week trial to see if it works out for you (and us) or not.

    If it needs to be served by a VPS, then BuyVM's got those filtered IPs available.

  • Aldryic Member

    @liam said: I believe David has already tried that and the ips made the network run incredibly slow.

    That's funny, we have no support tickets from him regarding this slowness, nor reports of the same from other clients. Perhaps he should recheck his configurations.

  • laaev Member

    BuyVM :)

  • raindog308 Administrator, Veteran

    @Aldryic said: That's funny, we have no support tickets from him regarding this slowness, nor reports of the same from other clients. Perhaps he should recheck his configurations.

    I think maybe liam was thinking of this thread:

    http://www.lowendtalk.com/discussion/comment/49348#Comment_49348

  • Aldryic Member

    Aye, dmm clarified via PM. And an issue we've already resolved.

  • dmmcintyre3 Member
    edited May 2012

    I'm going to try BuyVM's ddos protection, but since I only have a 128 I'll have to proxy to another VPS. (Probably a VPS I had for a while that's 11ms away)

  • Francisco Top Host, Host Rep, Veteran

    @dmmcintyre3 said: I only have a 128 I'll have to proxy to another VPS.

    I messaged pony asking him to triple check if we had one spare and to just toss you one. It'd be a lot easier than you having to set up a proxy/vpn between the two.

    Francisco

  • I already have the reverse http proxy and mail proxy (to not show the not ddos protected VPS's IP in mail headers) set up.

  • Francisco Top Host, Host Rep, Veteran

    @dmmcintyre3 said: I already have the reverse http proxy and mail proxy (to not show the not ddos protected VPS's IP in mail headers) set up.

    Right on, you could make a nice article about that on here since I'm sure there's a bunch of people that would want such a setup :)

    Francisco

  • mikho Member, Host Rep

    Reverse proxy isn't that hard, I mean...even I managed to get it to work on my home connection. One external IP, many sites on the inside.
    Hard part is SSL.

    A friend of mine actually made a reverse squid serve an Exchange 2010 webmail over https. I'm not sure he did it, maybe he is willing to share his guide?

  • Looks like it's down after moving to buyvm with the filtered ip.

  • Francisco Top Host, Host Rep, Veteran

    Are you sure it's actually on the filtered IP? Should be within 209.141.39.0/24

    PM me the IP and I can ask awknet to take a peek at it. I know our billing is seeing tons of SYN all the time.

    Francisco

  • KuJoe Member, Host Rep
    edited May 2012

    I was told a Varnish proxy will filter out all SYN packets for HTTP requests. Not sure if this helps or not but if you get a few LEBs, load balance them, then filter the traffic with varnish it would probably help. It's a more nerdy way to go but it sounds like fun. :)

  • Francisco Top Host, Host Rep, Veteran

    @KuJoe said: I was told a Varnish proxy will filter out all SYN packets for HTTP requests

    Not quite, it just handles floods better. You can't filter SYN fully; it's required by design :)

    At 18k pps the issue isn't going to be if his application can hold up, it's if the routers & nodes he's passing through can.

    His IP finally 'kicked' in, I'm not sure if it was an ARP issue on our end (I saw none) or Justin making some adjustments to the filters.

    Either way, let me know on IRC/PM if there's any additional ACLs you want.

    Francisco

  • PhilND Member

    @KuJoe +1 To varnish. We use Varnish over high risk clientele websites, if they get SYN Flood our #1 method is to just stick varnish over it, we never have to worry about SYN again. Though, varnish doesn't support SSL so if you need it, probably best to look at something else.

  • Francisco Top Host, Host Rep, Veteran

    @PhilND said: @KuJoe +1 To varnish. We use Varnish over high risk clientele websites, if they get SYN Flood our #1 method is to just stick varnish over it, we never have to worry about SYN again. Though, varnish doesn't support SSL so if you need it, probably best to look at something else.

    Then the SYN floods aren't that big, nowhere near 18k pps :) OpenVZ melts during high PPS.

    Francisco

  • PhilND Member

    @Francisco Can't say I've ever recorded the PPS on the flood, it'd be interesting to log it, next time I see one, I'll make sure to record it and post it back here :) Not saying Varnish is an end all and be all, but it sure as damn helps for those script kiddies trying to knock our shared hosting nodes offline!
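
One way to record the packet rate and half-open connection load discussed above, using the Linux `/proc/net/dev` and `/proc/net/tcp` counters. This is an added example, not part of the original thread; the interface name `eth0`, the 10-second interval and all sample data are constructed.

```python
from collections import Counter

SYN_RECV = "03"  # state code for SYN_RECV in /proc/net/tcp

def rx_packets(proc_net_dev, iface):
    """Receive-packet counter for iface, parsed from /proc/net/dev text."""
    for line in proc_net_dev.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip() == iface:
            return int(rest.split()[1])  # fields: rx bytes, rx packets, ...
    raise KeyError(iface)

def pps(before, after, iface, seconds):
    """Inbound packets per second between two /proc/net/dev snapshots."""
    return (rx_packets(after, iface) - rx_packets(before, iface)) / seconds

def half_open_by_port(proc_net_tcp):
    """Count sockets in SYN_RECV per local port from /proc/net/tcp text."""
    counts = Counter()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) > 3 and fields[3] == SYN_RECV:
            counts[int(fields[1].rsplit(":", 1)[1], 16)] += 1
    return counts

# Constructed snapshots taken 10 seconds apart (not data from the thread).
DEV_T0 = """Inter-|   Receive                 |  Transmit
 face |bytes packets errs drop        |bytes packets errs drop
  eth0: 12000000 200000 0 0 0 0 0 0 9000000 150000 0 0 0 0 0 0
"""
DEV_T1 = DEV_T0.replace("12000000 200000", "39000000 650000")

# Constructed /proc/net/tcp excerpt: ports are hex (0050 = 80, 0019 = 25).
TCP_SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:0050 00000000:0000 0A 00000000:00000000
   1: 0A0200C0:0050 016433C6:C001 03 00000000:00000000
   2: 0A0200C0:0050 026433C6:C002 03 00000000:00000000
   3: 0A0200C0:0050 036433C6:C003 03 00000000:00000000
   4: 0A0200C0:0019 057100CB:D004 03 00000000:00000000
   5: 0A0200C0:0050 067100CB:D005 01 00000000:00000000
"""

if __name__ == "__main__":
    print("inbound pps:", pps(DEV_T0, DEV_T1, "eth0", 10))
    print("half-open by port:", dict(half_open_by_port(TCP_SAMPLE)))
```

On a live host, pass in the contents of `/proc/net/dev` read twice and of `/proc/net/tcp`. The SYN_RECV count is bounded by the listen backlog, so the packet rate is the better measure of how large a flood is.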

  • @miTgiB just said on IRC the attack that hit his network was around 45,000 pps.

  • Francisco Top Host, Host Rep, Veteran

    @dmmcintyre3 said: @miTgiB just said on IRC the attack that hit his network was around 45,000 pps.

    I've asked awk to triple check what the TCP filtering is doing.

    The attack is slamming away at awknet and only some syn is getting through (quite possible it's legit traffic). I'm waiting on them to confirm why TCP connections aren't completing.

    The flood got through for about 5 - 10 seconds and for sure it was strong. Within a few seconds it went away though.

    Francisco

  • netomx Moderator, Veteran

    no way! buyVM sucks! This forum is about BuyVM or what?

    oh sorry, @taipres demonized me

  • taipres Member
    edited May 2012

    I didn't demonize anyone, Aldryic is on here 24/7 this is indeed BuyVMTalk, which is fine.

  • Spencer Member

    @taipres said: I didn't demonize anyone, Aldryic is on here 24/7 this is indeed BuyVMTalk, which is fine.

    Let's make it PytoHost talk from now on!

  • BuyVM/Awknet seems to have gotten the attack under control.

    Thanked by 1Francisco
  • raindog308 Administrator, Veteran

    Just curious - was someone attacking freevps?

    Someone not happy to wait in line? :-)

  • raindog308 Administrator, Veteran

    @netomx said: oh sorry, @taipres demonized me

    Actually he daemonized you.

    # /etc/init.d/netomxd start
    Starting netomxd                  [OK]
    
    Thanked by 1vedran
  • @raindog308 said: was someone attacking freevps?

    Yes.

  • netomx Moderator, Veteran

    @PytoHost said: Let's make it PytoHost talk from now on!

    Let me make a rage thread about PytoHost

    @raindog308 said: Actually he daemonized you.

    fcuk, can someone

    service netomxd stop

    ? I need to sleep now

    Thanked by 1Francisco
  • raindog308 Administrator, Veteran
    edited May 2012

    @netomx said: fcuk, can someone

    service netomxd stop

    ? I need to sleep now

    If that doesn't work, I will kill -9 you. It won't be pretty:

    http://graphics.stanford.edu/~monzy/KillDashNine.mp3

    Thanked by 2NateN34 Pinoy
  • Francisco Top Host, Host Rep, Veteran

    @dmmcintyre3 said: BuyVM/Awknet seems to have gotten the attack under control.

    I'll refresh the site every few hours and see if I spot anything.

    I'm still a little confused about the TCP flags the flood was carrying.

    Francisco

  • You should be able to handle that with a Gb connected server if you run CSF&LFD, however the standard solusvm doesn't pass enough info to the VM. You can change the IPTABLES variable in /etc/vz/vz.conf however to let the VM handle SYN and PORT flooding.
