Best way to protect your servers from DDoS without buying DDoS protection
Andrei Member
edited April 2015 in Help

Hey,

Just wanted to ask if anybody has any experiences or knowledge about this.

Many thanks,

Andrei

EDIT: Yes I know about Cloudflare

Comments

  • If you're serving a website you can use a reverse proxy, or for a game server you can use a TCP proxy. As for L7, that's up to the application.

  • vfuse Member, Host Rep

    Depends on what kind of attack, but a powerful server and 10gbit uplink helps.

  • You can protect only from low-speed layer 7 attacks... HTTP flood etc.

  • black Member

    Turning off your server is the best way.

  • Amitz Member
    edited April 2015

    @black said:
    Turning off your server is the best way.

    Yeah - but - no - but... ;-)

    Thanked by 1Bochi
  • Me_B Member

    Cloudflare offers a good reverse proxy solution that can help sustain the load.

  • deployvm Member, Host Rep

    You will have no chance of directly protecting your server against high bandwidth attacks (e.g. UDP based). You are limited by your server's bandwidth speed.

    For SYN/TCP attacks, you could do some kernel tweaks (e.g. SYN cookies, number of TCP connections) and configure iptables to reject some SYN requests, but this requires much CPU processing power.

    For application layer attacks (Layer 7), this is dependent on how much server resources you have available. You could configure nginx (best option), use ddos deflate (use a fork on GitHub), limit the number of connections per IP and block bad/invalid requests/headers.

    All of this will only work for small attacks (some requests per second) and your webserver will not possibly be able to handle an attack of hundreds or thousands of requests.

    Your other option is to get hardware-based DDoS mitigation and use that as a reverse proxy or tunnel to your unprotected server. Of course, this will add latency and cause some performance degradation (depending on filter location) but it is the best solution where there is no direct protection.

  • rm_ IPv6 Advocate, Veteran
    edited April 2015

    First of all, http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-enterprise-linux-7-beta/
    even the two commands they list in the beginning will already help a lot.
    After that you could consider deploying SYNPROXY either following the same article further, or this one: https://r00t-services.net/knowledgebase/14/Homemade-DDoS-Protection-Using-IPTables-SYNPROXY.html

    Thanked by 1howardsl2
  • @Me_B said:
    Cloudflare offers a good reverse proxy solution that can help sustain the load.

    The free one won't protect you.

    Thanked by 1k0nsl
  • k0nsl Member
    edited April 2015

    @TinyTunnel_Tom,

    This is what their representatives usually say when asked about it:

    Our goal is to never send traffic through directly, but in rare cases with Free and Pro customers, we do if it's likely to affect other customers. There's no specific number or set limit.

    With Business and Enterprise, there's no limit. We devote the resources necessary to block the attack regardless.

  • AlexBarakov Patron Provider, Veteran

    The best free way is to keep the server unplugged from the network. 100% protection

  • Use the IP 127.0.0.1

  • Use Windows Firewall

    Thanked by 1TinyTunnel_Tom
  • @rm_ said:
    First of all, http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-enterprise-linux-7-beta/
    even the two commands they list in the beginning will already help a lot.
    After that you could consider deploying SYNPROXY either following the same article further, or this one: https://r00t-services.net/knowledgebase/14/Homemade-DDoS-Protection-Using-IPTables-SYNPROXY.html

    In November 2014, we did try SYNPROXY and the other methods from the message above.

    And what do I want to say? It works very well.

    We made GRE tunnels from OVH servers to our game servers.

    Then we enabled AntiDDoS Pro + SYNPROXY.

    If some of the attack goes through the OVH anti-DDoS, we can absorb this attack with our SYNPROXY.

    This is a very good solution if mitigation mode from OVH is not triggered, or the attack is not detected, but you are dying under DDoS.

    Thanked by 1rm_