Comments
If you're serving a website you can use a reverse proxy, or for a game server you can use a TCP proxy. As for L7, that's up to the application.
Depends on what kind of attack, but a powerful server and a 10gbit uplink help.
You can protect only from low speed layer 7 attacks... http flood etc
Turning off your server is the best way.
Yeah - but - no - but... ;-)
Cloudflare offer a good reverse proxy solution, that can help sustaining the load.
You will have no chance of directly protecting your server from high bandwidth attacks (e.g. UDP based). You are limited by the server's bandwidth.
For SYN/TCP attacks, you could do some kernel tweaks (e.g. SYN cookies, number of TCP connections) and configure iptables to reject some SYN requests, but this requires a lot of CPU processing power.
For application layer attacks (Layer 7), this is dependent on how much server resources you have available. You could configure nginx (best option), use ddos deflate (use the fork on GitHub), limit the number of connections per IP and block bad/invalid requests/headers.
All of this will only work for small attacks (some requests per second) and your webserver will not possibly be able to handle an attack of hundreds or thousands of requests.
Your other option is to get hardware-based DDoS mitigation and use that as a reverse proxy or tunnel to your unprotected server. Of course, this will add latency and cause some performance degradation (depending on filter location), but it is the best solution where there is no direct protection.
First of all, http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-enterprise-linux-7-beta/
even the two commands they list in the beginning will already help a lot.
After that you could consider deploying SYNPROXY either following the same article further, or this one: https://r00t-services.net/knowledgebase/14/Homemade-DDoS-Protection-Using-IPTables-SYNPROXY.html
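As an added example (not from the linked articles or from any poster here), a small POSIX shell script that emits the sysctl settings and iptables rules for putting SYNPROXY in front of one TCP service; the interface and port are placeholders passed in by the caller, and the iptables targets used (CT, SYNPROXY) are assumed to be available on the host:

```shell
#!/bin/sh
# Added example: generate (and optionally apply) a SYNPROXY ruleset for one TCP port.
# Assumes iptables with the CT and SYNPROXY targets. Set DRY_RUN=1 to only print
# the commands instead of running them.

# Kernel settings SYNPROXY depends on: SYN cookies and timestamps for the
# cookie handshake, and strict conntrack so mid-stream packets are not picked up.
synproxy_sysctl() {
    cat <<'EOF'
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_timestamps=1
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
EOF
}

# Rules: leave incoming SYNs untracked in the raw table so conntrack allocates
# no state for them, send untracked/invalid packets on the service port to
# SYNPROXY (which answers the handshake on the server's behalf), then drop
# whatever conntrack still considers INVALID.
synproxy_rules() {
    iface="$1"
    port="$2"
    cat <<EOF
iptables -t raw -A PREROUTING -i $iface -p tcp -m tcp --syn --dport $port -j CT --notrack
iptables -A INPUT -i $iface -p tcp -m tcp --dport $port -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -i $iface -m conntrack --ctstate INVALID -j DROP
EOF
}

# Sanity check helper: how many generated rules jump to SYNPROXY.
synproxy_rule_count() {
    synproxy_rules "$1" "$2" | grep -c -- '-j SYNPROXY'
}

# Print the full command set, or feed it to sh (as root) when DRY_RUN is not 1.
synproxy_apply() {
    iface="$1"
    port="$2"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        synproxy_sysctl
        synproxy_rules "$iface" "$port"
    else
        synproxy_sysctl | sh
        synproxy_rules "$iface" "$port" | sh
    fi
}
```

Run as `DRY_RUN=1 ./synproxy.sh` style usage by calling `synproxy_apply eth0 80` from your own script; flush the rules from the raw and filter tables first if you re-run it.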
The free one won't protect you,
@TinyTunnel_Tom,
This is what their representatives usually say when asked about it:
The best free way is to keep the server unplugged from the network. 100% protection
use the ip 127.0.0.1
Use windows firewall
In November 2014, we did try synproxy and other methods from the message above.
And what do I want to say? It works very well.
We did make GRE tunnels from OVH servers to our game servers.
Then we did enable AntiDDoS Pro + synproxy.
If some of the attack gets through OVH anti-DDoS, we can absorb this attack with our syn-proxy.
This is a very good solution if mitigation mode from OVH is not triggered, or the attack is not detected, but you are dying under DDoS.