Home server DDOS protection

Hello,

I have a server at home and I'm looking for the best way to have DDoS protection. I have a 110/30Mb speed and that is too slow for a DDoS attack.

Is there a way that my MBs travel to another server that has DDoS protection?

Comments

  • You could set up some kind of a reverse proxy/constant on VPN on your router. Other than that, nope.

    Thanked by 1ewrek
  • Get a server in a place that can offer you DDoS protection. Don't run a server on residential.

  • @joodle said:
    You could setup some kind of a reverse proxy/constant on VPN on your router. Other than that, nope.

    My router is too slow for a VPN. On the same server is also an option, right? Can you recommend a VPN provider?

  • @ewrek said:

    @joodle said:
    You could setup some kind of a reverse proxy/constant on VPN on your router. Other than that, nope.

    My router is too slow for a VPN. On the same server is also an option, right? Can you recommend a VPN provider?

    Well, get a server at OVH and set up a VPN server on it, and make sure it's 24/7 connected to your server. Also, port forward the ports used on your "home" server.

    Although I would not host anything on 30Mbps upload, I assume you're on DSL/VDSL?

    Thanked by 1ewrek
  • @joodle said:

    @ewrek said:

    @joodle said:
    You could setup some kind of a reverse proxy/constant on VPN on your router. Other than that, nope.

    My router is too slow for a VPN. On the same server is also an option, right? Can you recommend a VPN provider?

    Well, get a server at OVH and setup a VPN server on it, and make sure it's 24/7 connected to your server. Also, port forward the ports used on your "home" server.

    Although I would not host anything on 30Mbps upload, I assume you're on DLS/VDSL?

    Yes, I have VDSL and the maximum speed that I can have :(.

    I don't host important things like email on my home server, but I want to prepare myself for the doom scenario.

    Do I need high-end hardware for a VPN server, or is the basic VPS of €2.99 great?

  • @ewrek said:

    @joodle said:

    @ewrek said:

    @joodle said:
    You could setup some kind of a reverse proxy/constant on VPN on your router. Other than that, nope.

    My router is too slow for a VPN. On the same server is also an option, right? Can you recommend a VPN provider?

    Well, get a server at OVH and setup a VPN server on it, and make sure it's 24/7 connected to your server. Also, port forward the ports used on your "home" server.

    Although I would not host anything on 30Mbps upload, I assume you're on DLS/VDSL?

    Yes i have VDSl and the maximum speed that i can have :(.

    I dont host important things like email on my home server, but i want to prepare my self for the doom scenario.

    Need i High-end hardware for a VPN server or is the basic VPS of €2.99 great?

    Well, how much bandwidth do you think you're going to use? Also, what are you hosting? Is it open for public or is it just available to yourself?

    You are probably better off getting a small server and hosting the things you want on there. What if you have a power outage, or what if your ISP is having a cable cut, etc.?

    If you want to max out 100Mbps you should get a server with a bit more than 200Mbps (overhead) because a VPN will double the bandwidth used on the server's end.

  • Clouvider Member, Patron Provider

    Wouldn't it be just easier to buy a server wherever you need to buy it instead of buying a server just to tunnel stuff? It doesn't make much sense

  • @Clouvider said:
    Wouldn't it be just easier to buy a server wherever you need to buy it instead of buying server just to tunnel stuff ? It doesn't make much sense

    Well, an i5 and 16GB RAM and 3TB is not cheap to rent.

    @joodle said:

    @ewrek said:

    @joodle said:

    @ewrek said:

    @joodle said:
    You could setup some kind of a reverse proxy/constant on VPN on your router. Other than that, nope.

    My router is too slow for a VPN. On the same server is also an option, right? Can you recommend a VPN provider?

    Well, get a server at OVH and setup a VPN server on it, and make sure it's 24/7 connected to your server. Also, port forward the ports used on your "home" server.

    Although I would not host anything on 30Mbps upload, I assume you're on DLS/VDSL?

    Yes i have VDSl and the maximum speed that i can have :(.

    I dont host important things like email on my home server, but i want to prepare my self for the doom scenario.

    Need i High-end hardware for a VPN server or is the basic VPS of €2.99 great?

    Well, how much bandwidth do you think you're going to use? Also, what are you hosting? Is it open for public or is it just available to yourself?

    You are probably better off getting a small server and host the things you want on there. What if you have a power outage, or what if your ISP is having a cable cut etc.

    If you want to max out 100Mbps you should get a server with a bit more than 200Mbps (overhead) because a VPN will double the bandwidth used on the server's end.

    I use it most of the time for a Linux server with ownCloud for myself and some friends. Most of the bandwidth goes to the server, so I need 200Mbps.

  • Clouvider Member, Patron Provider

    @ewrek yeah, but having 200Mbps bandwidth on 30Mbps connection is kinda physically impossible too.

  • @Clouvider said:
    @ewrek yeah, but heaving 200Mbps bandwidth on 30Mbps connection is kinda physically impossible too.

    I have 100 Mbps down and if that connection goes to a VPS with a VPN is it 100Mbps+100Mbps when I upload a file to my home server.

  • Clouvider Member, Patron Provider

    30 up, so when you download from it you'll have some time to brew a tea ;-)

  • @Clouvider said:
    30 up, so when you download from it you'll have some time to brew a tea ;-)

    Upload is Download for the server ;)

  • @ewrek said:

    @Clouvider said:
    @ewrek yeah, but heaving 200Mbps bandwidth on 30Mbps connection is kinda physically impossible too.

    I have 100 Mbps down and if that connection goes to a vps with a vpn is it 100Mbps+100Mbps when i upload a file to my home server.

    When someone is uploading a file to your server, they can max out 100Mbps if their upload is or exceeds 100Mbps

    If someone is downloading a file from your server, they can max out a maximum speed of 30Mbps which makes it ~60Mbps (plus some overhead) on your VPN server.

  • AlexBarakov Patron Provider, Veteran

    Is your residential ISP okay with you hosting stuff on it?

    And i5 with 16GB of RAM is 22 euros at OVH. Probably less than what you pay for this connection.

  • AlexBarakov said: Is your residential ISP okey with you hosting stuff on it?

    I guess he's living in The Netherlands and his ISP is KPN (correct me if I'm wrong @ewrek)

    They're okay with this, Dutch providers don't really care what their customers are using their network for.

  • ewrek Member
    edited December 2016

    @AlexBarakov said:
    Is your residential ISP okey with you hosting stuff on it?

    And i5 with 16GB of RAM is 22 euros at ovh. Probably less then what you pay for this connection.

    €22 a month is too much for me as a student, so I work with what I have. (I don't pay for electric and Ethernet)

    @joodle said:

    AlexBarakov said: Is your residential ISP okey with you hosting stuff on it?

    I guess he's living in The Netherlands and his ISP is KPN (correct me if i'm wrong @ewrek)

    They're okay with this, dutch providers don't really care what their customers are using their network for.

    Yes and yes, are you spying on me :p? (unplugs his webcam)

  • ewrek said: Yes and yes i live are you spying me :p? (unplugs his webcam)

    Was just a guess because of the 110/30 internet speed haha. Only provider that's currently providing that is KPN. Also, VDSL is something KPN uses a lot :P

  • SplitIce Member, Host Rep

    The most important question is do you have a static IP?

    Everything becomes a lot more difficult if the IP is dynamic.

  • joepie91 Member, Patron Provider

    Are you sure it makes sense to host it at home? Keep in mind the power costs in particular, which aren't exactly low in the Netherlands.

  • rm_ IPv6 Advocate, Veteran

    SplitIce said: Everything becomes a lot more difficult if the IP is dynamic.

    If you run a VPN to your actual dedi or VPS for DDoS filtering, it doesn't. Most VPN systems don't care if a client has a changing IP.

  • Harambe Member, Host Rep

    OpenVPN server on VPS, OpenVPN client on your dedi at home. VPS port forwards from public interface to static OpenVPN client IP, i.e. xx.xx.xx.xx:80 -> 10.8.0.x:80. Local server is set up to listen on VPN IP (10.8.0.x).

    But if an attack leaks, your home internet will go down, so there's that.

  • CloudFlare? Back-end IP will be hidden and you can enable "UAM" for extra protection, even though that's easily bypassed but still better than nothing.
    You can use their API to update your IP every time it changes if it's dynamic.

  • Clouvider Member, Patron Provider

    @Harambe said:
    OpenVPN server on VPS, OpenVPN client on your dedi at home. VPS port forwards from public interface to static OpenVPN client IP. ie. xx.xx.xx.xx:80 -> 10.8.0.x:80. Local server is setup to listen on VPN IP (10.8.0.x).

    But if an attack leaks your home internet will go down, so there's that.

    And I'm pretty sure the ISP will at some point notice the leaks and prevent them at the OP's expense for the good of other Clients.

  • Harambe Member, Host Rep

    @Clouvider said:
    And I'm pretty sure the ISP will at some point notice the leaks and prevent them at the OP's expense for the good of other Clients.

    You'd probably kill the VPN connection before anything too bad happens though, can also rate limit the connection on the tun device to the max your line can handle, so worst case you're pulling your standard port speed. Depends on the attack type though I guess.

    Either way, I wouldn't host anything DDoS-worthy from a residential connection, tunnel or not.. that stuff sticks with providers who have DDoS protection and quality networking gear to handle this stuff.

    Thanked by 1Clouvider
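
The VPS-side half of the setup described in the two posts above (public port forwarded to the home server's VPN address, plus a rate cap on the tun device), written out as an added example; it is not code from the thread. The interface names `eth0` and `tun0`, the client address `10.8.0.2` and the 100 Mbit cap are assumed values.

```sh
#!/bin/sh
# Prints (does not apply) the VPS-side commands; review them, then run as root.
# Assumed values: eth0 = VPS public interface, tun0 = OpenVPN device,
# 10.8.0.2 = fixed VPN address of the home server (constructed).

render_rules() {
    local pub_if="$1" tun_if="$2" vpn_ip="$3" port="$4" rate="$5" host v

    # The output is meant to be executed, so reject anything that is not a
    # plain interface name, a plain number, or a 10.8.0.x client address.
    case "$pub_if$tun_if" in ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1;; esac
    for v in "$port" "$rate"; do
        case "$v" in ''|*[!0-9]*) echo "not a number: $v" >&2; return 1;; esac
    done
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] && [ "$rate" -ge 1 ] || {
        echo "port or rate out of range" >&2; return 1; }
    case "$vpn_ip" in 10.8.0.*) host="${vpn_ip#10.8.0.}" ;; *) host="" ;; esac
    case "$host" in ''|*[!0-9]*) echo "VPN address must be 10.8.0.x" >&2; return 1;; esac
    # .1 is the server itself in OpenVPN's sample 10.8.0.0/24 setup
    [ "$host" -ge 2 ] && [ "$host" -le 254 ] || {
        echo "VPN address must be 10.8.0.2-254" >&2; return 1; }

    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $pub_if -p tcp --dport $port -j DNAT --to-destination $vpn_ip:$port
iptables -A FORWARD -i $pub_if -o $tun_if -p tcp -d $vpn_ip --dport $port -j ACCEPT
iptables -A FORWARD -i $tun_if -o $pub_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $tun_if -p tcp -d $vpn_ip --dport $port -j MASQUERADE
tc qdisc replace dev $tun_if root tbf rate ${rate}mbit burst 256kb latency 50ms
EOF
}

# Stand-alone use: ./forward.sh eth0 tun0 10.8.0.2 80 100
if [ "$#" -eq 5 ]; then render_rules "$@"; fi
```

The MASQUERADE rule makes replies return through the tunnel without extra routing at home, at the cost that the home server logs the VPS's VPN address instead of the real client. The `tbf` cap limits what the VPS pushes into the tunnel, so traffic beyond the home line's capacity is dropped on the VPS instead of on the VDSL link.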
  • ewrek Member
    edited December 2016

    @SplitIce said:
    The most important question is do you have a static IP?

    Everything becomes alot more difficult if the IP is dynamic.

    It is a static IP

    @Four20 said:
    CloudFlare? Back-end IP will be hidden and you can enable "UAM" for extra protection, even though that's easily bypassed but still better than nothing.
    You can use their API to update your IP every time it changes if it's dynamic.

    CloudFlare looks great but is the free version too basic or good?

    @Harambe said:

    @Clouvider said:
    And I'm pretty sure the ISP will at some point notice the leaks and prevent them at the OP's expense for the good of other Clients.

    You'd probably kill the VPN connection before anything too bad happens though, can also rate limit the connection on the tun device to the max your line can handle, so worst case you're pulling your standard port speed. Depends on the attack type though I guess.

    Either way, I wouldn't host anything DDoS-worthy from a residential connection, tunnel or not.. that stuff sticks with providers who have DDoS protection and quality networking gear to handle this stuff.

    For now a VPS with a VPN Server looks the best option. OVH offers for €2.99 a 100Mbps line and https://www.ovh.nl/vps/vps-ssd.xml Is this the best option?

  • Yeah the free plan is decent.

  • oneilonline Member, Host Rep

    @ewrek said:
    Hello,

    I have a server home and i looking for the best way to have DDOS protection. I have a 110/30Mb speed and that is to slow for a DDos attack.

    Is there a way that my MB's travel to a other server that has DDos protection?

    Typically your residential ISP will be the one to mitigate any DDOS attack. I would recommend you to contact them to inquire about why they haven't mitigated any DDOS attack, but then that may lead them to inquire as to why you are getting attacked, which would then lead to you revealing you're hosting a server at home when this is in violation of their TOS, maybe?

    Unless you have a business ISP to your home, then yes, DDOS protection would be required. DDOS protection isn't cheap when it comes to an inline service. You'll likely be better off and cheaper hosting the server at a datacenter that offers DDOS protection.

  • @SplitIce said:
    The most important question is do you have a static IP?

    Everything becomes alot more difficult if the IP is dynamic.

    No it doesn't, there's tons of Dynamic DNS type things like no-ip or dyndns ... There's also Cloudflare and its nifty API that you can easily make a bash script for..

    Here's one I prepared earlier, it gets the IP from icanhazip.com, sends you a Pushbullet notification that it's changed (if you need it) and updates Cloudflare's DNS entry on that domain, you can single out A records on the API too.

    This was made last year and may not work with the current API, I haven't used it in a while..

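    #!/bin/bash
    
    # Look up the current public IP (-s hides curl's progress meter)
    IP=$(curl -s https://icanhazip.com/)
    
    #### Pushbullet ####
    
    # Send the address as a note; PBAPIKEY is a placeholder for your access token
    curl -u PBAPIKEY: https://api.pushbullet.com/v2/pushes \
            -d "type=note" \
            -d "title=IP UPDATE" \
            -d "body=$IP"
    
    #### Update domain on cloudflare.com ####
    
    # Legacy Cloudflare client API call, kept as posted; a=rec_load_all requests
    # the zone's DNS records. TOKEN, EMAIL and domainname.com are placeholders.
    curl https://www.cloudflare.com/api_json.html \
      -d 'a=rec_load_all' \
      -d 'tkn=TOKEN' \
      -d 'email=EMAIL' \
      -d 'z=domainname.com'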
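
A change-aware version of the updater described in the post above, added here as an example and not the poster's script: it validates the reply from the IP service before it can reach DNS and only calls Cloudflare when the address differs from the last one written. It assumes Cloudflare's v4 DNS record endpoint; `ZONE_ID`, `RECORD_ID`, `RECORD_NAME`, `CF_API_TOKEN` and the state file path are placeholders to supply.

```sh
#!/bin/sh
# Placeholders (assumptions): export ZONE_ID, RECORD_ID, RECORD_NAME and
# CF_API_TOKEN before running with --apply.
STATE_FILE=${STATE_FILE:-/var/tmp/ddns_last_ip}

valid_ipv4() {
    # Accept only four dot-separated decimal octets in 0..255, so a captive
    # portal page or an error body can never be written into the DNS record.
    local ip="$1" n=0 o
    local IFS=.
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1;; esac
    for o in $ip; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

ip_changed() {
    # True when $1 differs from the address stored after the last good update.
    [ ! -f "$STATE_FILE" ] || [ "$(cat "$STATE_FILE")" != "$1" ]
}

update_record() {
    # Overwrite the A record; proxied=true keeps the origin behind Cloudflare,
    # ttl=1 means "automatic". The token only needs DNS edit rights on the zone.
    curl -fsS -X PUT \
        "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$RECORD_ID" \
        -H "Authorization: Bearer $CF_API_TOKEN" \
        -H "Content-Type: application/json" \
        --data "{\"type\":\"A\",\"name\":\"$RECORD_NAME\",\"content\":\"$1\",\"ttl\":1,\"proxied\":true}"
}

main() {
    ip=$(curl -fsS --max-time 10 https://icanhazip.com/) || return 1
    valid_ipv4 "$ip" || { echo "unexpected reply from IP service" >&2; return 1; }
    ip_changed "$ip" || return 0          # nothing to do, no API call made
    update_record "$ip" >/dev/null && printf '%s\n' "$ip" > "$STATE_FILE"
}

# Network calls happen only when explicitly requested (e.g. from cron).
if [ "${1:-}" = "--apply" ]; then main; fi
```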
    
  • SplitIce Member, Host Rep

    @ATHK said:

    @SplitIce said:
    The most important question is do you have a static IP?

    Everything becomes alot more difficult if the IP is dynamic.

    No it doesn't, there's tons of Dynamic DNS type things like no-ip or dyndns ... There's also Cloudflare and it's nifty API that you can easily make a bash script for..

    Well, that's more complicated than just an IP. More possible failures too.

    Anyway I was primarily referring to issues if you want to do anything more complete than an HTTP reverse proxy (i.e. a TCP or UDP RP, Tunnel, or BGP + Tunnel).

    This, and Cloudflare is HTTP(s) only.

  • If it's for file hosting & owncloud, you can get cheap storage vps from providers that advertise here. And also of course, cheap dedis from OVH/Hetzner. Plop some reverse proxy/gre tunnel from a low end provider if DDOS is a real thing and voila - cheap ghetto ddos protected file/media server 24/7
