How do you protect your machines from DDOS?

Hey guys,

I wanted to know how you guys protect your different machines from DDOS for example if it’s self-hosted I know a lot of providers do IP forwarding via AWS for example. But what would be the best practice for it?

By my side, I use multiple defence scripts I founded on GitHub at first and I am looking at this project for example : GitHub - AltraMayor/gatekeeper: First open source DDoS protection system and of course ip forwading for the moment.

What do you think?

1 Like

I think if DDOS packets are reaching your machine, then you’re already screwed. DDOS protection via software is good and all and might even help in some low-volume attacks and perhaps some targeted L7 attacks, but if you get a udp flood or something similar, you need an anti-DDOS hardware device to actually have a chance at mitigating it.

Software DDOS protection is going to get overloaded quick trying to inspect and process all the traffic, let alone if your port can handle that rate of traffic anyway.

tldr - software DDOS protection might help small attacks, but any serious attack is going to need hardware to mitigate it. Pick a provider that has decent DDOS protection hardware and you’ll be good.

3 Likes

In my view, you can mitigate small attacks with software solutions like iptables, this can work quite well if you have a good system. For everything that’s bigger than your port size or what your network card can handle (packet size is the issue) you will need some external stuff.

You could go with Corero or some other Application (or even build your own) but, you will need some serious bandwidth and compute power, talking multiple 10 to 100G. And even that will break at a certain point, Cloudflare wrote an article about that: No Scrubs: The Architecture That Made Unmetered Mitigation Possible

If you run your own network, you can do flowspec and the like and try to mitigate it at the upstream level. But, this will require quite some work too.

Honestly, if you have your own Network, the easiest solution in most cases is just to get some decent DDoS protection from Voxility, Magic Transit or whoever is near you and let them handle the problem. If you have your services with the Datacenter, they probably have an option for DDoS protection that will serve you well in most cases.

3 Likes

I see the problem here is always their pricing. Because Hetzner current protection is really shitty… I tought about tunneling thing between server but yeah going from srv1 -> to srv2 for gaming for exemple it’s not acceptable for the ping.

A lot of solution exsists but for some reason there isn’t any “cheap” solutions to at least start. I mean of course it has a cost to stop such an attack but yeah…

P̶r̶o̶v̶i̶d̶e̶r̶ ̶w̶i̶t̶h̶ ̶i̶n̶-̶h̶o̶u̶s̶e̶ ̶p̶r̶o̶t̶e̶c̶t̶i̶o̶n̶ ̶s̶h̶o̶u̶l̶d̶ ̶b̶e̶ ̶b̶e̶s̶t̶ ̶f̶o̶r̶ ̶i̶t̶,̶ ̶l̶i̶k̶e̶ ̶O̶V̶H̶?̶
Didnt read self-hosted

It depends but since a part is. But OVH problem is the pricing and they don’t have machine with Ryzen CPU for exemple. And with the recent outage… i don’t really trust them, their support is not awesome really not a lot of good points except their awesome ddos protection

Hetzner’s DDOS protection has been incredible for MXroute.

6 Likes

Oh oh oh oh finnaly someone saying it’s positive could you elaborate for me C: ?

Since I moved over to their service I haven’t had an outage on a server there for that reason. When I’ve been notified of inbound attacks hitting me, not even a single monitor went off on my side. I’m not a huge target but no stranger to attacks. Granted, and this may be important, attacks as a whole have been less frequent ever since hackforum took down their booter market.

3 Likes

They do have Ryzens now, but I don’t know if they come with the Gaming Anti-DDoS.

Really great news i will still look a bit for ddos protection but it’s really a good point to hear someone saying it works.

3 Likes

‘Free’ DDoS protection you get with hosting providers will work if you have a basic attack. Usually they handle Amplification quite well for example as mitigating these can be as simple as a ACL or ACL ratelimit.

It’s when you get something non-standard, hybrid or your requirements get more complex (e.g DDoS protection of a public DNS server) that these mitigation systems fail. And honestly considering the price you are paying for them, what do you expect? It’s not economical for a company making $5-15/m from your dedicated server to task an engineer for hours to build a rule and monitor for a custom attack - on top of paying for the bandwidth.

Honestly OVH’s network is one of my least favorite networks. It’s the only network where I have seen internal pings of nearly 200ms (with a route within the same city) and that has a mitigation system that has regular false positives and with a support team unable to make any changes.

Disclaimer: I own X4B a mitigation company.

3 Likes

Same here. I’ve only gotten a few DDoS notifications, but none of my monitoring has seen it down. It’s just Minecraft on them, so it’s not something hard to protect anyway.

2 Likes

Oh your plans are really intressting. How does it works exactly to connect to you is it ipforwarding?

@Poli GRE Tunnel (or IP-in-IP) or Reverse Proxy.

See An explanation of backend Port types :: X4B for the different options available.

2 Likes

Honestly, I only use iptables and some help from the IDC when my server is attack by ddos. I find ransomware much scarier.

1 Like

iptables

For self-hosted your best bet might be a proxy of some sort. It would depend on what sort of attacks you see (i.e. volumetric attacks vs something like layer 7 attacks require totally different approaches even though both fall under the blanket term of DDOS).

Is there a specific kind of DDOS attack that you see or anticipate?

Well it’s mainly layer 7 i think since it will be on game servers.

I just saw a little article in the Apache wiki for the DDOS can be intressting Security Tips - Apache HTTP Server Version 2.5

Maybe try something like a reverse proxy?