Simple Machines Community Forum

SMF Support => Server Performance and Configuration => Topic started by: wynnyelle on January 13, 2013, 09:50:24 PM

Title: DDoS Protection needed
Post by: wynnyelle on January 13, 2013, 09:50:24 PM
So my site has become the recent target of malicious denial of service attacks. I'm looking into what I can do to at least have SOME kind of layer of protection for it. Where would I even start?
Title: Re: DDoS Protection needed
Post by: Kill Em All on January 13, 2013, 10:19:08 PM
Have you looked at cloudflare? I personally can't say I have any experience with it, but I have heard good things about it.
http://www.cloudflare.com/

Your host might be able to set something up themselves too.
Title: Re: DDoS Protection needed
Post by: CoreISP on January 13, 2013, 11:06:05 PM
CloudFlare != DDoS protection.
It's unfortunately not an uncommon misconception and it actually goes for all the CDNs really.

So people can have a more in-depth analysis of why CloudFlare isn't a true DDoS protection by default and not comparable to hw based equipment at any time:
1.) To kick it off, the free version offers 0.0% DDoS mitigation. You have to look at the business class as an entry-level to be eligible for their DDoS protection.
2.) Even with the DDoS protection, you are facing multiple problems:
  1.) CloudFlare only mitigates attacks that come through their IPs, as such:
  2.) If the real IP of the server is discovered, CloudFlare is taken out of the equation = no protection.
  3.) By default, a CloudFlare setup makes it child's play to get the real IP = See 2.2
  4.) By using CloudFlare, even while you took some steps to ensure the real IP cannot be found easily, you are still only protected for the http front-end. Attacker signing up at forum: get welcome email = hello real IP! == See 2.2
  5.) Unfortunately, sometimes CloudFlare passes along your real IP for DMCA purposes; whether the requests are legit or not, making you end up at: See 2.2.

That means that in order to get any protection from CloudFlare at all you:
1.) Cannot use the free version, at least the entry business model is mandatory
2.) Need to take multiple steps, both on CloudFlare as on the server, to make sure the IP will be far more difficult to obtain than usual (And that doesn't even include old historical records that can be found on the internet...) though I don't dare say it's 100%, it's not unheard of that it's been found regardless.
3.) Can no longer use your own server(s) to send out email; it must be loaded off to a third party or server on another range. (Depending on the volume, that may again also imply extra costs.)
4.) For protection's sake, using easy subdomains to connect to stuff like FTP will be out of the question. (Though not really problematic...)
And last but not least, 5.) See previous list, point 2.2 ;)

On a sidenote, keep in mind that SSL needs some changing around as well and requires the use of CloudFlare as "Man in the Middle" for your encrypted traffic to pass through. Naturally, connecting directly to the server's SSL will result in: see previous list, point 2.2. :P

Real DDoS protection cannot be offered for free nor is CloudFlare a true anti-DDoS mechanism that can be compared to hardware + network level equipment, it will mitigate it yes but ways that can take CloudFlare out of the equation make you end up with no protection and thus losing your money and uptime regardless if that situation occurs.
True DDoS protection, for as far as that's possible and usually also limited to x amount of gbps and/or packets per second to be mitigated, will not cost you less than $1000 USD per month per server and even that is actually acceptably cheap. For example if you intend to block a 10Gbit/sec attack, don't expect to be done with a mere $1k a month. On top of it all, one might still be charged for some, and sometimes even all, traffic that is generated...

In conclusion, while CloudFlare's paid version may help after making multiple rather aggressive changes to the server setup and making damn sure you change CloudFlare's default setup and may do its job well, especially for the prices, the guarantees you have are absolutely zero point zero. (Get what you pay for (TM))
It all boils down to the IP, if that has once been found; moving to a whole new set is mandatory and naturally figuring out how they obtained it is, otherwise you can keep playing hide and seek forever.
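
An added example, not part of CoreISP's post or of any CloudFlare tooling: a self-audit for two of the leak paths listed above, namely subdomains that point straight at the origin and outgoing mail whose headers carry the origin address. The hostnames, addresses, zone data and the sample welcome mail are constructed for illustration; only IPv4 is handled.

```python
import email
import ipaddress
import re

# Constructed: the server's real (origin) address that should stay hidden.
ORIGIN_IPS = {ipaddress.ip_address("203.0.113.10")}

# Constructed zone data: (name, record type, value, proxied through the CDN?)
ZONE = [
    ("www.example.org", "A", "203.0.113.10", True),
    ("ftp.example.org", "A", "203.0.113.10", False),
    ("mail.example.org", "A", "198.51.100.25", False),
    ("example.org", "MX", "mail.example.org", False),
]

# Constructed welcome mail as a recipient would receive it.
WELCOME_MAIL = """\
Received: from web01.example.org (web01.example.org [203.0.113.10])
\tby mx.recipient.example with ESMTP id abc123; Sun, 13 Jan 2013 22:00:00 +0000
X-Originating-IP: 203.0.113.10
From: forum@example.org
To: newuser@recipient.example
Subject: Welcome to the forum

Thanks for registering.
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # IPv4 candidates only

def exposed_dns_names(zone, origin_ips):
    """Names whose A record resolves to the origin without passing the proxy."""
    return [name for name, rtype, value, proxied in zone
            if rtype == "A" and not proxied
            and ipaddress.ip_address(value) in origin_ips]

def exposed_mail_headers(raw, origin_ips):
    """Header names of an outgoing message that contain an origin address."""
    hits = []
    for header, value in email.message_from_string(raw).items():
        for candidate in IP_RE.findall(value):
            try:
                if ipaddress.ip_address(candidate) in origin_ips:
                    hits.append(header)
                    break
            except ValueError:  # e.g. 999.1.1.1 matched the regex
                continue
    return hits

if __name__ == "__main__":
    print("DNS names exposing origin:", exposed_dns_names(ZONE, ORIGIN_IPS))
    print("Mail headers exposing origin:", exposed_mail_headers(WELCOME_MAIL, ORIGIN_IPS))
```
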
Title: Re: DDoS Protection needed
Post by: wynnyelle on January 13, 2013, 11:19:28 PM
thank you so much for clearing that up!!

now can anyone point me in the right direction?
Title: Re: DDoS Protection needed
Post by: mashby on January 13, 2013, 11:26:06 PM
All I did was Google "DDoS Protection"
and this one was paying for Google ads and also was #3 on the list of normal results:
http://www.prolexic.com/
Not sure it's the right direction, but it might be.
Title: Re: DDoS Protection needed
Post by: CoreISP on January 13, 2013, 11:31:57 PM
All I did was Google "DDoS Protection"
and this one was paying for Google ads and also was #3 on the list of normal results:
http://www.prolexic.com/
Not sure it's the right direction, but it might be.

It sure is, if you have deep pockets. :)
Prolexic services start around $4k per month.
Title: Re: DDoS Protection needed
Post by: Kill Em All on January 13, 2013, 11:46:24 PM
Very interesting, thank you so much for correcting me on that CoreISP. On that note, I really have no other suggestions besides asking your host unless CoreISP has a suggestion.
Title: Re: DDoS Protection needed
Post by: wynnyelle on January 14, 2013, 12:33:07 AM
CoreISP is my host :)

I highly recommend him too.
Title: Re: DDoS Protection needed
Post by: Kill Em All on January 14, 2013, 01:16:31 AM
Well that's convenient. :P
Title: Re: DDoS Protection needed
Post by: vpn on January 15, 2013, 12:52:01 PM
If the attack is not too large you can try staminus.net (http://www.staminus.net/WHT) (I am not related to them I just saw their offer at WHT)
Title: Re: DDoS Protection needed
Post by: Storman™ on January 15, 2013, 04:04:04 PM
I agree with CoreISP, essentially you can't stop a full blown DDoS attack on your own, you can only manage it, and then you really need the intervention of your hosting company to essentially filter the "nasty" traffic out, and more some. That's going to cost upwards of $1000 a month at least unfortunately (and in most cases several thousand dollars a month). Essentially cost is related to how many packets are heading your way, and we're talking millions per second, so the intervention required is not a piece of simple software.

Unless you are a well-heeled corporation with deep pockets then you can't really stop one I'm afraid.  ???
Title: Re: DDoS Protection needed
Post by: Colin on January 15, 2013, 04:39:06 PM
Unless you are a well-heeled corporation with deep pockets then you can't really stop one I'm afraid.  ???
And that is exactly why they are so widespread.
Title: Re: DDoS Protection needed
Post by: Kindred on January 17, 2013, 07:51:41 PM
you could ask Butchs to help you configure the forum firewall mod...
Title: Re: DDoS Protection needed
Post by: Night09 on January 17, 2013, 08:14:28 PM
If Core is the host, can it be confirmed it's a DDoS and have the attacking IPs been logged?
Title: Re: DDoS Protection needed
Post by: CoreISP on January 18, 2013, 02:30:44 PM
Forum firewall mod gives zero protection against DDoS.

@Nightbre:
Yes, it was a ddos of approximately 3.5Gbit/sec.
Title: Re: DDoS Protection needed
Post by: Night09 on January 18, 2013, 08:37:17 PM
Forum firewall mod gives zero protection against DDoS.

@Nightbre:
Yes, it was a ddos of approximately 3.5Gbit/sec.

If you have the IPs you can report it to homeland security and they will investigate it.  That amount of DDoS hitting me would certainly drop my server. :P