DDoS Protection needed

Started by wynnyelle, January 13, 2013, 09:50:24 PM

wynnyelle

So my site has become the recent target of malicious denial of service attacks. I'm looking into what I can do to at least have SOME kind of layer of protection for it. Where would I even start?

Kill Em All

Have you looked at cloudflare? I personally can't say I have any experience with it, but I have heard good things about it.
http://www.cloudflare.com/

Your host might be able to set something up themselves too.


My Site: KEAGaming.com

Manual Installation of Mods
Prevent Spam and Forum Attacks
Please do not PM or email me for support unless offered, help should be publicly displayed to others.

LiroyvH

CloudFlare != DDoS protection.
It's unfortunately not an uncommon misconception and it actually goes for all the CDNs really.

So people can have a more in-depth analysis of why CloudFlare isn't a true DDoS protection by default and not comparable to hw-based equipment at any time:
1.) To kick it off, the free version offers 0.0% DDoS mitigation. You have to look at the business class as an entry-level to be eligible for their DDoS protection.
2.) Even with the DDoS protection, you are facing multiple problems:
  1.) CloudFlare only mitigates attacks that come through their IPs, as such:
  2.) If the real IP of the server is discovered, CloudFlare is taken out of the equation = no protection.
  3.) By default, a CloudFlare setup makes it child's play to get the real IP = See 2.2
  4.) By using CloudFlare, even while you took some steps to ensure the real IP cannot be found easily, you are still only protected for the http front-end. Attacker signing up at forum: get welcome email = hello real IP! == See 2.2
  5.) Unfortunately, sometimes CloudFlare passes along your real IP for DMCA purposes; whether the requests are legit or not, making you end up at: See 2.2.

That means that in order to get any protection from CloudFlare at all you:
1.) Cannot use the free version, at least the entry business model is mandatory
2.) Need to take multiple steps, both on CloudFlare and on the server, to make sure the IP will be far more difficult to obtain than usual (And that doesn't even include old historical records that can be found on the internet...) though I don't dare say it's 100%, it's not unheard of that it's been found regardless.
3.) Can no longer use your own server(s) to send out email; it must be loaded off to a third party or server on another range. (Depending on the volume, that may again also imply extra costs.)
4.) For protection's sake, using easy subdomains to connect to stuff like FTP will be out of the question. (Though not really problematic...)
And last but not least, 5.) See previous list, point 2.2 ;)

On a sidenote, keep in mind that SSL needs some changing around as well and requires the use of CloudFlare as "Man in the Middle" for your encrypted traffic to pass through. Naturally, connecting directly to the server's SSL will result in: see previous list, point 2.2. :P

Real DDoS protection cannot be offered for free nor is CloudFlare a true anti-DDoS mechanism that can be compared to hardware + network level equipment, it will mitigate it yes but ways that can take CloudFlare out of the equation make you end up with no protection and thus losing your money and uptime regardless if that situation occurs.
True DDoS protection, for as far as that's possible and usually also limited to x amount of gbps and/or packets per second to be mitigated, will not cost you less than $1000 USD per month per server and even that is actually acceptably cheap. For example if you intend to block a 10Gbit/sec attack, don't expect to be done with a mere $1k a month. On top of it all, one might still be charged for some, and sometimes even all, traffic that is generated...

In conclusion, while CloudFlare's paid version may help after making multiple rather aggressive changes to the server setup and making damn sure you change CloudFlare's default setup and may do its job well, especially for the prices, the guarantees you have are absolutely zero point zero. (Get what you pay for (TM))
It all boils down to the IP, if that has once been found; moving to a whole new set is mandatory and naturally figuring out how they obtained it is, otherwise you can keep playing hide and seek forever.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.
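
The leak paths named in the post above (subdomains that resolve straight to the server, and mail sent from the server itself) can be audited on your own setup. The following is an added example, not part of the original thread; the zone export, welcome mail, hostnames and address ranges are constructed placeholders (documentation ranges), and only IPv4 is handled.

```python
import ipaddress
import re
from email import message_from_string

# Constructed values: documentation address ranges stand in for real ones.
ORIGIN_IPS = {ipaddress.ip_address("203.0.113.10")}     # server behind the proxy
PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # proxy edge range

# Constructed zone export: (name, type, value)
ZONE = [
    ("www.example.org", "A", "198.51.100.7"),
    ("ftp.example.org", "A", "203.0.113.10"),
    ("mail.example.org", "A", "203.0.113.10"),
    ("example.org", "MX", "mail.example.org"),
]

# Constructed welcome mail as a newly registered user would receive it.
WELCOME_MAIL = """\
Received: from forum01.example.org (forum01.example.org [203.0.113.10])
\tby mx.recipient.example with ESMTP id abc123; Sun, 13 Jan 2013 22:00:00 +0000
X-Originating-IP: [203.0.113.10]
From: forum@example.org
Subject: Welcome to the forum

Thanks for registering.
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def exposed_records(zone, origin_ips, proxy_nets):
    """Names whose A record points at the origin or outside the proxy range."""
    hits = []
    for name, rtype, value in zone:
        if rtype != "A":
            continue
        ip = ipaddress.ip_address(value)
        if ip in origin_ips or not any(ip in net for net in proxy_nets):
            hits.append(name)
    return hits

def leaking_headers(raw_mail, origin_ips):
    """Names of mail headers that carry an origin IP."""
    hits = []
    for name, value in message_from_string(raw_mail).items():
        for token in IP_RE.findall(value):
            try:
                leaked = ipaddress.ip_address(token) in origin_ips
            except ValueError:  # regex matched something like 999.1.1.1
                continue
            if leaked:
                hits.append(name)
                break
    return hits
```

Any name or header this reports is a place where the origin address is visible without going through the proxy; a clean result does not cover historical DNS records.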

wynnyelle

Thank you so much for clearing that up!!

Now can anyone point me in the right direction?

mashby

All I did was Google "DDoS Protection"
and this one was paying for Google ads and also was #3 on the list of normal results:
http://www.prolexic.com/
Not sure it's the right direction, but it might be.
Always be a little kinder than necessary.
- James M. Barrie

LiroyvH

Quote from: mashby on January 13, 2013, 11:26:06 PM
All I did was Google "DDoS Protection"
and this one was paying for Google ads and also was #3 on the list of normal results:
http://www.prolexic.com/
Not sure it's the right direction, but it might be.

It sure is, if you have deep pockets. :)
Prolexic services start around $4k per month.

Kill Em All

Very interesting, thank you so much for correcting me on that CoreISP. On that note, I really have no other suggestions besides asking your host unless CoreISP has a suggestion.



wynnyelle

CoreISP is my host :)

I highly recommend him too.

Kill Em All




vpn

If the attack is not too large you can try staminus.net (I am not related to them I just saw their offer at WHT)
VPN Tutorials
VPN Support Forums

Storman™

I agree with CoreISP, essentially you can't stop a full-blown DDoS attack on your own, you can only manage it, and then you really need the intervention of your hosting company to essentially filter the "nasty" traffic out, and then some. That's going to cost upwards of $1000 a month at least unfortunately (and in most cases several thousand dollars a month). Essentially cost is related to how many packets are heading your way, and we're talking millions per second, so the intervention required is not a piece of simple software.

Unless you are a well-heeled corporation with deep pockets then you can't really stop one I'm afraid.  ???

Colin

Quote from: Storman™ on January 15, 2013, 04:04:04 PM
Unless you are a well-heeled corporation with deep pockets then you can't really stop one I'm afraid.  ???
And that is exactly why they are so widespread.
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

Kindred

You could ask Butchs to help you configure the forum firewall mod...
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Night09

If core is the host can it be confirmed it's a DDOS and have the attacking IPs been logged?

LiroyvH

Forum firewall mod gives zero protection against DDoS.

@Nightbre:
Yes, it was a ddos of approximately 3.5Gbit/sec.

Night09

Quote from: CoreISP on January 18, 2013, 02:30:44 PM
Forum firewall mod gives zero protection against DDoS.

@Nightbre:
Yes, it was a ddos of approximately 3.5Gbit/sec.

If you have the IPs you can report it to homeland security and they will investigate it.  That amount of DDOS hitting me would certainly drop my server. :P
