Netgate Discussion Forum

[SOLVED] DDoS-Protection

Firewalling
15 Posts 8 Posters 20.1k Views
KOM

    My question is: What can I do for DDoS-Protection?

Nothing. If the world's largest online corporations can't protect their assets from DDoS (think Pokemon Go, PS4 network, Xbox network, etc.) then what do you think you're going to do? IDS/IPS are useless against DDoS because the traffic is already hitting your WAN.

kpa

The issue is that the DDoS is going to clog your connection before you have any chance to react to it, and even if you manage to react you can't limit the traffic coming your way, because your upstream router is going to keep sending those packets regardless of what your firewall does.

user12

OK… so there are absolutely no tricks or anything one can do against it?
I remember hosters marketing their "Anti-DoS"-Routers ...

KOM

@user12:

    I remember hosters marketing their "Anti-DoS"-Routers …

I remember people selling the Golden Gate bridge…

The only solution to DDoS is upstream help from your ISP when you get hit, or some service like CloudFlare to avoid it before it hits. They have much larger pipes and infrastructure than you, and only they are in a position to filter the storm.

johnpoz LAYER 8 Global Moderator

Why does this same question seem to come up every few weeks?

There is NOTHING you can do about a volumetric DoS at the end of the pipe, i.e. your firewall. If the pipe is full, the pipe is full. Nothing you do to the packets as they come in at your end means anything, be it you try and process them or just plain drop them. The pipe is full.

The only measure against such an attack is to move upstream to where the pipe is fatter than your pipe, and keep the traffic from going down your small pipe.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

user12

OK, I see… it's more of an unchangeable (in some way at least) physical problem.
Thanks for your help!

Harvy66

@kpa:

    The issue is that the DDoS is going to clog your connection before you have any chance to react to it, and even if you manage to react you can't limit the traffic coming your way, because your upstream router is going to keep sending those packets regardless of what your firewall does.

Depends on what you mean by DDoS. There are asymmetric resource attacks against the FreeBSD network stack that only require a few megabits of traffic per second, and not even enough to fill up the state table, and they will take down an 8-core Xeon with a 10Gb uplink. O(NM) algorithms, effectively O(N^2) in a DDoS, are very bad in the network stack. Think of it this way. If you have a state table size of 1mil and someone sends the right kind of traffic, a single packet with that O(NM) scaling can consume 1,000,000,000,000+ clock cycles. I don't know about you, but my computer can't afford to spend 1 trillion cycles per packet.

If a single person with a DSL connection and the ability to spoof source addresses can take down your entire 40Gb network, the software needs to be fixed. At least one person in the FreeBSD community is working on fixing FreeBSD's DDoS issues. Rule of thumb for firewalls/routers: if you run out of CPU before bandwidth, the code is poorly designed.

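A constructed model of the asymmetric-cost argument in the post above (added here as an illustration; it is not code from the thread, FreeBSD or pf, and the cycle costs, core count, frame size and table size are all assumptions): it compares a constant-cost state lookup with one that scans the whole table per packet, works out the attacker bandwidth that pins the CPU in each case, and applies the post's "CPU before bandwidth" rule of thumb against a 10G link.

```python
# Constructed model of per-packet lookup cost vs link capacity. Added
# illustration only; constants are assumptions, not measurements.
from dataclasses import dataclass

CYCLES_PER_ENTRY = 10               # assumed cost to examine one state entry
HASH_LOOKUP_CYCLES = 200            # assumed constant cost of a hashed lookup
CPU_BUDGET_HZ = 8 * 3_000_000_000   # assumed 8 cores at 3 GHz, all available
MIN_FRAME_BITS = 64 * 8             # minimum-size frame, ignoring preamble/IFG


@dataclass(frozen=True)
class Lookup:
    name: str
    cycles_per_packet: int


def hashed_lookup(table_size: int) -> Lookup:
    """O(1) per packet: cost does not grow with the state table."""
    return Lookup(f"hash (N={table_size})", HASH_LOOKUP_CYCLES)


def scan_lookup(table_size: int) -> Lookup:
    """O(N) per packet, O(N*M) for M packets: every entry is examined."""
    return Lookup(f"scan (N={table_size})", table_size * CYCLES_PER_ENTRY)


def max_pps(lookup: Lookup, budget_hz: int = CPU_BUDGET_HZ) -> int:
    """Packets per second the CPU can handle before it is saturated."""
    return budget_hz // lookup.cycles_per_packet


def link_pps(link_bps: int, frame_bits: int = MIN_FRAME_BITS) -> int:
    """Minimum-size packets per second a link can deliver (idealised)."""
    return link_bps // frame_bits


def saturating_bps(lookup: Lookup, frame_bits: int = MIN_FRAME_BITS) -> int:
    """Attacker bandwidth of minimum-size frames that pins the CPU at 100%."""
    return max_pps(lookup) * frame_bits


def cpu_before_link(lookup: Lookup, link_bps: int) -> bool:
    """The post's rule of thumb: True if CPU runs out before the link does."""
    return max_pps(lookup) < link_pps(link_bps)


if __name__ == "__main__":
    for lk in (hashed_lookup(1_000_000), scan_lookup(1_000_000)):
        print(f"{lk.name}: CPU saturated at {saturating_bps(lk) / 1e6:.1f} Mbit/s; "
              f"CPU before 10G link: {cpu_before_link(lk, 10_000_000_000)}")
```

With these assumptions the scanning lookup over a million states is pinned by about 1.2 Mbit/s of minimum-size frames, which is the "few megabits" scenario the post describes, while the hashed lookup can absorb more packets than the 10G link can deliver.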
KOM

Yeah, good answer John. Wish I would have thought of that and said it ;D

pedropt

Check this link: https://javapipe.com/iptables-ddos-protection

Does this work?

KOM

Those techniques will work against attacks that try to use features/bugs of your TCP/IP network stack to make the system unresponsive due to exhausted resources. It won't do anything about DDoS due to oversaturated links.

Mr. Jingles

@KOM:

    I remember hosters marketing their "Anti-DoS"-Routers …

    I remember people selling the Golden Gate bridge…

Thanks for the laugh ;D

6 and a half billion people know that they are stupid, aggressive, lower life forms.

crookiecookie

There are some things you can do to mitigate some attacks.

GeoIP blocking: it's not foolproof, but it can cut down a lot of attacks.

Be sure to whitelist the IPs of update servers, Google, Let's Encrypt etc. to be sure to continue receiving those services.

If you're not serving clients in some countries, block the whole country.

johnpoz LAYER 8 Global Moderator

1st post, jump into a 2 year old thread with junk... Welcome <rolleyes>

You didn't even bother to read the 2 year old thread you're replying to? What part of "the PIPE is full" did you not understand? Blocking IRAN or Russia at the end of the pipe at your firewall does ZERO!!!

Posts like that make me miss the smite button ;)


crookiecookie

This post is deleted!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.