Netgate Discussion Forum
[SOLVED] DDoS Protection

Firewalling | 15 Posts, 8 Posters, 20.1k Views
user12

Ok… so there are absolutely no tricks or anything one can do against it?
I remember hosters marketing their "Anti-DoS" routers ...
KOM

Quoting user12: I remember hosters marketing their "Anti-DoS" routers …

I remember people selling the Golden Gate Bridge…

The only solution to DDoS is upstream help from your ISP when you get hit, or some service like CloudFlare to avoid it before it hits. They have much larger pipes and infrastructure than you, and only they are in a position to filter the storm.
johnpoz (LAYER 8, Global Moderator)

Why does this same question seem to come up every few weeks..

There is NOTHING you can do about a volumetric DoS at the end of the pipe, i.e. your firewall. If the pipe is full, the pipe is full.. Nothing you do to the packets as they come in at your end means anything.. Be it you try and process them or just plain drop them.. The pipe is full..

The only measure against such an attack is to move upstream to where the pipe is fatter than your pipe, and keep the traffic from going down your small pipe.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
user12

Ok, I see… it's more an unchangeable (in some way at least) physical problem.
Thanks for your help!
Harvy66

@kpa:

The issue is that the DDoS is going to clog your connection before you have any chance to react to it, and even if you manage to react you can't limit the traffic coming your way because your upstream router is going to keep sending those packets regardless of what your firewall does.

Depends on what you mean by DDoS. There are asymmetric resource attacks against the FreeBSD network stack that only require a few megabits of traffic per second, not even enough to fill up the state table, and it will take down an 8-core Xeon with a 10Gb uplink. O(NM) algorithms, effectively O(N^2) in a DDoS, are very bad in the network stack. Think of it this way. If you have a state table size of 1 million and someone sends the right kind of traffic, a single packet with that O(NM) scaling can consume 1,000,000,000,000+ clock cycles. I don't know about you, but my computer can't afford to spend 1 trillion cycles per packet.

If a single person with a DSL connection and the ability to spoof source addresses can take down your entire 40Gb network, the software needs to be fixed. At least one person in the FreeBSD community is working on fixing FreeBSD's DDoS issues. Rule of thumb for firewalls/routers: if you run out of CPU before bandwidth, the code is poorly designed.
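The scaling argument in the post above, as an added model that is not from the thread and not FreeBSD or pf code: two hypothetical state tables, one that walks every existing entry per lookup (per-packet work that grows with table size N) and one that hashes, fed the same constructed stream of spoofed SYNs. The comparison counters stand in for CPU cycles; the addresses are from the documentation ranges.

```python
"""Added model (not from the thread): why per-packet work that grows with
the size of the firewall state table lets a small spoofed flood exhaust
CPU long before it exhausts bandwidth. Both tables are hypothetical
stand-ins for a real kernel state table; the packet stream is constructed."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# A flow key as a state table would see it: (src, sport, dst, dport, proto)
FlowKey = Tuple[str, int, str, int, str]


@dataclass
class LinearStateTable:
    """Naive table: each lookup walks every existing entry, O(N) per packet."""
    entries: List[Tuple[FlowKey, str]] = field(default_factory=list)
    comparisons: int = 0  # key comparisons, used as a proxy for CPU work

    def lookup(self, key: FlowKey) -> Optional[str]:
        for existing_key, state in self.entries:
            self.comparisons += 1
            if existing_key == key:
                return state
        return None

    def insert(self, key: FlowKey, state: str) -> None:
        self.entries.append((key, state))


@dataclass
class HashedStateTable:
    """Hashed table: a lookup costs one probe regardless of table size."""
    entries: Dict[FlowKey, str] = field(default_factory=dict)
    comparisons: int = 0

    def lookup(self, key: FlowKey) -> Optional[str]:
        self.comparisons += 1  # idealised single probe; collisions ignored
        return self.entries.get(key)

    def insert(self, key: FlowKey, state: str) -> None:
        self.entries[key] = state


def spoofed_syn_flood(n_sources: int) -> Iterable[FlowKey]:
    """Constructed stream: one SYN per spoofed source, every flow key new."""
    for i in range(n_sources):
        src = f"203.0.113.{i % 254 + 1}"      # documentation address range
        yield (src, 1024 + i, "198.51.100.10", 443, "tcp")


def process_flood(table, packets: Iterable[FlowKey]) -> int:
    """Feed packets through a table; returns the total key comparisons made."""
    for key in packets:
        if table.lookup(key) is None:       # miss: create a new half-open state
            table.insert(key, "SYN_SENT")
    return table.comparisons


def linear_cost_closed_form(n_sources: int) -> int:
    """Comparisons the naive table makes for n all-new flows: n(n-1)/2."""
    return n_sources * (n_sources - 1) // 2


if __name__ == "__main__":
    for n in (100, 1_000, 3_000):
        linear = process_flood(LinearStateTable(), spoofed_syn_flood(n))
        hashed = process_flood(HashedStateTable(), spoofed_syn_flood(n))
        print(f"{n:>6} spoofed flows: naive={linear:>10} hashed={hashed:>6}")
```

The naive table's total work for a flood of n new flows is n(n-1)/2, the O(N^2) behaviour the post describes, while the hashed table stays linear in the number of packets; the attacker's bandwidth is identical in both runs, which is the sense in which "running out of CPU before bandwidth" points at the code rather than the pipe.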
KOM

Yeah, good answer John. Wish I would have thought of that and said it ;D
pedropt

Check this link: https://javapipe.com/iptables-ddos-protection

Does this work?
KOM

Those techniques will work against attacks that try to use features/bugs of your TCP/IP network stack to make the system unresponsive due to exhausted resources. It won't do anything about DDoS due to oversaturated links.
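One of the stack-exhaustion checks KOM is referring to, as an added example that is not from the thread or the linked page: flag sources holding too many half-open TCP states, the symptom that per-source limits such as pf's `max-src-conn` and `overload <table>` act on. The state records are a constructed, simplified snapshot (a real deployment would read the firewall's own state table), and the hypothetical `limit` is the per-source threshold.

```python
"""Added example (not from the thread): flag sources that hold too many
half-open TCP states, the stack-exhaustion symptom that per-source limits
such as pf's max-src-conn / overload are meant to catch. State records are
constructed; a real deployment would read them from the firewall's state table."""
from collections import Counter
from typing import Iterable, List, Tuple

# Simplified state-table entry: (src_ip, dst_ip, dst_port, tcp_state)
StateRecord = Tuple[str, str, int, str]

# Embryonic connection states: handshake started but never completed
HALF_OPEN = ("SYN_SENT", "SYN_RECV")


def build_sample_states() -> List[StateRecord]:
    """Constructed snapshot: one source parks 50 embryonic connections,
    another has 3, and a legitimate client has 2 established sessions."""
    states: List[StateRecord] = []
    states += [("203.0.113.7", "198.51.100.10", 443, "SYN_RECV")] * 50
    states += [("203.0.113.8", "198.51.100.10", 443, "SYN_RECV")] * 3
    states += [("192.0.2.5", "198.51.100.10", 443, "ESTABLISHED")] * 2
    return states


def half_open_by_source(states: Iterable[StateRecord]) -> Counter:
    """Count half-open states per source address; established flows are ignored."""
    counts: Counter = Counter()
    for src, _dst, _port, tcp_state in states:
        if tcp_state in HALF_OPEN:
            counts[src] += 1
    return counts


def sources_over_limit(states: Iterable[StateRecord], limit: int) -> List[str]:
    """Sources whose half-open count exceeds `limit`, worst offender first."""
    counts = half_open_by_source(states)
    offenders = [(n, src) for src, n in counts.items() if n > limit]
    return [src for _n, src in sorted(offenders, reverse=True)]


if __name__ == "__main__":
    for src in sources_over_limit(build_sample_states(), limit=20):
        print(f"{src}: over half-open limit, candidate for an overload table")
```

The check costs nothing in bandwidth terms and only helps when the limiting resource is the state table or CPU; if the upstream link is already saturated, the packets that fill it never reach this logic, which is exactly the distinction KOM draws.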
Mr. Jingles

@KOM:

I remember hosters marketing their "Anti-DoS" routers …

I remember people selling the Golden Gate Bridge…

Thanks for the laugh ;D

6 and a half billion people know that they are stupid, aggressive, lower life forms.
crookiecookie

There are some things you can do to mitigate some attacks.

GeoIP blocking is not foolproof, but it can cut down a lot of attacks.

Be sure to whitelist the IPs of update servers, Google, Let's Encrypt etc. to be sure you continue receiving those services.

If you're not serving clients in some countries, block the whole country.
johnpoz (LAYER 8, Global Moderator), last edited by johnpoz

1st post jumps into a 2 year old thread with junk... Welcome <rolleyes>

You didn't even bother to read the 2 year old thread you replied to? What part of "the PIPE is full" did you not understand? Blocking Iran or Russia at the end of the pipe at your firewall does ZERO!!!

Posts like that make me miss the smite button ;)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.