[SOLVED] DDoS Protection



  • Hi!

    I have a web server behind my pfSense; both port 80 and 443 are NATed, but users are usually redirected to HTTPS by default.

    My question is: What can I do for DDoS protection? I already installed Snort, which is listening on the DMZ interface.
    Plus, I've seen that I can set a max. number of connections for the NAT rule, which is working (I've tried; I wasn't able to open more than x connections to the site with my browser).
    Is that a sensible thing to do? Limiting it to 100-200 connections would perfectly satisfy my needs; there won't be more than this number of connections at a time…

    Edit: Max. number of states is what I mean.
    Is there a difference from the maximum number of connections?



  • My question is: What can I do for DDoS protection?

    Nothing.  If the world's largest online corporations can't protect their assets from DDoS (think Pokemon Go, PS4 network, XBox network, etc.), then what do you think you're going to do?  IDS/IPS are useless against DDoS because the traffic is already hitting your WAN.



  • The issue is that the DDoS is going to clog your connection before you have any chance to react to it, and even if you manage to react, you can't limit the traffic coming your way, because your upstream router is going to keep sending those packets regardless of what your firewall does.



  • OK… so there are absolutely no tricks or anything one can do against it?
    I remember hosting providers marketing their "Anti-DoS" routers…



  • I remember hosting providers marketing their "Anti-DoS" routers…

    I remember people selling the Golden Gate bridge…

    The only solution to DDoS is upstream help from your ISP when you get hit, or some service like CloudFlare to avoid it before it hits.  They have much larger pipes and infrastructure than you, and only they are in a position to filter the storm.


  • Rebel Alliance Global Moderator

    Why does this same question seem to come up every few weeks?

    There is NOTHING you can do about a volumetric DoS at the end of the pipe, i.e. your firewall.  If the pipe is full, the pipe is full.  Nothing you do to the packets as they come in at your end means anything, be it trying to process them or just plain dropping them. The pipe is full.

    The only measure against such an attack is to move upstream to where the pipe is fatter than your pipe, and keep the traffic from going down your small pipe.



  • OK, I see… it's more of an unchangeable (in some way, at least) physical problem.
    Thanks for your help!



  • @kpa:

    The issue is that the DDoS is going to clog your connection before you have any chance to react to it, and even if you manage to react, you can't limit the traffic coming your way, because your upstream router is going to keep sending those packets regardless of what your firewall does.

    Depends on what you mean by DDoS. There are asymmetric resource attacks against the FreeBSD network stack that only require a few megabits of traffic per second, don't even fill up the state table, and will take down an 8-core Xeon with a 10 Gb uplink. O(NM) algorithms, effectively O(N^2) in a DDoS, are very bad in the network stack. Think of it this way: if you have a state table size of 1 million and someone sends the right kind of traffic, a single packet with that O(NM) scaling can consume 1,000,000,000,000+ clock cycles. I don't know about you, but my computer can't afford to spend 1 trillion cycles per packet.

    If a single person with a DSL connection and the ability to spoof source addresses can take down your entire 40 Gb network, the software needs to be fixed. At least one person in the FreeBSD community is working on fixing FreeBSD's DDoS issues. Rule of thumb for firewalls/routers: if you run out of CPU before bandwidth, the code is poorly designed.



  • Yeah, good answer, John.  Wish I had thought of that and said it  ;D



  • Check this link: https://javapipe.com/iptables-ddos-protection

    Does this work?



  • Those techniques will work against attacks that try to use features/bugs of your TCP/IP network stack to make the system unresponsive due to exhausted resources.  They won't do anything about a DDoS due to oversaturated links.
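    An added configuration example, not from the thread and not pfSense's own generated rule output, that shows the pf keywords behind the two options the original poster asks about ("Max. states" versus "Max. established"/connections) and the kind of per-source limits the reply above says help against state- and resource-exhaustion attacks. pfSense writes these from the advanced options on a firewall rule; interface names, addresses, table contents and the numeric limits below are assumptions for illustration.

```pf
# Added example (not from the thread): pf.conf fragment for a web server in a DMZ
# behind a pfSense box. The advanced rule options in the pfSense GUI map onto the
# state options shown here:
#   "Max. states"                   -> max
#   "Max. src nodes"                -> max-src-nodes
#   "Max. established"              -> max-src-conn
#   "Max. src. states"              -> max-src-states
#   "Max. new connections / per s"  -> max-src-conn-rate
ext_if  = "em0"           # WAN interface (assumed)
dmz_if  = "em1"           # DMZ interface (assumed)
web_srv = "10.10.10.80"   # web server in the DMZ (assumed)

# Sources that must always reach the server (update servers, Let's Encrypt,
# monitoring). Loaded from a file you maintain; the path is an assumption.
table <allow> persist file "/etc/pf.allow"
# Sources that exceeded the connection rate; expired by cron (see note below).
table <abusers> persist

# Port forward as pfSense creates it: WAN:80,443 -> web server.
rdr on $ext_if proto tcp from any to ($ext_if) port { 80 443 } -> $web_srv

# Known abusers are dropped before any state is created for them.
block in quick on $ext_if from <abusers>

# Allowlisted sources bypass the limits so updates and ACME keep working.
pass in quick on $ext_if proto tcp from <allow> to $web_srv port { 80 443 } \
    flags S/SA keep state

# Everyone else, with limits:
#   max 500                 - total states this rule may hold (the OP's "Max. states")
#   max-src-states 40       - states per source address
#   max-src-conn 20         - fully established TCP connections per source
#   max-src-conn-rate 30/10 - more than 30 new connections in 10 s from one source
#                             puts it in <abusers>; "flush global" also kills the
#                             states that source already holds
#   synproxy state          - pf completes the TCP handshake itself, so a spoofed
#                             SYN flood never creates state on the web server
pass in quick on $ext_if proto tcp from any to $web_srv port { 80 443 } \
    flags S/SA synproxy state \
    (max 500, max-src-states 40, max-src-conn 20, \
     max-src-conn-rate 30/10, overload <abusers> flush global)
```

    Entries in `<abusers>` do not age out by themselves; a cron line such as `pfctl -t abusers -T expire 3600` removes addresses older than an hour. `pfctl -ss` lists current states and `pfctl -si` shows state-table counters, which is how you tell a state-exhaustion attack from a full link. These limits protect the server and the firewall's state table from resource exhaustion; once the WAN link itself is saturated they change nothing, which is the point the rest of the thread makes.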



  • @KOM:

    I remember hosting providers marketing their "Anti-DoS" routers…

    I remember people selling the Golden Gate bridge…

    Thanks for the laugh  ;D



  • There are some things you can do to mitigate some attacks.

    GeoIP blocking is not foolproof, but it can cut down a lot of attacks.

    Be sure to whitelist the IPs of update servers, Google, Let's Encrypt, etc., so you continue to receive those services.

    If you're not serving clients in some countries, block the whole country.


  • Rebel Alliance Global Moderator

    First post, jumping into a 2-year-old thread with junk... Welcome <rolleyes>

    You didn't even bother to read the 2-year-old thread you replied to? What part of "the PIPE is full" did you not understand? Blocking IRAN or Russia at the end of the pipe, at your firewall, does ZERO!!!

    Posts like that make me miss the smite button ;)




Locked
 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy