Building a defense against DDoS attacks
One Against All
Commercial DDoS Protection
Numerous commercial providers also offer turnkey DDoS safeguards with support, logging, and alerting. These solutions range from cloud-based approaches to hardware appliances, which are usually integrated into the data center as firewall extensions.
For example, industry giant Cloudflare offers DDoS web protection with its application services, which works exactly like vDDoS when viewed from the outside. Under the hood, a reverse proxy receives and examines the access requests and forwards the legitimate traffic to the server with the content. For this method to work, the DNS entry for your website must point to the Cloudflare server. Note that your web server must then accept requests only from Cloudflare; otherwise, the DDoS protection is ineffective, because traffic that reaches the origin directly never passes through the proxy.
The advantage is that Cloudflare and comparable offerings seem to have more bandwidth in reserve than the attackers have been able to muster (thus far). Anyone expecting attacks in the multidigit gigabit per second range is well advised to use a commercial provider. Fun fact: This solution works so well that even the bad guys with their illegal web portals use it to protect themselves against even more evil villains.
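One way to verify that the "origin accepts requests only from the proxy" rule described above is actually in force is to audit the origin's access log: every request whose peer address is not inside the proxy's published ranges reached the server directly and proves the firewall is too permissive. The following is an added example, not code from the article or from any of the providers it names; it assumes an nginx-style combined log with the X-Forwarded-For header appended as the last quoted field, and uses 203.0.113.0/24 as a placeholder for the proxy's egress ranges (take the real list from the provider).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder for the proxy provider's published egress ranges (assumption:
# replace with the provider's real list; 203.0.113.0/24 is documentation space).
PROXY_RANGES = ["203.0.113.0/24"]

# Assumed log format: nginx "combined" plus "$http_x_forwarded_for" quoted at the end.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

# Constructed sample: two requests that came through the proxy, two direct hits on the origin.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0" "198.51.100.7"
203.0.113.77 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "198.51.100.9, 203.0.113.77"
192.0.2.44 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 612 "-" "python-requests/2.31" "-"
192.0.2.45 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 612 "-" "python-requests/2.31" "-"
"""


@dataclass
class Request:
    source: str      # peer that opened the TCP connection to the origin
    client: str      # real client: first X-Forwarded-For hop when via the proxy, else the peer
    via_proxy: bool
    path: str
    status: int


def parse_line(line: str, proxy_nets) -> Optional[Request]:
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src = m["src"]
    try:
        via_proxy = any(ipaddress.ip_address(src) in net for net in proxy_nets)
    except ValueError:          # unparsable peer address: treat as not the proxy
        via_proxy = False
    # X-Forwarded-For is only trustworthy when the peer really is the proxy; a
    # direct client can put anything into that header, so ignore it otherwise.
    xff = m["xff"]
    client = xff.split(",")[0].strip() if via_proxy and xff != "-" else src
    parts = m["req"].split(" ")
    path = parts[1] if len(parts) >= 2 else m["req"]
    return Request(src, client, via_proxy, path, int(m["status"]))


def audit(log_text: str, proxy_cidrs=PROXY_RANGES) -> Tuple[List[Request], List[Request]]:
    """Split the log into requests that came via the proxy and direct hits on the origin."""
    nets = [ipaddress.ip_network(c) for c in proxy_cidrs]
    via, bypass = [], []
    for line in log_text.splitlines():
        req = parse_line(line, nets)
        if req is None:
            continue
        (via if req.via_proxy else bypass).append(req)
    return via, bypass


def bypass_sources(log_text: str, proxy_cidrs=PROXY_RANGES) -> List[str]:
    """Sorted, de-duplicated peers that reached the origin without passing the proxy."""
    _, bypass = audit(log_text, proxy_cidrs)
    return sorted({r.source for r in bypass})


if __name__ == "__main__":
    via, bypass = audit(SAMPLE_LOG)
    print(f"{len(via)} requests via proxy, {len(bypass)} direct hits on the origin")
    for r in bypass:
        print(f"  origin reached directly from {r.source} ({r.path}) -> tighten the origin firewall")
```

Any entry in the bypass list means the origin firewall is not restricted to the proxy ranges; the same allowlist the script uses is what the host firewall (or the provider's security group) should enforce. Note that the client address taken from X-Forwarded-For is only meaningful for requests whose peer is the proxy, which is why the parser falls back to the peer address for everything else.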
Conclusions
In addition to ransomware attacks, DDoS attacks pose major challenges for companies. This foray through the defense arsenal from the open source world reveals a couple of highlights. The basic service begins with a hardened operating system followed by a security check, which is again followed by guard tools that keep an eye on logfiles, detect failed login attempts, and automatically create rules for the local firewall. Finally, websites can be protected against a flood of requests with various image puzzles in the form of captchas.
In larger environments, the DDoS sensor is located well away from the server farm and receives traffic information from routers and switches. If the throughput rates of individual clients are unusually high, the block is sent to the provider routers by a BGP update, and the game is over for the attacker. If these tools and tricks involve too much manual work or you anticipate massive DDoS attacks, the same protections are also available from commercial providers.
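The sensor logic summarized above (per-host traffic rate from router and switch flow data, a threshold, and a blackhole announcement to the upstream routers) can be modelled in a few dozen lines. The following is an added example, not FastNetMon's code or any other project's; it constructs its own flow records, uses 192.0.2.0/24 as the protected prefix, and represents the BGP update as a structured record carrying the RFC 7999 well-known BLACKHOLE community (65535:666), leaving the actual BGP speaker out of scope.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: the prefix we protect (documentation space, constructed for this example).
MONITORED = [ipaddress.ip_network("192.0.2.0/24")]
# RFC 7999 well-known BLACKHOLE community; the upstream must be configured to honor it.
BLACKHOLE_COMMUNITY = "65535:666"


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since the start of the measurement window
    src: str
    dst: str
    bytes: int


def constructed_flows() -> List[Flow]:
    """Constructed sample: a volumetric flood into one host plus ordinary traffic."""
    flows = []
    for i in range(200):   # 200 flows of 10 MB each into 192.0.2.10 within 10 s
        flows.append(Flow(i * 0.05, f"198.51.100.{i % 250 + 1}", "192.0.2.10", 10_000_000))
    flows.append(Flow(1.0, "203.0.113.5", "192.0.2.20", 50_000_000))   # ordinary inbound
    flows.append(Flow(2.0, "192.0.2.20", "203.0.113.5", 900_000_000))  # outbound: must not count
    return flows


def inbound_mbps(flows: Iterable[Flow], nets, window_s: float) -> Dict[str, float]:
    """Average inbound rate per monitored host over the window, in Mbit/s."""
    per_host = defaultdict(int)
    for f in flows:
        if not 0 <= f.ts < window_s:
            continue                        # outside the window being evaluated
        dst = ipaddress.ip_address(f.dst)
        if any(dst in n for n in nets):     # only traffic towards our own hosts counts
            per_host[f.dst] += f.bytes
    return {h: b * 8 / window_s / 1e6 for h, b in per_host.items()}


def detect(flows: Iterable[Flow], nets, window_s: float, threshold_mbps: float) -> List[str]:
    """Hosts whose inbound rate exceeds the threshold, sorted for stable output."""
    rates = inbound_mbps(flows, nets, window_s)
    return sorted(h for h, r in rates.items() if r > threshold_mbps)


def blackhole_announcements(hosts: Iterable[str], community: str = BLACKHOLE_COMMUNITY):
    """Structured /32 blackhole announcements for the BGP speaker to send upstream."""
    return [{"prefix": f"{h}/32", "community": community} for h in hosts]


if __name__ == "__main__":
    flows = constructed_flows()
    for host, rate in sorted(inbound_mbps(flows, MONITORED, 10).items()):
        print(f"{host}: {rate:.1f} Mbit/s")
    for ann in blackhole_announcements(detect(flows, MONITORED, 10, 1000)):
        print("announce", ann)
```

Two properties matter in practice: only traffic towards the monitored prefix is counted, so a host sending a large backup outbound does not trigger itself, and the blackhole is announced for the flooded host's /32, which sacrifices that one address so the rest of the prefix and the upstream links stay usable. A production sensor would additionally keep packet and flow-count thresholds, a ban timer, and logging of every announcement it sends.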
Infos
- Linux hardening guide: https://madaidans-insecurities.github.io/guides/linux-hardening.html
- OpenSCAP security guide for RHEL 7: https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-C2S.html
- Lynis: https://cisofy.com/lynis/
- FireHOL Cybercrime IP feeds: https://iplists.firehol.org
- Fail2Ban: https://github.com/fail2ban/fail2ban
- CrowdSec: https://www.crowdsec.net
- vDDoS: https://vddos.voduy.com
- FastNetMon: https://github.com/pavel-odintsov/fastnetmon
- IPBan: https://github.com/digitalruby/ipban
- EvlWatcher: https://github.com/devnulli/EvlWatcher
- MHDDoS: https://github.com/MatrixTM/MHDDoS