I wanted to know how you guys protect your different machines from DDoS, for example if it's self-hosted. I know a lot of providers do IP forwarding via AWS, for example. But what would be the best practice for it?
I think if DDoS packets are reaching your machine, then you're already screwed. DDoS protection via software is good and all and might even help in some low-volume attacks and perhaps some targeted L7 attacks, but if you get a UDP flood or something similar, you need an anti-DDoS hardware device to actually have a chance at mitigating it.
Software DDoS protection is going to get overloaded quickly trying to inspect and process all the traffic, let alone whether your port can handle that rate of traffic anyway.
tldr - software DDoS protection might help with small attacks, but any serious attack is going to need hardware to mitigate it. Pick a provider that has decent DDoS protection hardware and you'll be good.
In my view, you can mitigate small attacks with software solutions like iptables; this can work quite well if you have a good system. For everything that's bigger than your port size or what your network card can handle (packet size is the issue) you will need some external stuff.
If you run your own network, you can do flowspec and the like and try to mitigate it at the upstream level. But, this will require quite some work too.
Honestly, if you have your own network, the easiest solution in most cases is just to get some decent DDoS protection from Voxility, Magic Transit or whoever is near you and let them handle the problem. If you have your services with the datacenter, they probably have an option for DDoS protection that will serve you well in most cases.
I see the problem here is always their pricing. Because Hetzner's current protection is really shitty… I thought about a tunneling thing between servers, but yeah, going from srv1 → srv2 for gaming, for example, is not acceptable for the ping.
A lot of solutions exist, but for some reason there aren't any "cheap" solutions to at least start with. I mean, of course it has a cost to stop such an attack, but yeah…
It depends but since a part is. But OVH's problem is the pricing, and they don't have machines with Ryzen CPUs, for example. And with the recent outage… I don't really trust them; their support is not awesome. Really, not a lot of good points except their awesome DDoS protection.
Since I moved over to their service I haven’t had an outage on a server there for that reason. When I’ve been notified of inbound attacks hitting me, not even a single monitor went off on my side. I’m not a huge target but no stranger to attacks. Granted, and this may be important, attacks as a whole have been less frequent ever since hackforum took down their booter market.
'Free' DDoS protection you get with hosting providers will work if you have a basic attack. Usually they handle amplification quite well, for example, as mitigating these can be as simple as an ACL or ACL ratelimit.
It's when you get something non-standard or hybrid, or your requirements get more complex (e.g. DDoS protection of a public DNS server), that these mitigation systems fail. And honestly, considering the price you are paying for them, what do you expect? It's not economical for a company making $5-15/m from your dedicated server to task an engineer for hours to build a rule and monitor for a custom attack - on top of paying for the bandwidth.
Honestly OVH’s network is one of my least favorite networks. It’s the only network where I have seen internal pings of nearly 200ms (with a route within the same city) and that has a mitigation system that has regular false positives and with a support team unable to make any changes.
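To make the "ACL or ACL ratelimit" point above concrete, here is an added example (not code from anyone in this thread): it aggregates inbound UDP flow records by well-known reflector source port, flags the ports whose rate exceeds a threshold, and renders the matching nftables rate-limit rules. The flow records, the reflector-port set and the thresholds are all constructed assumptions for the demo.

```python
from collections import defaultdict

# Assumption: UDP source ports commonly abused as amplification reflectors.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 161: "snmp", 389: "cldap",
                   1900: "ssdp", 11211: "memcached"}

# Constructed flow records for a 10 s window: (src_ip, sport, dport, proto, bytes, packets)
SAMPLE_FLOWS = [
    # normal DNS answers from a resolver: tiny volume, must not be flagged
    ("192.0.2.10", 53, 40001, "udp", 2000, 4),
    ("192.0.2.10", 53, 40002, "udp", 2000, 4),
    ("192.0.2.11", 53, 40003, "udp", 2000, 4),
    # a TCP flow on a reflector port number: ignored, we only look at UDP
    ("203.0.113.5", 123, 443, "tcp", 50_000_000, 40000),
    # moderate memcached reflection: 30 MB in 10 s = 24 Mbit/s
    ("203.0.113.9", 11211, 51234, "udp", 30_000_000, 21000),
]
# NTP reflection flood from 40 reflectors, 20 MB each = 800 MB in 10 s = 640 Mbit/s
SAMPLE_FLOWS += [("198.51.100.%d" % i, 123, 51234, "udp", 20_000_000, 45000)
                 for i in range(1, 41)]


def amplification_candidates(flows, window_s, mbps_threshold):
    """Sum inbound UDP bytes per reflector source port over the window and
    return {port: Mbit/s} for every port at or above mbps_threshold."""
    by_port = defaultdict(int)
    for _src, sport, _dport, proto, nbytes, _pkts in flows:
        if proto == "udp" and sport in REFLECTOR_PORTS:
            by_port[sport] += nbytes
    hits = {}
    for port, total in by_port.items():
        mbps = total * 8 / window_s / 1e6
        if mbps >= mbps_threshold:
            hits[port] = round(mbps, 2)
    return hits


def nft_ratelimit_rules(hits, pps=100):
    """Render one nftables rule per flagged port: an 'ACL ratelimit' that drops
    UDP from that reflector port once it exceeds pps packets per second."""
    return ["udp sport %d limit rate over %d/second counter drop  # %s amplification"
            % (port, pps, REFLECTOR_PORTS[port]) for port in sorted(hits)]


if __name__ == "__main__":
    flagged = amplification_candidates(SAMPLE_FLOWS, window_s=10, mbps_threshold=50)
    print(flagged)
    print("\n".join(nft_ratelimit_rules(flagged)))
```

Lowering the threshold also catches the smaller memcached flow, which shows why the cut-off has to match what your port and upstream can actually absorb.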
For self-hosted your best bet might be a proxy of some sort. It would depend on what sort of attacks you see (i.e. volumetric attacks vs something like layer 7 attacks require totally different approaches even though both fall under the blanket term of DDOS).
Is there a specific kind of DDOS attack that you see or anticipate?