How to effectively increase firewall against dos/ddos?

Status
This thread has been locked.

twanneke8

Feedback score
0
Posts
53
Reactions
27
Resources
0
Hello everyone,

My teams Kimsufi development server has recently been receiving hits from a dosser. It has been put in rescue mode twice now thanks to their anti DDOS system. The attack conducted was a SYN flood.

What's the most effective way to protect yourself against these types of attacks and possibly other attacks without having to put money on the table (so with a firewall)?

We can probably do this relatively easy for SYN flood dos attacks by just auto banning the IP with iptables. So are there any other attacks we should prepare for?

Kind regards,

Toon Sevrin
Founder
Exorath
 
PebbleHost
High performance, consistent uptime and fast support. Minecraft hosting that just works.

Overlord

Supreme
Feedback score
2
Posts
569
Reactions
276
Resources
0
You can honestly only block so much without expensive protection.

You can block some DOS attacks with iptables, it's outlined pretty well on Google. DigitalOcean goes as far as to give you the commands to block certain floods.

DDoS, depends. Application layer, you can minimise how much power is needed to affect the application using modernised tactics, like caching and minimised queries. Distributed network based attacks, no luck.

This'll stop some basic attempts to take your server down, but anything more than that will get through.
 

twanneke8

Feedback score
0
Posts
53
Reactions
27
Resources
0
You can honestly only block so much without expensive protection.

You can block some DOS attacks with iptables, it's outlined pretty well on Google. DigitalOcean goes as far as to give you the commands to block certain floods.

DDoS, depends. Application layer, you can minimise how much power is needed to affect the application using modernised tactics, like caching and minimised queries. Distributed network based attacks, no luck.

This'll stop some basic attempts to take your server down, but anything more than that will get through.
Very informative, thank you. I was thinking the same thing, but buying expensive ddos protection or even an ovh server for a development server is way to overkill for us right now. Maybe not linking the ip of the server to our dns would reduce the amount of people able to ddos us :)
 

twanneke8

Feedback score
0
Posts
53
Reactions
27
Resources
0
Here's a bright idea: don't give out the IP address. :)

You say development, but that doesn't clue me into what kind.
Is it for a Minecraft Server? a Website? etc..

You can always mask the IP and protect yourself from nearly any L4 attacks with Cloudflare. Then again, Application Layer as Overlord said are much harder to protect against.

Just be careful with your server and you shouldn't run into too much trouble.
Yeh, we are doing that already :) It's not hard to root through cloudflare though, to get the original ip. Anyway, we did some testing and stuff and kimsufi has basic ddos protection (they can block attackers) and we never got attacked (Someone actually exploited their way into our server and used it to ddos other people).
 
Status
This thread has been locked.
Top