
DDoS protection through a server

wizardHD

So my team and I have a server room in our office where our projects and websites are hosted, but our problem is that we get DDoS'd nearly daily and we can't do anything about it. Even if we shut down our servers, the internet still doesn't work and still gets attacked. My question would be whether we could put an extra server between the modem and the network switches, since we have one lying around with a lot of computing power, to review our traffic.

Is this even possible, or do we have to buy those expensive servers from somewhere like riorey.com?

Since we have a lot of capacity in those servers, we cannot switch to Cloudflare and those providers.

Any ideas? Help would be very much appreciated. Thanks in advance!

 

 


Have you looked at solutions like Cloudflare?

 

What firewall setup do you have now? Some tweaking can help, but if you're at the limit of your ISP connection there really isn't much you can do other than getting a faster link, and the cloud is normally a cheaper way to do this.


2 minutes ago, Electronics Wizardy said:

Have you looked at solutions like Cloudflare?

 

What firewall setup do you have now? Some tweaking can help, but if you're at the limit of your ISP connection there really isn't much you can do other than getting a faster link, and the cloud is normally a cheaper way to do this.

We have a normal Linux firewall on our servers, and our ISP doesn't really have one, if you mean the settings in our modem. We have 50 TB in our storage which needs to be online, so Cloudflare isn't really a thing. But the problem is also that if we turn off our servers and close all ports, the DDoS keeps going and our internet is just gone.


2 minutes ago, wizardHD said:

We have a normal Linux firewall on our servers, and our ISP doesn't really have one, if you mean the settings in our modem. We have 50 TB in our storage which needs to be online, so Cloudflare isn't really a thing. But the problem is also that if we turn off our servers and close all ports, the DDoS keeps going and our internet is just gone.

Have you talked to your ISP about this? See if they can block anything on their end.

 

What firewall do you have? I'd get an NGFW, like the ones from Untangle, SonicWall, Cisco Firepower, and others.


4 minutes ago, Electronics Wizardy said:

Have you talked to your ISP about this? See if they can block anything on their end.

 

What firewall do you have? I'd get an NGFW, like the ones from Untangle, SonicWall, Cisco Firepower, and others.

For our servers we have the default openSUSE firewall, and in our modem (Cisco EPC3925) we only have one checkbox.

 

[screenshot: firewall settings page of the Cisco EPC3925 modem]

 

Also, the last update for this modem was from 2014.

 

This NGFW is for the servers, right? But when we turn the servers off the DDoS still persists and we don't have any internet.


1 minute ago, wizardHD said:

For our servers we have the default openSUSE firewall, and in our modem (Cisco EPC3925) we only have one checkbox.

 

-snip-

 

Also, the last update for this modem was from 2014.

 

This NGFW is for the servers, right? But when we turn the servers off the DDoS still persists and we don't have any internet.

You definitely need a better firewall, and you should try to contact your ISP. I can't advise you much on the ISP side, but on the firewall side I can give some pointers.

 

I highly doubt you have the funds necessary to put in a serious Next Generation Firewall (NGFW), so instead I'd recommend building your own. I'm assuming you are relatively able with things like Linux and networking (if not, you really need someone local with more expertise, preferably a friend, to help you out with this). Build the smallest PC you can and put a couple high speed Ethernet NICs in it (PCIe expansion cards) and install pfSense. That will thoroughly outperform anything else in the few-hundred-dollar price range.

 

If you need something even cheaper, then get a small embedded box to run pfSense on. There are a few options depending on your price-range.

 

If you decide you really need to go with a prebuilt solution, then do your research on what kind of throughput you need, how many concurrent connections you will have, and if you need more advanced features than just IP blocking. http://firewalls.com will help you if you go this route.

 

Lastly, there are also cloud options like others have mentioned (CloudFlare chiefly). You can also look into those if you'd rather have it all done for you, but it will probably cost a lot more in the long run and really only give you DDoS protection whereas a firewall gives you more control over your network.

Join the Appleitionist cause! See spoiler below for answers to common questions that shouldn't be common!

Spoiler

Q: Do I have a virus?!
A: If you didn't click a sketchy email, haven't left your computer physically open to attack, haven't downloaded anything sketchy/free, know that your software hasn't been exploited in a new hack, then the answer is: probably not.

 

Q: What email/VPN should I use?
A: Proton mail and VPN are the best for email and VPNs respectively. (They're free in a good way)

 

Q: How can I stay anonymous on the (deep/dark) webzz???....

A: By learning how to de-anonymize everyone else; if you can do that, then you know what to do for yourself.

 

Q: What Linux distro is best for x y z?

A: Lubuntu for things with little processing power, Ubuntu for normal PCs, and if you need to do anything else then it's best if you do the research yourself.

 

Q: Why is my Linux giving me x y z error?

A: Have you not googled it? Are you sure StackOverflow doesn't have an answer? Does the error tell you what's wrong? If the answer is no to all of those, message me.

 


29 minutes ago, wizardHD said:

So me and my team have a server room in our office where our projects and websites are hosted but our problem is that we get ddos'd nearly daily and we cant do anything about it.

clarifying question: Does any of this stuff you're serving need to be accessed from outside the office? If it needs to be accessed from outside your office, does it need to be world-accessible, or can you afford to whitelist IPs or have a VPN to get in?


11 minutes ago, LtStaffel said:

You definitely need a better firewall, and you should try to contact your ISP. I can't advise you much on the ISP side, but on the firewall side I can give some pointers.

 

I highly doubt you have the funds necessary to put in a serious Next Generation Firewall (NGFW), so instead I'd recommend building your own. I'm assuming you are relatively able with things like Linux and networking (if not, you really need someone local with more expertise, preferably a friend, to help you out with this). Build the smallest PC you can and put a couple high speed Ethernet NICs in it (PCIe expansion cards) and install pfSense. That will thoroughly outperform anything else in the few-hundred-dollar price range.

 

If you need something even cheaper, then get a small embedded box to run pfSense on. There are a few options depending on your price-range.

 

If you decide you really need to go with a prebuilt solution, then do your research on what kind of throughput you need, how many concurrent connections you will have, and if you need more advanced features than just IP blocking. http://firewalls.com will help you if you go this route.

 

Lastly, there are also cloud options like others have mentioned (CloudFlare chiefly). You can also look into those if you'd rather have it all done for you, but it will probably cost a lot more in the long run and really only give you DDoS protection whereas a firewall gives you more control over your network.

So you mean that I should just put some Ethernet cables from the router into the PCIe cards? Or do you mean this: [pfSense network diagram image]

But the pfSense firewall icon would be the server, right?


4 minutes ago, LtStaffel said:

clarifying question: Does any of this stuff you're serving need to be accessed from outside the office? If it needs to be accessed from outside your office, does it need to be world-accessible, or can you afford to whitelist IPs or have a VPN to get in?

It should be, since we push updates through this, some of which are really big.


Just now, wizardHD said:

So you mean that I should just put some Ethernet cables from the router into the PCIe cards? Without an output to the switch? Like only input?

No, I'm saying you should put a firewall between your modem and router such that all traffic going in or out of your network must pass through the firewall both ways.

 

No offense, but do you know what a firewall is? I think it's exactly what you need here, and you seem knowledgeable on everything but firewalls, so I'd suggest you do some reading up on what they are and what they do. If you think you know anyone who's into network security and could help you with this, then I'd recommend you get them involved so they can help you more easily in ways that are hard to do over a forum.


9 minutes ago, LtStaffel said:

No, I'm saying you should put a firewall between your modem and router such that all traffic going in or out of your network must pass through the firewall both ways.

 

No offense, but do you know what a firewall is? I think it's exactly what you need here, and you seem knowledgeable on everything but firewalls, so I'd suggest you do some reading up on what they are and what they do. If you think you know anyone who's into network security and could help you with this, then I'd recommend you get them involved so they can help you more easily in ways that are hard to do over a forum.

I know what a firewall is, but since I have never done this (setting one up), I would be curious how to plug the cables in.


16 minutes ago, LtStaffel said:

No, I'm saying you should put a firewall between your modem and router such that all traffic going in or out of your network must pass through the firewall both ways.

 

No offense, but do you know what a firewall is? I think it's exactly what you need here, and you seem knowledgeable on everything but firewalls, so I'd suggest you do some reading up on what they are and what they do. If you think you know anyone who's into network security and could help you with this, then I'd recommend you get them involved so they can help you more easily in ways that are hard to do over a forum.

A firewall or anything else isn't going to do anything here if they have a single connection, though. If that's saturated with traffic, there is going to be nothing they can do; a firewall is just going to drop the traffic, but it won't stop it from coming to the outside interface unless the ISP steps in and does something.

 

Edit:

To clarify: even if they have multiple connections from multiple ISPs, if those are 100% saturated with traffic then a firewall won't do anything, because the traffic is still hitting the outside interface(s). Yes, a firewall is important, but if your link capacity is oversaturated with traffic, the firewall is going to drop the attacks but they still saturate the link(s), leaving you offline.

Current Network Layout:

Current Build Log/PC:

Prior Build Log/PC:


8 minutes ago, Lurick said:

A firewall or anything else isn't going to do anything here if they have a single connection, though. If that's saturated with traffic, there is going to be nothing they can do; a firewall is just going to drop the traffic, but it won't stop it from coming to the outside interface unless the ISP steps in and does something.

So I can basically do nothing against it?


2 minutes ago, wizardHD said:

So I can basically do nothing against it?

A firewall won't add extra capacity to your line, so unless your ISP steps in and does something about it, which you should be asking them to do and I hope you already have, there isn't much you can do, unfortunately.

 

Edit:

A firewall is still important, though, but if you're being overrun then it won't really help much right now.


7 minutes ago, Lurick said:

A firewall won't add extra capacity to your line, so unless your ISP steps in and does something about it, which you should be asking them to do and I hope you already have, there isn't much you can do, unfortunately.

 

Edit:

A firewall is still important, though, but if you're being overrun then it won't really help much right now.

How does Linus do it, for example, since he also hosts a server on his internet connection?


Just now, wizardHD said:

How does Linus do it, for example, since he also hosts a server on his internet connection?

Through some DDoS mitigation implemented upstream by the ISP (usually not much) and I believe they route through cloudflare or another dedicated DDoS mitigation provider as well. Once you grow as a company though where you start leveraging things like BGP Flowspec, having multiple peering agreements and other enterprise level mitigation techniques can come into play to stop or mitigate these attacks.


1 hour ago, wizardHD said:

So I can basically do nothing against it?

@Lurick is correct in that if your line is saturated, then the only way to still serve stuff is to have someone with a line big enough to eat the data. You should be able to get Cloudflare DDoS protection without hosting all of your stuff on their servers. What would happen is that all traffic going to you would first go through them, and if a DDoS happens then Cloudflare eats the data and only passes on what you want from there.

 

PS: Your picture in your edit is correct
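The "all traffic goes through them first" arrangement above only holds if the origin refuses everything that does not arrive via the scrubbing provider; otherwise an attacker who learns the origin's address goes straight around it. The following is an added example written for this thread, not code from Cloudflare, pfSense or any poster. The provider address ranges and the client-IP header name are placeholders: use the list your provider publishes and the header it documents. It also does not change Lurick's point: a flood aimed straight at the origin still fills the line, it just never reaches the application.

```python
"""Origin-side checks for a scrubbing proxy in front of a self-hosted server.

Added example for this thread (not from any poster or vendor). The origin
accepts web traffic only from the proxy's address ranges, believes the
client-IP header only on those connections, and the same allowlist is turned
into a host-firewall ruleset so direct hits never reach the service at all.
"""
import ipaddress

# Constructed placeholder ranges standing in for the provider's published list.
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]

# Header carrying the real client address; the name is an assumption, check your
# provider's documentation for the one it actually sets.
CLIENT_IP_HEADER = "cf-connecting-ip"


def from_proxy(peer_ip):
    """True if the TCP peer address lies inside one of the proxy ranges."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in PROXY_RANGES)


def admit(peer_ip, headers):
    """Decide whether to serve a request and which address to log/rate-limit on.

    Returns (allowed, client_ip). Direct connections are refused. The client-IP
    header is only believed when the connection really came from the proxy,
    because any client can send that header itself.
    """
    if not from_proxy(peer_ip):
        return False, None
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(CLIENT_IP_HEADER)
    if raw is None:
        return False, None          # proxy connection without the header: refuse
    try:
        client = ipaddress.ip_address(raw.strip())
    except ValueError:
        return False, None          # garbage in the header: refuse
    return True, str(client)


def _nft_set(name, typ, nets):
    """One nftables named set; the elements clause is omitted when empty."""
    body = f"type {typ}; flags interval;"
    if nets:
        body += " elements = { " + ", ".join(nets) + " }"
    return f"  set {name} {{ {body} }}\n"


def nft_ruleset(ranges=PROXY_RANGES, ports=(80, 443)):
    """Host-firewall counterpart: nftables text that lets only the proxy ranges
    reach the web ports and drops every other packet to them. Apply with nft -f."""
    v4 = [str(n) for n in ranges if n.version == 4]
    v6 = [str(n) for n in ranges if n.version == 6]
    plist = ", ".join(str(p) for p in ports)
    return (
        "table inet origin {\n"
        + _nft_set("proxy_v4", "ipv4_addr", v4)
        + _nft_set("proxy_v6", "ipv6_addr", v6)
        + "  chain input {\n"
        + "    type filter hook input priority 0; policy accept;\n"
        + f"    tcp dport {{ {plist} }} ip saddr @proxy_v4 accept\n"
        + f"    tcp dport {{ {plist} }} ip6 saddr @proxy_v6 accept\n"
        + f"    tcp dport {{ {plist} }} drop\n"
        + "  }\n"
        + "}\n"
    )


if __name__ == "__main__":
    print(admit("203.0.113.10", {"CF-Connecting-IP": "198.51.100.7"}))  # (True, '198.51.100.7')
    print(admit("198.51.100.7", {"CF-Connecting-IP": "203.0.113.10"}))  # (False, None)
    print(nft_ruleset())
```

The header check is the part people get wrong: a rate limiter or access log keyed on the header value is trivially spoofed unless the connection is first proven to come from the proxy, which is why `admit` refuses before it ever reads the header. Keep the range list refreshed from the provider, since a stale list silently drops real clients.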


5 hours ago, wizardHD said:

How does Linus do it, for example, since he also hosts a server on his internet connection?

Yeah, if you're using a server for a small business I wouldn't worry about ISP-level DDoS mitigation. 

 

generally you've got two types of attacks:

 

  • Application
    • When a hacker exploits a vulnerability specific to an application or protocol to bring down / deny access to your service. An example of this might be exploiting a Skype-specific vulnerability, slowing the call protocol and preventing you from taking or receiving calls, or hijacking the DNS servers of an organisation to redirect to non-existent IP addresses. These are just (bad) examples.
  • Flood
    • This is when someone directly floods your internet connection. This takes a lot of bandwidth and is usually done with botnets, such as the Mirai botnet, which used a huge number of compromised IoT devices to access a service all at once, flooding its network bandwidth and making it inaccessible. It's normally in generic flood attacks that ISP mitigation will come in.

 

What I would personally suggest for your server would be to integrate an IPS (Intrusion Prevention System), which will analyse all incoming traffic and block known attacks. It will blacklist addresses for a period of time to ensure the attack does not succeed.

 

You just need to have resources available. The suggested implementation is a virtualised IPS, which simply means you would have to have enough resources and bandwidth on a VM host. The amount I would recommend for a very small business is 4 GiB RAM and 4 cores.

 

For you I would suggest 8 GiB.

 

My suggestion for a firewall OS on a VM would be:

OPNsense, IPFire with Snort added, or Untangle.

 

If you do not have these resources available, you can rent a server in the cloud, such as Oracle Cloud, Google Cloud, Azure, etc., and route services through it, relying on their DDoS protection. You can do this by using a VPN/SSH tunnel and a networking application such as HAProxy or Nginx.
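Akolyte's suggestion above, an IPS that blacklists a source for a period of time, and Lurick's earlier point that dropping packets does not un-saturate the link, can be seen side by side in one small model. This is an added example written for this thread, not code from any poster, Snort, OPNsense or any other product; the thresholds, addresses and traffic logs are constructed. A single host hammering the web service is banned after its first 20 hits and stays banned for a minute, which is the application-flood case. A flood spread over 500 bots that each stay under the threshold is never touched, and in both cases every packet has already crossed the WAN link before the decision is made.

```python
"""Per-source rate limiter with timed bans, run over constructed traffic logs.

Added example for this thread (not code from any poster or product). It models
the IPS behaviour "ban a source for a while once it exceeds a rate", then shows
the two cases that matter here: a single-source application flood gets cut off,
a distributed flood whose bots each stay under the threshold does not. Either
way the packets have already arrived on the outside interface; a drop decision
frees server CPU, not link capacity.
"""
from collections import defaultdict, deque


class RateBlocklist:
    """Ban a source for ban_s seconds once it exceeds max_hits within window_s."""

    def __init__(self, max_hits=20, window_s=1.0, ban_s=60.0):
        self.max_hits = max_hits
        self.window_s = window_s
        self.ban_s = ban_s
        self._hits = defaultdict(deque)   # src -> timestamps inside the window
        self._banned_until = {}           # src -> time at which the ban expires

    def observe(self, src, ts):
        """Return True if a packet from src at time ts is passed, False if dropped."""
        until = self._banned_until.get(src)
        if until is not None:
            if ts < until:
                return False                  # still banned: drop
            del self._banned_until[src]       # ban expired: start clean
            self._hits[src].clear()
        q = self._hits[src]
        q.append(ts)
        while q and q[0] <= ts - self.window_s:
            q.popleft()                       # forget hits older than the window
        if len(q) > self.max_hits:
            self._banned_until[src] = ts + self.ban_s
            return False
        return True

    def banned(self):
        """Sources currently under a ban, sorted for stable output."""
        return sorted(self._banned_until)


def run(records, **limits):
    """Feed (timestamp, src) records through a blocklist; return (passed, dropped, bans)."""
    bl = RateBlocklist(**limits)
    passed = dropped = 0
    for ts, src in records:
        if bl.observe(src, ts):
            passed += 1
        else:
            dropped += 1
    return passed, dropped, bl.banned()


def single_source_flood():
    """Constructed log: one host sends 500 requests in one second, a normal client sends 5."""
    attacker = [(i * 0.002, "203.0.113.7") for i in range(500)]
    client = [(0.1 * (i + 1), "198.51.100.5") for i in range(5)]
    return sorted(attacker + client)


def distributed_flood():
    """Constructed log: 500 bots, each sending 10 requests within one second."""
    recs = []
    for bot in range(500):
        src = f"100.64.{bot // 256}.{bot % 256}"   # 500 distinct constructed sources
        recs.extend((k * 0.1 + bot * 0.0001, src) for k in range(10))
    return sorted(recs)


if __name__ == "__main__":
    print("single source:", run(single_source_flood()))   # (25, 480, ['203.0.113.7'])
    print("distributed  :", run(distributed_flood()))     # (5000, 0, [])
```

The distributed case is the one this thread is about: 5000 packets pass, nothing is banned, and lowering `max_hits` far enough to catch ten requests per second per source would also ban the legitimate client. Per-source limits are worth having on the origin for the application-level case; the volumetric case needs capacity upstream, from the ISP or a scrubbing provider.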

 


11 hours ago, Akolyte said:

Yeah, if you're using a server for a small business I wouldn't worry about ISP-level DDoS mitigation. 

 

generally you've got two types of attacks:

 

  • Application
    • When a hacker exploits a vulnerability specific to an application or protocol to bring down / deny access to your service. An example of this might be exploiting a Skype-specific vulnerability, slowing the call protocol and preventing you from taking or receiving calls, or hijacking the DNS servers of an organisation to redirect to non-existent IP addresses. These are just (bad) examples.
  • Flood
    • This is when someone directly floods your internet connection. This takes a lot of bandwidth and is usually done with botnets, such as the Mirai botnet, which used a huge number of compromised IoT devices to access a service all at once, flooding its network bandwidth and making it inaccessible. It's normally in generic flood attacks that ISP mitigation will come in.

 

What I would personally suggest for your server would be to integrate an IPS (Intrusion Prevention System), which will analyse all incoming traffic and block known attacks. It will blacklist addresses for a period of time to ensure the attack does not succeed.

 

You just need to have resources available. The suggested implementation is a virtualised IPS, which simply means you would have to have enough resources and bandwidth on a VM host. The amount I would recommend for a very small business is 4 GiB RAM and 4 cores.

 

For you I would suggest 8 GiB.

 

My suggestion for a firewall OS on a VM would be:

OPNsense, IPFire with Snort added, or Untangle.

 

If you do not have these resources available, you can rent a server in the cloud, such as Oracle Cloud, Google Cloud, Azure, etc., and route services through it, relying on their DDoS protection. You can do this by using a VPN/SSH tunnel and a networking application such as HAProxy or Nginx.

 

So it would basically work like this: I have 2 network ports on my server; one goes directly from the modem to the server and the other one from the server to the switch. On this server I install the software, for example OPNsense. Tell me if I am wrong.

 

Which hardware components would I need? Network cards? If yes, how many? Can you recommend some which work with Linux?

 

We have a 20-core CPU lying around, so that wouldn't be the problem. We would have enough computing power.


6 hours ago, wizardHD said:

So it would basically work like this: I have 2 network ports on my server; one goes directly from the modem to the server and the other one from the server to the switch. On this server I install the software, for example OPNsense. Tell me if I am wrong.

 

Which hardware components would I need? Network cards? If yes, how many? Can you recommend some which work with Linux?

 

We have a 20-core CPU lying around, so that wouldn't be the problem. We would have enough computing power.

You can also just buy these systems as a dedicated hardware box; that would probably be simpler to set up. Depending on your bandwidth, there are Untangle boxes, SonicWall systems, Fortinet, and others who make these appliances.

 

Can you make a network diagram? What subnets do you have?

 

You should have the public servers on a different subnet than the desktops and other devices, and only allow needed traffic.

 

I'd really suggest you hire someone to help here who knows about network design and security; you seem to be a bit over your head here.

 

But I'd really suggest you host this in the cloud with a service that is made to reduce DDoS attacks. This basically removes the DDoS issue and allows for much more growth and bandwidth if needed.

 

 

 

 


18 hours ago, Akolyte said:

Yeah, if you're using a server for a small business I wouldn't worry about ISP-level DDoS mitigation. 

 

generally you've got two types of attacks:

 

  • Application
    • When a hacker exploits a vulnerability specific to an application or protocol to bring down / deny access to your service. An example of this might be exploiting a Skype-specific vulnerability, slowing the call protocol and preventing you from taking or receiving calls, or hijacking the DNS servers of an organisation to redirect to non-existent IP addresses. These are just (bad) examples.
  • Flood
    • This is when someone directly floods your internet connection. This takes a lot of bandwidth and is usually done with botnets, such as the Mirai botnet, which used a huge number of compromised IoT devices to access a service all at once, flooding its network bandwidth and making it inaccessible. It's normally in generic flood attacks that ISP mitigation will come in.

 

What I would personally suggest for your server would be to integrate an IPS (Intrusion Prevention System), which will analyse all incoming traffic and block known attacks. It will blacklist addresses for a period of time to ensure the attack does not succeed.

 

You just need to have resources available. The suggested implementation is a virtualised IPS, which simply means you would have to have enough resources and bandwidth on a VM host. The amount I would recommend for a very small business is 4 GiB RAM and 4 cores.

 

For you I would suggest 8 GiB.

 

My suggestion for a firewall OS on a VM would be:

OPNsense, IPFire with Snort added, or Untangle.

 

If you do not have these resources available, you can rent a server in the cloud, such as Oracle Cloud, Google Cloud, Azure, etc., and route services through it, relying on their DDoS protection. You can do this by using a VPN/SSH tunnel and a networking application such as HAProxy or Nginx.

 

Why this over pfSense?


13 hours ago, Electronics Wizardy said:

You can also just buy these systems as a dedicated hardware box; that would probably be simpler to set up. Depending on your bandwidth, there are Untangle boxes, SonicWall systems, Fortinet, and others who make these appliances.

 

Can you make a network diagram? What subnets do you have?

 

You should have the public servers on a different subnet than the desktops and other devices, and only allow needed traffic.

 

I'd really suggest you hire someone to help here who knows about network design and security; you seem to be a bit over your head here.

 

But I'd really suggest you host this in the cloud with a service that is made to reduce DDoS attacks. This basically removes the DDoS issue and allows for much more growth and bandwidth if needed.

 

 

 

 

Yeah, I think you are right, since I only have experience with programming and Linux things. I've never set up a network like this. We are probably going to move the update server to Cloudflare and make a secure tunnel for our servers to work from home.


On 9/9/2020 at 8:41 AM, LtStaffel said:

Why this over pfSense?

OPNsense is a fork of pfSense but mostly rewritten. In my experience it's more stable and has a lot of useful features installed by default, such as an IPS, which wasn't installed in pfSense when I last used it.

 

Most importantly, though, pfSense is only available for free for non-commercial use and is owned by Netgate. OPNsense uses a BSD license and can be used for commercial purposes for free; you just have to buy any premium support.

 

20 hours ago, wizardHD said:

Yeah, I think you are right, since I only have experience with programming and Linux things. I've never set up a network like this. We are probably going to move the update server to Cloudflare and make a secure tunnel for our servers to work from home.

Cloudflare is really good. You may still want to get a bastion host with a cloud provider like AWS or Azure as well. Your team could use it as a jump host, maybe.

 

I wouldn't rely solely on one solution.

