
firewall recommendations?

Due to my main computer being DDoSed, and after discovering my brother had others doing it, I need to purchase a firewall. I have 1000 dollars to spend on one. I need something that I can connect that will help prevent DDoS attacks. I've already contacted my internet service provider and they say there's nothing they can do to change my IP address (or they're just not willing to). I don't want to use a VPN as they slow down my internet way too much. If you can, please recommend me something that is extremely reliable. Honestly, I'm thinking about something enterprise grade level. If you can think of good ones, please write the name of it in the comments. Or if you have personal experience with this, please PM me.

Thanks guys

https://linustechtips.com/topic/369966-firewall-recommendations/

restarting your router should change your IP address...

or enabling ping blocking in the settings

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5009387

build one yourself? I have a virtualised pfsense firewall which is exceptionally good and feature rich. The OS itself is completely free and you can run it on almost any x86 hardware so long as you have 2 independent network interfaces on it.

 

https://www.pfsense.org/about-pfsense/

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5009392

build one yourself? I have a virtualised pfsense firewall which is exceptionally good and feature rich. The OS itself is completely free and you can run it on almost any x86 hardware so long as you have 2 independent network interfaces on it.

 

https://www.pfsense.org/about-pfsense/

I need something more reliable than that. The thing is, I'm also running servers off my connection, so I need high speed for everything.

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5009411

It's a non-changing IP address, it's static :/

well that sucks

usually consumer  internet connections use dynamic

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5009437

well that sucks

usually consumer  internet connections use dynamic

Yeah, that's why the only way to solve it is to use a firewall. I have my machine connected to a second internet connection, but there's like a 100 megabyte difference, so I don't want to be on this connection longer than I have to be.

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5009448

If you have $1000 to spend why not just get a new ISP hooked up? 

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5009463

we have the best internet we can get here

ah, I see, well, I'm out of ideas then

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5009494

Reliable enough? This is tried and tested enterprise grade software capable of protecting entire data centers with a single appliance. It is more than reliable and powerful enough to protect a couple of servers hanging off a home internet connection.

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5009498

Reliable enough? This is tried and tested enterprise grade software capable of protecting entire data centers with a single appliance. It is more than reliable and powerful enough to protect a couple of servers hanging off a home internet connection.

Alright, will try it on a spare computer I own. What kind of network cards are you using in yours?

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5009671

also does your potato thing ever end?

No. No it does not. Potato is an infinite life form.

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5009708

Get a VPN, it's your best realistic choice. Dropping $1000 on a firewall does nothing for you since the whole point of a DDoS is to flood your internet pipe. Your pipe will still be congested no matter what appliance you have.

 

A VPN will hide your real IP and there are good enough services to not have a detrimental effect on your speed. Shop around, find the closest provider and use it.

 

Again, a VPN is your best choice. Dropping $1,000 on a firewall will get you nowhere.

 

Another problem you could address is how he finds out your IP. Hell, if he persists, threaten him with legal action. Performing or arranging a DDoS is illegal, and you can charge him for it.

 

Another problem you could address is why is he doing it? Did you piss him off?

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5011237

@Darren Just because he has $1000 to spend, doesn't mean he will.

 

Why would you use a VPN for this application, you just wouldn't.

 

How do you think big corporations that have static IP's block constant attempts at DDoS? VPN? Lol.

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5011407

@Darren Just because he has $1000 to spend, doesn't mean he will.

 

Why would you use a VPN for this application, you just wouldn't.

 

How do you think big corporations that have static IP's block constant attempts at DDoS? VPN? Lol.

 

Absolutely, your prosumer should act like, say, a university with a /16 who has a 2x10Gbps connection and buy appliances to do mitigation. What a brilliant idea, you're hired.

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5011629

PFSense and any real firewall has the tools required to handle this. I suggest getting some experience before hopping on your keyboard with that attitude.

 

PFSense is a brilliant appliance with the advantage of being free and runs on a lot of hardware.

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5011736

PFSense and any real firewall has the tools required to handle this. I suggest getting some experience before hopping on your keyboard with that attitude.

 

PFSense is a brilliant appliance with the advantage of being free and runs on a lot of hardware.

 

Well now you've actually suggested something, which is what I was fishing for.

 

Sure, I don't have the most experience but I'm not seeing how if he has someone throwing 10gig at him through a 50meg connection, how something on his end is going to be a huge deal of help without involving someone else, his ISP, legal etc. There are ways of solving his particular problem without throwing money at it, which was my point from the start.

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5011858

Well now you've actually suggested something, which is what I was fishing for.

 

Sure, I don't have the most experience but I'm not seeing how if he has someone throwing 10gig at him through a 50meg connection, how something on his end is going to be a huge deal of help without involving someone else, his ISP, legal etc. There are ways of solving his particular problem without throwing money at it, which was my point from the start.

 

Much more civilised, thanks, I appreciate that.

 

PFSense won't cost any money either, other than one or two network cards, which are super cheap even for Intel NICs. You can then either run it virtual, or on old hardware you have lying around. So all in all it would maybe cost the same as a VPN. Except not every month.

A decent firewall can block and reject IPs, create a blacklist, close open ports which your ISP leaves open, configure the amount of concurrent connections and configure rate limits, as well as a whole host of other tools.

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5011966
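The features listed in the post above (blacklist, closed ports, concurrent-connection limit, rate limit) written out as a ruleset for pf, the packet filter pfSense is built on; this is an added example, not part of the original post and not configuration generated by pfSense. The interface name, server address, ports and thresholds are assumptions.

```pf
# Added example in FreeBSD pf.conf syntax. All names and numbers below are
# assumptions chosen for illustration.
ext_if       = "em0"            # WAN-facing NIC (assumed name)
server       = "192.168.1.10"   # host running the services (constructed)
tcp_services = "{ 80, 443 }"    # ports deliberately left open (assumed)

# Blacklist table. Sources that exceed the limits further down are added
# automatically; "persist" keeps the table alive while it is empty.
table <abusers> persist

# Drop silently rather than answering with RST/ICMP, so the firewall
# does not spend upstream bandwidth replying to unwanted packets.
set block-policy drop
set skip on lo0

# Close everything by default: any port not passed below is closed,
# including inbound ping.
block in log on $ext_if all

# Anything already on the blacklist is dropped before other rules run.
block in quick on $ext_if from <abusers>

# Open only the published services, with per-source limits:
#   max-src-conn 50         at most 50 concurrent connections per source
#   max-src-conn-rate 20/5  at most 20 new connections per 5 seconds
#   overload ... flush global  blacklist the source and kill its states
# (NAT / port-forward rules are omitted here.)
pass in on $ext_if proto tcp to $server port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 20/5, \
     overload <abusers> flush global)

# Outbound traffic from the LAN is allowed and tracked.
pass out on $ext_if all keep state
```

On a stock FreeBSD system, `pfctl -nf /etc/pf.conf` parses a ruleset without loading it and `pfctl -t abusers -T show` lists the blacklisted sources. These limits act on packets the firewall has already received, which is the point the replies that follow take up.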

Eniqmatic I have to agree with you on PFSense, it's a great OS, however Darren is correct, by the time the packets get to the PFSense gateway they are already on his pipe. The only thing that PFSense can do is maybe mitigate it a little. Once the Access shelf encodes the bytes onto his line he's screwed. This should be something the ISP does in an Internet Services Gateway or IPS.

As a side note, a VPN will also not help because his actual IP remains the same. The VPN hides his IP but he still has it. If someone, i.e. his brother, knows the IP, a VPN will not change it.

 

Just my 2 cents.

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5012792

Reliable enough? This is tried and tested enterprise grade software capable of protecting entire data centers with a single appliance. It is more than reliable and powerful enough to protect a couple of servers hanging off a home internet connection.

Alright, I have purchased 2 networking cards and I'll be installing them in an old custom desktop I have lying around. I'll look up how to configure it and get it running. If it doesn't stop the DDoS then I'll go purchase a firewall; I'm thinking something from Mushroom Networks. What kinds of network cards would be good for this situation?

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5013289

Eniqmatic I have to agree with you on PFSense, it's a great OS, however Darren is correct, by the time the packets get to the PFSense gateway they are already on his pipe. The only thing that PFSense can do is maybe mitigate it a little. Once the Access shelf encodes the bytes onto his line he's screwed. This should be something the ISP does in an Internet Services Gateway or IPS.

As a side note, a VPN will also not help because his actual IP remains the same. The VPN hides his IP but he still has it. If someone, i.e. his brother, knows the IP, a VPN will not change it.

 

Just my 2 cents.

This is definitely the most concise response here so far. PFSense won't help. A VPN won't help. A DDoS works by flooding the incoming pipe with connection requests. Even refusing those requests takes up resources. Especially since PFSense is on the wrong end of the network line to do any mitigation at all.

 

DDoS mitigation services work as a middle man between your connection. Your true IP Address is never exposed in this scenario. As one IP Address is flooded by the DDoS attack, the mitigation service slips your connection to a new IP Address, and bounces you around, filtering out as much traffic as possible.

 

If your true IP Address is already exposed then I don't really see anything that can be done. Using a VPN won't change the IP Address your Modem has, it will just protect you from having your IP Address exposed in the future. Anyone who already knows it won't suddenly forget about it. A VPN doesn't block or cancel out traffic on your regular IP Address, because the VPN service is connecting to that regular IP Address, and using it to communicate with you.

 

The only real solution I can see is changing your IP Address. Once you do that, using a VPN to protect your IP from further exposure is a good way to prevent DDoS exposure, but it won't help until you have a new, "secret" IP Address. @acdcman200 you need to convince your ISP to give you a new IP Address. If all else fails, and this is a serious issue, then you could cancel your connection, wait for it to be disconnected, then have the service hooked up again - that would definitely give you a new IP. But I would straight up ask your ISP why they won't give you a new IP Address. Furthermore, DDoS attacks are illegal in basically almost every country. Why are your brother's friends DDoSing you to begin with? Is he that big of an asshole? How old is he? Does he live at home? If you cannot convince him to stop, then you need to go to your parents or the police.

 

@Eniqmatic

@Darren

https://linustechtips.com/topic/369966-firewall-recommendations/#findComment-5013324