DDOS Protection for a Dedicated Server

[Dreamplay]

I'm looking for a DDOS Protection Solution for my Dedicated Server  hosted at home. Not website protection. I can't seem to find any alternatives that doesn't break the bank. Anyone got any ideas?

[dalekphalm]

19 hours ago, Dreamplay said:

I'm looking for a DDOS Protection Solution for my Dedicated Server  hosted at home. Not website protection. I can't seem to find any alternatives that doesn't break the bank. Anyone got any ideas?

There really isn't going to be a practical solution for home-hosted DDOS protection. Certainly there are products that advertise this, but consider how DDOS protection works:

 

It filters out bad requests and just lets good traffic through. That's a ton of bandwidth and data it has to sort through. Good DDOS protection, like Cloud Flare, works well because they have huge data centres to process and filter traffic as fast as possible - and even with these services, some slowdown still happens - it just minimizes the impact so the site doesn't go down completely.

 

Example: Whenever LTT gets DDOS'd, the site still runs, but it runs like crap and is slow.

 

A regular firewall can already do what Cloud Flare does in a basic sense: Use rules to determine what traffic is allowed, and drop the rest. The problem is that your connection itself would likely get flooded, and even if the firewall drops the ddos connections, you get overwhelmed anyway. Cloud based DDOS protection works by running the traffic through their much larger and more powerful connection first, then passing it finally to the actual web server.

[Dreamplay]

3 hours ago, dalekphalm said:

There really isn't going to be a practical solution for home-hosted DDOS protection. Certainly there are products that advertise this, but consider how DDOS protection works:

 

It filters out bad requests and just lets good traffic through. That's a ton of bandwidth and data it has to sort through. Good DDOS protection, like Cloud Flare, works well because they have huge data centres to process and filter traffic as fast as possible - and even with these services, some slowdown still happens - it just minimizes the impact so the site doesn't go down completely.

 

Example: Whenever LTT gets DDOS'd, the site still runs, but it runs like crap and is slow.

 

A regular firewall can already do what Cloud Flare does in a basic sense: Use rules to determine what traffic is allowed, and drop the rest. The problem is that your connection itself would likely get flooded, and even if the firewall drops the ddos connections, you get overwhelmed anyway. Cloud based DDOS protection works by running the traffic through their much larger and more powerful connection first, then passing it finally to the actual web server.

Yeah I know, Cloudflare have got a service called spectrum which is ddos protection for any port. That's what I want. Unfortunally when it comes to cloudflare they only allow enterprise customers. I was wondering if someone else also allowed it that I couldn't find.

[dalekphalm]

6 hours ago, Dreamplay said:

Yeah I know, Cloudflare have got a service called spectrum which is ddos protection for any port. That's what I want. Unfortunally when it comes to cloudflare they only allow enterprise customers. I was wondering if someone else also allowed it that I couldn't find.

Honestly I'd do a google search and see if there's a local data centre in or near where you live. If so, many of them offer their own flavour of DDOS protection - and typically they don't care what kind of customer you are, as long as you're not doing anything illegal.

 

You might have to rent a proxy or a VPS as part of the deal though, to route the traffic.

 

Definitely worth looking into.

[Jarsky]

What are you looking for DDoS Protection for at home if not a website? maybe a proxy or vpn is more what you're after depending what you're running that's at risk?

 

There are various security measures you can take to minimise DoS attacks. Many routers have built in firewalls, make sure thats enabled - they often block SYN & UDP flood attacks, have the option to disable ICMP requests or sometimes have ICMP flood settings which covers the most common attack (smurf attack). You can always get dedicated firewalls as well, either software like pfSense, or hardware like a Unifi USG. You want to only open ports you need to as well. 

 

[Dreamplay]

23 hours ago, Jarsky said:

What are you looking for DDoS Protection for at home if not a website? maybe a proxy or vpn is more what you're after depending what you're running that's at risk?

 

There are various security measures you can take to minimise DoS attacks. Many routers have built in firewalls, make sure thats enabled - they often block SYN & UDP flood attacks, have the option to disable ICMP requests or sometimes have ICMP flood settings which covers the most common attack (smurf attack). You can always get dedicated firewalls as well, either software like pfSense, or hardware like a Unifi USG. You want to only open ports you need to as well. 

 

Game servers. It's much more economical to run them at own on a dedicated server than to rent them.

[dalekphalm]

1 hour ago, Dreamplay said:

Game servers. It's much more economical to run them at own on a dedicated server than to rent them.

If hosting your own game server, I'd start by being more selective with giving out the server info. Only do so to people who are your friends and you know won't fuck you with a DDOS.

 

Second, if that's not possible (or the info is already out there, and the ship has sailed, so to speak), then I'd consider perhaps using a proxy. Have your Server Info point to the proxy (either domain, if you have one, or IP) so that when someone "connects" to the server, they're actually connecting to the proxy first. The proxy then forwards the info to your actual game server, and should obfuscate the real IP of your server. Of course, they can still DDOS the proxy, but it's easier to get a new IP on a proxy, etc, then it is to deal with your home connection.

 

However, I think step one should be look at what firewall you currently have, and consider installing a proper hardware firewall (like a Cisco ASA, Ubiquiti, etc), or if you can't afford one, install a server firewall, like pfsense. Keep in mind that an edge firewall is going to work the best (edge firewall meaning it's the first device in your chain, outside of a modem).

[Jarsky]

I used to host a few dozen gaming servers, my datacenter provided the DDoS mitigation. You should enquire with your datacenter if its going to be hosted. 

If its at home though, i'd run a security gateway (firewall) which should be able to mitigate most types of attacks. Of course theres nothing you can do if they just completely flood your connection, and many ISP's frown on people hosting their own servers on home connections for that very reason.