How well does software anti-DDOS at VPS level work?

Not an expert on anti-DDOS but was wondering about how VPSes on say DO, Linode or providers who do not offer anti-DDOS services can protect themselves. Came across this list of software that can be used at the VPS level to mitigate DDOS attacks: https://www.globalsign.com/en-sg/blog/how-to-prevent-a-ddos-attack-on-a-cloud-server/

Some of them look quite easy to implement out of the box and am considering using a lightweight one to at least have some protection. Would be grateful for some advice on their usefulness.

Deals and Reviews: LowEndBoxes Review | Avoid dodgy providers with The LEBRE Whitelist | Free hosting (with conditions): Evolution-Host, NanoKVM, FreeMach, ServedEZ | Get expert copyediting and copywriting help at The Write Flow

Comments

  • RahulRahul OG
    edited November 2019

    poisson said: a lightweight one

    It may work and be lightweight in case of a small attack, but in the event of a large DDoS attack the CPU usage on the vps will go through the roof.

    Also the bogus packets still reaches your vps and will be accounted for so in the mix there will be packet loss.

    Hardware based stuff like OVH's VAC are the only defence.

  • Some of those tips may be helpful for a poor-man's protection, but here we're talking about a simple VPS, not even a dedi. Some of those tips don't really apply, e.g. PF_RING. You may prevent some cpu spikes dropping bad packets in iptables' raw table, or spare your service some heavy load with some WAF, yet you're still relying on your provider's infra and they may not be comfortable with a gazillion packets/second sent to their host.
    You could imagine to create some poor-man's balancers e.g. with floating IPs, still the same would generally apply.

    The good news is that you're probably not a target for DDoS to begin with and you could proactively do a lot to prevent yourself from being a target if you're not handling questionable or otherwise hot content. Hardening your box and keeping it up-to-date is a nice first step. I'd hint to give a look at lynis if you want to further expand on this, and obtain some (generic) pointers. iptables, modsecurity, nginx, haproxy, fail2ban, ipsets and whatnot may complement and help a lot too.

    So. Looking at those and similar tips to protect your VPS may be useful, but don't expect those to be enough if you're a target for some reasons. Some kind of edge filtering is required and nowadays most providers do provide some levels of protection (for some reasons you only hear about OVH when in my experience their overall product is sub-par: marketing does wonders. Sure they're probably good enough for any conceivable purpose a VPS could be used for)

  • mfs said: The good news is that you're probably not a target for DDoS to begin with

    Is this still true? Almost every day I'm hearing about some new ransomware attack or DDoS extortion attempt. I wish it wasn't true, but it feels like the internet is becoming a more hostile place every year that goes by.

  • mfsmfs OG
    edited November 2019

    Well you excerpted a quite longer paragraph, yet yes, it's true. There's no crooks out there ready to hunt down everyone's blog like nobody's business.
    If you harden your box so that it

    • doesn't unwillingly participate itself in nefarious stuff like amplification attacks
    • doesn't act as an open relay
    • doesn't engage in botnet-alike activities

    you can idle it safely if you don't host questionable content (or provide a service like e.g. a game server)
    Ransomware is quite a different ball game, it seems you're mixing in too heterogeneous stuff. DDoS extortion attempts... won't likely happen

    if you're not handling questionable or otherwise hot content

    So yeah, if your surname is "Assange" you'd better cover your back. Other than that, there has been much marketing around a preposterous need to "hide" your real server IP against nefarious hackers out there, even if it isn't really the case.
    Basic hardening is too neglected imho even if it should be the first thing to check
    A problem does exist with IoT but it's yet another chapter

    Thanked by (1)ChungusMungus
  • Well, If I remember correctly, Linode has 10Gbit downlink to the Node itself, so I could in theory tank a bit?
    In general, you filter, where you have the biggest pipe, which is not your VPS.

    Or you confusing DDoS with DoS which you can hold easily most of the time on the machine itself.

  • @mfs I appreciate your comments. Yes of course ransomware/extortion is a bit different to ordinary DDoS. I was just trying to say that everything feels worse these days. For instance, if you misconfigure MySQL, one day you might find your whole DB encrypted along with a ransom note. And extortion isn't limited to "politically exposed" types - at least one provider here has talked about being targeted.

    I tend to be a little paranoid and possibly read too many security blogs, so it is good to hear the other side. And it's true that there are certain companies who have a vested interest in making us all more nervous... (You might call it CloudSCARE).

    Thanked by (1)mfs
  • MikeAMikeA Hosting ProviderOG

    @Neoon said:
    Well, If I remember correctly, Linode has 10Gbit downlink to the Node itself

    Linode is 40G.

    ExtraVM - High RAM Specials
    Yours truly.

  • But are they willing to tank attacks with that connectivity?

    Amitz, a very stable genius (it's true!) and Grand Rectumfier of the official LESLOS® (LES League of Shitposters).
    Certified braindead since 1974 and still perfectly happy.

  • MikeAMikeA Hosting ProviderOG
    edited November 2019

    @Amitz said:
    But are they willing to tank attacks with that connectivity?

    no clue, they don't tell anyone, I tried asking and they basically just said "we'll do what we can until we can't". Seems like no, but if there are attacks they will use ACLs or something if needed.

    Thanked by (2)Amitz vimalware

    ExtraVM - High RAM Specials
    Yours truly.

  • Thanks for the kind thoughts, everyone. From the replies, it appears that these solutions mainly mitigate the bandwidth part but probably not the CPU part for a VPS. I guess if they don't cost much in terms of system overheads can probably install one and forget it just as an additional layer of protection.

    This one claims to act like a CloudFlare and offers layer 7 mitigation: https://vpsboard.com/threads/install-vddos-proxy-protection-antiddos-dos-syn-floods-http-floods-attack.9620/

    Sounds like a more advanced setup but not sure how it performs under real attacks.

    Deals and Reviews: LowEndBoxes Review | Avoid dodgy providers with The LEBRE Whitelist | Free hosting (with conditions): Evolution-Host, NanoKVM, FreeMach, ServedEZ | Get expert copyediting and copywriting help at The Write Flow

  • You can initiate syn flood attack protection with CSF, though they don't advise doing so, unless under attack.

    It wisnae me! A big boy done it and ran away.
    NVMe2G for life! until death (the end is nigh)

  • spliticesplitice Hosting ProviderOG

    Mitigating on most VPS's you will be limited to the CPU you can use on a single RX queue. This combined with virtualization overheads really limits your PPS even if you can get a dedicated core. Virtio-multiqueue can help, but it's not commonly deployed.

    X4B - DDoS Protection: Affordable Anycast DDoS protection including Layer 7 mitigation with PoPs in the Europe, Asia, North and South America.
    Latest Offer: Brazil Launch 2020 Offer

  • edited November 2019

    There was quite a lot of interesting discussion about homebrewed mitigation platforms built with dual E5 systems.
    Lots of interesting comment sfrom @combahton_it over at the old place. here's one I quickly googled: https://www._OLDplace_lowendtalk.com/discussion/comment/1759162/#Comment_1759162

    The key is to keep packets out of the kernel space, with special purpose NICs and extra special sauce.

Sign In or Register to comment.