

Home Brewed DDOS Firewall




Posted by hostingguy123, 08-29-2008, 01:47 AM
I am working on setting up my own ddos firewall to filter out ddos attacks. I have been reading through posts on the forum and here is a list of the software I found for ddos protection: psad, snort, vyatta, deflate, and iptables. If you think I should add or remove any software from this list, please advise. Side note, I have this list of software, but I am not sure how to configure them so they all work together. So, if you have any ideas on that let me know. I wanted to use linux for this home brewed ddos firewall project and specifically opensuse 11.0. Any help pointing me in the right direction would be great. Or if anyone knows any home brewed guides for building your own ddos firewall that would also be very helpful.

Posted by Master Bo, 08-29-2008, 06:37 AM
Security is a complex thing: one should not only be ready to ward off DoS/DDoS, but also know the weakest part of the system and monitor the possible vulnerabilities. I think that the mentioned pieces of software implement only particular aspects of a DDoS defense strategy, but one should have complete knowledge of where attackers can strike. After all, the software isn't enough to deflect a massive, well-planned DDoS, if I am not mistaken. I suggest visiting something like Sectools and implementing multiple approaches - scanning, deflecting, monitoring services, and so on.

Posted by hostingguy123, 08-30-2008, 12:04 AM
I looked through that site and I see a lot of good information and software, but not a lot about DDOS protection.

Posted by jayglate, 08-30-2008, 12:40 AM
Given the man hours involved in setting up your own anti-ddos system from scratch, it would most likely be cheaper to buy one. We investigated doing the very same thing you are thinking about and we opted to buy one instead. Check out riorey.com and ask for Dave Sands; tell him Jay from dedicatednow.com sent you and he will get you a discount.

Posted by hostingguy123, 08-30-2008, 04:26 AM
Can you tell me the general price range for his product? My budget is kind of tight right now, which is why I was looking at setting up a home brewed anti-ddos system.

Posted by hostingguy123, 09-01-2008, 05:58 PM
Anyone else have any ideas for me?

Posted by Exoware, 09-01-2008, 06:04 PM
I hear Prolexic is very good at DDoS mitigation.

Posted by Master Bo, 09-01-2008, 08:41 PM
There are two things to consider. First, 'budget' - software - means to ward off DDoS are rather resource-consuming. You can use, say, Snort or another intrusion detector and/or analyze logs to detect an incoming DDoS and instruct the built-in firewall to drop the inbound junk connections, but in case of a really massive attack this will quickly exhaust the resources and/or hang the server. There should be hardware means to handle DDoS - and they are not cheap - and software ones should only handle whatever leaks through the 'outer wall'. If you outline your budget, one can offer better advice. Thanks.

Posted by hostingguy123, 09-01-2008, 11:32 PM
My budget is tight (around $500-$1000), but I already have the hardware element for the ddos protection. I have two possible systems that I can allocate strictly for ddos protection: a 2.4GHz quad core, or, if I need it, I also have a dual 2.4GHz quad core system. I would think the single quad should be enough to handle a pretty good size attack. With this hardware plus the software I listed, do you think I can make a strong enough firewall to stop a ddos attack?

Posted by Master Bo, 09-02-2008, 02:38 AM
To answer anything definite, one should know what hardware you have and what software means you plan to use in addition, and what scale and type of DDoS you need to survive.

Posted by hostingguy123, 09-02-2008, 03:45 AM
Hardware will be a quad core @ 2.4GHz with 4GB of RAM. OS will be Suse Linux and ddos software is psad, snort, vyatta, deflate, and iptables. I am still taking suggestions on additional software too. As for the size of ddos attack, at least 100MB/s; with that software and hardware, how much do you think I can handle?

Posted by Master Bo, 09-02-2008, 04:34 AM
By hardware I meant, say, routers able to perform rate limiting, delayed binding and other techniques used to balance traffic and prevent DoS. Also, it is hardly useful to use all the pieces of software you are using. Ultimately, you will use iptables to block/deny connections, and it is iptables that will be the bottleneck. Basically, you should be able to:
- set up your standard iptables rules to drop martians and reserved network addresses (bogus IPs)
- rate limit your outer interface card
The best means to test your setup is to emulate DDoS by establishing many connections and analyzing the situation. I have no data at hand on how much memory iptables uses per rule and how quickly its efficiency will degrade. 'Attack' your system yourself and you will know its capacities. Also, don't forget to turn logging off in case of a real attack - it could render your system unusable. Also: there can be no system able to sustain *any* DDoS. Roughly speaking, a botnet containing 100000 zombies can defeat nearly any single server.
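As an added illustration of the two iptables steps above (this script is not from the thread or any poster), here is a small ruleset that drops martian/bogon sources on the outer interface, rate-limits new TCP connections per source IP, caps ping, and keeps any logging throttled and switchable so it cannot exhaust the box during a real attack. The interface name eth0, the chain names and all thresholds are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for the advice above
# (drop martians/bogons, rate limit the outer interface, throttle logging).
WAN_IF="${WAN_IF:-eth0}"          # assumed name of the outer interface
IPT="${IPT:-iptables}"            # run with IPT=echo to print instead of apply
SYN_PER_SEC="${SYN_PER_SEC:-25}"  # new TCP connections allowed per source IP
LOG_DROPS="${LOG_DROPS:-0}"       # set to 1 only when not under attack

bogon_list() {
  # Well-known reserved/unroutable source ranges ("martians"); nothing from
  # these can ever be answered, so drop them before any other check.
  printf '%s\n' 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
    172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 224.0.0.0/4 240.0.0.0/4
}

apply_rules() {
  # Dedicated chains so rules can be refreshed without rewriting INPUT.
  $IPT -N DDOS_GUARD 2>/dev/null || $IPT -F DDOS_GUARD
  $IPT -N DDOS_LOGDROP 2>/dev/null || $IPT -F DDOS_LOGDROP
  # Throttled logging: at most one syslog line per minute, then drop.
  if [ "$LOG_DROPS" = 1 ]; then
    $IPT -A DDOS_LOGDROP -m limit --limit 1/min -j LOG --log-prefix "DDOS_GUARD "
  fi
  $IPT -A DDOS_LOGDROP -j DROP
  for net in $(bogon_list); do
    $IPT -A DDOS_GUARD -s "$net" -j DROP
  done
  # TCP flag combinations that never occur in legitimate traffic.
  $IPT -A DDOS_GUARD -p tcp --tcp-flags ALL NONE -j DROP
  $IPT -A DDOS_GUARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  # Per-source cap on new connections (a SYN flood from one address).
  $IPT -A DDOS_GUARD -p tcp --syn -m hashlimit --hashlimit-name synguard \
    --hashlimit-mode srcip --hashlimit-above "${SYN_PER_SEC}/sec" \
    --hashlimit-burst 50 -j DDOS_LOGDROP
  # Global cap on ping; anything above it is silently dropped.
  $IPT -A DDOS_GUARD -p icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
  $IPT -A DDOS_GUARD -p icmp --icmp-type echo-request -j DROP
  $IPT -A DDOS_GUARD -j RETURN
  # Hook the chain in front of everything else for the outer interface (run once).
  $IPT -I INPUT 1 -i "$WAN_IF" -j DDOS_GUARD
}

# Dry-run sanity check: count the DROP rules the script would install.
count_drop_rules() {
  ( IPT=echo; LOG_DROPS="${1:-0}"; apply_rules ) | grep -c -- '-j DROP'
}

if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run `sh ddos_guard.sh apply` as root to install, or `IPT=echo sh -c '. ./ddos_guard.sh; apply_rules'` to review the generated rules first.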

Posted by Xous, 09-02-2008, 09:44 AM
Hi. To withstand a DDoS of at least 100Mbit/s you would need a network up-link of 1Gbit/s (or two 100Mbit/s up-links). An unmetered 1Gbit/s up-link at most providers would exceed your budget. Depending on the type of site you're hosting, you may be better off either looking into a CDN service and/or having all three servers hosted in different data-centers mirroring the same content.

Posted by Luxore, 09-02-2008, 01:30 PM
PC hardware with linux software can handle a lot of situations, but do not fool yourself into thinking that it can protect you from a serious ddos - it can't. Because of the way the ethernet card talks to the processor, there is a very definite limit on how many packets per second you will be able to deal with, no matter how clever your software firewall is. A true hardware firewall implements the logic for examining, and then blocking or accepting packets, in custom hardware, making it able to handle many many many times more packets per second.

Posted by hostingguy123, 09-02-2008, 07:10 PM
I am not running anything fancy right now, just a simple port blocking firewall. Of the software I listed, which do you think would be best to fit my needs? What is the best way to accomplish this? I know I can simulate a dos attack, but I don't know how to simulate a ddos attack. I am not expecting this to be the perfect ddos protection; I just want some level of protection against a ddos attack, since currently I am only running a port blocking firewall. Also, I currently have an up-link of 1Gbit/s.

Posted by hostingguy123, 09-04-2008, 03:43 PM
Anyone else have any ideas for me?

Posted by hostingguy123, 09-15-2008, 01:08 PM
Anyone else?

Posted by brianoz, 09-16-2008, 07:45 AM
Have you checked out APF and CSF?
