

prevent DDOS how




Posted by electronics2011, 11-03-2011, 04:46 PM
How do I harden servers so DDoS is prevented?

Posted by flvps, 11-03-2011, 10:24 PM
You can harden your servers all you want but if your server has a set amount of bandwidth and somebody overloads that limit, there is not much you can do on your end. If this is an issue, I would speak to your provider. If you hide your domain name behind Cloudflare's DNS servers, this would help tremendously. Cloudflare's website will help you through this.

Posted by File1eu, 11-04-2011, 11:09 AM
A simple solution like mod_evasive can help against some attacks. DDoS protection is not easy to set up; that's why it's so expensive.

Posted by hostoger, 11-04-2011, 11:46 AM
I see this question so much; doesn't anyone use the search? On-topic: a good firewall. Hardware, not a software firewall.

Posted by ddrager, 11-04-2011, 02:12 PM
On the software side I'll use a combination of mod_evasive and mod_security on Apache, and CSF (iptables) for a firewall to eliminate some sorts of DDoS attacks. Once you get to a particular level you just need to invest in a hardware firewall; it is more expensive but the only way to protect against large floods. It also helps to have a friendly provider who can help insulate against attacks and take proper measures when they do come in.

Posted by BassHost, 11-04-2011, 07:01 PM
This is true. Very true. Honestly, if you want some true DDoS protection, you are probably best off using a hardware-based solution and/or using some solutions like VeriSign's DDoS protection or using the DNS from CloudFlare. CSF has some options within its control panel to block DDoS and SYNFLOOD attacks; however, that means that you can detect the attack, get into CSF, turn those options on, and RESTART (<- keyword, RESTART) the iptables, rendering your firewall useless until CSF is fully restarted, and by that time, if it is a large enough and concentrated enough attack, then once CSF goes down for the restart, you will be DDoS'd beyond protection. ^^^^^ That is if you are using a software-based DDoS protection / firewall such as CSF. However, even if you are able to detect the DDoS, by the time you have detected it, it will be past the point of even logging into the server to enable those options. So your best bets are CloudFlare/VeriSign or a hardware-based solution. VeriSign and hardware-based options are going to be VERY expensive, unless your company / website is bringing in enough money to get that type of setup for your server(s). Sorry to be such a downer, but keep all that in mind.

Posted by electronics2011, 11-05-2011, 03:23 AM
Hardware protection? Well, if you do it, won't it affect the performance of the websites? If the webserver is not hardware firewalled I think its performance will be better than the case when there is no DDoS attack.

Posted by ddosguru, 11-05-2011, 01:46 PM
Because most of the answers are "spend lots of money," so the OPs (generally speaking) will keep asking the question until someone gives them an answer (wrong or otherwise) that does not involve spending money.

Posted by electronics2011, 11-05-2011, 01:50 PM
Money is not the criteria of the topic; just wanted to know the best solution to keep your server safe from a DDoS attack. I understand the Apache modules will help to a great extent along with CSF. Wanted to know how far the hardware firewall is effective; wondered if the server performance is affected when a hardware firewall is used, because the packets have to go through extra filtering etc.

Posted by gavint, 11-06-2011, 09:19 AM
There's no answer that is always correct, as DDoS attacks vary significantly in nature. Attacks can vary from a UDP flood that saturates your internet connection(s), through to a SYN flood or session exhaustion attack, to a layer 7 attack that just looks like normal traffic (e.g. a request to load your homepage), the only difference being that the attackers are requesting it every couple of seconds using automated tools. Remember that attackers don't have to target your web servers as well; DNS servers are another common thing to attack. If your DNS doesn't work, no-one is coming to your website even if the web servers are fine.

Any kind of CDN that masks your entire site (such as Cloudflare) will most likely help a lot, then there are other providers such as Prolexic that can sit in front of your site too. UltraDNS, DNSMadeEasy and Amazon Route 53 can host your DNS for you on a highly resilient anycast setup.

Any good firewall should be able to deal with a SYN flood. High-end firewalls such as Juniper's data centre SRX series have features such as AppDDoS which can detect and block layer 7 attacks. Application delivery controllers such as F5's BIG-IP, especially the ASM module, can be very effective at blocking layer 7 attacks by trying to detect real browsers (it does this by injecting JavaScript that looks for keyboard/mouse activity to try to block bots). There are also specialist DDoS mitigation hardware appliances from the likes of Arbor Networks available.

Apache modules are very unlikely to protect you from a serious attacker. Apache itself is inherently not scalable (it starts a thread or process for every client). This doesn't mean you shouldn't use Apache, just that it's very unlikely you can stop a determined attacker by "bolting on" an Apache module.

If you are on a budget, CloudFlare is probably your best option, as most of the other options will cost you five or six figures. HTH. Gavin
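The layer 7 pattern described in the post above (one client re-requesting the same page every couple of seconds) can be spotted in an Apache access log with a per-client, per-path sliding window. This is an added example, not part of the original thread; the thresholds, function names and documentation-range IP addresses are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache common/combined log prefix: client, timestamp, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse(line):
    """Return (client_ip, epoch_seconds, path), or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts.timestamp(), m.group(4)

def find_repeat_requesters(lines, max_hits=5, window=10.0):
    """Flag clients requesting one path more than max_hits times within any
    window-second span. Thresholds are assumptions to tune per site.
    Lines must be in time order, as they are in an access log."""
    recent = defaultdict(deque)   # (ip, path) -> timestamps still inside the window
    flagged = {}                  # ip -> (path, peak hits seen in one window)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue              # skip lines that do not match the log format
        ip, ts, path = rec
        q = recent[(ip, path)]
        q.append(ts)
        while q and ts - q[0] > window:   # expire hits older than the window
            q.popleft()
        if len(q) > max_hits and len(q) > flagged.get(ip, ("", 0))[1]:
            flagged[ip] = (path, len(q))
    return flagged

def make_sample():
    """Constructed log: one client hits / every 2 s, another browses normally."""
    fmt = '{ip} - - [04/Nov/2011:14:00:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="198.51.100.7", s=s, p="/") for s in range(0, 40, 2)]
    lines += [fmt.format(ip="203.0.113.20", s=s, p=p)
              for s, p in [(1, "/"), (9, "/about"), (25, "/"), (38, "/contact")]]
    lines.sort(key=lambda l: parse(l)[1])
    lines.append("malformed line, skipped by the parser")
    return lines

if __name__ == "__main__":
    for ip, (path, hits) in find_repeat_requesters(make_sample()).items():
        print(f"{ip}: {hits} requests for {path} inside one window")
```

A detector like this only identifies the noisy clients; as the thread notes, it does nothing for floods that saturate the link before requests reach the web server.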

Posted by brianoz, 11-07-2011, 08:42 AM
Want to avoid DDOSes? Don't do anything to p*ss off the hacker community, and don't host people who do! (seriously, it helps)

Posted by damoncloudflare, 11-07-2011, 04:00 PM
Hi, Just a quick note that CloudFlare can only help mitigate some DDoS attacks right now & not all (we'll look at providing more robust solutions down the road).

Posted by ddosguru, 11-07-2011, 05:03 PM
The gap between questionable and completely legitimate targets continues to close. The school of thought that DDoS can be avoided is quickly diminishing as access to attack tools and bandwidth continues to grow.


