Hi all, I was wondering what people are using these days to solve large DDoS attacks at web level (like many requests on valid URLs, etc.). I'm not talking about commercial options in the cloud like Cloudflare, etc.; instead, something self-hosted, ideally open source. Thanks
On the webservers themselves you can use tools like fail2ban, which is already part of the ISPConfig installation. For large-scale and good DDoS attacks you do nothing, because as long as you are not the provider or the administrator of the whole network, there is next to nothing you can do. Keep in mind that it is very unlikely to get targeted by DDoS attacks when hosting normal services, as it is not that cheap. If you're hosting the servers at a big hosting company you don't have to do anything; they monitor their networks and have different measures in place to detect and stop unusual traffic.
I frequently get DDoS attacks that cannot be blocked at ISP level. For example, I have a non-profit site which uses a large DB with complex queries. The attackers open thousands of connections from hundreds of IPs while simply hitting some URLs for which large data has to be fetched. I can pretty much block anything else with some other tools, but this kind of attack is a pain, as it brings down the whole server. Even iptables is getting too slow to block so many IPs. If I put a limit on connections, it affects normal users as well, and occasionally the firewall I'm using (through csf) hangs and nothing works; I have to restart it. I was looking for a front-end WAF to block those, with whatever traffic passes being forwarded to the normal servers. Apart from those, there are many email attacks as well, with brute force among others. I used modsecurity in the past, but I wasn't that happy; too complex to do simple things, and many kinds of attacks were passing through. I have one of the sites under Cloudflare and, to give you an idea, it blocked about 5 million requests in 2 weeks.
If that's the case, I guess Cloudflare or other companies that offer the same service are the best bet. It is not an easy task to handle this on your own, and it is not a cheap one either if you try to do so. Save the headache and choose one of the providers that offer a service that fits your needs. I honor the self-made open source approach, but I think you will not be satisfied and will waste a lot of time on the topic if you try to do this on your own.
I'd use CF as well, because there is no real need for me to maintain a very defensive system to avoid such attacks. Even with the free one you can adjust CF settings accordingly to fight them.
If you want to stop DoS attacks effectively, then your systems and network must be able to handle the load and traffic caused by that attack. Besides having suitable software as a filter, most systems don't have enough resources for that if it's a larger attack with several Gbit of network traffic, or your data center would shut down your server in the event of an attack, as their network infrastructure is used too much. That's why providers like Cloudflare have huge resources and can handle the load and traffic caused by such an attack and filter it effectively. Therefore, using Cloudflare or a similar service is the best option today when it comes to large attacks. Local filters are only suited to filter out the usual 'noise' that comes from the internet in the form of login attempts, etc.
@ahrasis with the Cloudflare free plan you can't solve these attacks; you need to buy one of the premium ones, as you have to put rules in place that are not supported by the free plan.
For those who cannot use Cloudflare, and have time to potter about, some ideas to ponder:
- block known bad IP addresses in the firewall: http://iplists.firehol.org/
- try to find patterns in the DDoS attack that could be blocked with a Fail2ban filter
- if the websites run some CMS, maybe it has a plugin to deal with DDoS?
These will only work if the website and connected network gear can scale and handle the load at all, which most likely is not the case if I understand @Stelios correctly.
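The blocklist idea above runs into the "iptables is getting too slow to block so many IPs" problem when each address becomes its own rule. An added example (not from any poster in this thread) that loads a FireHOL-format netset into an ipset, so a single iptables rule matches the whole list; the set name `badnets` and the sample list are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: load a FireHOL-style blocklist into an ipset so that one
# iptables rule matches every listed network instead of one rule per address.
# The set name "badnets" and the sample list below are constructed for this
# example.

# Turn a netset (one IPv4 address or CIDR per line, '#' comments allowed) read
# from stdin into an `ipset restore` script.  A temporary set is filled and
# then swapped in, so the live set is never empty while a refresh is running.
netset_to_ipset_restore() {
    set_name="$1"
    tmp_set="${set_name}_tmp"
    printf 'create %s hash:net family inet hashsize 4096 maxelem 1000000 -exist\n' "$set_name"
    printf 'create %s hash:net family inet hashsize 4096 maxelem 1000000 -exist\n' "$tmp_set"
    printf 'flush %s\n' "$tmp_set"
    # strip comments and whitespace, keep only well-formed IPv4 addresses/CIDRs
    sed -e 's/#.*//' -e 's/[[:space:]]//g' \
      | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
      | while IFS= read -r net; do
            printf 'add %s %s -exist\n' "$tmp_set" "$net"
        done
    printf 'swap %s %s\n' "$tmp_set" "$set_name"
    printf 'destroy %s\n' "$tmp_set"
}

# Constructed sample in the FireHOL netset format (not a real list).
SAMPLE_NETSET='# sample blocklist (constructed)
192.0.2.0/24
198.51.100.17
not-an-address
203.0.113.0/25   # trailing comment
'

# Full refresh (needs root): fetch the list, build the script, feed it to
# ipset, then make sure a single iptables rule drops anything in the set.
refresh_blocklist() {
    set_name="$1"; url="$2"
    curl -fsSL "$url" | netset_to_ipset_restore "$set_name" | ipset restore
    iptables -C INPUT -m set --match-set "$set_name" src -j DROP 2>/dev/null \
      || iptables -I INPUT -m set --match-set "$set_name" src -j DROP
}

# Dry run on the constructed sample; prints the generated ipset script.
printf '%s' "$SAMPLE_NETSET" | netset_to_ipset_restore badnets
```

Run `refresh_blocklist badnets <netset URL>` from cron to keep the set current; the swap replaces the old contents in one step.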