How to protect against DOS attacks on a budget

Discussion in 'HOWTO-Related Questions' started by adamjedgar, May 5, 2018.

  1. adamjedgar

    adamjedgar Member

    Hi guys,
    bit of a learning question...
    for a startup what options are there for protecting against DOS when on a budget?

    Load balancing for example often charges according to the GB/hour so a sustained attack seems likely to cost a lot of money for ingress/egress charges...I am assuming CDN would be the same.

    Use an example of a GCE, AMAZON, or Azure instance using shared resources providing very basic webhosting services. Also, clients websites are using their own registrar name servers pointing A records to the VPS.

    Any ideas on a simple and effective setup would be appreciated. This is for a business that is moving on from using reseller hosting that is not an option.
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. adamjedgar

    adamjedgar Member

    that is certainly an option, however it appears that the protection system in place there is for ovh own servers?
    I am after a model that can be applied by someone who is setting up a webhosting business on cloud servers such as google AWS or Azure.
    One piece of information that i have gleaned from other forums on this topic is that service providers should never expose their server public ip addresses to the internet. I quote from Netsnipe directly on this topic...
    "The bottom line is that you NEVER expose your webserver's IP address and port(s) to the world. Always place it behind a load balancer or CDN and you let their front-end nodes take the hit and only reverse proxy legitimate HTTP/HTTPS traffic through."
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You might want to take a look at CloudFlare.
    ahrasis likes this.
  5. adamjedgar

    adamjedgar Member

    I note that cloudflare advertises its pricing plans per domain (for example there is the free one and a $20 per month option).

    for a webhosting company hosting server, could i just require my hosting clients to pay their own fee for a cloudflare service? Or does the hosting server itself need protection? (if the hosting server still needs protection, and has multiple domains on it, can i just use one cloudflare account for the hosting server...or does it required individual cloudflare accounts for all of the domains as well?)

    I am mainly looking at learning how to protect the server itself but am not sure how this works when it has lots of domains on it.

    I see that one option is to setup a reverse proxy. I will look at the how to tutorial on that.

    also, for the reason of DOS attacks and the possible need to change the server ip address, would it be better to run my own name servers instead of relying on client domains to point A records at my server? (my guess is the answer would be yes, however then i wonder about the added complexity of having to protect additional nameservers, against being targeted as well as the webhosting server?)
    To simplify my entire line of there a How To tutorial available for a startup webhosting business that covers what is needed in setting up servers that goes into defending against security issues such as DOS?

    what I am after is an illustrative model that outlines the various aspects in visual form if possible.
    Last edited: May 6, 2018
  6. ahrasis

    ahrasis Well-Known Member

    No. There isn't any (that I could find) but I'd follow @till's suggestion for a start. At least (from my searches) I found most web hosting company suggest their users to use cloudflare services as well. I am not sure about their own servers using its services but I think their servers will be more "relaxed" if most of their users are using it.
  7. ISPConfig Developer ISPConfig Developer

    Running your own DNS is good, you want it to manage your domains - but don't rely 100% on them yet, use different providers for DNS and let them be notified for changes by your master.
    Therefore don't let your master DNS be publicly used for domains. If one of the DNS servers or providers getting attacked your domains are still reachable ( had that issue already ).

    Running own DNS servers are an additional risk getting abused yourself, however getting ddosed and beeing low on budget.... don't go together, your IP will be nullrouted sooner or later.
    Only thing is, you can try to defend your resources beeing hogged up or sending as much answers out as possible doing some preparations with your server setup but you may be able to stop this one kid who by random wanted to try something because knowledgewise and then stops again - but for everything else ... get real solutions.

    If you thinking of the need to have to change the IP ... well, if you chagne the IP of a domain, routing needs to be updated and... internet uses cache - so takes a while. Then depending on the attack it doesn't help if let's say attack is pointed to domain anyway and as soon as routing gets updated, new ip is screwed aswll + lots of work involved for updating n webs, configurations.

    Reverse Proxy won't automagically protect you, first it's another piece of software running and gets "attacked" first, then it forwards traffic to... yeah same server? so another daemon needing to process the attack ... in this case you may get down at least twice as fast. Only thing would be if you have some kind of analyzing going on so it won't send the request to lets say php-fpm saving some resources here.

    Regarding what package you need and how many domains you want to protect in which extend is up to you, just involves some reading maybe short phone call with cloudflare - but in general:
    Attacker<-->Cloudflare<-->Your server
    Like the reverse proxy scenario is meant to be used maybe:
    Attacker<-->RP/LB<-->Server1 or Server2 ....
    however if your RB/LB goes down ... puff again ( however there are some good,bad,expensive,cheap providers for LB/RB ).

    Cloudflare is acts as IP-Proxy, it tunnels traffic from outside to your server without exposing your IP of the server ( means attackers can't get attack it directly ). Just beware your phpinfo()-page, mails or other things might expose the IP to attackers.
    But you might want to use external providers offering bulk-mailing and disable phpinfo :)

    In a nutshell: Is the data / company you're hosting really that big deal you need to think in advance / at startup on how to protect everythings to it's finest? Maybe invest in some other Resources/Developments first.
    If a customer however really want's that kind of service.... get a server for him, cloudflare it and let him pay.
  8. adamjedgar

    adamjedgar Member

    hey that is really useful information

    I was actually thinking that i would intentionally not offer any email service via the hosting server. From the google cloud network (or at least GCE), the standard email ports are all blocked anyway...meaning that even hosts must use a third party alternative such as sendgrid.
    If i were to use reverse proxy/load balancing, then i am more than likely going to do it by spinning up additional GC resources and do it from their existing network (seems to make sense to me to do it this way if required).

    I am still confused about cloudflare...

    If service providers are advertising that clients get their own cloudflare for websites, why does the webhosting server need it?
    If the server does not use cloudflare and client websites on that server do use cloudflare, is a dos attack going to take their sites down? (my assumption is perhaps not?).
    so would a better plan of defense for the server, aside from the dns vulnerability at the nameserver end of things, an ip address that is hidden and/or changings regularly? can a reverse proxy being used to achieve this end...or as stated, if the r/proxy ip was targeted directly then "poof" anyway?

    For the 3rd party dns option...

    Is there an article that illustrates connecting ispconfig with an outside secondary dns server?
    How exactly does this work...i was assuming that the ispconfig machine would be the primary because it is the one which would be used to update the 3rd party nameserver by virtue of the fact that the records enterred by the customer would be on the ispconfig machine?? (or do i have this wrong...what is the model for this?)

    if the ddos attack is likely to target the nameservers...would i then be focusing more on defending dns against it rather than the webhosting server directly?
    Last edited: May 7, 2018
  9. ISPConfig Developer ISPConfig Developer

    yeah, sendgrid might be a good choice, outside Europe of course ( data protection law makes stuff complicated ).
    You can make a contract with cloudflare to use the host-api - Is this what you meant with every customer gets their own cloudflare?

    But remember, ddos protection needs to... interrupt ddos traffic. This can only work if Cloudflare is able to cut some traffic off you get, therefore it needs to route your traffic for protected websites. This is why the server ( wherever the traffic needs to show up to get a response ) needs it.
    You set cloudflare DNS / IP for your protected domains, visitor gets routed trough cloudflare to you and back. Think of "Man in the middle" but this time the man, hopefully, has good intentions and is called cloudflare.

    ISPConfig can mirror DNS entries on multi-server setup - that's about it. Using powerdns instead of BIND lets you specify IPs of DNS servers to notify on changes. Configured properly this works well.

    Depending on budget/importance you don't want to expose your primary DNS so it won't get attacked because someone dislikes you/your clients. Otherwise you'd have some issues updating your DNS / updating slave entries ( of other clients wanting service, too ).
    Uh yeah and your primary host would be targeted then, usually means web down, mail down .... Don't know about any Cloudflare API plugin for ISPConfig to keep DNS in sync.

Share This Page