Alexey Kuzmin, 2013-01-12 16:12:18

DoS Gateway

Good day.
There is a small non-commercial project, the main computing power of which is “hosted” in an apartment (4 servers of the ProLiant G3 level on Xeons and two self-assembled machines on modern desktop CPUs). Recently, one of the “offended” started a DoS (for now; maybe there will be a DDoS in the future) SYN flood attack, and the current router can’t cope with this load: 100% CPU usage, pings to the Internet are unstable and long. Router: D-Link DIR-620. Internet: L2TP, 100 Mbps.
We found another server in the bins, not an HP but a Kraftway with a P4 3 GHz and 4 GB of RAM, with two network interfaces.
The task is to make a router out of the Kraftway that will distribute the Internet to the servers and fight off DoS (DDoS) attacks; it is highly desirable to have a web interface (or client software) that shows more than MRTG does, for example traffic distribution across servers and routing rules.
The question is which OS and software are best suited for solving the above tasks.

P.S. We tried Mikrotik RouterOS: work with the Beeline L2TP has to be organized in a very original way (a dynamic VPN server address is not supported, so I had to write scripts), and in the unconfigured version the system freezes hard (it does not even respond to Num Lock); the reliability of such a system is a little scary.
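A small check for the SYN flood symptom described in the question, added here as an example and not part of the original post: on a Linux router built from the spare box, `ss -tan` lists TCP sockets with their state, and a pile-up of SYN-RECV entries is the victim-side footprint of a SYN flood. The sample output below is constructed, and the threshold of 3 is an assumption chosen to fit the sample.

```python
"""Count half-open (SYN-RECV) TCP sockets from `ss -tan` text output."""
from collections import Counter

# Constructed sample of `ss -tan` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
SYN-RECV   0      0      192.0.2.10:80         198.51.100.7:40001
SYN-RECV   0      0      192.0.2.10:80         198.51.100.7:40002
SYN-RECV   0      0      192.0.2.10:80         198.51.100.7:40003
SYN-RECV   0      0      192.0.2.10:443        203.0.113.9:51000
ESTAB      0      0      192.0.2.10:22         203.0.113.9:51234
LISTEN     0      128    0.0.0.0:80            0.0.0.0:*
"""


def half_open_by_peer(ss_output: str) -> Counter:
    """Return a Counter of SYN-RECV sockets keyed by peer IP (port stripped)."""
    counts = Counter()
    for line in ss_output.splitlines()[1:]:  # first line is the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        peer = fields[4]
        ip = peer.rsplit(":", 1)[0]  # handles both 1.2.3.4:port and [v6]:port
        counts[ip] += 1
    return counts


def total_half_open(ss_output: str) -> int:
    """Total SYN-RECV sockets. A flood usually spoofs source addresses,
    so this overall count is the more reliable signal than any per-peer count."""
    return sum(half_open_by_peer(ss_output).values())


def suspect_sources(ss_output: str, threshold: int = 3) -> list:
    """Peers holding at least `threshold` half-open sockets, busiest first.
    Useful when the flood is not spoofed (e.g. a single unhappy host)."""
    counts = half_open_by_peer(ss_output)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    print(f"half-open sockets in total: {total_half_open(SAMPLE_SS_OUTPUT)}")
    for ip, n in suspect_sources(SAMPLE_SS_OUTPUT):
        print(f"{ip}: {n} half-open connections")
```

On a live router, feed it `subprocess.check_output(["ss", "-tan"], text=True)` instead of the sample and run it from cron to chart the count alongside MRTG.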


3 answers
lubezniy, 2013-01-12
@lubezniy

IMHO, the only kosher option is to move the servers to a data center (at least the nodes accessible from outside) and get DDoS protection from the data center provider or a specialized firm. Besides the router, the provider also has equipment that is unlikely to like DDoS on its channel (restrictions may begin).

Sergey, 2013-01-12
@bondbig

You can try to hide behind cloudflare.com. They will definitely protect against amateur attacks, and in the basic version for free. But it would be desirable to change the static home IP at the same time, because if the “offended” party attacks by IP, it will not be possible to defend with such services.
Based on the existing server, there is little chance of putting together more or less decent protection against (D)DoS; I could “flood” such a “server” with requests from one machine.

ddosguard, 2013-11-19
@ddosguard

DDoS protection on a single machine (or router) is often doomed to failure. It is enough to exceed the machine’s capabilities in terms of processor, memory or channel. That is pretty simple when it comes to DDoS (a distributed attack from multiple machines). A guaranteed option is to get behind a proxy from specialized services, after changing the real address of the machine and providing measures so as not to expose it (for example, via mail, etc.).
In our practice we (ddos-guard.net) quite often encounter similar cases and successfully solve them. We have an online consultant on our site; there is always someone from the team who can advise on DDoS protection issues. Even if one of our commercial solutions does not fit, we will help with consultations and cases, for free, in the name of a safe Internet.
