The DDoS attacks are getting worse.
-
has it been considered to have the whole system on a hosting service that has dDoS prevention build in?
-
ie like burstcoin.ro does it... their pages etc are very fast
-
Try cloudfare?
-
Try cloudfare?
-
@haitch Cool and thank you!
-
If you're looking for ddos protection on your hosts/network, this is one of the best solutions out there right now:
https://github.com/FastVPSEestiOu/fastnetmon
Complete BGP Flow Spec support, RFC 5575 Can process incoming and outgoing traffic Can trigger block script if certain IP loads network with a large amount of packets/bytes/flows per second Thresholds could be configured in per subnet basis with hostgroups feature Could announce blocked IPs to BGP router with ExaBGP GoBGP integration for unicast IPv4 announces Full integration with Graphite and InfluxDB Redis integration MongoDB integration Deep packet inspection for attack traffic netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type) SnabbSwitch support (open source, very flexible, LUA driven, very-very-very fast) Could filter out NetFLOW v5 flows or sFLOW packets with script implemented in LUA (useful for port exclude) Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode Can work on server/soft-router Can detect DoS/DDoS in 1-2 seconds Tested up to 10GE with 12 Mpps on Intel i7 3820 with Intel NIC 82599 Complete plugin support Could capture attack fingerprint in pcap format Have complete support for most popular attack typesMikrotic provides a plugin for their routeros:
https://www.mikrotik.com/software
https://github.com/pavel-odintsov/fastnetmon/tree/master/src/mikrotik_pluginYou can also run fastnetmon with other firewall/router distros, such as PfSense, or VyOs.
However, unless you run your own AS, ddos protection will be less effective, and only take you so far, which is why Cloudflare is definitely a good solution as long as you take care to configure your hosts to only accept connections from their edge servers, otherwise the ddos protection can be easily circumvented.
