
I'm soon going to change my infrastructure when I buy a new server. I'm going to replace my D-Link DIR-655 router with a pfSense router (and probably use the 655 as an AP) using my old server hardware (Intel Atom 330, 1 GB RAM, Intel Pro Server MT Dual Gigabit NIC). My new server will be Sandy Bridge based and run Apache + Samba.

Now, while I'm setting up this new infrastructure at home, I want to experiment with DDoS protection. I know there are some modules and such for Apache that let me do it, but since I will have a BSD-based router, the best solution would seem to be to set something up already in the router, thus putting less strain on the network hardware behind the router.

So basically, with that background information, I would like to ask: how would I set up such a configuration, and would it be the best solution?

Is it smart to set up DDoS protection in pfSense, or should such a thing be handled by the web server? One would think that it's best to drop the packets as early as possible.

Even though I probably won't be subject to a DDoS attack, it's better to be safe than sorry.

Edit: I understand that my servers probably won't be able to handle a serious DDoS attack, but by maximising the protection so that my infrastructure can handle a little bit bigger attacks than without protection, I would probably be able to stop some script kiddies with smaller "botnets" from bringing down the server. So what I want to do is to have as good protection as possible, software-wise.

Even if it's not software related, the fact that I'm only using Intel Pro Server NICs should raise my odds some, since they consume less CPU power than the average Realtek NICs you'd see in the compromised systems. I don't want someone to be able to bring down my system just because it's not properly configured. But as mentioned earlier, I will most likely never be subject to such an attack, and this is mainly because I want to experiment with my options.

Hultner

5 Answers

6

You don't really protect yourself from DDoS from your end. You identify traffic and coordinate with your ISP to block it before it gets into your link. If you have to block it on your side, you have already lost the battle, because your tubes are already clogged (the packets must reach your FW before being dropped).

The ones that manage to stand up to DDoS that way are really big people like Amazon that have ginormous connections and an elastic cloud infrastructure to accommodate the requests (and they do so while coordinating with their various ISPs to block traffic, as I said above).

coredump
2

Neither pfSense nor Apache is really the right tool for effective DDoS mitigation. I see by your comments that you do have a big pipe. That + rate limiting is a pretty effective strategy. I suggest looking at a commercial tool like Toplayer (http://www.toplayer.com). I wish there was something in the open source arena, but right now I don't think there is anything available.

0

Well, it depends on what you are trying to protect yourself from. You are not going to be able to prevent any sort of large DDoS attack with pfSense on your home connection. Your home connection simply doesn't have enough bandwidth to stand up to it. It would be pretty easy to saturate your entire connection, at which point it doesn't matter what router you have.

What you can probably do is set pfSense up to rate limit connections to port 80 per remote IP. This would help with certain types of attacks, though it's nowhere close to being comprehensive.

devicenull
0

In pfSense, you must define the limit of connections per IP, but it's only a little rock on the road. There is an example with PF.

0

To answer your question (pfSense or Apache), I will just ignore all the other right answers (that you shouldn't try to block a DDoS in your end network but in your ISP's backbone).

I'm assuming that you are concerned about SYN floods (DDoS has many variants, and assuming all of them would make this answer too long AND subjective).

I would be concerned to block it in my pfSense. That's because in your Apache daemon, even if you can have DDoS protection (again, I'm not entering into the question of whether you should or not, but it has some modules; you may also investigate mod_evasive and, in the case of exploits, mod_security, to try to defend itself against it), it will happen at a higher level than in pfSense. To try to make it simple: with Apache it happens at the "socket" level and not at the "packet" level, as pfSense is able to do. This difference is really important if we think about performance. A combination of both solutions (pfSense + mod_*) is also a good option to give your server an extra life.

VP.
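The per-source connection limiting devicenull describes and the packet-level SYN-flood handling VP contrasts with Apache's socket-level modules can both be expressed in PF's own rule language, which is what pfSense runs underneath its GUI. The rules below are an added example written for this page, not code from any of the answers; the interface name em0 and the server address 192.0.2.10 are placeholders.

```pf
# Added example (not from the thread): pf.conf rules for per-source
# connection limiting plus SYN proxying in front of a web server.
# Assumptions (placeholders): WAN interface em0, web server 192.0.2.10.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Table that collects offending source addresses; the pass rule fills it.
table <abusers> persist

# Anyone already in the table is dropped before any other rule is evaluated.
block in quick on $ext_if from <abusers>

# Default deny for everything else arriving on WAN.
block in on $ext_if

# Allow HTTP to the web server, with limits per source address:
#   max-src-conn 100        : at most 100 simultaneous states per source
#   max-src-conn-rate 15/5  : at most 15 new connections per 5 seconds
#   overload <abusers> flush global
#                           : on exceeding either limit, add the source to
#                             the table and kill all of its existing states
# "synproxy state" makes PF complete the TCP handshake itself, so half-open
# connections from spoofed sources are held in PF's state table and never
# reach the Apache listening socket.
pass in on $ext_if proto tcp to $web_srv port 80 \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <abusers> flush global)
```

Table entries never expire on their own, so a periodic `pfctl -t abusers -T expire 3600` (remove entries older than an hour) keeps a one-off burst from locking a legitimate client out permanently; as the other answers note, none of this helps once the link itself is saturated, since the packets still have to arrive to be dropped.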