1

I already have IPTables blocking all unnecessary traffic. Is mod_evasive the best solution for something like this? What do you use on your server?

Ben

1 Answer

5

The only real protection from a DDoS can be done at the network layer, upstream of your server. By the time DDoS traffic hits the NIC of your server, it has already passed through multiple pieces of routing and switchgear, likely causing some amount of havoc along the way. Even if you block at the host firewall level, your NIC and kernel still need to examine each packet coming in, and depending on the nature of the attack, they may not have a prayer of keeping up with the load compared to the upstream routing gear that would be doing this in hardware.

EEAA
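The answer's point that the kernel still handles every packet a host firewall drops can be measured on Linux through `/proc/net/softnet_stat`, whose counters are updated in the receive softirq path before iptables rules are evaluated. The script below is an added example, not part of the original answer; the two snapshots are constructed sample data, and the function names are this example's own.

```python
"""Added example: per-CPU receive pressure from /proc/net/softnet_stat."""
import time
from pathlib import Path

# Constructed samples (not from a real host): two snapshots taken a few
# seconds apart. One row per CPU, hex columns; the first three are packets
# processed, backlog drops, and time_squeeze (softirq ran out of budget).
BEFORE = """\
0005a3f1 00000000 00000002 00000000 00000000
00048c10 00000000 00000001 00000000 00000000
"""
AFTER = """\
00a1b2c3 000003e8 00000130 00000000 00000000
00048d00 00000000 00000001 00000000 00000000
"""

def parse_softnet(text):
    """Return [(processed, dropped, time_squeeze), ...], one tuple per CPU."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 3:
            continue  # skip blank or truncated lines
        rows.append(tuple(int(c, 16) for c in cols[:3]))
    return rows

def pressure(before, after):
    """Per-CPU deltas between two snapshots, flagging CPUs that fell behind."""
    report = []
    pairs = zip(parse_softnet(before), parse_softnet(after))
    for cpu, (b, a) in enumerate(pairs):
        # Counters are 32-bit and wrap; the mask keeps deltas non-negative.
        processed, dropped, squeezed = ((x - y) & 0xFFFFFFFF for x, y in zip(a, b))
        report.append({
            "cpu": cpu, "processed": processed, "dropped": dropped,
            "time_squeeze": squeezed,
            # Any growth in drops or squeezes means this CPU could not keep up.
            "saturated": dropped > 0 or squeezed > 0,
        })
    return report

if __name__ == "__main__":
    live = Path("/proc/net/softnet_stat")
    if live.exists():  # on a Linux host, sample the real counters instead
        first = live.read_text(); time.sleep(5); second = live.read_text()
    else:
        first, second = BEFORE, AFTER
    for row in pressure(first, second):
        print(row)
```

A CPU reported as saturated while iptables is already dropping the traffic is the situation the answer describes: the filtering has to move upstream of the host.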