I'm soon going to change my infrastructure when I buy a new server. I'm going to replace my D-Link DIR-655 router with a pfSense router (and probably use the 655 as an AP) using my old server hardware (Intel Atom 330, 1GB RAM, Intel Pro Server MT dual gigabit NIC). My new server will be Sandy Bridge based and run Apache+Samba.

Now, while I'm setting up this new infrastructure at home, I want to experiment with DDoS protection. I know there are some modules and such for Apache that let me do it, but since I will have a BSD-based router, the best solution would seem to be to set something up already in the router, thus putting less strain on the network hardware behind the router.

So basically, with that background information, I would like to ask how I would set up such a configuration, and would it be the best solution?

Is it smart to set up DDoS protection in pfSense, or should such a thing be handled by the webserver? One would think that it's best to drop the packets as early as possible.

Even though I probably won't be subject to a DDoS attack, it's better to be safe than sorry.

Edit: I understand that my servers probably won't be able to handle a serious DDoS attack, but by maximising the protection so that my infrastructure can handle slightly bigger attacks than without protection, I would probably be able to stop some script kiddies with smaller "botnets" from bringing down the server. So what I want to do is to have as good protection as possible, software-wise.

Even if it's not software related, the fact that I'm only using Intel Pro Server NICs should raise my odds some, since they consume less CPU power than the average Realtek NICs you'd see in the compromised systems. I don't want someone to be able to bring down my system just because it's not properly configured. But as mentioned earlier, I will most likely never be subject to such an attack, and this is mainly because I want to experiment with my options.

Hultner

5 Answers

You don't really protect yourself from DDoS from your end. You identify traffic and coordinate with your ISP to block it before it gets onto your link. If you have to block it on your side, you have already lost the battle because your tubes are already clogged (the packets must reach your FW before being dropped).

The ones that manage to stand up to DDoS that way are really big players like Amazon that have ginormous connections and an elastic cloud infrastructure to accommodate the requests (and they do so while coordinating with their various ISPs to block traffic, as I said above).

coredump
  • Well, what about smaller DDoS attacks? – Hultner Apr 14 '11 at 12:45
  • See devicenull's answer about rate limiting connections per IP. On Apache you can research keepalive and timeouts, but even a *small* DDoS is too much for a single server, unless it's a monster single server. – coredump Apr 14 '11 at 12:48
  • I've read about keepalive and timeouts for Apache but didn't know if it were possible to do on the router side of things; that's part of the reason that I post here. I thought that some sort of protection must be better than no protection. It should at least not be a problem to handle a DoS attack, right? – Hultner Apr 14 '11 at 13:13
  • From one host, yes. A DDoS, no luck. – coredump Apr 14 '11 at 13:19
  • But technically 2+ DoS attacks from the same attacker are a DDoS attack, and I bet there are lots of smaller (D)DoS attacks using only a handful of hosts which might not even bring down the server but will bring down its speed, thus creating a problem even if it's not a critical problem. So if there's an attack which is just enough to bring down my server to unbearable speeds, then some sort of protection would be enough to make the site usable and make the attacker give up, realising he doesn't have a sufficient network for the attack. Maybe Apache can communicate with the pfSense firewall? – Hultner Apr 14 '11 at 13:52
  • Firewalls and Apache are in different layers, so I don't think there's much communication to go around. I agree with you that you can be targeted by localized DoS and that rate limiting on the firewall and on Apache can help, but there is a limit to how much it can help with DoS/DDoS prevention (and rate limiting/QoS and maybe an IDS/IPS is pretty much it). – coredump Apr 14 '11 at 13:55
  • If Apache experiences problems with keepalive connections from a few hosts, then shouldn't it technically be able to send a signal to the NAT & firewall (pfSense) which blocks those IPs, instead of doing it in the webserver's local firewall, thus limiting the strain on the internal network? – Hultner Apr 14 '11 at 14:08
  • That's your job as a sysadmin, or at least of a script you made to monitor the logs, or an IDS you installed :) – coredump Apr 14 '11 at 14:12
  • Yeah, but if there are great tools out there with features I've not even thought about, why not use them instead of reinventing the wheel? I'm not even a sysadmin, even if I'm forced to do some sysadmin work. But I do find this an interesting subject and love to learn from the best. :) – Hultner Apr 14 '11 at 14:24
  • I really don't know any automated way of doing that aside from the ones I described. – coredump Apr 14 '11 at 14:25
  • I have to agree with coredump here; there is not much you can do against a DDoS attack with pfSense or your webserver. The problem is that even a weak DDoS can flood your network connection BEFORE the traffic even gets to your pfSense box. So unless you have a big pipe (at least 1G), there isn't too much you can do to mitigate even small DDoS attacks. You can do a little DoS mitigation, rate limiting and such. I know it's not the answer you want to hear, but you should award the answer to coredump. – Antonius Bloch Apr 17 '11 at 21:22
Neither pfSense nor Apache is really the right tool for effective DDoS mitigation. I see by your comments that you do have a big pipe. That + rate limiting is a pretty effective strategy. I suggest looking at a commercial tool like Toplayer (http://www.toplayer.com). I wish there was something in the open source arena, but right now I don't think there is anything available.

Antonius Bloch
  • You should also look into IDS/IPS if you want to detect and foil script kiddies: Snort integrates well with pfSense, and I've been meaning to try out OSSEC (http://www.ossec.net). – Antonius Bloch Apr 17 '11 at 21:30
  • You might want to consider Vyatta as a replacement for pfSense. Better network performance means better performance under pressure like DDoS. – Antonius Bloch Apr 18 '11 at 01:10
Well, it depends on what you are trying to protect yourself from. You are not going to be able to prevent any sort of large DDoS attack with pfSense on your home connection. Your home connection simply doesn't have enough bandwidth to stand up to it. It would be pretty easy to saturate your entire connection, at which point it doesn't matter what router you have.

What you can probably do is set pfSense up to rate limit connections to port 80 per remote IP. This would help with certain types of attacks, though it's nowhere close to being comprehensive.

devicenull
  • My home connection is a 5x1Gb/s fiber optic connection (yes, real fiber into the house, not RJ45, as people always tend to ask that). The real question is whether it's wise to do it in pfSense or if Apache itself has to handle it. – Hultner Apr 12 '11 at 01:55
  • @hultner It's going to take a lot of power to push 5 Gb/s. – Jacob Apr 20 '11 at 01:51
In pfSense, you must define the limit of connections per IP, but it's only a little rock on the route. There is an example with PF
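What the per-IP limit that devicenull and this answer refer to looks like in plain pf syntax, as an added example that is not from the question or any answer. pfSense generates its ruleset from the GUI (the same limits are set under a firewall rule's Advanced Options), so this shows the underlying pf the GUI produces rather than a file to hand-edit; `$ext_if`, `$webserver`, the table name and the numbers are assumptions. As the other answers say, it only helps while the attack still fits in the pipe.

```pf
# Added example (not pfSense's generated ruleset): per-source connection
# limits and SYN proxying for a web server behind pf. Interface, address,
# table name and thresholds are assumed values chosen for illustration.
ext_if    = "em0"
webserver = "192.0.2.10"   # assumed LAN address of the Apache host (documentation range)

# Sources that tripped a limit land here. "persist" keeps the table across reloads.
table <abusers> persist

# Drop listed sources as early as possible: before NAT and before any state lookup.
block in quick on $ext_if from <abusers>

# Web traffic. "synproxy state" makes pf complete the TCP handshake itself, so
# half-open SYNs never occupy Apache's accept queue. Per remote IP:
#   max-src-conn 100        at most 100 concurrent states
#   max-src-conn-rate 30/5  at most 30 new connections in any 5-second window
# A source exceeding either is added to <abusers> and all its existing states
# are killed (flush global), so the block rule above takes effect immediately.
pass in on $ext_if proto tcp from any to $webserver port { 80 443 } \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 30/5, overload <abusers> flush global)

# Outbound traffic keeps ordinary stateful handling.
pass out on $ext_if keep state
```

Entries stay in the table until removed, so pair this with a periodic `pfctl -t abusers -T expire 3600` to release sources that have been quiet for an hour; watch `pfctl -t abusers -T show` while tuning, since thresholds that are too low will list legitimate browsers opening many parallel connections.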

To answer your question (pfSense or Apache), I will just ignore all the other correct answers (that you shouldn't try to block a DDoS in your end network but in your ISP's backbone).

Assuming that you are concerned about SYN flood (DDoS has many variants, and covering all of them would make this answer too long AND subjective).

I would prefer to block it in my pfSense. That's because in your Apache daemon, even if you can have DDoS protection (again, I'm not entering into the question of whether you should or not, but it has some modules; you may also investigate mod_evasive, and in the case of exploits, mod_security, to try to defend itself against it), it will happen at a higher level than in pfSense. To try to make it simple: with Apache it happens at the "socket" level and not at the "packet" level, as pfSense is able to do. This difference is really important if we think about performance. A combination of both solutions (pfSense + mod_*) is also a good option to give an extra life to your server.

VP.