
Can I prevent DoS attacks with software, or is a hardware firewall required?

I'm using ubuntu for my webserver.

Thanks

3 Answers


Generally speaking you cannot effectively mitigate a DoS attack on the machine being attacked.

That said, there are things you can do to help, like blocking connections with the local firewall so they do not reach the web server, tuning your web server to only accept a limited number of connections from a specific IP or subnet, etc. -- The important thing to remember though is that your machine is still expending resources to deal with the attack, and a large enough attack will eventually overwhelm it.

Similarly you can't really mitigate a major DoS attack (one that threatens to saturate your bandwidth or max packets-per-second through your firewall) with a firewall at your end of the network -- If you're drinking through a straw and an attacker sticks a cherry on the end you will be denied your drink. It's better to have the point above you (your ISP) filter the traffic whenever possible (to continue the analogy - it would take a grapefruit to block their straw, and if your attacker only has cherries you're in a better position).


If you can give us more information (are you experiencing or expecting attacks? What kinds?) we may be able to give you better answers...

voretaq7

If your public service is only Apache, the first thing you want to be sure of is that the number of MaxServers is not too high for your available memory, or your webserver could go into thrashing, not only under a DoS attack but also under sustained traffic.

Secondly, you may want to take a look at limitipconn (which allows web server administrators to limit the number of simultaneous downloads permitted from a single IP address). This helps mitigate the problem, but won't help against a distributed DoS.

Did you actually experience a DoS attack, or is it a theoretical question?

stivlo
  • Thank you! I'm using lighttpd. It has very small RAM usage, but I have to find a module to prevent this attack –  May 05 '11 at 07:23
  • Did it actually happen? Also remember the webserver itself may have a low footprint for static pages, but if you use PHP, Perl or other languages you may consume large amounts of memory depending on your application. – stivlo May 05 '11 at 07:26
  • Here is a very similar question: http://serverfault.com/questions/71062/how-to-protect-lighttpd-from-dos-attacks-and-flooding – stivlo May 05 '11 at 07:27
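stivlo's first point is about sizing the worker pool against RAM. The Apache directive is MaxClients in 2.2 (MaxRequestWorkers in 2.4). The script below is an added example, not from the answer or the comments: it parses per-worker RSS from `ps` output and MemTotal from /proc/meminfo and computes the largest pool that fits, keeping a reserve for the kernel, page cache and whatever else runs on the box. Both inputs are constructed samples; the 256 MiB reserve and the choice of the largest observed worker as the per-child cost are assumptions. Measure with your real application loaded, since, as the comment says, PHP or Perl handlers inflate worker size; RSS counts shared-library pages once per process, so the estimate errs on the safe side.

```python
"""Sizing the Apache worker pool against available RAM.

Added example; not from the answer. Inputs are constructed samples standing
in for `ps -o rss=,comm= -C apache2` and /proc/meminfo on a live host.
"""

# Constructed `ps -o rss=,comm= -C apache2` output: RSS in kB, then the name.
# The first, smaller entry is the parent process; the rest are workers.
SAMPLE_PS = """\
 18500 apache2
 31248 apache2
 29800 apache2
 30112 apache2
 28944 apache2
"""

# Constructed /proc/meminfo excerpt for a 1 GiB host.
SAMPLE_MEMINFO = """\
MemTotal:        1048576 kB
MemFree:          120000 kB
Buffers:           40000 kB
Cached:           300000 kB
"""


def parse_ps(text, name="apache2"):
    """Return the RSS (kB) of every process called `name` in ps output."""
    rss = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == name:
            rss.append(int(parts[0]))
    return rss


def mem_total_kb(text):
    """Return MemTotal (kB) from a /proc/meminfo dump."""
    for line in text.splitlines():
        if line.startswith("MemTotal:"):
            return int(line.split()[1])
    raise ValueError("MemTotal not found")


def max_clients(rss_kb, total_kb, reserve_kb=256 * 1024, per_child_kb=None):
    """Largest MaxClients / MaxRequestWorkers that fits in RAM.

    reserve_kb is left for the kernel, page cache and anything else on the
    box (assumed 256 MiB here). By default the largest observed worker is
    taken as the per-child cost, which is the conservative choice.
    Returns 0 when the reserve alone already exceeds MemTotal.
    """
    if not rss_kb:
        raise ValueError("no worker processes found")
    if per_child_kb is None:
        per_child_kb = max(rss_kb)
    usable = total_kb - reserve_kb
    return max(0, usable // per_child_kb)


if __name__ == "__main__":
    workers = parse_ps(SAMPLE_PS)
    total = mem_total_kb(SAMPLE_MEMINFO)
    n = max_clients(workers, total)
    print(f"largest worker {max(workers)} kB, MemTotal {total} kB -> MaxClients {n}")
```

With the constructed numbers (1 GiB host, 256 MiB reserve, largest worker about 30 MB) the result is 25 workers; the stock Apache default of 150 or 256 would push such a box into swap long before an attacker shows up, which is exactly the thrashing the answer warns about.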

DoS or DDoS attacks have a purpose and a cost. Every MB of traffic costs. So it's hard to prevent (say, "I'm going to take your servers down for 20k dollars"), and you can't do anything about it. BUT you can invest some resources to make your system more reliable:

1. Block some Chinese (Asian) regions by GeoIP.
2. Install and configure **ipset** -- it can handle many more connections than iptables.
3. Prepare a project image for some cloud hosting for fast deployment.
4. Configure a frontend with nginx (or something similar) and backends with apache (or something else).
5. You can buy some SSD hardware for **nginx's static** files or make a RAM disk for static files.
6. During a DDoS you must check what type of attack it is. The attack can just request the index file, and you can make it static.
7. It's hard for me right now to block poison traffic (slow HTTP attacks), so I can't help with this.
8. Don't forget to optimize the nginx/apache/php... configs.

This should help.

MealstroM
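Two of the answers point at the same host-side measures: voretaq7's blocking of abusive connections at the local firewall and capping connections per source IP, and MealstroM's item 2, keeping the block list in ipset rather than in one iptables rule per address. The script below is an added example that ties them together; it is not code from any of the answers. It scans a combined-format access log (the format Apache and lighttpd both write) for addresses whose request rate exceeds a threshold inside a sliding window and prints the ipset/iptables commands to ban them, alongside a static connlimit rule that caps concurrent connections per IP. The log lines are constructed (TEST-NET addresses), and the set name `dos_block`, the thresholds and the ban timeout are assumptions. The script only prints the commands instead of running them, so they can be reviewed before being applied as root. As voretaq7 says, none of this helps once the upstream link is saturated.

```python
"""Spot flooding IPs in an access log and emit firewall commands for them.

Added example, not from the original answers. Expects combined-format log
lines in time order; the sample below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (combined format); TEST-NET addresses, not real hosts.
# 203.0.113.7 sends a burst of eight requests in four seconds; the other two
# addresses are ordinary visitors.
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2011:07:20:01 +0000] "GET / HTTP/1.0" 200 512 "-" "-"
198.51.100.20 - - [05/May/2011:07:20:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2011:07:20:01 +0000] "GET / HTTP/1.0" 200 512 "-" "-"
203.0.113.7 - - [05/May/2011:07:20:02 +0000] "GET / HTTP/1.0" 200 512 "-" "-"
192.0.2.33 - - [05/May/2011:07:20:02 +0000] "GET /style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2011:07:20:02 +0000] "GET / HTTP/1.0" 200 512 "-" "-"
203.0.113.7 - - [05/May/2011:07:20:03 +0000] "GET / HTTP/1.0" 200 512 "-" "-"
203.0.113.7 - - [05/May/2011:07:20:03 +0000] "GET / HTTP/1.0" 200 512 "-" "-"
203.0.113.7 - - [05/May/2011:07:20:04 +0000] "GET / HTTP/1.0" 200 512 "-" "-"
203.0.113.7 - - [05/May/2011:07:20:04 +0000] "GET / HTTP/1.0" 200 512 "-" "-"
198.51.100.20 - - [05/May/2011:07:20:09 +0000] "GET /about.html HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status of a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for a log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_flooders(lines, window_seconds=10, max_requests=5):
    """Map each IP that exceeded max_requests within any window_seconds span
    to the peak number of requests seen in such a window (thresholds assumed)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)       # ip -> largest window count observed
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > peak[ip]:
            peak[ip] = len(q)
    return {ip: n for ip, n in peak.items() if n > max_requests}


def firewall_commands(offenders, setname="dos_block", ban_seconds=600, conn_limit=20):
    """Commands to ban the offenders via one ipset and to cap per-IP connections.
    Set name, ban timeout and connection limit are assumptions, not defaults."""
    cmds = [
        # Static guard: reject sources holding more than conn_limit connections
        # to port 80 at once (voretaq7's per-IP limit, done at the firewall).
        f"iptables -I INPUT -p tcp --dport 80 -m connlimit "
        f"--connlimit-above {conn_limit} -j REJECT --reject-with tcp-reset",
        # One ipset holds every banned address; entries expire on their own,
        # and a single iptables rule matches the whole set.
        f"ipset create -exist {setname} hash:ip timeout {ban_seconds}",
        f"iptables -I INPUT -p tcp --dport 80 -m set --match-set {setname} src -j DROP",
    ]
    for ip in sorted(offenders):
        cmds.append(f"ipset add -exist {setname} {ip}")
    return cmds


if __name__ == "__main__":
    offenders = find_flooders(SAMPLE_LOG.splitlines())
    for ip, n in offenders.items():
        print(f"{ip}: {n} requests in a 10 s window")
    print("\n".join(firewall_commands(offenders)))
```

Because the window is kept per source address, a distributed attack that sends only a few requests per source slips under it, which is the same limit stivlo notes for limitipconn. Behind a reverse proxy (MealstroM's nginx frontend) the logged address is the proxy's own, so the frontend's log, or its X-Forwarded-For field, is the one to feed in. The two `iptables -I INPUT` rules are inserted at the top of the chain deliberately: matching and dropping early is what keeps the cost per hostile packet low.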