
We run a fairly large game server hosting company with about 60 machines running Server 2008, and DDoS attacks are something we have been dealing with for a long time. Unfortunately, due to the prices of the market, there is no way that we or any other company could feasibly put hardware firewalls in all of our datacenters.

Our course of action has always been to just contact the datacenter, and they null route the IP address/Port for 24 hours. This of course is a very unappealing way of dealing with the issue, especially for our clients.

From what I understand, a software firewall will only complicate the issues of a DDoS attack. I have read some about hardening the TCP/IP stack, but it sounds like there isn't much that can be done from Server 2008 to help with this.

Is there anything we can do?

Aidan Knight
  • So you have no firewalls in front of your servers? – joeqwerty May 16 '11 at 20:45
  • So, Mr. Sony tech, when is PSN coming back up? – Hyppy May 16 '11 at 20:47
  • If you can't feasibly put firewalls in, you can't feasibly run an internet facing business. – DanBig May 16 '11 at 20:48
  • We have Windows Firewall running on our shared hosting machines, but the clients that rent machines from us generally leave them off as it causes a lot of problems with game servers. – Aidan Knight May 16 '11 at 20:51
  • you need firewalls. Urgently. When one of your clients discovers some friendly hacker has been in and grabbed their customer database who do you think they will sue? Do your contracts have a clause which allows you to avoid liability? – Rory Alsop May 16 '11 at 22:36

2 Answers


there is no way that us or any other company could feasibly put hardware firewalls in all of our datacenters

Yes, yes there is. Please re-evaluate your economics (How much does a firewall cost? How much do you lose per hour when you're down because of a DDoS? How much damage will be done to your reputation when someone finds an accidentally-open RDP port and breaks into some critical box on your network?).

You should be able to afford (redundant) dedicated firewalls at each datacenter - Firewalls are NOT expensive.
Proper tuning of your firewall (traffic throttling, shaping, etc.) will help mitigate DDoS attacks. At the very least it will offer some protection for your systems against simple worms or curious hackers poking around for remote logins.

In terms of DoS mitigation you can always go one step up the ladder: your ISP can null-route non-distributed attacks (as you've already mentioned, this is your current process - it's a good one) or rate-limit distributed ones (though expect this to get expensive if you're under attack frequently -- they'll eventually charge for those firewall changes).

Further up the ladder you can consider services like those offered by Arbor Networks for DDoS protection/mitigation, though these are typically targeted at the ISP/Service Provider level rather than individual companies. The prices for these solutions tend to be rather extortionate.

voretaq7
  • Good call on bringing the ISP in on it. Many decent ISPs offer automated DoS protection, though it falters on DDoS attacks. – Hyppy May 16 '11 at 21:04
  • A lot of ISPs I've worked for/with contract with Arbor for their "Peakflow SP" product -- It's decent at mitigating DDoS attacks, though sometimes its automated triggers space out & it just stares at the spike until someone explains that, yes, this is a DDoS and it needs to be handled. – voretaq7 May 16 '11 at 21:07

If you can afford sixty servers, with sixty licenses of Server 2008, and the payroll costs for sysadmins to support and developers to code enough games that need sixty servers to run, then you can afford dedicated firewalls.

Also, take it as truth that (almost) all other companies "feasibly put hardware firewalls in all of [their] datacenters."

As far as DDoS protection; If it's just a flood to fill your bandwidth, nothing on your side of your link is going to help that. If it's a server-resource attack, then a firewall will most likely be able to help if configured competently.

Hyppy
  • He mentioned game hosting, which suggests to me that he is hosting TF2, or other similar games. Didn't sound like he was developing any games at all. – Zoredache May 16 '11 at 21:01
  • A lot of DDoS attacks are still of the connection-pool resource-exhaustion type -- at least where TCP connections are targeted. A SYN Proxying firewall can often knock those out without breaking a sweat. – voretaq7 May 16 '11 at 21:01
  • I am not entirely sure you understand what we offer. We simply offer the hosting service, the games are developed by other companies. We use at least a dozen different datacenters, many of which we rent the machines from monthly as opposed to owning them. – Aidan Knight May 16 '11 at 21:04
  • @Brett If that's the case, then the ISP/Colo facility should be able to provide some level of assistance with this issue. At the very least, a hardened Linux box running a firewall in front of your servers will be better than nothing. – Hyppy May 16 '11 at 21:45
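Editor's note, to make the "server-resource attack" point in Hyppy's answer and the "SYN proxying firewall" in voretaq7's comment concrete: the example below is added here and is not code from the thread, from Windows Server 2008 or from any firewall product. It models the mechanism a SYN-proxying front end uses (a SYN cookie, in the style of the Linux implementation but with a simplified layout: 6-bit time counter, 2-bit MSS index, 24-bit keyed hash) so that a flood of half-open connections costs the protected box nothing, while an honest client that completes the handshake gets through. The secret, the RFC 5737 test addresses, port 27015 and the client ISN are all constructed assumptions. Note what it does not cover: a flood that simply fills the uplink (the other case Hyppy names) is unaffected, and this protects TCP services such as the RDP/remote-login ports voretaq7 mentions, not whatever UDP game protocol a given title uses.

```python
import hashlib
import hmac
import random

# Everything below is a constructed illustration: the secret, addresses and
# ports are assumptions, not values from the thread or any product.
COOKIE_SECRET = b"per-host-secret-rotate-periodically"  # assumption
MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values encodable in the 2-bit field
COOKIE_MASK = (1 << 24) - 1           # low 24 bits: keyed hash + client ISN
COUNTER_WINDOW = 2                    # accept cookies from this many counter ticks


def _keyed_hash(src, sport, dst, dport, counter, secret):
    """32-bit MAC over the 4-tuple and the time counter (HMAC-SHA256, truncated)."""
    msg = f"{src}:{sport}>{dst}:{dport}@{counter}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(src, sport, dst, dport, client_isn, mss, counter, secret=COOKIE_SECRET):
    """Encode the SYN-ACK sequence number: 6-bit counter | 2-bit MSS index | 24-bit MAC.

    Nothing about the half-open connection is stored; everything needed to
    validate the client's final ACK is recoverable from this number alone.
    """
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fits[-1] if fits else 0
    mac = (_keyed_hash(src, sport, dst, dport, counter, secret) + client_isn) & COOKIE_MASK
    return ((counter & 0x3F) << 26) | (mss_idx << 24) | mac


def check_cookie(src, sport, dst, dport, client_isn, cookie, now_counter, secret=COOKIE_SECRET):
    """Return the MSS encoded in a valid, fresh cookie, or None if it is forged or stale."""
    counter = (cookie >> 26) & 0x3F
    if (now_counter - counter) & 0x3F >= COUNTER_WINDOW:
        return None                                   # stale: replayed or guessed old cookie
    mac = (_keyed_hash(src, sport, dst, dport, counter, secret) + client_isn) & COOKIE_MASK
    if (cookie & COOKIE_MASK) != mac:
        return None                                   # wrong 4-tuple, ISN or secret
    return MSS_TABLE[(cookie >> 24) & 0x3]


class SynProxy:
    """Front end that answers SYNs statelessly and only touches the protected
    server once a client has completed the three-way handshake."""

    def __init__(self, secret=COOKIE_SECRET):
        self.secret = secret
        self.counter = 0          # slow clock; call tick() every minute or so
        self.half_open = 0        # stays 0 by construction, whatever the SYN rate
        self.established = []     # (src, sport, mss) handed to the real server

    def tick(self):
        self.counter = (self.counter + 1) & 0x3F

    def on_syn(self, src, sport, dst, dport, client_isn, mss):
        """Reply SYN-ACK with seq=cookie, ack=client_isn+1 and allocate nothing."""
        cookie = make_cookie(src, sport, dst, dport, client_isn, mss, self.counter, self.secret)
        return {"seq": cookie, "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, src, sport, dst, dport, seq, ack):
        """Validate the handshake-completing ACK; allocate state only on success."""
        client_isn = (seq - 1) & 0xFFFFFFFF
        cookie = (ack - 1) & 0xFFFFFFFF
        mss = check_cookie(src, sport, dst, dport, client_isn, cookie, self.counter, self.secret)
        if mss is None:
            return False
        self.established.append((src, sport, mss))   # a real proxy would now connect to the backend
        return True


def spoofed_syn_flood(proxy, n=20000, seed=1):
    """n SYNs from random (constructed) sources that never finish the handshake."""
    rng = random.Random(seed)
    for _ in range(n):
        proxy.on_syn(f"198.51.100.{rng.randrange(256)}", rng.randrange(1024, 65536),
                     "203.0.113.10", 27015, rng.randrange(1 << 32), 1460)
    return proxy.half_open      # 0: the flood bought the attacker no state on our side


def honest_handshake(proxy, src="192.0.2.7", sport=50000, dst="203.0.113.10", dport=27015,
                     ticks_between=0):
    """A real client completes the handshake, optionally after some clock ticks."""
    isn = 123456789
    synack = proxy.on_syn(src, sport, dst, dport, isn, 1440)
    for _ in range(ticks_between):
        proxy.tick()
    return proxy.on_ack(src, sport, dst, dport, isn + 1, synack["seq"] + 1)


def forged_ack(proxy, src="198.51.100.9", sport=40000, dst="203.0.113.10", dport=27015):
    """ACK with no prior SYN-ACK and the current counter: a 24-bit MAC must be guessed."""
    return proxy.on_ack(src, sport, dst, dport, 0x9ABCDEF0, 0x00345679)


if __name__ == "__main__":
    p = SynProxy()
    print("half-open entries after flood:", spoofed_syn_flood(p))
    print("honest client accepted:", honest_handshake(p))
    print("forged ACK accepted:", forged_ack(p))
    print("stale ACK accepted:", honest_handshake(SynProxy(), ticks_between=COUNTER_WINDOW))
```

The design point is that the proxy keeps no per-SYN state at all, so the attacker's spoofed sources exhaust nothing; the cost moves to the attacker, who must either complete handshakes from real addresses (and then is rate-limitable per source) or guess a keyed 24-bit value within the counter window. A production SYN proxy also has to carry the negotiated options it could not encode (window scaling, SACK) and translate sequence numbers between client and backend, which this model omits.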