
I am looking for some information regarding DDoS in the following scenario:

I have a server that is behind a Cisco Guard and it will be DDoS'ed. I only care about a set list of IPs that are by no means the attackers.

Is it possible to null all other IPs but this list so that my server still actually gets any response, or, in the long run, no matter what I do, if they have enough DDoS power will I just go down like a fly?

Is there any recommended company out there that can actually cope with a DDoS?

My server will mainly run several clients that will connect to an external server, and all it needs access to is my local MySQL and the private network so I can access it.

There will be no other services running such as web or FTP etc., at least not on the external IPs of the server; if I ever have to have any of these services they will be on the private network.

The MySQL will be available externally only to 1 safe IP not known by anyone but me, and internally at localhost + the private network.

Are there any solutions?

user9517
Prix

1 Answer


If you want to limit the allowed source IPs to a known subset, that's great from the point of view of DDoS protection. DDoS works by saturating the pipe; if you stop the naughty traffic high enough up the chain (where the pipes aren't infinite, but they're close enough for our purposes) you can basically survive any DDoS. The trick is getting the allow/deny list close enough to the "core" of the Internet that the size of the pipe that the DDoS will flow through (to the point where it gets dropped) is large enough to handle it.

What you have to do is spec out the maximum expected volume of any potential DDoS (in BPS and PPS) and talk to vendors to let them know what you need in terms of volume and responsiveness. Ensure that they're capable of applying your blacklist immediately when required. The feature you want to be asking about is commonly called "real-time black hole routing". If you're running BGP in any form, it's fairly trivial to do this (as discussed in http://jonsblog.lewis.org/2011/02/05). If you're not running BGP, you'll need to identify with your provider(s) the mechanism by which you can initiate the blackholing (if you have to call a NOC to put it in place, don't bother -- it's trivially automatable).

Test this feature when you first get up and running, and test it again periodically to make sure it still works. You don't want to have to scream at your provider because their blackholing stopped working during a big DDoS.

womble
  • That is very interesting. Would you happen to know a VPS or dedicated server provider that would be able to do this without problems? I was initially checking SoftLayer but their response was that they do not allow or do this... – Prix Jul 04 '11 at 09:10
  • I don't have any specific recommendations, you'll just have to keep asking providers until you find one that will do it. Don't expect it to be cheap, though, so the budget mobs like SoftLayer probably aren't your first tier of options. – womble Jul 04 '11 at 23:50