
Alright, so my friend and I are setting up a new website. We expect heavy DDoS attacks, so our plan is to use nginx to proxy from various cloud servers so that people can't find our actual server's IP.

However, we need to link all these proxy servers up to one domain, so that when the domain (we'll say domain.com) is requested, it chooses a proxy server to send the user to and sticks them there. It also, however, needs to check if the server it's sending the user to is actually up and running (and has internet connectivity). If the server it's sending the user to is under attack, it kind of defeats the purpose of the proxy servers in the first place.

Any idea on how to do this?

Rob
  • ... what kind of website are you setting up that you EXPECT a DDoS? :-) – voretaq7 Jul 22 '11 at 20:42
  • @voretaq7: One that provides better products than our competitors – Rob Jul 22 '11 at 22:47
  • Must be an interesting product or niche... I don't know if "DDoS our competitors" is a standard practice in professional businesses. – Bart Silverstrim Jul 23 '11 at 12:06
  • @Bart Silverstrim, I suppose you don't run a very successful business, then. – Rob Jul 24 '11 at 21:57
  • Actually, when it's uncovered that a business is actively denial-of-servicing other companies, it's normally considered very unprofessional and a sign that your product isn't good enough to actually compete in the marketplace on its own merit. Not to mention that it makes your company look seedy and untrustworthy, and if you're actively engaging in DDoS attacks on other companies, I don't see much incentive for others here on SF to help further your endeavors. – Bart Silverstrim Jul 24 '11 at 23:11
  • @bart not to mention the legalities about such a thing. – Jacob Jul 24 '11 at 23:43
  • @Bart Silverstrim, hence why I'm looking to block DDoS attacks? You don't see much incentive to help me block DDoS attacks? Are you also bad at reading? – Rob Jul 25 '11 at 04:26
  • Even if Bart didn't explain his point of view in a way even you can understand, he's right! There is no reason that you might suffer even a trial DDoS, except if you are some black hat arse. – Anarko_Bizounours Jul 25 '11 at 07:25
  • @Anarko_Bizounours, actually, I've had many whitehat sites come under attack by jealous competitors that can't keep up with me. I understand you've probably never been very successful, and so of course no one's tried to get in the way of your success, but I am quite successful. People DDoS all the time, even as blackmail. What do you think, that DDoS tools are created solely for running XBL? No, they're created (the more well built ones at least) for hitting big servers and trying to make money off of them. – Rob Jul 25 '11 at 16:37
  • . . . I'm not a black or white hat, I'm just a sysadmin, and I don't care if you have success being a whitehat. If you are a successful whitehat, why do you need help to protect your website against DDoS? The more I try looking into it, the more I think you don't know what you're talking about. Well, let's stay polite and ignore each other. – Anarko_Bizounours Jul 26 '11 at 06:48
  • @Anarko_Bizounours: Since when did it matter what kind of morals I have when it comes to the immoral actions of my competitors? – Rob Jul 26 '11 at 08:40
  • @Rob, this is a Q&A site for professional sysadmins. Although your query/concern is borderline, I need you to understand that we normally don't tolerate questions or answers that can lead to illegal activity. As I say, this one isn't particularly contentious, but for future reference we like to play on the PRO/legal side of things; there are lots of other forums and sites open for discussing less professional/dubious activities. I hope you understand. – Chopper3 Jul 26 '11 at 09:56
  • @Chopper3, I'm sorry, I didn't realize that protecting my server from DDoS attacks was illegal. – Rob Jul 26 '11 at 18:15
  • It's not, you're taking that the wrong way, along with the intentions of the other commenters. – Chopper3 Jul 26 '11 at 19:42
  • I'm asking about DDoS mitigation, and everyone's telling me that I shouldn't be trying to defend my server from DDoS attacks, that it's immoral and unprofessional. – Rob Jul 26 '11 at 21:08

2 Answers

I'm not sure why you want to round robin DNS here; it's completely useless. The proper setup would be to set your A record to your load balancer. Then set a heartbeat to the webserver to check if it is online. The idea behind helping during an attack is to spread the load across several servers, to scale up to compensate, and to scale down after the attack.

Jacob
  • +1 - if you're really concerned you want to do the same kind of BGP-level load balancing that is used on the root servers (announce the address from multiple ISPs, let the network sort out which path to send your users through). A less hideously expensive solution is to run your site on something like Amazon's EC2 with their load-balancing... – voretaq7 Jul 22 '11 at 20:44
  • @voretaq7: What you describe is "anycast", and it's horrendously unreliable for TCP connections. – womble Jul 25 '11 at 05:24
  • @Womble - anycast for TCP is definitely not an ideal solution (as you implied, natural route changes can make it blow up). GeoIP-assisted DNS is probably a better real-world solution (less black magic required / chance of things breaking if the internet decides on a different routing for your packets, and still provides reasonable isolation: if one location gets knocked out the rest keep functioning, and a DDoS by hostname may be distributed to a point where it doesn't take the site down anyway) – voretaq7 Jul 25 '11 at 15:05
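One way to build the "load balancer plus heartbeat" setup Jacob describes on the nginx proxies the question mentions, as an added example that is not from this thread: each front proxy balances over the origin pool, keeps a client on the same origin, and stops sending traffic to an origin that fails to answer. The origin addresses and domain.com are constructed placeholders.

```nginx
# Added example (not from the thread): nginx on a front proxy, balancing over
# the hidden origin pool and dropping an unresponsive origin from rotation.
# Origin addresses below are constructed placeholders.
upstream origin_pool {
    # ip_hash keeps a given client on the same origin ("sticks them there").
    # nginx does not allow "backup" servers together with ip_hash.
    ip_hash;
    # Passive health check: after 3 failed attempts within 30s the origin is
    # marked unavailable for 30s and requests go to the remaining origins.
    server 10.0.0.11:80 max_fails=3 fail_timeout=30s;
    server 10.0.0.12:80 max_fails=3 fail_timeout=30s;
}

server {
    listen 80;
    server_name domain.com;

    location / {
        proxy_pass http://origin_pool;
        # Short timeouts so a hung origin is noticed quickly instead of
        # tying up proxy workers while it is under load.
        proxy_connect_timeout 2s;
        proxy_read_timeout 10s;
        # Treat connection errors, timeouts and gateway errors as a failed
        # attempt and retry the request on the next origin in the pool.
        proxy_next_upstream error timeout http_502 http_503 http_504;
        # Pass the real client address through for the origin's own logging.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Hiding the origin behind the proxies only works if the origin's firewall accepts HTTP connections solely from the proxies' addresses; otherwise anyone who learns the origin IP can bypass the proxies entirely.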

The only problem I see here is that round robin returns A records in sequential order, not checking if the IP address it's returning is actually online or not.

Bill Gates
  • Yes, thank you for that. I'm quite aware of that and hence why I'm asking how to do what I asked, rather than just a simple round robin. – Rob Jul 22 '11 at 20:16
  • You might want to take "round robin DNS" out of the question title if you're not planning on using it. – womble Jul 25 '11 at 05:25