
A little background on why I'm asking this question. We've been recently getting DDoS and other attacks on our Direct Access servers, and when these attacks come in, it dramatically slows down the network connections on all the other servers in our network. We would like to try and put these two servers behind a proxy or something similar, so that when attacks come in again they'll bring down the proxy server, breaking the connection between the DA servers and clients, but avoiding the network slowdown elsewhere. This is just a temporary solution until we get a physical router with firewalls to prevent this.

As I'm still fairly inexperienced in the ways of network administration, I'm not exactly sure how we could accomplish this. I've been pointed in the direction of Squid for transparent proxying, but every guide I've come across is to put Squid in between clients and the internet, while I need something in between the internet and one or two servers.

I've also looked into the possibility of just using IPtables' PREROUTING rules to just forward connections to other servers, but when testing with SSH, it seems to just intercept the connections and not forward them on. This is probably because I don't exactly know how to configure IPtables to do this, though.

For reference, these are the IPtables rules I'm using. The first rule is to test SSH connections, and the second is for port 443, since incoming connections to Direct Access, as far as I understand, only need https. I have it set up so the proxy server has the DNS name of the target server assigned in our DNS management system, denoted here by "remoteserver.example.edu". The idea is the client attempts to connect to Direct Access by the DNS name "remoteserver.example.edu", which connects to the proxy, which then immediately forwards it to the DA server by IP address.

iptables -t nat -A PREROUTING -p tcp -d remoteserver.example.edu --dport 22 -j DNAT --to-destination remoteserverip:22
iptables -t nat -A PREROUTING -p tcp -d remoteserver.example.edu --dport 443 -j DNAT --to-destination remoteserverip:443

So I'd like to ask if anyone has any idea of how to accomplish the goal of putting a buffer in front of a pair of servers to mitigate network slowdown of malicious attacks. I'm open to Squid configuration tips, IPtables rules, or some other solution. Thanks in advance.

  • What you should be looking into is DDoS mitigation. I don't really think a local reverse proxy is going to be much help for this. – Michael Hampton Oct 23 '16 at 19:58

2 Answers


You need to use nginx for this type of issue, not Squid. You may even get away with nginx sitting on the same box as your apache, depending on attack intensity and the type of content you're serving.

Peter Zhabin

I would use nginx on a separate server as a temporary solution. A quick example would be something like this:

  • Fire up a new internet facing box to act as a reverse proxy
  • Have this new box send traffic to the web servers

A basic config file for /etc/nginx/conf.d/basic-reverse-proxy.conf would look something like this:

upstream backend {
  least_conn;
  server 10.1.0.101; 
  server 10.1.0.102;
}

# This server accepts all traffic to port 80 and passes it to the upstream. 
# Notice that the upstream name and the proxy_pass need to match.

server {
  listen 80; 

  location / {
    proxy_pass http://backend;
  }
}

This will just pass any traffic on port 80 to the backend servers. "least_conn" means nginx will attempt to send traffic to the server with the least connections. The more backend servers you have, the more you can spread the traffic.
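DirectAccess clients connect with IP-HTTPS, a TLS tunnel on port 443, so an HTTP reverse proxy on port 80 would not carry that traffic. The following is an added example, not part of the answer above, of the same least_conn idea done with the nginx stream module: it passes the TCP connection through to the DirectAccess servers without terminating TLS, and caps how many simultaneous connections a single client address may hold so a flood is absorbed on the proxy. It assumes nginx is built with the stream module and reuses the 10.1.0.101/10.1.0.102 backend addresses from the answer.

```nginx
# Constructed example; assumes ngx_stream_core_module is compiled in.
# Place this at the top level of nginx.conf, not inside the http {} block.
stream {
    # Track concurrent connections per client address (10 MB holds ~160k entries).
    limit_conn_zone $binary_remote_addr zone=da_conn:10m;

    upstream da_backend {
        least_conn;
        # Stop sending to a backend after 3 failures, retry it after 30s.
        server 10.1.0.101:443 max_fails=3 fail_timeout=30s;
        server 10.1.0.102:443 max_fails=3 fail_timeout=30s;
    }

    server {
        listen 443;
        # A single source may hold at most 20 open tunnels at once; extra
        # connection attempts are refused on the proxy, not on the DA servers.
        limit_conn da_conn 20;
        proxy_connect_timeout 5s;   # give up quickly on an unresponsive backend
        proxy_timeout 10m;          # drop idle tunnels instead of holding them forever
        proxy_pass da_backend;      # raw TCP pass-through, TLS stays end-to-end
    }
}
```

Because the proxy rewrites the source address, the DirectAccess servers will log the proxy's IP for every client, so keep per-client logging (and any blocking decisions) on the proxy itself.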