
I'm trying to find a solution to prevent remote machines determining the source IP of my webserver. This is to hide the webserver's actual IP, helping avoid DDoS attacks.

Incoming requests are already on an HTTP proxy so the IP is not visible for that case, but my outgoing connections (pings & status queries) reveal the source IP to the attacker.

Essentially, I'd like for outgoing TCP and UDP packets to pass through a remote node (which would perform the NAT). The node would then forward the packet with the node's IP and receive any response, which would be passed back to the source machine.

It'd be great if I could specify multiple nodes too, for failover, but I don't know if this is possible.

Apologies if this is using the wrong terminology, my knowledge in this area is somewhat limited.


Edit 1

I have added some example images of what I am trying to achieve.

This is what I currently have; the attacker can trace my source IP from the requests. [diagram] (full size: http://puu.sh/25FNG)

This is what I want to achieve, where the source IP is hidden and, if a node is attacked, it does not affect my root server. [diagram] (full size: http://puu.sh/25FR9)

Mr. Hedgehog

1 Answer

If you want all the traffic to be NATed (common situation), then:

1. You must be on the same IP subnet as nat-remote-node, and you must set the default route on your workstation to nat-remote-node's IP address. This can be done in various ways depending on your OS.

2. On nat-remote-node:

    # forwarding must be enabled, and MASQUERADE is only valid in the POSTROUTING chain of the nat table
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -s <your-IP> -o <internet-facing-interface> -j MASQUERADE

Of course, I'm talking about the most common case! Everything depends on your particular situation.

Failover could be reached in various ways. You should provide more info if you want help.

gevial
  • I have added some diagrams to better explain the situation. – Mr. Hedgehog Feb 20 '13 at 16:47
  • Does your root server provide service to the world? In such case you can not prevent it from being say DDoSed in this way. – gevial Feb 20 '13 at 17:46
  • There is an incoming proxy to mask the IP on HTTP requests if that's what you mean? Otherwise, if you mean it can't be done like in the diagrams, how would I hide the IP? – Mr. Hedgehog Feb 20 '13 at 18:10
  • No, I mean - if you have a website on your root server (as far as i see on a diagram), it means you are listening port 80. In such case, you definitely cannot control who would be trying to connect to your server through port 80. However, if you aren't listening on any port or if you want to have incoming connections only from known host, there is a decision. – gevial Feb 20 '13 at 18:16
  • I have an incoming HTTP proxy so incoming connections are protected by a third-party (CloudFlare). This is not the problem. The problem is that when I make **outgoing** requests, the hidden webserver IP is in the packet, meaning the root webserver can be traced. – Mr. Hedgehog Feb 20 '13 at 18:19
  • 1
    Ok. You might set up a pool of VPS = a pool of "frontend" IP addresses. Then set up a point-to-point VPN connection from root to each VPS. Then set up default route and routes balancing on your root server, which now have 4 uplinks through VPNs (http://lartc.org/howto/lartc.rpdb.multiple-links.html - it should help with that). Now, if any of VPS is under attack and not responding, you can use the others or set up a new VPS from different provider. – gevial Feb 20 '13 at 18:42
  • I changed the question slightly to accommodate the answer. Any chance you could make it your main one? Thanks for the help slim. – Mr. Hedgehog Feb 21 '13 at 10:36
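The two pieces of the thread, the MASQUERADE rules on each NAT node from the answer and the pool of VPN uplinks with failover from the comments, combined into one added example script. This is not code from the original answer or from any of the participants; the tunnel interface names, tunnel addresses, and the REAL_IF/REAL_GW values are constructed for the example, and with DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not part of the original thread. Hypothetical interface names
# and addresses are assumptions; DRY_RUN=1 prints commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# --- On each NAT node (VPS). $1 = tunnel subnet the root server arrives from,
# $2 = the node's Internet-facing interface. MASQUERADE is only valid in the
# POSTROUTING chain of the nat table, and forwarding must be switched on or
# the replies never make it back into the tunnel.
nat_node_rules() {
    tun_net="$1"; wan_if="$2"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$tun_net" -o "$wan_if" -j MASQUERADE
    # Forward only what arrives over the tunnel, plus the replies to it.
    run iptables -A FORWARD -s "$tun_net" -o "$wan_if" -j ACCEPT
    run iptables -A FORWARD -i "$wan_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -P FORWARD DROP
}

# --- On the root server. One "tunnel-interface:remote-tunnel-address" per VPN
# node; these names and addresses are constructed for the example.
UPLINKS="tun0:10.8.0.1 tun1:10.8.1.1 tun2:10.8.2.1"
REAL_IF="eth0"          # the root server's real uplink (assumed)
REAL_GW="203.0.113.1"   # its real gateway (assumed, documentation range)

# Each node's public IP must stay reachable over the real uplink, otherwise the
# VPN packets themselves would be routed into the tunnel. $1 = node public IP.
pin_node_route() { run ip route replace "$1" via "$REAL_GW" dev "$REAL_IF"; }

# probe_uplink DEV GW -> exit 0 if the node still answers through its tunnel.
# Kept as a separate function so it can be replaced when testing the logic.
probe_uplink() { ping -c 1 -W 1 -I "$1" "$2" >/dev/null 2>&1; }

# Print the first healthy uplink as "dev gw"; exit 1 if every node is down.
select_uplink() {
    for u in $UPLINKS; do
        dev="${u%%:*}"; gw="${u#*:}"
        if probe_uplink "$dev" "$gw"; then
            printf '%s %s\n' "$dev" "$gw"
            return 0
        fi
    done
    return 1
}

# Point the default route at the chosen uplink. If no node answers, install a
# blackhole default instead of falling back to the real interface, so an attack
# that takes every node down still does not leak the root server's address.
apply_default_route() {
    sel=$(select_uplink) || { run ip route replace blackhole default; return 1; }
    set -- $sel
    run ip route replace default via "$2" dev "$1"
}

# Run from cron (for example every minute) with DRY_RUN=0 to re-evaluate the
# uplinks: `DRY_RUN=0 sh nat-failover.sh apply`.
if [ "${1:-}" = apply ]; then
    apply_default_route
fi
```

Before trusting the setup, verify from the root server that the address the outside world sees is the node's: run `tcpdump -ni eth0 'not port <vpn-port>'` on the root server while it makes an outgoing request, and nothing except the tunnel traffic to the VPS public IPs should appear on the real interface.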