
I need help configuring a box for DDoS protection that provides external IP addresses to "internal" (which aren't really internal) servers. I have 32 IP addresses from my ISP.

I want to configure a Linux box with DDoS protection and put servers behind that box, everything using those IP addresses. Something like this:

    ISP <---> Anti-DDoS / Gateway <---> serverA/serverB/serverC/etc...
                                        xx.xx.xx.190
                                        xx.xx.xx.189
                                        xx.xx.xx.171 -> xx.xx.xx.188

To be precise, I still haven't started configuring the boxes, and I already found a similar topic here, but for IPv6.

Note: The servers need to have the public IPs configured (no NAT or private IPs are to be used).
Note 2: No, my ISP doesn't provide DDoS protection.

What do you recommend for software and configuration? My operating systems are Debian Linux only, but I can use other OSes (no Windows, please!)

Regards

Webix

1 Answer


There are multiple ways to achieve this, for example by making a Linux bridge (follow this tutorial for a bit). Another way is (for example) to make a load balancer with IPVS (you can then bind the external IPs on the loopback interface on each client).

Jeroen
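The IPVS alternative mentioned in the answer, as an added example (not Jeroen's or Webix's configuration): a POSIX shell script that prints the ipvsadm and sysctl commands for the director (the gateway box) and for each real server, using IPVS direct routing so the public address stays on the packet end to end. The director NIC name eth0, the VIP 203.0.113.190 (standing in for xx.xx.xx.190), the real server addresses 203.0.113.171 and 203.0.113.172 and port 80 are assumptions.

```shell
#!/bin/sh
# Added example: IPVS direct-routing layout for the scenario in the question.
# Not the questioner's or answerer's configuration. Assumed names: director
# NIC eth0, VIP 203.0.113.190 (stand-in for xx.xx.xx.190), real servers
# 203.0.113.171 and 203.0.113.172, service port 80.

VIP=${VIP:-203.0.113.190}
PORT=${PORT:-80}
REAL_SERVERS=${REAL_SERVERS:-"203.0.113.171 203.0.113.172"}

# Commands for the gateway acting as IPVS director. Gatewaying mode (-g,
# direct routing) rewrites only the destination MAC, so the public VIP and
# the client's source address stay intact: no NAT, as the question requires.
director_cmds() {
    printf 'ip addr add %s/32 dev eth0\n' "$VIP"
    printf 'ipvsadm -A -t %s:%s -s wlc\n' "$VIP" "$PORT"
    for rs in $REAL_SERVERS; do
        printf 'ipvsadm -a -t %s:%s -r %s:%s -g\n' "$VIP" "$PORT" "$rs" "$PORT"
    done
}

# Commands for each real server: bind the VIP on lo so the kernel accepts
# packets addressed to it, and stop the server from answering ARP for the
# VIP, otherwise it competes with the director on the shared segment.
realserver_cmds() {
    printf 'sysctl -w net.ipv4.conf.all.arp_ignore=1\n'
    printf 'sysctl -w net.ipv4.conf.all.arp_announce=2\n'
    printf 'sysctl -w net.ipv4.conf.lo.arp_ignore=1\n'
    printf 'sysctl -w net.ipv4.conf.lo.arp_announce=2\n'
    printf 'ip addr add %s/32 dev lo\n' "$VIP"
}

case "${1:-}" in
    director)   director_cmds ;;
    realserver) realserver_cmds ;;
    *) echo "usage: $0 director|realserver   (prints commands; run them as root to apply)" >&2 ;;
esac
```

Two things to keep in mind with this layout: in direct-routing mode the real server answers the client straight through its own default route, so the real servers and the director must share a layer-2 segment and the return path never passes through IPVS; and IPVS only places the addresses, it does not filter, so any rate limiting on the director goes into the iptables INPUT chain (the VIP is a local address there), not FORWARD.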
  • Hello Jeroen. Thanks for your reply and suggestion. On that Linux bridge, can I have some kind of DDoS protection? What do you recommend? Actually I am using iptables with some sort of packet analysis with conn_track on another box, but I see it's not fully efficient. – Webix Aug 25 '15 at 08:39
  • We have a dedicated (hardware) DDoS appliance for that, because it has custom ASICs. The problem with a Linux box is that it will be limited on interrupts / CPU processing. I would recommend using a really good quality NIC and running irqbalance (if not already). However, it will never be able to reach the performance that a specialized appliance has. To block and detect attacks, you can either write something yourself with iptables or use firewall packages (CSF). There are also commercial solutions like Clavister (software). – Jeroen Aug 25 '15 at 10:07
  • Thanks for your suggestion. But after having invested in so many dedicated servers, there's no more budget this year for a dedicated DDoS appliance. I can manage to make the bridge, but I don't see how I can integrate CSF (or any other) on that. – Webix Aug 25 '15 at 13:19
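The comments ask how filtering can be attached to the bridge at all. As an added example (not Webix's existing iptables setup, nor Jeroen's appliance), this POSIX shell script prints the commands for the transparent bridge from the answer with br_netfilter enabled, so that bridged traffic actually traverses iptables, followed by FORWARD rules using conntrack, hashlimit and connlimit. The NIC names eth0 (towards the ISP) and eth1 (towards the servers), the bridge name br0 and the range 203.0.113.160/27 (standing in for the 32 public addresses) are assumptions, as are the rate thresholds.

```shell
#!/bin/sh
# Added example: transparent Linux bridge with iptables filtering for the
# gateway box. Not the questioner's or answerer's configuration.
# Assumed names: WAN NIC eth0 (towards the ISP), LAN NIC eth1 (towards the
# servers), bridge br0, and 203.0.113.160/27 standing in for the 32 public
# addresses from the question.

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
BR=${BR:-br0}
PROTECTED=${PROTECTED:-203.0.113.160/27}

# Print the commands that build the bridge. br0 needs no address of its own:
# the servers keep their public IPs and the box is invisible at layer 3 (no NAT).
bridge_cmds() {
    printf 'ip link add name %s type bridge\n' "$BR"
    printf 'ip link set %s master %s\n' "$WAN" "$BR"
    printf 'ip link set %s master %s\n' "$LAN" "$BR"
    printf 'ip link set %s up\n' "$WAN"
    printf 'ip link set %s up\n' "$LAN"
    printf 'ip link set %s up\n' "$BR"
    # Without br_netfilter, bridged frames never reach iptables at all.
    printf 'modprobe br_netfilter\n'
    printf 'sysctl -w net.bridge.bridge-nf-call-iptables=1\n'
    # The default conntrack table is far too small for a flood.
    printf 'sysctl -w net.netfilter.nf_conntrack_max=1048576\n'
}

# Print iptables FORWARD rules. Bridged packets enter FORWARD with -i br0, so
# the physical ingress port is matched with the physdev module, not with -i.
filter_cmds() {
    # Packets conntrack cannot attribute to a flow (bad flags, out of window).
    printf 'iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP\n'
    # Accept existing flows first so the limits below only see new connections.
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    # Per-source SYN rate limit (burst, then sustained rate) towards the servers.
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -d %s -p tcp --syn -m hashlimit --hashlimit-name syn --hashlimit-mode srcip --hashlimit-above 50/second --hashlimit-burst 100 -j DROP\n' "$WAN" "$PROTECTED"
    # Per-source cap on concurrent connections.
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -d %s -p tcp --syn -m connlimit --connlimit-above 100 --connlimit-mask 32 -j DROP\n' "$WAN" "$PROTECTED"
    # Per-source UDP and ICMP flood limits.
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -d %s -p udp -m hashlimit --hashlimit-name udp --hashlimit-mode srcip --hashlimit-above 1000/second --hashlimit-burst 2000 -j DROP\n' "$WAN" "$PROTECTED"
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -d %s -p icmp -m hashlimit --hashlimit-name icmp --hashlimit-mode srcip --hashlimit-above 20/second -j DROP\n' "$WAN" "$PROTECTED"
    printf 'iptables -A FORWARD -j ACCEPT\n'
}

case "${1:-}" in
    bridge) bridge_cmds ;;
    filter) filter_cmds ;;
    apply)  { bridge_cmds; filter_cmds; } | sh -e ;;   # run as root
    *) echo "usage: $0 bridge|filter|apply" >&2 ;;
esac
```

Run it with `bridge` or `filter` to review the generated commands, and `apply` as root to execute them. Per-source limits like these help against floods from a bounded set of real sources; they do little against a SYN flood with spoofed source addresses, and the interrupt and CPU ceiling from the comment above still applies, since every frame is now inspected by conntrack on the bridge.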