
Security Cloudflare Sysadmin DDOS protection?

Discussion in 'System Administration' started by rc112, Apr 4, 2018.

  1. rc112

    rc112 Member

    124
    14
    18
    Sep 22, 2017
    Ratings:
    +15
    Local Time:
    11:17 AM
    Hi @eva2000, is Sucuri a good option for DDOS? Which plan is adequate under a limited budget?

    I got terrible DDOS attacks in the past 2 months. 3 times!!! The first 2, I got past alright by enabling CloudFlare "I am under attack", but for the 3rd, nothing helped. I was there and considered shutting off the host. :(

    So CSF or all the things in CMM are not enough for DDOS protection? Please kindly advise and share. I can foresee a 4th coming soon. Thank you so much!
     
  2. eva2000

    eva2000 Administrator Staff Member

    36,055
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    1:17 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
  3. rc112

    rc112 Member

    That is an excellent idea to have a specific thread for DDOS. From my experience, it is getting worse. What DDOS measures are in CMM? Can we implement one like the ones below? Thanks.

    vDDoS Proxy Protection
    firehol/netdata
     
  4. rc112

    rc112 Member

  5. eva2000

    eva2000 Administrator Staff Member

    Upstream = That means protection has to start before traffic reaches your server, so nothing you install on your server will be enough. CSF firewall & fail2ban can only help a little for some forms of attacks and securities. But they won't help much at all when behind a proxy like Cloudflare, Sucuri or Incapsula, as CSF firewall and fail2ban can't see visitors' real IP when using those services.
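
Added example (not part of the thread or any poster's code): a small Python model of a per-address request limit, showing why a limit keyed on the connecting address flags the proxy instead of the flooding client, and why the forwarded address should only be believed when the connection comes from a known proxy. The log format, the addresses (documentation ranges) and the function names are all constructed for illustration.

```python
from collections import Counter

EDGE = "198.51.100.7"  # constructed: stands in for one proxy edge node

def sample_log():
    """Constructed lines: '<peer addr> <forwarded client addr> <unix time> <path>'."""
    lines = []
    for i in range(40):  # one flooding client behind the proxy, 40 requests in 10 s
        lines.append(f"{EDGE} 203.0.113.66 {1000 + i // 4} /search")
    for i in range(3):   # two ordinary visitors behind the same edge
        lines.append(f"{EDGE} 203.0.113.10 {1000 + i * 3} /")
        lines.append(f"{EDGE} 203.0.113.11 {1001 + i * 3} /forum")
    for i in range(30):  # direct connection that forges the forwarded header
        lines.append(f"192.0.2.50 203.0.113.10 {1000 + i // 3} /search")
    return lines

def client_key(peer, forwarded, trusted_proxies):
    """Use the forwarded address only when the TCP peer is a known proxy."""
    if peer in trusted_proxies and forwarded != "-":
        return forwarded
    return peer

def over_limit(lines, limit, window, trusted_proxies=frozenset()):
    """Return {address: peak request count in one window} for addresses above limit."""
    buckets = Counter()
    for line in lines:
        peer, forwarded, ts, _path = line.split()
        key = client_key(peer, forwarded, trusted_proxies)
        buckets[(key, int(ts) // window)] += 1
    peaks = {}
    for (addr, _bucket), count in buckets.items():
        if count > limit:
            peaks[addr] = max(count, peaks.get(addr, 0))
    return peaks

if __name__ == "__main__":
    log = sample_log()
    # Keyed on the TCP peer, as a host firewall sees it: the edge itself trips the limit.
    print(over_limit(log, limit=20, window=10))
    # Keyed on the forwarded address, trusted only from the edge: the flooder stands out.
    print(over_limit(log, limit=20, window=10, trusted_proxies={EDGE}))
```

In the first call the proxy edge is the address over the limit, so banning it would cut off every visitor behind it; in the second the forged header from the direct connection is ignored and that peer is counted under its own address.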
     
  6. rc112

    rc112 Member

    @eva2000 Thanks for your explanation. Just in view of what you just said, I came up with maybe setting up a server in front of your server? Would it be possible and effective? Maybe someone has done something like this. :D
     
  7. rdan

    rdan Premium Member Premium Member

    4,255
    1,034
    113
    May 25, 2014
    Ratings:
    +1,486
    Local Time:
    11:17 AM
    Mainline
    10.2
    What was the attack?
    Layer 7/Application attack?

    What happens with your site when under attack?
     
  8. Revenge

    Revenge Active Member

    408
    85
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +302
    Local Time:
    4:17 AM
    1.9.x
    10.1.x
    If someone targets your VPS/server with a layer 4 attack, there is nothing you can do besides hoping your host has a very good dedicated anti-DDOS.

    Cloudflare or Sucuri can't do anything if the attackers know your server IP address. A layer 4 attack simply saturates all your network bandwidth, so no one will be able to enter your site.
     
  9. rc112

    rc112 Member

    @RoldanLT @Revenge I am not sure which layer it is, but it is like what @Revenge described. I can see my CPU remained at 100% all the time, and I or the customers cannot access the front/backends and get a timeout error. I can access using SSH though.

    Is it true that neither CloudFlare nor Sucuri can fight against layer 4 DDOS?

    I think there must be a more effective way or even an open source way to fight against DDOS. I feel like it is like living under terrorism, you don't know when the bomb will kill you.
     
  10. Revenge

    Revenge Active Member

    From what you are saying, it's most likely a Layer 7 attack. A Layer 4 attack will not cause your CPUs to go to 100%, it will just make your server inaccessible from the outside. But a Layer 7 attack will try to take your site down by using all your server resources, and this is a lot easier to defend. There are attacks that can bypass Cloudflare protection, but normally you can try to understand the attack and block it. Centminmod comes with many tools to do that, like CSF, fail2ban, nginx rules, etc.
     
  11. rc112

    rc112 Member

    Thank you @Revenge, I think I need to study it a bit. There is way too much to learn for a sysadmin.
     
  12. eva2000

    eva2000 Administrator Staff Member

    If it's application layer 7 attacks, then the only way is throwing more money and server resources at it in combination with something like CSF Firewall, nginx rate and connection limitation, front and backend level caching for your web apps to level nginx proxy_cache, php-fpm fastcgi_cache, and utilise memcached, redis caching and if you're creative some nginx lua and fail2ban. But there will be a point where it might not be enough and depends on server hardware resources and server network capacity.

    And even then, if you're on VPS servers with shared neighbours, your VPS web host might suspend your DDOS attacked server when it reaches a certain limit - sometimes way before the threshold where your VPS can't handle it. Which is what happened on this forum with a DDOS attack that my Linode VPS was handling well with less than 37% CPU utilisation with CSF Firewall and fail2ban like automatic firewall ban for IPs from a WordPress pingback attack(s), but Linode found it not acceptable so null routed and suspended the VPS at 1.5+ Gbps DDOS attack size - Forum DDOS Attacked - Linode null routed. This was back when my forum's Linode plan offered 500Mbps connection speed before their upgrades to 1Gbps network default for all plans. So my Linode plan's VPS hardware could in theory handle the DDOS attack, but at 1.5Gbps size it was larger than Linode's acceptable 500Mbps network cap and would have been larger than Linode's current 1Gbps network cap on my Linode plan unless I upgraded to Linode's 32GB and higher plans with 1.5Gbps, 3Gbps, 6Gbps and 10Gbps network connectivity from between US$120-960/month.

    So ultimately, you'd need a fatter and bigger network pipe server/reverse proxy like Cloudflare, Sucuri, Incapsula in front of your server as they have terabytes of network capacity which is needed when it gets to a size that either your server specs can't handle or when it gets to a size that is not acceptable by your VPS web host and/or dedicated server web host.
     
  13. rdan

    rdan Premium Member Premium Member

    Then that is just Layer 7 or Application layer attack.
    Enable and configure CSF ct_limit and Nginx limit_conn.

    That will help a lot.
     
  14. rdan

    rdan Premium Member Premium Member

    Don't trust Cloudflare if you're on the Pro or Free plan only.
    They will disable the protection and direct all your requests to your server if a certain number of requests is reached.

    Much better to try Sucuri.
     
  15. eva2000

    eva2000 Administrator Staff Member

    Wasn't that sort of changed with Cloudflare - Cloudflare Announces Unmetered DDOS Mitigation For All Plans?

    they now say
    ok they mean layer 3 and 4 DDOS attacks and not layer 7

    For folks who don't know various DDOS attack definitions read
     
  16. rdan

    rdan Premium Member Premium Member

    Yeah, so if you get hit by a large volume of Layer 7 attacks under the Pro or Free plan, Cloudflare will redirect all the traffic to your server.

    Sucuri wins in terms of Layer 7 and is cheap.
     
  17. Revenge

    Revenge Active Member

    That was 2 years ago, time really flies.
    I hope everything is ok with your Mother.
     
  18. rc112

    rc112 Member

  19. rdan

    rdan Premium Member Premium Member

  20. eva2000

    eva2000 Administrator Staff Member

    Indeed my mother is fine.. though she recently had cataract eye surgery too. But all good :)

    Yeah heard of them but haven't used

    +1 Sucuri, Cloudflare and Incapsula I all use. Sucuri isn't as fast in CDN level side compared to Cloudflare or Incapsula but Sucuri is cheapest when you take into account WAF + DDOS protection.
     