Paid CDN vs command line CDN

Hello,

What do you recommend for DDoS protection on Ubuntu servers?
I have found some paid CDN companies offering secure and protected connection solutions; on the other hand, there are also some tutorials explaining the installation of a CDN server as an alternative.

Could you please let me know what pro features a paid CDN provides for system stability and security on Linux?

Thank you
Boris

@baris35 a single CDN server makes no sense, because the N in CDN means network. This can usually only be provided by a paid service. Or do you have multiple internet servers under your control? Or have I misunderstood something?


Hello Rodrigues,
A friend of mine has a dedicated server in Germany and the company does not provide DDoS protection. The iptables rules below make no sense; that's why he is still looking for a solution.

### 1: Drop invalid packets ###
/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
### 2: Drop TCP packets that are new and are not SYN ###
/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

### 3: Drop SYN packets with suspicious MSS value ###
#/sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

### 4: Block packets with bogus TCP flags ###
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

### 5: Block spoofed packets ###
/sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
#/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
#/sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
#/sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
#/sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
### 7: Drop fragments in all chains ###
/sbin/iptables -t mangle -A PREROUTING -f -j DROP

### 8: Limit connections per source IP ###
/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 3 -j REJECT --reject-with tcp-reset

### 9: Limit RST packets ###
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

### Protection against port scanning ###
/sbin/iptables -N port-scanning
/sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
/sbin/iptables -A port-scanning -j DROP
###extra
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -j DROP

I recommended that he migrate his database to OVH or another company that has a good reputation with regard to DDoS.
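One thing worth seeing about the rules above: the `-m limit --limit 2/second --limit-burst 2` rule on NEW TCP keeps a single counter for the whole INPUT chain, so during a flood it throttles legitimate visitors just as hard as the flood source. iptables' `hashlimit` match with `--hashlimit-mode srcip` keeps one counter per source address instead. The token-bucket simulation below is an added example, not code from this thread; it models both behaviours with the same rate and burst on a constructed traffic mix (one noisy source at 50 SYN/s and ten ordinary clients at 1 SYN/s, using addresses from the documentation ranges).

```python
"""Token-bucket model of iptables '-m limit' (one shared bucket) versus
'-m hashlimit --hashlimit-mode srcip' (one bucket per source address).

Added example, not from the forum thread. The traffic mix is constructed:
one noisy source and ten ordinary clients, all in documentation ranges.
"""
from collections import defaultdict


class TokenBucket:
    """Mirrors --limit RATE --limit-burst BURST: the bucket starts full at
    `burst` tokens, refills at `rate` tokens per second up to `burst`,
    and a packet passes only when a whole token is available."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.capacity = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def synthetic_syns(duration_s: float = 10.0):
    """Constructed SYN arrivals as (time, src_ip), sorted by time.
    One source sends 50 SYN/s; ten clients send one SYN per second each."""
    events = []
    for i in range(int(duration_s * 50)):
        events.append((i / 50.0, "198.51.100.7"))  # constructed noisy source (TEST-NET-2)
    for c in range(10):
        for s in range(int(duration_s)):
            # constructed clients (TEST-NET-3), slightly staggered so no two events collide
            events.append((s + c * 0.01 + 0.005, f"203.0.113.{c + 1}"))
    events.sort()
    return events


def accepted_per_source(events, per_source: bool, rate: float = 2.0, burst: int = 2):
    """Run the arrivals through one shared bucket (like '-m limit') or one
    bucket per source IP (like hashlimit in srcip mode) and return
    {src_ip: number_of_accepted_packets}."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    shared = TokenBucket(rate, burst)
    accepted = defaultdict(int)
    for now, src in events:
        bucket = buckets[src] if per_source else shared
        if bucket.allow(now):
            accepted[src] += 1
    return dict(accepted)


def legit_total(result) -> int:
    """Accepted packets summed over the ten constructed ordinary clients."""
    return sum(n for ip, n in result.items() if ip.startswith("203.0.113."))


if __name__ == "__main__":
    ev = synthetic_syns()
    for mode in (False, True):
        res = accepted_per_source(ev, per_source=mode)
        label = "per-source (hashlimit srcip)" if mode else "global (-m limit)"
        print(f"{label}: noisy={res.get('198.51.100.7', 0)} "
              f"legit={legit_total(res)} of 100")
```

With the shared bucket the run issues only about 20 tokens in total and the noisy source, arriving 50 times a second, takes nearly all of them; with per-source buckets every one of the 100 ordinary arrivals passes while the noisy source is still held to the same 20 or so. That is the difference between the quoted rule and a per-source `hashlimit` rule at identical rate and burst settings.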

@baris35,

this set of rules is pretty advanced and I can't tell if this really works. For a real practical test you would need a large number of clients. But you could simulate this from one or only a few clients with e.g. hping3 or GoldenEye.

Is it really a DDoS? How does the colleague know? Or is the server just inadequately sized or misconfigured?

And before I switch to a paid service, I would first try to use free / open source software, see e.g. here: Intrusion detection system - Wikipedia.

Update: One more way is using iptables in conjunction with GeoIP.

Hello Rodriguez,
Nginx-based server, no misconfiguration issue in the server settings.

netstat -ntu|awk '{print $5}'|cut -d: -f1 -s|sort|uniq -c|sort -nk1 -r > report

The report file returns thousands of IP addresses from around the world, in different geographic locations.
Also, his hosting provider notifies him when a DDoS happens. They only stop the connections and wait until the DDoS ends :)
From now on, I will not reply to this topic, as it seems we need to do something more at our end ourselves, or think about migrating to a new company.

I will take a look at those sources/links which you shared.
Thank you so much for your time
Boris
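The `netstat | awk | cut | sort | uniq -c` pipeline quoted in the post above does the counting, but `cut -d: -f1` truncates IPv6 foreign addresses at their first colon and the pipeline cannot distinguish half-open (`SYN_RECV`) connections from established ones. The parser below is an added example, not from the thread, that does the same per-remote count on constructed `netstat -ntu` output, splits the port off at the last colon so IPv6 survives, and can restrict the count to chosen states. The addresses and the `SAMPLE_NETSTAT` text are constructed.

```python
"""Count connections per remote address from 'netstat -ntu' output.

Added example, not from the forum thread. SAMPLE_NETSTAT is constructed
output with documentation-range addresses; feed real output to
parse_netstat() or top_talkers() in the same way.
"""
from collections import Counter

SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:443        198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.7:51235      SYN_RECV
tcp        0      0 203.0.113.10:443        198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:443        198.51.100.7:51237      SYN_RECV
tcp        0      0 203.0.113.10:443        192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:443        192.0.2.44:40002        ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8:ffff::9:60010  ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8:ffff::9:60011  TIME_WAIT
udp        0      0 203.0.113.10:53         192.0.2.99:5353         ESTABLISHED
"""


def remote_host(foreign: str) -> str:
    """Strip the port from a netstat 'Foreign Address' field. Splitting on
    the last colon keeps IPv6 addresses intact (cut -d: -f1 would not)."""
    host, _, _port = foreign.rpartition(":")
    return host


def parse_netstat(text: str, states=None) -> Counter:
    """Return Counter {remote_ip: connection_count}.
    When `states` is given (e.g. {"SYN_RECV"}), only connections in those
    states are counted, which isolates a half-open backlog from real traffic."""
    counts = Counter()
    for line in text.splitlines():
        fields = line.split()
        # header lines have no protocol in column 0; skip them
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        state = fields[5] if len(fields) > 5 else ""
        if states is not None and state not in states:
            continue
        counts[remote_host(fields[4])] += 1
    return counts


def top_talkers(text: str, threshold: int, states=None):
    """Sorted list of (ip, count) for remotes with at least `threshold`
    connections, highest count first (the 'sort -nk1 -r' step plus a cut-off).
    Ties are ordered by address so the output is stable."""
    counts = parse_netstat(text, states)
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for ip, n in top_talkers(SAMPLE_NETSTAT, threshold=2):
        print(f"{n:6d} {ip}")
    print("half-open per remote:", dict(parse_netstat(SAMPLE_NETSTAT, states={"SYN_RECV"})))
```

On the constructed sample the top talker shows four connections, three of them half-open, which is the kind of per-remote, per-state breakdown that decides whether a rule such as `connlimit` would hit a genuine flood source or an ordinary browser opening several connections.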

Hey @baris35

Detecting DDOS attacks is not really something a "rookie" in writing detection code should tackle if they have a site which generates revenue and must be operational.

I have written a lot of DDOS code over the years, and I'm fairly good at it :) and am the person who created the concept of cyberspace situational awareness and multi-sensor data fusion as a cyber-defensive strategy for IDS back in the late 1990s.

See for example, my paper from 2000:

https://www.researchgate.net/publication/220420389_Intrusion_Detection_Systems_and_Multisensor_Data_Fusion

There is a big difference between "hacking around with iptables rules" and building a robust DDOS defense.

If you care about DDOS, and you have a critical system, you are best to run your server behind the DDOS defenses of an established hosting provider; unless you want to go down the deep rabbit hole of learning detection theory and operational cyber-risk management.
