The best approach to a lowend ddos protected website
Welcome to this lovely thread!
So I’m creating a simple, however not static site. It’ll be based on Wordpress for now. I plan on using Reddit to market it since I’m active there. However, that leaves me with two things:
• Heavy traffic spikes
• DDoS attacks, probably L4 & L7
So I thought about the best approach to do this without breaking the bank. Going for a normal VPS and routing with Cloudflare would be great, I’d get to mask the IP and such. However, I’d still be able to be taken down with L7.
I’ve also thought about going to a webhost since they’ll usually be used to deal with these things, but on the other hand my traffic spikes might get them to not want me as their client, and I can’t risk downtime if I get up there.
Comments
https://github.com/kyprizel/testcookie-nginx-module for L7
Aren’t software solutions on the server level considered bad in most cases? Or is that just for L4 floods?
You can’t deal with an amplification attack locally normally because your pipe is saturated. Application attacks aren’t usually as bandwidth consuming and hence local mitigation techniques can be very effective.
Yes, correct. But still a speed factor of 50 or 200 in how one deals with those attacks makes a difference and using WP puts one in a not easy to defend spot.
@emgh ...
Short answer: forget it.
Longer answer: unless you develop some low level WordPress core module WordPress is a major factor in your problem set. Also WP puts you in a tight frame regarding url formats. Cookies are one good approach principally but only useful if they are used in the right way. A "protection engine" like the nginx module mentioned here is very highly likely useless because it's well known and because it works the wrong way.
That developer chose the wrong algorithm plus the wrong algorithm type. A symmetric algorithm like AES will put about the same burden on the defender and the attacker and probably even put you with PHP at a disadvantage against an attacker using V8 or the like or even compiled code against you.
What you need is asymmetry to your advantage with a high burden for the attacker. The basic problem class is quite similar to what scrypt, Argon and similar address.
Your advantage is that a machine wasting a second on each attempt equates to an all but broken attack vehicle while a human user will accept that probably thinking "well, of course being reddit'ed slows a WP site down" and happily surf your site.
My advice is to either buy quite expensive professional WP hosting and ask them right away about their attitude and preparations re. possibly massive attacks or to build a solution yourself maybe based on some Go or Erlang/Elixir kit or the like.
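The asymmetry described in the post above, as an added example that is not part of the thread or of testcookie-nginx-module: a stateless hashcash-style client puzzle where the client spends about 2**bits SHA-256 hashes and the server spends one HMAC plus one hash to check the answer. SHA-256 stands in here for the memory-hard functions the post mentions; all names, the TTL and the difficulty are assumptions.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)   # per-server key (assumption: rotated out of band)
TTL = 120                 # seconds a challenge stays valid (assumed value)

def _mac(ip, ts, nonce, bits):
    msg = f"{ip}|{ts}|{nonce}|{bits}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_challenge(ip, bits=16, now=None):
    """Server: one HMAC, no stored state. The token is bound to the client IP."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(8).hex()
    return f"{ts}.{nonce}.{bits}.{_mac(ip, ts, nonce, bits)}"

def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(token):
    """Client: brute-force a counter, about 2**bits hashes on average."""
    bits = int(token.split(".")[2])
    counter = 0
    while True:
        d = hashlib.sha256(f"{token}:{counter}".encode()).digest()
        if _leading_zero_bits(d) >= bits:
            return counter
        counter += 1

def verify(token, counter, ip, now=None):
    """Server: one HMAC plus one SHA-256, whatever the difficulty."""
    try:
        ts_s, nonce, bits_s, mac = token.split(".")
        ts, bits, counter = int(ts_s), int(bits_s), int(counter)
    except (ValueError, TypeError):
        return False
    expected = _mac(ip, ts, nonce, bits).encode()
    if not hmac.compare_digest(mac.encode(), expected):
        return False          # forged token, altered difficulty, or other IP
    now = time.time() if now is None else now
    if not 0 <= now - ts <= TTL:
        return False          # expired or future-dated
    d = hashlib.sha256(f"{token}:{counter}".encode()).digest()
    return _leading_zero_bits(d) >= bits
```

A solved token stays valid until the TTL runs out, so a deployment would also keep a short-lived cache of tokens already redeemed.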
I meant naturally if this is dealt with before it touches PHP or preferably before it touches the web server.
There's a WP to static site plugin that will help with resource consumption during attacks. I can't think of the name.
I guess that can be very good not only for attacks but on traffic spikes. Thanks.
@emgh
Best approach would be a HA solution, I would do nginx load balancing over multiple low end ddos protected servers from psychz/sharktech and voxility with HA mysql cluster.
Yeah, that's not very lowend though.
@emgh
a couple 10 lowend vpses at $3/mo is $30 sounds a lowend HA
What budget do you have available for this? L7 is usually complex, hyperfilter's web hosting comes to mind, but it's around $30/month, but you don't have to do anything, they got you covered.
You could also do OVH web hosting, shouldn't be too bad either.
If you have a basic VPS on a DDoS protected network and use CloudFlare to mitigate the HTTP/HTTPS attacks you should be fine. Even if the attacks get past CloudFlare, put CF in under attack mode. Even with Nginx and some deny blocks, with a few cores it can tank a good size attack anyways. Many attacks that do get past CF, at least that I've seen, are coming from very few IPs that can just be manually blocked. Don't know how they bypass CloudFlare but the ones that do have been usually from Google Cloud or AWS.