The best approach to a lowend ddos protected website

emgh Member, BF Ambassador
edited May 2018 in General

Welcome to this lovely thread!

So I’m creating a simple, however not static site. It’ll be based on WordPress for now. I plan on using Reddit to market it since I’m active there. However, that leaves me with two things:

• Heavy traffic spikes
• DDoS attacks, probably L4 & L7

So I thought about the best approach to do this without breaking the bank. Going for a normal VPS and routing with Cloudflare would be great, I’d get to mask the IP and such. However, I’d still be able to be taken down with L7.

I’ve also thought about going to a webhost since they’ll usually be used to deal with these things, but on the other hand my traffic spikes might get them to not want me as their client, and I can’t risk downtime if I get up there.

Comments

  • emgh Member, BF Ambassador
    edited May 2018

    Aren’t software solutions on the server level considered bad in most cases? Or is that just for L4 floods?

  • Clouvider Member, Patron Provider

    @emgh said:

    Aren’t software solutions on the server level considered bad in most cases? Or is that just for L4 floods?

    You can’t deal with an Amplification locally normally because your pipe is saturated. Application attacks aren’t usually as bandwidth consuming and hence local mitigation technique can be very effective.

    Thanked by 4: pike, lion, v3ng, emgh
  • jsg Member, Resident Benchmarker
    edited May 2018

    @Clouvider said:

    You can’t deal with an Amplification locally normally because your pipe is saturated. Application attacks aren’t usually as bandwidth consuming and hence local mitigation technique can be very effective.

    Yes, correct. But still a speed factor of 50 or 200 in how one deals with those attacks makes a difference and using WP puts one in a not easy to defend spot.

    @emgh ...

    Short answer: forget it.

    Longer answer: unless you develop some low level WordPress core module WordPress is a major factor in your problem set. Also WP puts you in a tight frame regarding url formats. Cookies are one good approach principally but only useful if they are used in the right way. A "protection engine" like the nginx module mentioned here is very highly likely useless because it's well known and because it works the wrong way.

    That developer chose the wrong algorithm plus the wrong algorithm type. A symmetric algorithm like AES will put about the same burden on the defender and the attacker and probably even put you with PHP at a disadvantage against an attacker using V8 or the like or even compiled code against you.

    What you need is asymmetry to your advantage with a high burden for the attacker. The basic problem class is quite similar to what scrypt, Argon and similar address.
    Your advantage is that a machine wasting a second on each attempt equates to an all but broken attack vehicle while a human user will accept that probably thinking "well, of course being reddit'ed slows a WP site down" and happily surf your site.

    My advice is to either buy quite expensive professional WP hosting and ask them right away about their attitude and preparations re. possibly massive attacks, or to build a solution yourself, maybe based on some Go or Erlang/Elixir kit or the like.

    Thanked by 1: emgh
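
As an added illustration of the asymmetry jsg describes above (not code from the post or from the nginx module discussed in the thread): a hashcash-style client puzzle in which the client spends about 2^bits hashes while the server verifies with one HMAC and one hash. It substitutes plain SHA-256 for the memory-hard scrypt/Argon class named in the post; the function names, difficulty and expiry values are assumptions.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)   # server-side key (constructed for this example)
DIFFICULTY_BITS = 16      # assumed tuning: about 2**16 hashes per solve

def _tag(client_ip, ts, salt):
    msg = f"{client_ip}|{ts}|{salt}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _work(challenge, nonce):
    return leading_zero_bits(hashlib.sha256(f"{challenge}.{nonce}".encode()).digest())

def issue_challenge(client_ip, now=None):
    """Server: stateless challenge bound to the client IP by an HMAC."""
    ts = str(int(time.time() if now is None else now))
    salt = os.urandom(8).hex()
    return f"{ts}.{salt}.{_tag(client_ip, ts, salt)}"

def solve(challenge, bits=DIFFICULTY_BITS):
    """Client: brute-force a nonce; expected cost is 2**bits hashes."""
    nonce = 0
    while _work(challenge, nonce) < bits:
        nonce += 1
    return nonce

def verify(client_ip, challenge, nonce, bits=DIFFICULTY_BITS, max_age=120, now=None):
    """Server: one HMAC plus one hash, whatever the difficulty."""
    try:
        ts, salt, tag = challenge.split(".")
        age = (time.time() if now is None else now) - int(ts)
    except ValueError:
        return False          # malformed challenge string
    if not 0 <= age <= max_age:
        return False          # expired or future-dated
    if not hmac.compare_digest(tag.encode(), _tag(client_ip, ts, salt).encode()):
        return False          # forged, or issued to a different IP
    return _work(challenge, nonce) >= bits
```

A solved challenge stays valid until `max_age` passes, so a deployment would also need to record spent salts (or issue a short-lived cookie per solve) to stop one solution being replayed.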
  • Clouvider Member, Patron Provider

    jsg said: aren’t usually as bandwidth consuming and hence local mitigation technique can be very effective.

    Yes, correct. But still a speed factor of 50 or 200 in how one deals with those attacks makes a difference and using WP puts one in a not easy to defend spot.

    I meant naturally if this is dealt with before it touches PHP or preferably before it touches the web server.

    Thanked by 1: emgh
  • There's a WP to static site plugin that will help with resource consumption during attacks. I can't think of the name.

    Thanked by 1: emgh
  • emgh Member, BF Ambassador

    @doughmanes said:
    There's a WP to static site plugin that will help with resource consumption during attacks. I can't think of the name.

    I guess that can be very good not only for attacks but on traffic spikes. Thanks.

  • mohamed Member

    @emgh

    best approach would be a HA solution, I would do nginx load balancing over multiple low end ddos protected servers from psychz/sharktech and voxility with HA mysql cluster.

  • emgh Member, BF Ambassador

    @mohamed said:
    @emgh

    best approach would be a HA solution, I would do nginx load balancing over multiple low end ddos protected servers from psychz/sharktech and voxility with HA mysql cluster.

    Yeah, that's not very lowend though.

  • mohamed Member

    @emgh

    a couple 10 lowend vpses at $3/mo is $30 sounds a lowend HA

  • What budget do you have available for this? L7 is usually complex, hyperfilter's web hosting comes to mind, but it's around $30/month, but you don't have to do anything, they got you covered.

    You could also do OVH web hosting, shouldn't be too bad either.

  • MikeA Member, Patron Provider

    If you have a basic VPS on a DDoS protected network and use CloudFlare to mitigate the HTTP/HTTPS attacks you should be fine. Even if the attacks get past CloudFlare, put CF in under attack mode. Even with Nginx and some deny blocks, with a few cores it can tank a good size attack anyways. Many attacks that do get past CF, at least that I've seen, are coming from very few IPs that can just be manually blocked. Don't know how they bypass CloudFlare but the ones that do have been usually from Google Cloud or AWS.
