Litespeed Reverse Proxy - Free Testers Required - Hungary - Anti-DDoS up to 80Gbps
Hello,
I'm looking for site owners with an active site that may be targeted by attacks. I will also accept personal or non-production sites with top-level domains, as long as you are able to evaluate thoroughly. The solution will be entirely based on Litespeed Web Server with an enterprise license. In my opinion, the performance of Litespeed is comparable to nginx when configured correctly.
DDoS filtering: We are able to mitigate Layer 3 and 4 attacks (e.g. UDP, TCP, SSYN, ICMP).
Filtering is supported by Magyar Telekom. Custom mitigation devices at the DC are also used.
Hardware based application layer filtering is not currently carried out, and is dependent on Litespeed's features. This is yet to be fully optimised. We are currently going to specialise in high capacity filtering for common attacks (not HTTP).
Our service should be compatible with CloudFlare or other CDN type services, but there could be no need to run another proxy on top of another. We can also whitelist IP spaces.
I can protect server origins with custom ports (not port 80 - running on 8080). SNI SSL can be enabled upon request.
Purpose of using a reverse proxy:
- To protect from common large DDoS attacks
- To hide your server IP
- To provide an additional layer of security (S/W WAF)
- To circumvent internet restrictions (e.g. in China, you need ICP to operate on port 80. You could run on another port, and/or use our proxy directly. DTAG is currently connected to China Telecom).
What is unique about this?
- Litespeed enterprise solution
- Hungarian location (Eastern/Central Europe with excellent peering to DTAG, Magyar Telekom, TeliaSonera and Interoute). RETN (best for CIS) is also available as a private peer. It is not OVH or a common provider
How long will this be in beta for?
I expect this to last for a couple of weeks.
What feedback do I need to provide?
This can be a casual job, in which you occasionally inform me of any errors such as connection timeouts, performance degradation or incorrect blocking of IP addresses.
What do I receive for being a beta tester?
You will receive one month proxy or cPanel hosting for free (any package). Discounts may also be included!
What will be the pricing in the future for this service?
We're still considering the price but our basic plan should start at $5 USD per month without any discounts.
Do you have a control panel?
Unfortunately not for reverse proxies. This is all done manually by hand.
Can you do traffic redirecting for other non-web services?
For now, we currently only do web based reverse proxies. In the future, we may look into other traffic redirections for gameservers, voiceservers, UDP-bound ports.
How do I obtain this?
Please PM me with your domain name and origin IP (current server IP). Please make sure you are deeply interested and not just a one day evaluation. I will set it up straight away. Please do remember this is in BETA. I'm open for any feedback.
Test IP - send me a PM!
Comments
So why pay for something you can get free (nginx)? Or even use Varnish?
I have an existing owned Litespeed license, so I've decided to use this webserver to create a reverse proxy solution.
I'm fully aware of nginx+varnish combinations and it can deliver very high performance. However, the purpose of this beta is to try something different.
It's funny to see that some people can't see anything better than free.
How does Litespeed defend from layer3/4 attacks though? Litespeed is strictly a web server aka application based server. Layer 3 and 4 are based on actual connections such as TCP, ICMP, etc.
We're using hardware firewalls and mitigation devices to defend against Layer 3 and 4 attacks. This is stated in the thread. So we have multiple 'layers' of protection. That's why the guaranteed protection capacity is huge.
Litespeed is purely for serving content and acts as a basic web application firewall for HTTP.
Uhh... that's not true. I just don't see why a ridiculous price should be paid for Litespeed when a free counter part (nginx or varnish) already exists, that's all. In fact, I think Nginx will outbench Litespeed.
I have paid for software that does tasks more efficiently or to even support the developers themselves.
@deployvm
So how do you prevent layer3/4? Do you have the server's complete traffic connect through your site?
For Layer 3 and 4, it's done at network level through hardware devices as I've mentioned before. We will only blackhole if it exceeds 80Gbps - very rare. All udp/syn/icmp packets are inspected, and once abnormalities are detected, filtering will start automatically.
The protection is completely transparent, so no specific software configuration is required.
So all traffic (TCP, HTTP, ICMP, etc.) would be routed through your server(s) before reaching the clients? Are you going to have the client restrict all access except only through your reverse proxy? Also, would the client lose any data (Headers, request information, etc)?
Yes in a sense, this is only a basic reverse proxy, which all traffic will be exchanged with the origin/backend IP only. This is the only way, unless I build a cluster (it's possible) for H.A.
The backend IP will not be visible or intercepted with the 'internal' communication. I can force https or SSL based connections (encryption) - if that's what you are concerned about. In other cases, it should not be simply exposed. If you run a PHP mailer or SMTP agent, then your backend could be exposed by tracing email headers. That's a different situation.
No HTTP headers should be lost. We do not explicitly modify any http headers or requests. The proxy should be transparent in delivering requests. This service is to provide another layer of security.
In some regards, it is similar to a CloudFlare service (reverse proxy only excluding all the added features like DNS, CDN etc).
Well even if the backend would be able to be reached, you should have the client restrict all access to the server (INCOMING) just to your IP range(s) so even an attempted backend DDoS would not cause any issues.
The client could use iptables to block all port 80 or http access (if custom port), and only allow access to the frontend IP only. This is entirely possible. This will block any attempts for http attacks directly.
A software firewall cannot block incoming bandwidth attacks. So, they must contact their DC and ask for ACLs to completely drop UDP from reaching their server. SYN flood protection is also a possibility through iptables.
One of the purposes of a reverse proxy is to hide the origin IP. Cases of the backend IP being intercepted by external communications will be unusual.
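The origin lockdown discussed in the posts above, as an added example that is not part of the original thread: a POSIX shell function that prints an `iptables-restore` fragment admitting only the proxy's address to the origin's web port. The chain name `ORIGIN_WEB`, the port 8080 and the address 203.0.113.10 (documentation range) are assumptions for illustration.

```shell
#!/bin/sh
# Print (do not apply) an iptables-restore fragment that admits only the
# reverse proxy to the origin's web port and drops every other source.

valid_ipv4_cidr() {
    # Accept a.b.c.d or a.b.c.d/len (octets 0-255, prefix length 0-32).
    addr=${1%%/*}
    case $1 in */*) len=${1#*/} ;; *) len=32 ;; esac
    case $len in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

origin_lockdown_rules() {
    # $1 = origin web port, remaining args = proxy source addresses/CIDRs.
    port=$1
    case $port in
        ''|0*|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    shift
    [ $# -ge 1 ] || { echo "need at least one proxy address" >&2; return 1; }
    # Validate everything first so a bad argument never yields partial rules.
    for src in "$@"; do
        valid_ipv4_cidr "$src" || { echo "bad proxy address: $src" >&2; return 1; }
    done
    echo '*filter'
    echo ':ORIGIN_WEB - [0:0]'            # hypothetical chain name
    echo "-A INPUT -p tcp --dport $port -j ORIGIN_WEB"
    for src in "$@"; do
        echo "-A ORIGIN_WEB -s $src -j ACCEPT"
    done
    echo '-A ORIGIN_WEB -j DROP'          # everyone else hitting the web port
    echo 'COMMIT'
}

# Constructed sample: origin on 8080, proxy at 203.0.113.10.
origin_lockdown_rules 8080 203.0.113.10
```

The output is meant to be reviewed and then loaded as root with `iptables-restore --noflush`. As the post notes, this only stops direct HTTP connections; it does nothing against bandwidth floods that saturate the origin's link.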
Seems easier to get a BuyVM DDoS protected IP and just do a GRE tunnel.
You can do that, as Voxility solutions are quite effective now. I've worked with Limehost.ro back in 2011-2012 when they had mainly Cogent peering and Fortinet 310B firewalls. It was 15EUR only for such firewall implementations.
I'm providing a unique service (in Hungary) with own custom filtering. Upstreams are Magyar Telekom, Telia and Interoute. The service level will be different. You just need to modify the A record and you can have quick protection - removes the hassle for inexperienced endusers.
As I know, in Hungary none of the datacenters provide DDoS protection. Only null-route. And if you could handle 80gbps... then you maybe have to pay thousands of euros per month. As 1gbps is very expensive in Hungary. 80gbps..?
Explain. How.
I cannot reveal my contracts exactly, but I'm working with a Hungarian datacentre that can indeed provide 80Gbps protection. It's mostly Magyar Telekom as upstream. I do have guaranteed 1Gbps bandwidth to my server.
To Tele2 ISP:
root@magyar [~]# wget -O /dev/null http://speedtest.tele2.net/1GB.zip -4
--2015-08-02 04:17:58-- http://speedtest.tele2.net/1GB.zip
Resolving speedtest.tele2.net... 90.130.70.73
Connecting to speedtest.tele2.net|90.130.70.73|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1073741824 (1.0G) [application/zip]
Saving to: ‘/dev/null’
100%[====================================>] 1,073,741,824 89.0M/s in 11s
2015-08-02 04:18:10 (90.3 MB/s) - ‘/dev/null’
Host Loss% Snt Last Avg Best Wrst StDev
1. 10.3.2.39 0.0% 5 0.4 0.5 0.4 0.5 0.1
2. 8x.xxx.xx.xx 0.0% 5 0.8 0.9 0.7 1.1 0.2
3. 8x.xxx.xx.xx 0.0% 4 0.9 1.0 0.8 1.2 0.2
4. 81.183.2.164 0.0% 4 1.6 1.0 0.7 1.6 0.4
5. xe-9-0-0.ic0-ip2.net.telekom.hu 0.0% 4 0.8 0.8 0.7 0.9 0.1
6. 81.183.0.62 0.0% 4 1.2 4.5 1.0 14.9 6.9
7. 193.159.167.145 0.0% 4 15.9 15.8 15.7 15.9 0.1
8. 217.239.49.210 0.0% 4 17.2 17.1 17.1 17.2 0.1
9. fra36-peer-1.ge-0-0-0-unit0.tele 0.0% 4 17.5 21.6 17.5 33.6 8.0
10. fra36-core-1.bundle-ether2.tele2 0.0% 4 18.8 17.9 17.5 18.8 0.6
11. d90-130-70-73.cust.tele2.se 0.0% 4 16.9 16.9 16.8 17.1 0.1
@deployvm said:
Well.. happy to hear my Hungarian friend
--
Good luck!
I bet it's Doclerweb
@Butters said:
Nope, it's not Doclerweb. Doclerweb's network lacks Magyar Telekom as an upstream.
Ok last try :P deninet?
Not directly Deninet either
Webenlet aka uplink.hu or Szervernet
Those don't provide protection to my knowledge. No need to keep guessing! If you would like to test, give me a site and you can find out who the ISP is. It's a very old ISP in Hungary.