LinuxQuestions.org
Old 05-14-2014, 09:18 PM   #1
Vita
Member
 
Registered: May 2012
Distribution: Debian 6, CentOS 6
Posts: 39

Rep: Reputation: Disabled
Is there a way to route packets via VPS server to the main server?


Hi,

Let me explain this a little bit better.
Imagine that I have 2 servers.
A - VPS server with DDoS protection (only for filtering).
B - Dedicated server without DDoS protection (for hosting websites etc.).

I want to make all packets from foreign countries go first through server A and then to server B. So if the main server B gets DDoSed, server A would filter it and pass only legit packets.

Is there a way to do this, and if there is, what should I do or try to do? I think I need to mess with the BGP routes but I'm not sure how to do it.

Best Regards!
 
Old 05-16-2014, 04:39 AM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,344

Rep: Reputation: Disabled
You cannot route IP packets on the global Internet to different destinations depending on the source address. BGP and routing protocols in general are all about advertising a route to a given destination, regardless of source. Also, packets being routed already have a fixed destination address, and that address cannot exist in two different places.

What you can do, though, is to configure a DNS server to respond with different IP addresses for the same A or AAAA queries, depending on the source IP of the lookup request. You can use a GeoIP service to figure out which IP networks correspond to different regions. That way, clients from one region requesting the A record for "www.mysite.com" get one answer (say, the IP address of server A), while clients from another region get an answer pointing to a different IP address (that of server B).

You can then configure server A as a reverse proxy and have it fetch data from server B and throttle traffic to prevent DoS attacks.
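
The answer selection described in this post, as an added example that is not part of the original thread. The GeoIP ranges, server addresses and region names are constructed placeholders from documentation prefixes, and the EDNS Client Subnet handling is an addition: the source IP of a lookup is normally the client's recursive resolver, so a client-subnet hint, when present, is the better signal.

```python
import ipaddress

# Constructed GeoIP table (network -> region). A real deployment would load
# this from a GeoIP database; these are documentation prefixes.
GEOIP = {
    "198.51.100.0/24": "domestic",
    "203.0.113.0/24": "foreign",
    "2001:db8:1::/48": "domestic",
}
# Constructed answers: server A is the filtering proxy, server B the origin.
SERVER_A = {"A": "192.0.2.10", "AAAA": "2001:db8::a"}
SERVER_B = {"A": "192.0.2.20", "AAAA": "2001:db8::b"}

# Longest prefix first, so the most specific network wins.
_NETS = sorted(
    ((ipaddress.ip_network(n), r) for n, r in GEOIP.items()),
    key=lambda item: item[0].prefixlen, reverse=True)


def region_of(addr):
    """Return the region of an address, or "unknown" if no network matches."""
    ip = ipaddress.ip_address(addr)
    for net, region in _NETS:
        if ip.version == net.version and ip in net:
            return region
    return "unknown"


def answer(qtype, resolver_ip, ecs_subnet=None):
    """Pick the address record to return for one query.

    resolver_ip is the source address of the lookup request. If the query
    carries an EDNS Client Subnet option, its network address is used
    instead, because it describes the client rather than the resolver.
    """
    if qtype not in ("A", "AAAA"):
        raise ValueError("only address records are steered")
    where = resolver_ip
    if ecs_subnet is not None:
        net = ipaddress.ip_network(ecs_subnet, strict=False)
        where = str(net.network_address)
    # Fail closed: anything not known to be domestic goes through the proxy.
    target = SERVER_B if region_of(where) == "domestic" else SERVER_A
    return target[qtype]
```

Steering by DNS only changes which address clients are told; server B's own address still accepts traffic from anyone who already knows it unless B is firewalled to accept connections from A and the chosen regions only.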
 
Old 05-16-2014, 07:13 AM   #3
Vita
Member
 
Registered: May 2012
Distribution: Debian 6, CentOS 6
Posts: 39

Original Poster
Rep: Reputation: Disabled
I'm going to show you these traceroutes:

From Italy or any other country:
Code:
 1  XXX.prometeus.net (193.XXX.XXX.XXX)  0.056 ms  0.030 ms  0.015 ms
 2  gw-cdlan-2.prometeus.cdlan.net (217.171.46.253)  0.377 ms  0.436 ms  0.512 ms
 3  ibgp-gw-core-a.cdlan.net (217.171.32.129)  0.355 ms  0.459 ms  0.498 ms
 4  he.mix-it.net (217.29.66.125)  0.250 ms  0.292 ms  0.307 ms
 5  10ge3-3.core1.zrh1.he.net (184.105.222.129)  4.327 ms  4.346 ms  4.354 ms
 6  10ge15-2.core1.fra1.he.net (72.52.92.29)  11.117 ms  11.135 ms  11.485 ms
 7  os.gigabitethernet2-12.core1.fra1.he.net (216.66.84.222)  22.153 ms  21.798 ms  21.816 ms
 8  100ge.fw.optimate-server.de (109.230.212.53)  22.539 ms  22.560 ms  22.523 ms
 9  * * *
10  193.104.XXX.XXX (193.104.XXX.XXX)  35.145 ms  35.111 ms  35.099 ms
From Serbia:
Code:
Tracing route to 193.104.XXX.XXX over a maximum of 30 hops

  1     1 ms    <1 ms     1 ms  192.168.1.1
  2     5 ms     4 ms     5 ms  178-223-XXX-XXX.dynamic.isp.telekom.rs [178.223.XXX.XXX]
  3     7 ms     5 ms     5 ms  212.200.15.117
  4    10 ms     8 ms    13 ms  212.200.6.209
  5    11 ms    10 ms     9 ms  212.200.6.162
  6    10 ms    10 ms    10 ms  kgb-hosting.sox.rs [193.105.163.46]
  7    10 ms    10 ms    10 ms  193.104.XXX.XXX

Trace complete.
Is there a way to achieve that? As you can see from the first trace, hop number 8 goes through 100ge, which I believe is used to mitigate attacks. But on the second trace we don't go through that server.

I want to achieve that, what should I do, I also plan to host servers in Serbia?
I'm not really sure how they managed to do this, I'm in need of the same thing.

Best Regards!

Last edited by Vita; 05-16-2014 at 07:16 AM.
 
Old 05-16-2014, 07:50 AM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,344

Rep: Reputation: Disabled
Routers select the optimal route. They don't care about DoS attacks in the slightest.

How a packet gets from A to B may vary, depending on exactly where A is in relation to B, and the path may also change dynamically as backbone connections are added or lines go down, but the point is:

a) You cannot control this, as the routers on the Internet make these decisions autonomously based on BGP information, and
b) Traffic always ends up at the host specified by the sender, and no BGP manipulation can change that.

In your original post you wanted traffic from certain sources to a server B to be sent through or via another host, A. That's not what BGP does.
 
Old 05-16-2014, 09:11 AM   #5
Vita
Member
 
Registered: May 2012
Distribution: Debian 6, CentOS 6
Posts: 39

Original Poster
Rep: Reputation: Disabled
I saw Remote DDoS protection, and read things about GRE tunnels and that they are used somehow to mitigate DDoS attacks. So I think I mixed some things.

As you can see from the RIPE report here
https://apps.db.ripe.net/search/quer...#resultsAnchor

You can see from there that Optimate is the maintainer and they host servers in Germany, but the servers are located in Serbia. When we send packets through Serbian ISPs, packets go through sox.rs, but when other ISPs communicate with the servers on that IP they go through 100ge.fw.optimate-server.de.

How is that made?

Best Regards!

Last edited by Vita; 05-16-2014 at 09:18 AM.
 
Old 05-16-2014, 10:22 AM   #6
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,344

Rep: Reputation: Disabled
Let's say you're in location X, and you want to force BGP to route traffic from locations A and B through Y. What you could do, is set up a GRE tunnel between X and a router at location Y. The tunnel will appear to be a direct link between X and Y, and the router at Y will advertise it as such over BGP.

As a result, all traffic from sources near Y will choose the path advertised by the router at that location, as it appears to represent the shortest path to X, even though it's really not. Assuming locations A and B are closer to Y than they are to X, traffic from those regions will be routed through Y.

This does not in and by itself mitigate any kind of attack. It might actually make the situation slightly worse, as GRE encapsulated packets take up slightly more bandwidth due to the extra header. However, the router at location Y is now free to throttle the traffic without affecting traffic going directly to X from other regions.

The crucial element is the router at location Y. You need some sort of point-of-presence near the region from which you wish to throttle traffic, and the throttling has to happen at the remote end, or you'll simply be (D)DoS'ed by GRE packets instead.

Last edited by Ser Olmy; 05-16-2014 at 10:23 AM.
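
The GRE overhead and the remote-end throttling point from this post, worked through as an added example that is not part of the original thread. It assumes basic GRE over IPv4 (20-byte outer header without options, 4-byte GRE header without checksum, key or sequence number); the addresses and packet rates are constructed.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE payload type: IPv4
OUTER_IP_LEN = 20         # outer IPv4 header, no options
GRE_LEN = 4               # basic GRE header


def ip_checksum(header):
    """One's-complement sum over 16-bit words (RFC 1071)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def gre_encapsulate(inner, src, dst, ttl=255):
    """Wrap an inner IPv4 packet the way router Y does before sending to X."""
    total_len = OUTER_IP_LEN + GRE_LEN + len(inner)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl,
                      GRE_PROTO, 0, socket.inet_aton(src),
                      socket.inet_aton(dst))
    # Fill in the header checksum (bytes 10-11 of the IPv4 header).
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/version 0, type
    return hdr + gre + inner


def overhead_percent(inner_len):
    """Extra bytes on the X-Y path, relative to the inner packet size."""
    return 100.0 * (OUTER_IP_LEN + GRE_LEN) / inner_len


def tunnel_mtu(link_mtu=1500):
    """Largest inner packet that fits without fragmenting the outer one."""
    return link_mtu - OUTER_IP_LEN - GRE_LEN


def link_load_at_x(offered_pps, inner_len, throttle_pps=None):
    """Bits per second arriving at X through the tunnel.

    throttle_pps is the cap enforced at Y; None means Y forwards everything,
    so X's link carries the full flood plus the GRE overhead.
    """
    pps = offered_pps if throttle_pps is None else min(offered_pps, throttle_pps)
    return pps * (inner_len + OUTER_IP_LEN + GRE_LEN) * 8
```

For a flood of minimum-size 40-byte packets the tunnel adds 60% on top of the inner bytes, so an unthrottled tunnel delivers more traffic to X than the direct path would; only a cap applied at Y reduces what reaches X's link.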
 
  

