Hello Guys, I have been really busy trying to mitigate the situation I was in and was not able to concentrate on this thread.
I found a solution: host the domain with a different provider who actually offers different DDoS mitigation strategies. They are filtering traffic on their border routers, thus not letting it pass through. SYN and HTTP flood in my case, easy to identify and mitigate. They were able to stop some of the traffic, let's say 70%, and the rest of the scrubbing was done by ipfilter.
I have the DNS TTL set to 10 minutes, so changing the IP did not help. Whenever I changed it, I was always welcomed at the new IP with the sheer traffic.
Yes, netfilter will eat up the RAM in case of a well-tuned DDoS attack. I tried csf, apf and shorewall, but they all ended up doing nothing. The amount of data was not that much; it varied from 18 to 30 Mbps, and once I measured it around 185 Mbps. Luckily I did not see those G attacks.
The number of PPS was, though, the main concern. I got an easy 25K PPS, which actually nailed down my good old Cisco 5505 and Firebox 500.
Now that the DDoS has stopped, and the ISP is also taking care of it for me, I am concentrating on developing a solution which can actually help me to slow down an attack. I have been reading about pf (OpenBSD/FreeBSD) and synproxy. It sounds compelling. But in the case of, say, 25,000 packets per second, I think I would have to really, really fine-tune the OS to take such a load? I have seen people deploying firewalls running FreeBSD with pf on their border routers to mitigate DDoS.
Would like to thank everyone again who posted such good info. I'll try to set up a local domain with pf and see what load it can go through. Will keep ya guys posted.
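For readers following the synproxy idea in the post above, here is an added pf.conf example (not the poster's configuration, and not tested on their setup) that shows the two pf features most relevant to a SYN flood against a web server: `synproxy state`, which makes pf complete the TCP handshake on the server's behalf so half-open connections never reach the backend, and per-source connection-rate limits that push abusive sources into a table that is then blocked outright. The interface name `em0`, the server address `192.0.2.10` (documentation range), the state limit and the rate thresholds are all assumptions to be tuned for the actual box and traffic.

```pf
# Added example pf.conf, not the poster's own config. Names, addresses and
# numeric limits are assumptions; tune them for your hardware and traffic.
ext_if  = "em0"            # assumed external interface
web_srv = "192.0.2.10"     # assumed web server address (RFC 5737 documentation range)

# Sources that exceed the rate limits below land here and are dropped.
table <flooders> persist

# Raise the state table: synproxy creates a state per accepted handshake,
# and a flood at tens of thousands of pps fills the default table fast.
set limit states 500000
# Shorter state timeouts so abandoned half-open attempts expire quickly.
set optimization aggressive

# Drop anything from a source already identified as a flooder, before
# any state lookup or handshake work is done for it.
block in quick on $ext_if from <flooders>

# Accept only a bare SYN for the web ports, let pf answer the handshake
# (synproxy), and cap what each source may do:
#   max-src-conn 100        at most 100 open connections per source
#   max-src-conn-rate 15/5  at most 15 new connections per 5 seconds
#   overload <flooders>     offenders go into the table ...
#   flush global            ... and all their existing states are killed
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <flooders> flush global)

# Normal stateful rules for the rest of the traffic.
pass out on $ext_if keep state
```

Entries in `<flooders>` stay until removed; a periodic `pfctl -t flooders -T expire 3600` from cron releases sources that have been quiet for an hour, so a legitimate client that tripped the limit once is not blocked forever. Note that synproxy only removes the half-open-connection cost from the server; at the packet rates described in the post the firewall itself still has to receive and classify every SYN, so the `quick` block on the table and the state limit matter as much as the proxying.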
