05-14-2014, 10:18 PM  #1
Member
Registered: May 2012
Distribution: Debian 6, CentOS 6
Posts: 39
Is there a way to route packets via VPS server to the main server?
Hi,
Let me explain this a little bit better.
Imagine that I have 2 servers.
A - VPS server with DDoS protection (only for filtering).
B - Dedicated server without DDoS protection (for hosting websites etc.).
I want to make all packets from foreign countries go first through server A and then to server B. So if the main server B gets DDoSed, server A would filter it and pass only legit packets.
Is there a way to do this, and if there is, what should I do or try to do? I think I need to mess with the BGP routes but I'm not sure how to do it.
Best Regards!

05-16-2014, 05:39 AM  #2
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
You cannot route IP packets on the global Internet to different destinations depending on the source address. BGP and routing protocols in general are all about advertising a route to a given destination, regardless of source. Also, packets being routed already have a fixed destination address, and that address cannot exist in two different places.
What you can do though, is to configure a DNS server to respond with different IP addresses for the same A or AAAA queries, depending on the source IP of the lookup request. You can use a GeoIP service to figure out which IP networks correspond to different regions. That way, clients from one region requesting the A record for "www.mysite.com" get one answer (say, the IP address of server A), while clients from another region get an answer pointing to a different IP address (that of server B).
You can then configure server A as a reverse proxy and have it fetch data from server B and throttle traffic to prevent DoS attacks.

05-16-2014, 08:13 AM  #3
Member (Original Poster)
Registered: May 2012
Distribution: Debian 6, CentOS 6
Posts: 39
I'm going to show you these traceroutes:
From Italy or any other country:
Code:
1 XXX.prometeus.net (193.XXX.XXX.XXX) 0.056 ms 0.030 ms 0.015 ms
2 gw-cdlan-2.prometeus.cdlan.net (217.171.46.253) 0.377 ms 0.436 ms 0.512 ms
3 ibgp-gw-core-a.cdlan.net (217.171.32.129) 0.355 ms 0.459 ms 0.498 ms
4 he.mix-it.net (217.29.66.125) 0.250 ms 0.292 ms 0.307 ms
5 10ge3-3.core1.zrh1.he.net (184.105.222.129) 4.327 ms 4.346 ms 4.354 ms
6 10ge15-2.core1.fra1.he.net (72.52.92.29) 11.117 ms 11.135 ms 11.485 ms
7 os.gigabitethernet2-12.core1.fra1.he.net (216.66.84.222) 22.153 ms 21.798 ms 21.816 ms
8 100ge.fw.optimate-server.de (109.230.212.53) 22.539 ms 22.560 ms 22.523 ms
9 * * *
10 193.104.XXX.XXX (193.104.XXX.XXX) 35.145 ms 35.111 ms 35.099 ms
From Serbia:
Code:
Tracing route to 193.104.XXX.XXX over a maximum of 30 hops
1 1 ms <1 ms 1 ms 192.168.1.1
2 5 ms 4 ms 5 ms 178-223-XXX-XXX.dynamic.isp.telekom.rs [178.223.XXX.XXX]
3 7 ms 5 ms 5 ms 212.200.15.117
4 10 ms 8 ms 13 ms 212.200.6.209
5 11 ms 10 ms 9 ms 212.200.6.162
6 10 ms 10 ms 10 ms kgb-hosting.sox.rs [193.105.163.46]
7 10 ms 10 ms 10 ms 193.104.XXX.XXX
Trace complete.
Is there a way to achieve that? As you can see from the first trace, hop number 8 goes through 100ge, which I believe is used to mitigate attacks. But on the second trace we don't go through that server.
I want to achieve that. What should I do? I also plan to host servers in Serbia.
I'm not really sure how they managed to do this; I'm in need of the same thing.
Best Regards!
Last edited by Vita; 05-16-2014 at 08:16 AM.

05-16-2014, 08:50 AM  #4
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
Routers select the optimal route. They don't care about DoS attacks in the slightest.
How a packet gets from A to B may vary, depending on exactly where A is in relation to B, and the path may also change dynamically as backbone connections are added or lines go down, but the point is:
a) You cannot control this, as the routers on the Internet make these decisions autonomously based on BGP information, and
b) Traffic always ends up at the host specified by the sender, and no BGP manipulation can change that.
In your original post you wanted traffic from certain sources to a server B to be sent through or via another host, A. That's not what BGP does.

05-16-2014, 10:11 AM  #5
Member (Original Poster)
Registered: May 2012
Distribution: Debian 6, CentOS 6
Posts: 39
I saw Remote DDoS protection, and read things about GRE tunnels and that they are used somehow to mitigate DDoS attacks. So I think I mixed some things.
As you can see from the RIPE report here
https://apps.db.ripe.net/search/quer...#resultsAnchor
You can see from there that Optimate is the maintainer, and they host servers in Germany, but the servers are located in Serbia. When we send packets through Serbian ISPs, packets go through sox.rs, but when other ISPs communicate with the servers on that IP they go through 100ge.fw.optimate-server.de.
How is that made?
Best Regards!
Last edited by Vita; 05-16-2014 at 10:18 AM.

05-16-2014, 11:22 AM  #6
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
Let's say you're in location X, and you want to force BGP to route traffic from locations A and B through Y. What you could do, is set up a GRE tunnel between X and a router at location Y. The tunnel will appear to be a direct link between X and Y, and the router at Y will advertise it as such over BGP.
As a result, all traffic from sources near Y will choose the path advertised by the router at that location, as it appears to represent the shortest path to X, even though it's really not. Assuming locations A and B are closer to Y than they are to X, traffic from those regions will be routed through Y.
This does not in and by itself mitigate any kind of attack. It might actually make the situation slightly worse, as GRE encapsulated packets take up slightly more bandwidth due to the extra header. However, the router at location Y is now free to throttle the traffic without affecting traffic going directly to X from other regions.
The crucial element is the router at location Y. You need some sort of point-of-presence near the region from which you wish to throttle traffic, and the throttling has to happen at the remote end, or you'll simply be (D)DoS'ed by GRE packets instead.
Last edited by Ser Olmy; 05-16-2014 at 11:23 AM.
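
Added example, not part of the thread or of any poster's configuration: a dry-run sketch of the GRE arrangement described in post #6, with the throttling done at Y before encapsulation. All addresses, the `gre1` interface name and the SYN rate are constructed assumptions; it also assumes Y's router already announces the service prefix over BGP and that X already holds an address from that prefix.

```shell
#!/bin/sh
# Constructed documentation addresses (RFC 5737); replace before use.
Y_PUB=198.51.100.10    # public address of the filtering router at Y
X_PUB=203.0.113.20     # public address of the server at X (tunnel endpoint only)
SVC_NET=192.0.2.0/24   # service prefix hosted at X and announced via BGP at Y
SYN_RATE=20/second     # assumed per-source limit for new TCP connections

# Dry run by default: print each command. APPLY=1 (as root) executes them.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Router at Y: terminate the tunnel, throttle, then forward SVC_NET into it.
plan_y() {
    run ip tunnel add gre1 mode gre local "$Y_PUB" remote "$X_PUB" ttl 255
    # GRE over IPv4 adds 24 bytes (20 outer IP + 4 GRE): 1500 - 24 = 1476
    run ip link set gre1 mtu 1476 up
    run ip route add "$SVC_NET" dev gre1
    run sysctl -w net.ipv4.ip_forward=1
    # Throttle before encapsulation: drop per-source SYN floods here, so
    # they never consume the link towards X as GRE packets.
    run iptables -A FORWARD -o gre1 -p tcp --syn -m hashlimit \
        --hashlimit-name gre_syn --hashlimit-mode srcip \
        --hashlimit-above "$SYN_RATE" --hashlimit-burst 40 -j DROP
}

# Server at X: accept the tunnel from Y only; replies leave via X's own uplink.
plan_x() {
    run ip tunnel add gre1 mode gre local "$X_PUB" remote "$Y_PUB" ttl 255
    run ip link set gre1 mtu 1476 up
    # Clients arrive on gre1 but are answered via the default route
    run sysctl -w net.ipv4.conf.gre1.rp_filter=2
    # Advertise an MSS that fits the tunnel: 1476 - 40 (IP + TCP) = 1436
    run iptables -t mangle -A OUTPUT -s "$SVC_NET" -p tcp \
        --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1436
    # Refuse GRE from anyone but Y
    run iptables -A INPUT -p gre ! -s "$Y_PUB" -j DROP
}

case "${1:-}" in
    y) plan_y ;;
    x) plan_x ;;
esac
```

Run it with `y` or `x` as the argument to print the plan for that end; nothing is changed on the host unless `APPLY=1` is set.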