LinuxQuestions.org

Linux - Security: Linux Firewall and Geo Ips (https://www.linuxquestions.org/questions/linux-security-4/linux-firewall-and-geo-ips-4175439053/)

sachinsud 11-27-2012 10:35 PM

Hi,

I host game servers in India. My problem is that in India we don't have any data center which provides DDoS protection.

In game servers, we get UDP DDoS attacks.

In order to overcome this problem, I want to disable international routing.
What I mean to say by that is, I want only people in the India region to be able to ping my machine. I have been told that can be achieved by using geo IP files.
But I am not sure how it can be done.
Any software or anything which you guys can refer?

I have also been told if I can use this
deflatedotmedialayerdotcom

It will help me against UDP DDoS. Any recommendations?

Thanks
Sachin

No Reply?? :(

NyteOwl 11-28-2012 12:07 PM

Basically you set up blocks for all IP ranges that are not originating in the country of choice, in your case India. Lists of these country specific ranges are available in numerous places on-line. Filtering by country IP is never 100% certain and must be updated regularly.

While doing blocks at server level is an important security element, most DDOS attacks are best mitigated at the border of the network, with the help of your datacentre. If they can't or won't help, and the attack is large enough even blocking them from the server will not keep them from slowing the network connection.

salasi 11-29-2012 09:18 AM

Quote:

Originally Posted by sachinsud (Post 4838480)
Hi,

I host game servers in India. My problem is that in India we don't have any data center which provides DDoS protection.

Real, robust, 'pre-configured' DDoS protection is hard to achieve. I doubt that you'll find anyone, anywhere, who will guarantee you that they can 100% protect against DDoS attacks as part of some standard hosting arrangement. What you will find is that some hosting suppliers are more able and willing to work with you through the details of a specific attack, and the help that they can give, than others.

You ought certainly to be aware that, looking through the history of things that people report on LQ as DDoS attacks, it is probably the minority that are actually DDoS attacks. People confuse 'ordinary' DoS attacks (which are simpler to deal with) with DDoS attacks, and some people even seem to think that any miscellaneous outbreak of packets that they don't understand must be a DDoS, possibly because that's the thing that they have heard of.

Quote:

Originally Posted by sachinsud (Post 4838480)
I have also been told if I can use this
deflatedotmedialayerdotcom

That thing has been around for a number of years. It is easy to see what it would do against a plain DoS attack, less clear that it would do anything useful against a true DDoS.

You also need to keep in mind that a true DDoS attack costs money to mount. If you annoy someone sufficiently, they might think that it is worthwhile and if you have a high value business model (eg, casino or on-line gambling?) that loses significant cash for every minute that it is inaccessible, it might be worth it for an evildoer to spend money on attacking you. Otherwise, probably not.

Quote:

In order to overcome this problem, I want to disable international routing.
What I mean to say by that is, I want only people in the India region to be able to ping my machine. I have been told that can be achieved by using geo IP files.
You have some reason to think that Indians won't attack your server, but that others will?

unSpawn 11-29-2012 01:09 PM

Quote:

Originally Posted by salasi (Post 4839585)
That thing has been around for a number of years.

True, and that IMNSHO is one of the reasons to advise against using it. It's also obsolete because DDoS-Deflate, like some other "anti DoS solutions" such as Syn-Deflate, R-fx Fguard, DDoS-Defender or netshield.googlecode.com, is simply based on the wrong ideas using the wrong tools. It's even sadder that these kludges often are fobbed off on those desperate for a remedy instead of pointing them to documentation, let alone suggesting upstream action. Some common characteristics:
- detection / action driven (or hampered?) by a cron job,
- netstat input (which some tools don't even parse well enough) massaged by a sh*tload of user land tools,
- may offer to email reports,
- all rules end up in the filter table INPUT chain.

So instead of pointing out the fallacy of end point "protection" against DDoS, instead of educating users about do's and don'ts (like taunting), instead of pointing to documentation like the SANS Reading Room or the Network DDoS Incident Response Cheat Sheet (PDF) offer, instead of letting the kernel part of the Netfilter framework bear the brunt of the work as far as rate limiting and filtering is concerned, instead of efficiently using ipset for blocking, these tools put the strain on user land (nice if the box is already facing resource exhaustion), degrading performance even more. ...and these are the "less bad" ones. People who get tricked into thinking that blocking things at the application level is useful are even worse off.
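The two points made above (NyteOwl's "block every range not in the country, and refresh the list" and unSpawn's "let ipset and the kernel do the filtering and rate limiting") fit together in one small rule generator. The script below is an added example and is not code from the thread or from any of the tools named in it. It assumes a set name `in_allow`, a game port of UDP 27015, three placeholder documentation ranges standing in for a real country list, and illustrative hashlimit thresholds; the operator would substitute a country list from the RIR delegation data and re-run it on a schedule. It prints the `ipset` and `iptables` commands rather than executing them, so it can be reviewed first and then piped to `sh` as root. Note that it only protects the game port on this host; per NyteOwl, a flood large enough to saturate the uplink still has to be dealt with upstream.

```shell
#!/bin/sh
# Added example (not from the thread): build an ipset allowlist from a country
# CIDR list and put UDP filtering plus per-source rate limiting into Netfilter,
# so the box does no user-land work per packet. Set name, port, sample ranges
# and rate thresholds are all assumptions for illustration.
set -u

# Constructed sample allowlist: three RFC 5737 documentation ranges standing in
# for a real country list (which would contain thousands of entries).
SAMPLE_CIDRS="$(printf '%s\n' \
  '203.0.113.0/24' \
  '198.51.100.0/24' \
  '192.0.2.0/24')"

# Print (do not execute) the commands that build the allowlist set and the
# filter chain. $1 = ipset name, $2 = UDP port; CIDRs are read from stdin,
# one per line, blank lines and '#' comments ignored.
gen_rules() {
  set_name=$1
  port=$2
  # hash:net stores prefixes; -exist makes create/add idempotent on re-runs.
  echo "ipset create $set_name hash:net -exist"
  echo "ipset flush $set_name"
  while read -r cidr; do
    case $cidr in
      ''|'#'*) continue ;;
    esac
    echo "ipset add $set_name $cidr -exist"
  done
  # A dedicated chain so the whole policy can be flushed and rebuilt in place.
  echo "iptables -N GAME_UDP 2>/dev/null || iptables -F GAME_UDP"
  # Allowlisted sources are still rate limited per source IP in the kernel:
  # above 200 pkt/s (burst 400) from one address is dropped. Thresholds are
  # illustrative; tune them to the game's real per-client packet rate.
  echo "iptables -A GAME_UDP -m set --match-set $set_name src -m hashlimit --hashlimit-name game_$port --hashlimit-mode srcip --hashlimit-above 200/sec --hashlimit-burst 400 -j DROP"
  echo "iptables -A GAME_UDP -m set --match-set $set_name src -j ACCEPT"
  # Everything not in the allowlist is dropped for this port only.
  echo "iptables -A GAME_UDP -j DROP"
  # Hook the chain into INPUT once (-C checks whether the jump already exists).
  echo "iptables -C INPUT -p udp --dport $port -j GAME_UDP 2>/dev/null || iptables -I INPUT -p udp --dport $port -j GAME_UDP"
}

# Sanity helper: count the 'ipset add' lines in a generated rule set read
# from stdin, so a refreshed list can be checked before it is applied.
count_adds() {
  grep -c '^ipset add '
}

# When run directly: print the rule set for the sample list on UDP 27015.
# To apply: ./gen_rules.sh | sudo sh
printf '%s\n' "$SAMPLE_CIDRS" | gen_rules in_allow 27015
```

Because the match happens in `hash:net` lookups and `hashlimit` inside the kernel, refreshing the country list is just re-running the generator (the `ipset flush` plus `-exist` adds rebuild the set in place), and nothing in user land has to parse `netstat` output or touch the rules from cron.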

