Alexandre Egger wrote:
Jeroen,
Anycast is an option, but as you said expensive, but worse than that, complex to maintain. On top of that, it requires skilled boys and their salaries will go up quite quickly, or you leave some company to do it for you at a price you probably do not want to afford, when you are a normal person and know the price of a baguette.
I did mention "which will cost you some cash" and "semi-partial solution" for a reason ;)
But again, if you look at how DDoS attacks are, you can protect many services in various ways. Maybe some tips if you are a small SME with restricted budget but some geeks in your company.
The cheapest solution: don't attract the bad people.
If you don't piss somebody or make them jealous they won't have a need to attack you either.
I have noticed that medium attacks against small ISPs often target DNS servers. One option is to get your zone hosted at some anycast-driven DNS service for a fair price. When the attack occurs, you let them mitigate it for you.
Which might mean they cut your service as clearly you will be affecting also the availability of their other clients...
That, but there is an easier and much more effective DDoS: hit the page that is 'heavy to produce'. The mere simple factor problem: they send you something small, you need to do a lot of work and/or give a big result. If that can be triggered then the site goes down, because 10,000 hosts asking for the heavy page will bring it to its knees. As such, for those heavy ones, have separate infrastructure available.
The second thing is to have the MX record at another host than the real location.
Won't help you much if you don't actually provide a way to read that mail from the second MX; mail will nicely get queued, yes, but you won't be able to read it... (sync between the two MXs and running IMAP on both solves that, maildir filenames are unique, you just need to glue the sync into the imap daemon as well so that the sync doesn't restore files ;)
With Exim MTA, you can easily hide the real source IP with some tuning into exim.conf (both directions).
You can indeed strip the 'local' headers so that internal infrastructure is hidden. But then those external relays will still be hit. Better have large amount of them. Also, this basically comes down to doing the distribution of your servers /
You can do the same with WEB servers, using reverse-proxies such as Squid, lighttpd, pound, or get a CDN company to do it for you (Edgecast is quite affordable, <$300/month entry price). Finally, hide the company gateway IP; you can again have a proxy at some datacenter and tunnel all web traffic through a VPN/SSH tunnel.
That is indeed an excellent solution, but you are then just doing that: "anycast", though using probably updateable-DNS/BGP combinations ;)
Cheap solution: get some el-cheapo 'root' servers, install bind or your preferred DNS server, install pound (for the record I love it ;) or varnish if you want caching, then hide your master server in a dark corner of the Internet.
Now, when somebody attacks one of your 20 cheap ones, just remove it from DNS. They would then have to DDoS all 20 of them, possibly at various ISPs, to get them all down. Users will only notice a minor annoyance during the time DNS changes. Of course DNS becomes your vulnerability, thus, just register all your hosts as NS glue. The target then becomes the TLD servers (which might not be nice).
For that matter, just look at what Virus/Scammer/Malware etc. people do to keep their 'business' up and running. (no, I don't suggest you go around infecting hosts and running your business off that ;)
Good advice still applies. Have knowledge. Know your network. Know your system. Know your applications. Tune them. Run clean code. Update, Patch, Upgrade. Filter all that you don't need. Hide maximum information.
Fully agreed.
Greets, Jeroen
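The "20 cheap front-ends, every one of them NS glue, drop the attacked one from DNS" scheme from the reply above, worked through as an added example (not code from the thread): it builds the low-TTL zone for a pool of front-end proxies, excludes hosts currently being flooded, and refuses to publish if fewer than two nameservers would remain. Hostnames, addresses (RFC 5737 documentation ranges) and the two-nameserver floor are assumptions of this example.

```python
"""Build the zone for a pool of cheap front-end proxies (constructed example)."""
from typing import Dict, List

# Constructed inventory: front-end name -> public IPv4 (documentation ranges).
FRONTENDS: Dict[str, str] = {
    "fe1": "192.0.2.10",
    "fe2": "192.0.2.20",
    "fe3": "198.51.100.30",
    "fe4": "203.0.113.40",
}

MIN_NAMESERVERS = 2  # assumed floor: never publish a zone with fewer NS records


def live_frontends(inventory: Dict[str, str], under_attack: List[str]) -> Dict[str, str]:
    """Return the inventory minus the hosts currently being flooded."""
    unknown = set(under_attack) - set(inventory)
    if unknown:
        raise ValueError(f"unknown front-ends: {sorted(unknown)}")
    return {name: ip for name, ip in inventory.items() if name not in under_attack}


def build_zone(origin: str, inventory: Dict[str, str], under_attack: List[str],
               ttl: int = 60, serial: int = 1) -> str:
    """Every live front-end is published both as an NS (with glue) and as a
    round-robin A record for www. The short TTL makes removals propagate fast."""
    live = live_frontends(inventory, under_attack)
    if len(live) < MIN_NAMESERVERS:
        raise RuntimeError("too few live front-ends to publish a sane zone")
    primary = next(iter(live))  # first surviving host is named as SOA MNAME
    lines = [
        f"$ORIGIN {origin}.",
        f"$TTL {ttl}",
        f"@ IN SOA {primary}.{origin}. hostmaster.{origin}. "
        f"{serial} 3600 900 1209600 {ttl}",
    ]
    for name in live:
        lines.append(f"@ IN NS {name}.{origin}.")
    for name, ip in live.items():
        lines.append(f"{name} IN A {ip}")  # glue for the NS record above
        lines.append(f"www IN A {ip}")     # round-robin web front-end
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # fe2 is under attack: it vanishes from both NS glue and the www pool.
    print(build_zone("example.net", FRONTENDS, ["fe2"]))
```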