How to secure a home server from a DoS attack? Questions about research [closed]

I have done research on several types of attacks; this page is a sample. Some attacks are not insanely harmful to the overall system, while most attack types are preventable by being careful or with the aid of automated software. As an example, “block IP addresses that fail to log in x successive times in y seconds” might work against brute-force password attacks on an elementary level. However, I could not come up with a solution against DoS attacks, because:
(Please correct me if I am wrong)

  1. The attacker can bombard the server with hundreds (or more?) of requests per second from a single port.

    Assuming the requests are from the same IP address, it is possible to add a firewall rule to block that IP (maybe even by automated security software). However, is it still not a burden for the firewall to apply hundreds of “extra” checks each second if the attacker keeps sending the requests? Does it not consume server bandwidth, which is usually limited, as well as the computational resources? Also, isn’t there a computational limit at which a firewall starts dropping/losing packets?

  2. The attacker can modify the header of the packets and keep bombarding the server with always fresh IP addresses.

    Would having the firewall block so many IP addresses not cause legal clients to be blocked out for a certain period? Most probably the first routing server will filter out packets with an out-of-network source IP address, but still, will the legal clients who are on the same network as the attacker not be blocked too?

As far as I know, cloud servers distribute the load and just wait for the DoS/DDoS attack to pass, while the administrator of the network from which the attack is coming takes action. But what is the minimal-loss-of-trust and minimal-loss-of-prestige solution for a home server?

Thank you.

Answer

On the internet you have no control over incoming traffic.

Let’s say you have a 1Gbps internet pipe.

If you receive more than 1Gbps (from a single IP or split across a botnet), the pipe between your ISP and you will be full, no matter whether your badass firewall can drop the traffic at the early edge of your network.

It’s a good idea to have a separate device (router or firewall) that drops packets so it does not affect your application server’s performance.

Yes, network devices have limits on the pps (packets per second) they can handle, because it consumes CPU to handle a packet (dropped or accepted).

Usually you don’t really block IPs; you just discard the packets that match a pattern.

Real solutions are:

  • your ISP blocks the traffic.
  • you have big enough pipes to receive the traffic and discard it.

Interesting reads:
https://javapipe.com/blog/iptables-ddos-protection/
https://blog.cloudflare.com/how-to-drop-10-million-packets/
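A constructed model of the “discard packets that match a pattern” idea from the answer, added here as an example and not part of the question or the answer. It stands in for what per-source limiters such as iptables hashlimit or nftables limit rate do, with a global cap behind them; the IP addresses, timings and rates are constructed. It shows that a flooding source is shed while a slow client on the same limiter is untouched, and that with spoofed (always fresh) sources, as in point 2 of the question, only the global cap still limits what reaches the server.

```python
"""Per-source + global token-bucket rate limiting (constructed model).
Time is in milliseconds and tokens in thousandths so arithmetic is exact."""
from collections import defaultdict


class TokenBucket:
    """One bucket per key: refills at 'rate_pps' packets/s, holds 'burst'."""

    def __init__(self, rate_pps, burst):
        self.rate = rate_pps              # millitokens per millisecond
        self.burst = burst * 1000         # millitokens
        self.tokens = defaultdict(lambda: self.burst)
        self.last = {}

    def allow(self, key, now_ms):
        last = self.last.get(key, now_ms)
        tokens = min(self.burst, self.tokens[key] + (now_ms - last) * self.rate)
        self.last[key] = now_ms
        if tokens >= 1000:                # one whole packet's worth available
            self.tokens[key] = tokens - 1000
            return True
        self.tokens[key] = tokens         # discarded; bucket keeps refilling
        return False


def simulate(packets, src_pps=10, src_burst=20, total_pps=500, total_burst=500):
    """Return {src: accepted}. Per-source check first, then the global cap."""
    per_src = TokenBucket(src_pps, src_burst)
    total = TokenBucket(total_pps, total_burst)
    accepted = defaultdict(int)
    for t_ms, src in sorted(packets, key=lambda p: p[0]):  # stable: legit first
        if per_src.allow(src, t_ms) and total.allow("*", t_ms):
            accepted[src] += 1
    return dict(accepted)


# Constructed traffic over 2 seconds (addresses are documentation ranges).
LEGIT = [(t, "203.0.113.5") for t in range(0, 2000, 200)]     # 5 pps client
FLOOD = [(t, "198.51.100.7") for t in range(2000)]            # 1000 pps, one IP
SPOOFED = [(t, f"spoofed-{t}") for t in range(2000)]          # fresh source per packet


def single_source_flood():
    return simulate(LEGIT + FLOOD)


def spoofed_flood():
    r = simulate(LEGIT + SPOOFED)
    return {"203.0.113.5": r.get("203.0.113.5", 0),
            "spoofed": sum(v for k, v in r.items() if k.startswith("spoofed-"))}


if __name__ == "__main__":
    print(single_source_flood())   # {'203.0.113.5': 10, '198.51.100.7': 39}
    print(spoofed_flood())         # {'203.0.113.5': 10, 'spoofed': 1489}
```

Note that the global cap has no way to tell spoofed packets from legitimate ones, which is exactly why the answer's real fixes are upstream (the ISP) or a pipe big enough to absorb and discard the flood.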

Attribution
Source : Link , Question Author : Xfce4 , Answer Author : exeral
