The background of this article is the current Russia conflict, which is causing DoS and DDoS attacks to increase.
We explain these and similar attacks in our Denial of service attack and Distributed reflective denial of service articles and go into the techniques of the individual scenarios there.
One way to protect yourself from DoS attacks is to have a firewall in front of your servers and not just on local systems. Preferably beforehand at the network level before requests to the reverse proxy with a Web Application Firewall (WAF) coming.
Behavior-based rules can be implemented on both firewalls to prevent unwanted actions on the server itself.
Rate limiting with the WAF, upstream load balancers and a horizontally scaling cluster complete the overall picture.
A DDoS can be prevented with it. Of course, this is again a question of money and the technical know-how you need for the configuration and maintenance of the individual technologies.
That's why many resort to external providers for something like this. For example Cloudflare, to name one of the largest providers. But Google with Project Shield also offers this service free of charge for a certain group of users.
However, this does not mean that at least some of the protection mechanisms mentioned above are not implemented. True to the motto defense in depth, take as many measures as possible without losing the usability of the services.
Cloudflare offers several models ranging from $0 to $200 per month. You can also get special offers here.
As always, the process begins with account creation. About the Cloudflare Dashboard you can register.
Immediately afterwards you should add your website. The root domain is meant here, i.e. without www e.g. Cylinders, Dishes, prosec-networks.com. The same mask then opens again in order to enter further domains. After all domains have been added, continue with the settings.
On the left up Modern click and in the new mask -Setup .
Here at the latest you have to decide on a tariff.
After the tariff choice comes the DNS configuration.
Here you have to check which A , AAAA and CNAME entries should be protected.
Once the registrations are made, you have to change the name servers in your domain registrar to Cloudflare's. The domain registrar is usually the provider from which the domain was purchased.
Changing the name servers can take up to 24 hours.
Depending on the booked tariff, you can then adjust the rules.
If you no longer want to protect a domain with Cloudflare, you can stop the protection in the settings or remove it completely from Cloudflare.
The Advanced Actions area is a bit hidden, at the bottom right.
Project Shield has no plans, it's free.
There is only one condition, you have to be “qualified” to use it.
Because state authorities use this service, we do not disclose any further information here.
More information is available at projectshield.withgoogle.com .
The Cloudflare protection is good, but if the actual public IP of the web server is known, the best protection is useless because it can be bypassed.
On the firewall in front of or from the web server itself, only data traffic from the DDoS provider and your own IP addresses should be allowed, so that the protection does not bypassed can be.
Any entries for other services running on the same IP should be removed. If possible, these should be addressed directly via the IP. Something like that must also be considered when configuring the local firewall. Alternatively, Cloudflare offers the Spectrum service for all payment tariffs. This enables services like SSH and FTP too proxies and route through Cloudflare.
In addition, the wildcard entries for the domain should be removed, as this will reveal the public IP.
After switching to a DDoS protection provider, the public IP address should be changed if possible. Such information can sometimes still be obtained years later from historical data. As we all know, the internet never forgets. Certificates and the source code should also be free of the IP address.
The website should also only be accessible via HTTPS, so port 80 can be closed completely.
Furthermore, it should be noted that the Apache web server must be able to resolve the host name from the VHOST configuration. That's why you shouldn't use the default configuration, but create an independent one, only for this domain, and create an entry for yourself in the hosts file.
The provider can also provide active support during a DDoS attack. By activating blackhole routing, you can use the Border Gateway Protocol (BGP) to keep entire autonomous systems (AS) away from your own services. Accidentally eg Meta that in October 2021 made. For blackholing via BGP you need the data from your provider, who usually have their own AS. Over ASNlookup you can find out the AS number with the IP or the company name.
The owner of the AS can then block the traffic to the attacked IP or, to be more precise, let it run into a black hole. Of course, one can also try to identify the AS of the attacker and block it, but this means that many uninvolved parties will no longer be able to access their own services.
This should be the last measure you take to protect yourself. However, it is the most effective since the data traffic is already discarded in the attacker's AS. This protection requires increased coordination and communication in advance with the provider.
We recommend that you ensure that your online presence is fundamentally secured. When services don't work due to attacks, it always leaves a bad impression or, in the worst case, limits the ability to work. Even with simple and, above all, quick measures, you can massively increase the security of your services.
