DDoS protection? (syn, http, udp, icmp, tcp)

blub0r

Hello,

I want to set up good protection on my VPS. At the moment I use mod_evasive, but it isn't really good...

I then tested this script:
http://www.inetbase.com/scripts/ddos/install.sh (http://directadmin.com/forum/showthread.php?t=14500&highlight=mod_evasive).
I started it with ./ddos.sh -k 100 and now I always get this message:
vps4:/usr/local/ddos# iptables: Bad rule (does a matching rule exist in that chain?)
Does it mean that the IP that wants to visit the site is already blocked, or does it mean that there is an error in the config? I have already done iptables --flush but the error comes again.
Can I use this script in parallel with mod_evasive?

I need protection against
- http
- syn
- udp
- icmp
- tcp and IP spoofing

I have tested APF too, but there I have another problem.
venet0:0 = serverip in the internet (91.xx.xx.xx)
venet0 = 127.0.0.1
When I enter venet0:0 in the APF config, it tells me that this can't be used. With venet0 APF starts, but it's localhost :\

Does anybody know a good and easy DDoS protection that protects against the kinds of attacks I have described?

And one other important question: where can I see the blocked IPs in APF and where in iptables?

Thanks for your answer.

Sorry for my bad English :(
 
CSF would do everything you mentioned. I created an install script for it a while back for VPS's. Just uninstall any other firewall and DDoS protection, then run:

Code:
wget http://www.oakdns.net/downloads/installcsfvps.sh
chmod 0700 installcsfvps.sh
./installcsfvps.sh
 
Hello,

First of all there is no perfect protection from DDoS.

And there is no single tool that will protect from all types of DDoS attacks. The only guaranteed protection from Denial of Service Attacks is if your ISP or Data Center has physical firewalls installed.

But, I am not trying to discourage you. You can have software protection to some level. Trust me, I learned it the hard way.

Try to use the links provided in this forum about DDoS-deflate. Incorporate it with either APF or iptables.

If you are on Linux-based machines, make sure your kernel configs are set up properly. In other words, make sure syncookies are enabled in addition to some other network tuning.
Search Google. There is plenty of information there.

Usually you can always prevent SYN floods, UDP and ICMP floods with APF and/or iptables to some extent. But yet again, if you have 100 Mbit Ethernet and you are being attacked with a packet flow of several Gigabit, then the only way to avoid a doomsday is to hope your ISP has a physical firewall. Then you can request support from them.

Let me tell you. Gigabit attacks are easily possible if your IP address is in the hands of some BotNet gurus. BotNet DDoS attacks can be really brutal. Not one ip, but thousands of them at the same time, some fake, some real.

If you are encountering HTTP floods, mod_evasive is not going to help you.

The best solution, again to some extent, at the software level is to have a proxy installed, such as Squid. Using Squid you can filter a lot of HTTP requests before they reach your server.

So, in conclusion, there is no easy and fast way. You just try, and choose the best option possible.
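
As an added illustration (not part of the thread and not DDoS-deflate's own code): scripts of this kind count connections per remote address in `netstat -ntu` output and block addresses above a limit, such as the `-k 100` threshold in the first post. The function names, the sample data and the printed `iptables -I INPUT ... -j DROP` rule are assumptions made for this example.

```shell
#!/bin/sh
# Added example: per-source connection counting over `netstat -ntu` output.
# Function names and the sample data are assumptions, not taken from any script.

# Read netstat -ntu output on stdin; print "count ip" for each remote
# address holding more than $1 connections, busiest first.
over_limit() {
    awk -v limit="$1" '
        $1 ~ /^(tcp|udp)/ {                 # skip the two header lines
            addr = $5                       # column 5 = foreign address ip:port
            sub(/:[0-9]+$/, "", addr)       # drop the port
            if (addr == "127.0.0.1") next   # never count loopback traffic
            count[addr]++
        }
        END { for (ip in count) if (count[ip] > limit) print count[ip], ip }
    ' | sort -rn
}

# Turn "count ip" lines into firewall commands. Dry run: commands are printed,
# not executed. Anything that is not digits and dots is skipped, so malformed
# input (and IPv6, which would need ip6tables) never reaches the rule.
block_cmds() {
    while read -r count ip; do
        case "$ip" in ""|*[!0-9.]*) continue ;; esac
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Constructed sample (documentation address ranges), not a real capture.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40002      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40003      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40004      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40005      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.5:51001       ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:45000         ESTABLISHED
EOF
}

sample_netstat | over_limit 3 | block_cmds
```

On a live host the input would be `netstat -ntu | over_limit 100`; a limit this simple also catches NAT gateways and proxies that legitimately hold many connections, so review the list before applying any rule.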
 
Thanks for the answers.

To ddos_deflate:
fixed

To mod_evasive:
mod_evasive works fine, but is there any option that automatically adds blocked IPs to iptables?

To APF:
I have tested APF too, but there I have another problem.
venet0:0 = serverip in the internet (91.xx.xx.xx)
venet0 = 127.0.0.1
When I enter venet0:0 in the APF config, it tells me that this can't be used. With venet0 APF starts, but it's localhost :\

@littleoak
Thank you, I will test your script.
 
Sorry for the double post.

First:
ddos_deflate now works fine, but can I set it to check every 10 seconds?

Second:
When my server is under DDoS I can't do anything over SSH; I must enter the command 100 times until it works, with the following error messages:
bash: pipe error: Cannot allocate memory
bash: start_pipeline: pgrp pipe: Cannot allocate memory
etc.
There is enough memory free (about 800 MB); when I stop Apache everything works fine again.

Must I optimize my Apache config? What can I change? I have 1 GB memory and Debian 4.0.
 
Maybe you need optimization on your server, or more RAM.
 