@shikendon
Last active November 8, 2023 10:34
Best Practices for DDoS Protection and Mitigation on Linux

Anycast

Google Cloud Locations (e.g. 8.8.8.8)

TWNIC IP Address Application Service

  • NT$25,000/year

BGP Providers: https://bgp.services

Recommended: Vultr, Packet, SoftLayer

iptables

  • Disable TCP loose mode
  • Disable IP forwarding
  • Enable SYN cookies
  • Enable TCP timestamping
  • Use SYNPROXY module (Optional)

/etc/sysctl.conf

net.netfilter.nf_conntrack_tcp_loose = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.ip_forward = 0

  • Use the raw table and the PREROUTING chain
  • Use the mangle table and the PREROUTING chain
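
The sysctl settings and the raw/mangle PREROUTING placement above, combined with SYNPROXY in one ruleset, as an added example that is not part of the original gist. Port 443 and the SYNPROXY option values (--wscale 7, --mss 1460) are assumptions; the script only prints the ruleset unless it is run as root with the argument apply.

```shell
#!/bin/sh
# Added example, not from the gist. Assumed values: service on TCP 443,
# SYNPROXY options --wscale 7 --mss 1460 (match them to the real server).
PORT="${PORT:-443}"

# Print each sysctl from the gist whose live value differs. $1 is the sysctl
# root (default /proc/sys; overridable so the check can run on a test tree).
sysctl_mismatches() {
    root="${1:-/proc/sys}"
    for kv in net/netfilter/nf_conntrack_tcp_loose=0 net/ipv4/tcp_syncookies=1 \
              net/ipv4/tcp_timestamps=1 net/ipv4/ip_forward=0; do
        key="${kv%=*}"; want="${kv#*=}"
        got="$(cat "$root/$key" 2>/dev/null || echo missing)"
        [ "$got" = "$want" ] || echo "$key want=$want got=$got"
    done
}

# Emit the ruleset in iptables-restore format.
emit_rules() {
cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
# Stateless drops of impossible flag combinations, before conntrack runs.
-A PREROUTING -p tcp -m tcp --tcp-flags ALL NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYNs to the protected port skip conntrack so SYNPROXY can answer them.
-A PREROUTING -p tcp -m tcp --dport ${PORT} --syn -j CT --notrack
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
# State-based drop for other ports only: with tcp_loose=0 the handshake ACK
# is INVALID and must still reach the SYNPROXY rule in filter/INPUT.
-A PREROUTING -p tcp -m tcp ! --dport ${PORT} -m conntrack --ctstate INVALID -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport ${PORT} -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
-A INPUT -p tcp -m tcp --dport ${PORT} -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

# "apply" replaces the existing raw, mangle and filter rules (root required).
if [ "${1:-}" = "apply" ]; then
    [ -z "$(sysctl_mismatches)" ] || { sysctl_mismatches >&2; exit 1; }
    emit_rules | iptables-restore --test && emit_rules | iptables-restore
fi
```

Dropping INVALID packets for the protected port in mangle/PREROUTING would discard the client's handshake ACK before SYNPROXY can validate it, which is why that rule excludes the port.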

Iptables tables and chains Diagram

Packet dropping performance without XDP

XDP (Kernel 4.8+)

Packet dropping performance with XDP

Pricing of DDoS-For-Hire

Quote from Stress****

Monthly Price
15 Gbps 9.99 USD
60 Gbps 179.99 USD
225 Gbps 1999.99 USD
@Calvin-Huang

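Additional notes from what was said verbally during the talk:

UDP attacks usually come from the United States
TCP attacks usually come from Europe (spoofed IPs)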

@kahlaoui2021

big up bro
