[Question] Preventing DDoS - eviltoast

I self host all of my services but utilize a VPS as a gateway for access. Primarily to allow access to a media server and file storage for friends and family.

Recently I’ve been shut down by my VPS provider on multiple occasions because they claim my server was DDoS’d at 2 gigabits/s. I don’t see any evidence of this in my logs.

Regardless, I set up Traefik proxy to geoblock any IPs outside of my country. Literally a few mins after doing so and confirming via VPN that it was working I got shut down and received an email that my network was severed temporarily due to a DDoS Blackhole event.

The questionable nature of their detection system aside, it’s got me wondering… does IP blocking actually help mitigate DDoS attacks?

The server still needs to process the incoming connection before it filters it, so I’m assuming the attack is still accomplishing its intent, which is to overload the server. Can somebody more knowledgeable provide some insight?

  • Dr. Jenkem@lemmy.blugatch.tube · 6 upvotes · 1 year ago

    Set up Cloudflare; I believe the free tier includes DDoS protection. Then set up your ingress to only allow Cloudflare IPs, either with iptables or, even better if your VPS supports it, with a network policy.
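    A host-level version of the “only allow Cloudflare IPs” ingress rule described above, added here as an example (not code from this thread): a POSIX shell script that turns a CIDR list into an nftables ruleset with a default-drop input policy. The CIDRs and the management address below are constructed placeholders; the real ranges are published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```shell
#!/bin/sh
# Constructed sample ranges (documentation prefixes), NOT Cloudflare's real list.
SAMPLE_V4="203.0.113.0/24
198.51.100.0/24"
SAMPLE_V6="2001:db8:1::/48"
# Placeholder: the address you administer the VPS from; SSH stays open only to it.
MGMT_CIDR="192.0.2.10/32"

# emit_set NAME TYPE CIDR_LIST: print one nft set; an empty list yields an empty set
# (nft rejects "elements = { }", so the elements clause is omitted in that case).
emit_set() {
  name="$1"; type="$2"; list="$3"; sep=""
  if [ -z "$list" ]; then
    printf '  set %s { type %s; flags interval; }\n' "$name" "$type"
    return
  fi
  printf '  set %s { type %s; flags interval; elements = { ' "$name" "$type"
  for cidr in $list; do            # default IFS splits on newlines
    printf '%s%s' "$sep" "$cidr"
    sep=", "
  done
  printf ' } }\n'
}

# gen_allowlist V4_LIST V6_LIST MGMT_CIDR: print a complete inet table in which
# 80/443 are reachable only from the CDN sets and everything else is dropped.
gen_allowlist() {
  v4="$1"; v6="$2"; mgmt="$3"
  printf 'table inet edge_allow {\n'
  emit_set cdn_v4 ipv4_addr "$v4"
  emit_set cdn_v6 ipv6_addr "$v6"
  printf '  chain input {\n'
  printf '    type filter hook input priority 0; policy drop;\n'
  printf '    iif lo accept\n'
  printf '    ct state established,related accept\n'
  printf '    ip protocol icmp accept\n'
  printf '    ip6 nexthdr icmpv6 accept\n'     # NDP must pass or IPv6 stops working
  printf '    ip saddr %s tcp dport 22 accept\n' "$mgmt"
  printf '    ip saddr @cdn_v4 tcp dport { 80, 443 } accept\n'
  printf '    ip6 saddr @cdn_v6 tcp dport { 80, 443 } accept\n'
  printf '  }\n}\n'
}

# Write the ruleset to stdout; check it with `nft -c -f FILE` before loading it.
gen_allowlist "$SAMPLE_V4" "$SAMPLE_V6" "$MGMT_CIDR"
```

    Note that this only keeps non-CDN packets away from the application; the bytes still arrive on the VPS uplink, so it does not change what the provider’s volume-based blackhole detector sees.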

    • brownmustardminion@lemmy.ml (OP) · 3 upvotes · 1 year ago

      I appreciate the tip, but as a privacy-minded self-hoster I try to avoid companies like Cloudflare. Surely there has to be a way to DIY DDoS protection?

      • deadbeef@lemmy.nz · 2 upvotes · 1 year ago

        A 2 gigabit event isn’t big enough to be considered a real attack; a service like Cloudflare can sink a 2 terabit attack every day of the week.

        Building a DDoS protection service (that isn’t just black-holing traffic) starts with having enough bandwidth to throw away the attack volume, plus keep your desired traffic working, and have a bit of overhead to work your mitigation strategies.

        What this means is that to DIY a useful service you start by buying a couple of terabits of bandwidth in ‘small’ chunks of a hundred gigabits or so in most peering locations around the globe, and then you build a proxy layer like Cloudflare on top of it with a team of smart dudes to automate outsmarting the bad guys.

        I don’t like Cloudflare either, but the barriers to entry in this industry are epic.

      • fraichu@lemmy.ml · 1 upvote · 1 year ago

        Can you go IPv6 only with dynamic DNS + recycling the IP every day? My Raspberry Pi doesn’t get bot traffic. I have 22, 80, 443 and a few other ports open on a public IPv6 address.

        • brownmustardminion@lemmy.ml (OP) · 1 upvote · 1 year ago

          I imagine that’s essentially what I’ve accomplished with Traefik already. The question I have is whether geoblocking does much to mitigate a DDoS. I know for sure it’s at least useful to block third-world scammers and bots from running hacking scripts against my server.

          • Gecko@fosstodon.org · 2 upvotes · 1 year ago

            @brownmustardminion DDoS usually involves attacks from multiple geographical locations simultaneously. You will eliminate a large threat surface by restricting which countries are allowed for incoming traffic. Of course this won’t prevent targeted attacks from hackers who know you, want revenge, and can set up bots in a single location, but these are rare. Most attempts are by script kiddies.

  • MangoPenguin@lemmy.blahaj.zone · 5 upvotes · 1 year ago

    Blocking doesn’t really help with DDoS, since the traffic is still hitting the server, and from the standpoint of the VPS provider it doesn’t look much different.

    Some VPS providers offer DDoS protection as an add-on, but just moving to a different provider might solve it. If you’re just hosting stuff for friends/family it doesn’t seem like there would be much reason to DDoS your IP, unless the IP was recycled from something before that people are still attacking.

    • brownmustardminion@lemmy.ml (OP) · 1 upvote · 1 year ago

      I’ve had the IP for a couple of years, so I can rule that out. The only thing different from usual is that I recently added a backup server to the VPS network. I’ve been doing a remote backup from one server through the VPS to the backup server over the past week. It’s a 4TB backup averaging 4 MBps.

      My guess is that the VPS provider’s algorithm is bungling the bandwidth calculations, possibly refreshing the bandwidth amount incorrectly, which to the black hole detector appears as a sudden spike in bandwidth rather than a steady flow.

      I’m going to keep running the backup and compare how long after the backup starts that I get a black hole trigger. If it’s relatively consistent then that might be the problem.

  • ollie@lemmy.world · 4 upvotes · 1 year ago

    I’d say switch VPS providers, to one with proper DDoS protection.

    Blocking regions can help, but once the pipe is full there’s not much you can do from your side.