Please do not reply with "this is not possible", as it's a waste of time. I am developing a cloud appliance and I have a valid reason to protect this layer against DDoS, and there are a few companies doing the same, so please don't tell me that I don't have a point, as many companies are looking to buy this solution and I don't see the problem with implementing it using stock Linux.
My Linux kernel is crashing with an oops at 10,000 connections due to lack of resources like CPU and RAM. I was wondering how to limit it safely so that it doesn't create TCP/IP connections in the netfilter connection tracking table or elsewhere when somebody is trying to open 100,000 connections from various hosts?
The network card is 1 Gbps and with maxed-out buffers it can take lots of connections; however, I would like to limit it to only 5,000 at the same time and have the rest dropped, except when there are free connection slots. At the kernel level, so it doesn't pollute netfilter or anything, and it's dropped as soon as possible. There are these factors:
- Number of HAProxy connections is limited to only 5,000
- Linux is crashing with 10,000 open connections
- I want to withstand 100,000 open connections every minute, so maybe netfilter can handle it, but not HAProxy.
- The existing connections continue to operate
This is to make the machine withstand a DDoS attack without an oops, and as soon as the attack stops, the service recovers automatically so that it continues to serve as normal at a low rate.
This is about the physical layer of the server instance, not the switch. Assuming that the switch is passing me this much traffic, I can handle it; the upstream provider does not always have the possibility to adjust or to protect from this at all.
I don't agree that there isn't anything you can do. There are lots of things you can do, and depending on the size of the attack and the size of the hardware you've got, you stand a pretty good chance of defending yourself.
For SYN floods, google a bit. You probably want a spanking new Linux kernel, as there have been quite a few improvements lately. Go for 3.6 and enable SYN cookies. There are a couple of other tunables you can tweak. Make sure to read up on it first, as randomly tuning stuff is never a good idea and will cause problems.
If it is an HTTP flood, which is common these days, you might want to consider Varnish. You might be able to identify the attacking requests by some pattern and kill them off in vcl_recv. You can deploy the shield module in order to kill off these connections, as serving up an error page is a wasted effort. Be warned: this is not a quick fix and will require substantial effort on your end.
Good luck.
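As an added example of the SYN-cookie and connection-cap approach (this is not code from any answer in the thread), the following script generates the sysctl tunables and a netfilter connlimit rule that refuses new connections to the HAProxy port once the asker's 5,000 cap is reached while leaving established ones alone. Port 80 and the sizing multipliers for the SYN backlog and conntrack table are assumptions.

```shell
#!/bin/sh
# Added example: bound concurrent TCP connections to the HAProxy port in
# netfilter and enable SYN cookies. MAXCONN (5000) is the HAProxy limit
# from the question; PORT 80 is an assumed listener.
MAXCONN=5000
PORT=80

# Kernel tunables. SYN cookies let the kernel answer SYN floods without
# holding state; the conntrack limits keep the tracking table bounded so it
# cannot exhaust RAM. The multipliers are assumptions giving headroom.
sysctl_settings() {
    max=$1
    cat <<EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = $((max * 2))
net.ipv4.tcp_synack_retries = 2
net.netfilter.nf_conntrack_max = $((max * 4))
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 15
EOF
}

# iptables rule: drop SYNs to the port once the global count exceeds the
# limit (--connlimit-mask 0 counts all source addresses as one group).
# Existing connections keep working and new ones are admitted again as
# slots free up, which matches the recovery behaviour the question wants.
connlimit_rule() {
    port=$1; max=$2
    printf 'iptables -I INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask 0 -j DROP\n' "$port" "$max"
}

# Apply only when run as root with "apply"; otherwise print the plan.
if [ "${1:-}" = apply ] && [ "$(id -u)" -eq 0 ]; then
    sysctl_settings "$MAXCONN" | sed 's/ //g' | while IFS= read -r kv; do
        sysctl -w "$kv"
    done
    eval "$(connlimit_rule "$PORT" "$MAXCONN")"
else
    sysctl_settings "$MAXCONN"
    connlimit_rule "$PORT" "$MAXCONN"
fi
```

Run it without arguments to review the settings, then as root with `apply` to install them; persist the sysctl lines in /etc/sysctl.d/ and the rule in your firewall script so they survive a reboot.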
There is no real way you can mitigate a DDoS from the host that is getting attacked.
By the time the traffic has reached your host it has already passed through your local network stack and consumed local resources. No amount of hackery or gyrations can change this.
You need to work with your upstream provider to prevent the traffic from reaching your machine in the first place. If they don't provide that service you can likely purchase it from them or you can find a provider that does.
What kind of DDoS attack are you suffering from? If it's a SYN flood, you could enable SYN cookies.
I'll second the requirement for management of DDoS upstream, but as an intermediate measure you might want to employ some kind of policing or shaping of connections at your own router or switch a hop or so before the servers in question. The best way to bounce back from the crash is not to crash in the first place. The router/firewall/switch isn't actually terminating the packets and is (hopefully) designed to run at a much higher rate.