Security measures for a server against DDoS attacks
I understand what a firewall does, but I haven’t set one up before, so I’m interested in figuring out how to connect the cables.
A firewall or anything else isn't going to do anything here if they have a single connection though. If that's saturated with traffic there is going to be nothing they can do, and a firewall is just going to drop the traffic, but it won't stop it from coming to the outside interface unless the ISP steps in and does something. Edit: To clarify, even if they have multiple connections from multiple ISPs, if they are 100% saturated with traffic then a firewall won't do anything because the traffic is still hitting the outside interface(s). Yes, a firewall is important, but if your link capacity is oversaturated with traffic the firewall is going to drop the attacks, but they still saturate the link(s), leaving you offline.
A firewall won't add extra capacity to your line so unless your ISP steps in and does something about it, which you should be asking them to do and I hope you already have, there isn't much you can do unfortunately. Edit: A firewall is important still though but if you're being overrun then it won't really help much right now.
Using some DDoS protection set up by the ISP (generally minimal impact) and likely passing through Cloudflare or another specialized provider. As your business expands, tools like BGP Flowspec, various peering deals, and advanced enterprise mitigation strategies can help counter these threats.
Lurick has the right point. If your line is full, the best way to keep serving is to have someone with a larger capacity. You can get Cloudflare DDoS protection without putting everything on their servers. The result would be all traffic first goes through them; if an attack occurs, Cloudflare absorbs the data and only forwards what you need. PS: Your photo in the edit is accurate.
If you're running a server for a small business, don't focus on ISP-level DDoS protection. Most attacks fall into two categories: Application and Flood. An application attack occurs when a malicious actor takes advantage of a flaw in an app or protocol to disrupt access to your service. For instance, exploiting a Skype vulnerability could slow the call system or redirect users to fake IPs. Flood attacks involve overwhelming your network with traffic, often using botnets like Mirai, which leveraged many IoT devices to saturate bandwidth and shut down services. These are common scenarios where ISP defenses kick in.
For your setup, consider adding an IPS (Intrusion Prevention System) to monitor and block suspicious traffic. It can also blacklist malicious addresses temporarily. If you have the capacity, a virtualized IPS on a VM is ideal—typically requiring around 4GiB RAM and 4 cores initially, increasing to 8GiB for larger needs. For firewall solutions on a VM, options include OPNsense, IPFire with Snort, or Untangle.
If resources are limited, you can opt for cloud hosting services such as Oracle Cloud, Google Cloud, or Azure, which offer DDoS protection through managed services. Use VPN/SSH tunnels and networking tools like HAProxy or NGINX to route traffic securely.
I would essentially be correct in your setup. You have two network ports—one directly from the modem to the server and another from the server to the switch. Installing software like OPNsense on the server should work fine. You’ll likely need a network interface card (NIC) for each port, especially if you want proper routing and performance. With a 20-core CPU, you have ample processing power for this configuration.
You can also purchase these systems in a dedicated hardware package, which would likely make setup easier. Based on your bandwidth needs, there are options like Untangle boxes, SonicWall systems, Fortinet, and similar products that offer these appliances. Would you like me to create a network diagram? Please share the subnets you have in mind. You should place public servers on a separate subnet from desktops and other devices, restricting only necessary traffic. I strongly recommend hiring someone experienced in network design and security—this situation might be beyond your current expertise. However, I suggest hosting it in the cloud using a service designed to mitigate DDoS attacks. This approach effectively eliminates DDoS risks, supports greater scalability, and increases bandwidth availability when required.
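The "temporarily blacklist malicious addresses" behaviour an IPS provides for flood traffic, shown as an added example that is not from anyone in this thread: a sliding-window counter per source over constructed connection-log lines, with block entries that expire on their own. The log format, thresholds and IP addresses are all assumptions made up for the demo; a real IPS (Snort, Suricata, the Untangle/OPNsense engines mentioned above) applies the same idea at much higher rates and with far richer rules.

```python
"""Toy flood detector: per-source sliding-window rate limit with temporary blocks."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one new connection per line (timestamp, source, dest port).
# 203.0.113.7 opens 8 connections in 4 seconds; 198.51.100.20 behaves normally.
SAMPLE_LOG = """\
2024-05-01T12:00:00 src=198.51.100.20 dport=443
2024-05-01T12:00:01 src=203.0.113.7 dport=443
2024-05-01T12:00:01 src=203.0.113.7 dport=443
2024-05-01T12:00:02 src=203.0.113.7 dport=443
2024-05-01T12:00:02 src=203.0.113.7 dport=443
2024-05-01T12:00:03 src=203.0.113.7 dport=443
2024-05-01T12:00:03 src=203.0.113.7 dport=443
2024-05-01T12:00:04 src=203.0.113.7 dport=443
2024-05-01T12:00:30 src=198.51.100.20 dport=443
2024-05-01T12:01:03 src=203.0.113.7 dport=443"""

THRESHOLD = 5                    # connections allowed per source inside WINDOW (assumed)
WINDOW = timedelta(seconds=10)   # sliding window length (assumed)
BLOCK_FOR = timedelta(seconds=60)  # how long a temporary block lasts (assumed)

def parse_line(line):
    """Return (timestamp, source_ip) from one constructed log line."""
    ts_str, src_field, _dport = line.split()
    return datetime.fromisoformat(ts_str), src_field.split("=", 1)[1]

def detect_floods(lines, threshold=THRESHOLD, window=WINDOW, block_for=BLOCK_FOR):
    """Replay log lines in order; return a list of (timestamp, src, action).

    action is one of "allow", "block" (source just crossed the threshold),
    "drop" (source is currently blocked) or "unblock" (block expired)."""
    recent = defaultdict(deque)  # src -> timestamps of connections inside the window
    blocked = {}                 # src -> time at which its temporary block expires
    decisions = []
    for line in lines:
        ts, src = parse_line(line)
        if src in blocked and blocked[src] <= ts:   # block has aged out
            del blocked[src]
            decisions.append((ts, src, "unblock"))
        if src in blocked:                           # still inside the block period
            decisions.append((ts, src, "drop"))
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:              # slide the window forward
            q.popleft()
        if len(q) > threshold:                       # too many connections: block temporarily
            blocked[src] = ts + block_for
            q.clear()
            decisions.append((ts, src, "block"))
        else:
            decisions.append((ts, src, "allow"))
    return decisions
```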