How to Prevent DDoS Attacks on a Cloud Server Using Open Source Software
Typically, it involves using multiple external systems to flood the target system with requests with the intention of overwhelming the system with network traffic. These attacks work because an unprotected system may find it difficult to differentiate between genuine traffic and DDoS traffic.
If you are using a Virtual Private Server (VPS) or Cloud Server, then this article will help you understand which open source software you can use to prevent DDoS attacks.
DDos Deflate is a lightweight open source shell script that you can easily implement on your server and configure to mitigate most DDoS attacks.
Here are some of the features of DDoS Deflate:
It can automatically detect rules within iptables or an Advanced Policy Firewall (APF).
Ability to block IP addresses temporarily (the default setting is 30 mins).
Whitelist and blacklist features for blocking or allowing connections to the server.
Management features to notify administrator of actions taken.
Fail2ban works in a similar way to DDoS Deflate, as it also bans traffic based on malicious IP address profiling.
It’s a good performer and some of the main features are as follows:
Easy to configure with some automation features included.
Compatible with existing firewalls, e.g. iptables.
Customizable blacklisting and whitelisting features.
Ability to block automated brute force attacks.
Time-based IP blocking.
Fail2Ban is good option for any web server that has SSH and few other services.
Apache mod_evasive module
The mod_evasive module is suited to protecting Apache web servers against DDoS attacks. It also includes notification features via email and SYSLOG.
This module is a strong performer, which has the added benefit of adapting to real time situations by creating rules on the fly based on the following patterns being detected:
Requesting access to the same page too many times per second.
Making 50 concurrent connections to the same child process per second.
Making other requests from blacklisted IP addresses.
Some of the features which are available to prevent DDoS attacks are as follows:
The server administrator can limit access to certain pages based on the number of requests one particular IP can make (DOSPageCount option).
Access to an entire website can be limited based on how many connections one particular IP makes using the DOSSiteCount option.
The DOSHashTable feature can monitor who is accessing what in the web server based on their previous visits and can make a decision whether to allow or block the connection.
The administrator can be notified via email of what action Apache mod_evasive is taking.
Mod_evasive is relatively easy to use and because the open source modules are built into Apache, it’s free to use.
FastNetMon is another high performance DDoS mitigation tool which was based on a packet analyzer engine (PF_RING, sFLOW, Netflow, PCAP).
Below are some of the main features of FastNetMon:
Handles both incoming and outgoing traffic.
Support of trigger block script if IP load network threshold of packets per second or bytes per second exceeded.
It can untag VLANs so it can separate different networks.
Capable of deciphering networks used in high performance telecommunication.
It can decrypt encrypted protocols to investigate malicious packets.
It can reroute DDoS traffic to ‘black hole’.
Works well in mirrored networks.
Can work on server/soft (virtual) router.
High performance - can detect DoS/DDoS in 1-2 seconds.
High compatibility - works with Ubuntu, Free BSD, Mac OS and has been Tested up to 10GE with 5-6 Mpps on Intel i7 2600 with Intel Nic 82599.
HaProxy is an excellent open source load balancing tool that is also effective against DDoS attacks against a cloud server.
It has the following features:
It can block traffic based on the bandwidth.
Contains blacklist and whitelist tables of IPs which it builds into its configuration based on the rule set.
Ability to block IPs which might be performing DDoS attacks.
HaProxy can identify bots, which is why it’s effective against DDoS attacks.
Can prevent Syn Flood type attacks as well as capabilities like connection limitations etc.
Another low level DDoS monitoring and mitigation tool is DDOSMON. It can monitor traffic with possible attacks and it reacts by alerting and triggering user defined actions based on the type of attack.
It is capable of detecting the following attacks successfully:
It detects the attack, sends an email notification to the administrator and takes corrective actions.
As well as being a popular load balancing tool which sits on top of Apache, NGINX also has powerful built in DDoS attack mitigation capabilities.
Some of the DDoS features of NGINX are:
Rate limits, identification of concurrent IPs to limit access based on the client IP addresses.
Ability to block clients based on their geo-location using the ngx_http_geo_module. Using this feature, whole countries can be blocked if required.
Can be combined with HaProxy for additional protection against DDoS.