Building a server and trying to mitigate DDOS

I’m trying to build a server I’ll self host at home and I have some idea of what I’m looking for, and that’s an HP Proliant DL360 Gen9 with 2x E5-2623v3, replacing the CPUs with E5-2699v3 because cpu-upgrade.com told me that’s what I should be able to get away with. That can be had for kind of under $300. Not bad, but I kind of wanted at least 24 cores per socket and the E5-2699v3 is only 18, which is spicy, but I just want more. I’m sure everyone knows how it goes. How far can you stretch the dollar? I’d like to push it because I’m starting a non profit and I’d like to spend once and not spend twice to correct a rushed decision.

I’d also like to somehow mitigate DDOS attacks and I don’t want to use Cloudflare. I’ve had Tailscale suggested first and HAProxy second. The thing about Tailscale is that everyone needs a client, I guess, and some older person isn’t going to figure that out and they’ll just never get to the website. HAProxy I don’t know much about.

Proxmox was also suggested to me. I have very noobish skills. I set up Jellyfin and Kavita on a base Ubuntu Server setup with a Cloudflare tunnel and it kind of worked. I figured it out, but Cloudflare kept updating the tunnel and it seems that the Ubuntu Server wasn’t updating that whatever from Cloudflare for the tunnel, and I had to do that manually. I have no idea. It’s all wizardry.

If anyone has any ideas how to extend the build out a little bit like a different processor then that would be very cool. I also have no idea about the DDOS prevention thing. Any suggestions are welcome.

I would consider going cloud hosted instead. It takes some of the responsibility/liability off you when you’re hosting it elsewhere. At home, you’d have to have a DMZ for your web server, keep it patched, make sure it is configured right, and have a reverse proxy with load balancers (if you’re worried about ddos). A lot of web hosts do that for you. Maybe give the $100 free Linode credit a spin before committing to home hardware.

Depending on where you are, figure in electricity costs on top of that. If your internet goes out, you wouldn’t have a failover like a cloud provider would either.

Now if you’re wanting to tinker with some homebrew stuff, I would build a NAS and run off that. Or do Synology and just install the apps from their store. I love Synologies and wish I had one.

I get you wanting to run stuff off a home server, as I have one that I tinker with. I use it for labs. Outside of that, I don’t have a use for it. I spin it up when I need it. I do have Umbrel on an Ubuntu instance on proxmox but I don’t really have anything running on it other than a Bitcoin full node and mempool. That VM just randomly died though.


Do you actually need to? I bet you don’t


I also suggest the cloud. It’s exceptionally easy to DOS a service on a residential connection. You’ll have better security, uptime, and flexibility in the cloud than you ever will at home.

Tailscale is a great tool. I’m a huge advocate for it but your use-case is NOT what it is good for. Tailscale is a convenient way to create a management-plane over TCP/443. Tailscale is not designed to provide public access to the web. You are 100% correct that nobody (especially old folks) would ever find your site. You would need to “share” that access.

Cloudflare free-tier Tunnels at home are cool for us home-labbers, but in production that is probably not a valid solution for you. There are a bunch of limitations to the free-tier Tunnels application, such as session bandwidth limitations.

Proxmox is essentially Debian with a web-gui and preinstalled/configured packages for running VMs. I strongly recommend learning to leverage Proxmox.

HAProxy is just one way to perform load-balancing. Tons of solutions out there; especially if you host up in the cloud.


Actually, I’ve found it to put more responsibility on you. I have run quite a few VPSs, and their IP blocks get WAY, way, WAYYYYY more hits than your home IP. Attackers know they can hit something real on a VPS, but the odds are a random home connection is useless to them, so they don’t spend time and money attacking.

Both need to be equally secure, and you pay for both and are liable for both.


It may just be him wanting to host a static html page on a shared host. May not need to have logins/database/etc. If it’s non-profit, just set it up with some nice design, pretty pics, email, phone number. If anything else is needed, go from there.

I’m not saying you’re wrong, but what I want to do would cost like $300 a month and I don’t have that to spend each month. Hosting it at home and dealing with what comes that route, and then going to colocation, is what I’m aiming for. A web host would boot us off anyway because of being DDOSed.

I plan on having a lot and Rolex is a nonprofit. A nonprofit can still make money. It’s just for x cause and now it’s nonprofit. I plan to run

Proxmox
HAProxy / Scaletail / Nebula
WordPress with Woocommerce
Flarum or Discourse
Isso
Kavita

There will be an educational part later or I’ll have to consider that but I’m not and never will use Moodle. I’m autistic and Moodle is too far.

If you knew then yeah I would. It would be hosted at my home. Where I live. A DDOS attack is not great. Not all websites are about rabbits and cat pictures. What I want to do is incredibly legal in the US. I just want to provide people with actual free speech and I can name 50 instances of people who were canceled or whatever you want to call it because they spoke their mind. As in whenever I have to ask for help on the internet like this I have to censor myself and I don’t find that right at all.

We all know that the majority of people on earth right now aren’t for free speech and even providing facts is considered oh I guess we can’t host you. Bummer find another registrar. It’s happened many times and I shouldn’t even have to explain it. We live in very clown world times and I’m not a fan of it.

The cloud is very limited and isn’t ok with free speech and those that want to do what they want to do within the law. I had to search for a payment processor because I’m very sure Stripe and PayPal will take the money and not issue it for 3 months out, or not at all. I’m not hosting on the cloud and I’d only host with colocation as long as the company maintains that they won’t stop me from doing what I’m doing, and I don’t see that happening except for a couple circumstances. Cloud hosting with any generic cloud host will get an email and be like, well, and he’s done.

That’s it. People complain and then you can’t have stuff. If the answer is cloud host I’m not going to host with some generic host that will tell me to f off which is why I stated in the OP that I’d self host at home. Without Cloudflare. I need something to stop clowns DDOSing me. At home.

I’m not hosting with some host and paying them to cancel me and take my money when I can just buy a way better server and do it at home.

I don’t want the McDonald’s hosting solution and I get that it’s more difficult now and I don’t care. This is how it needs to be.

A home server if you know what you’re doing is not necessarily a bad thing.
But let’s face it, if you’re here asking questions, there’s probably a lack of experience somewhere. The eggshell has a crack, and in life, that’s enough.

Is ddos your biggest concern? I’d say secondary… Are you able to keep your machine and the applications running on it safe? A well-secured server is a constant chase after a bunny. And auto-penetrations will haunt you every now and then.

What is your home internet connection? I assume you have a public/static IP, a large upload and no data transfer limit.

You won’t do anything with ddos at home, your ISP won’t help you much in such a situation, even if they start doing something, it won’t be a quick reaction because you are a marginal customer.

No miracle solution here will help you; you need to filter out hostile traffic in front of the server. So network traffic has to go through something in between. You say you don’t want Cloudflare and other anti-ddos solutions? You will have a problem yourself if the scale is large.
You still have to pay for another machine/service to pass this traffic through before it reaches your home server.
There is no magic here; dealing with ddos means having a lot of network resources, computing power and good software… it costs money!
The PoP that does your traffic filtering must be more capable than the scale of the attack, otherwise it will be killed itself.
In other words, something must be able to handle hostile network traffic as well as your own ok traffic.

Your ability to receive traffic is determined by your Internet connection bandwidth, type of software, and server hardware. How many packets this configuration will be able to handle before problems start, you have to calculate yourself. However, the filtering point must be more capable than this.
What solution you use between your server and the filtering point is less important… vpn, revproxy, etc.

If you immediately focus on ddos, there is probably a reason for it… and the reason may be provocative hosted content that will attract the attention and dissatisfaction (ddos) of someone.

imho

:slight_smile:

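The "calculate it yourself" step in the post above, as an added worked example that is not part of the thread. It models the three resources the post names (inbound link, outbound link, and the server's packet rate) and reports which one fills first. Every figure is an assumption: a 1 Gbps down / 40 Mbps up residential line, a server that handles roughly 200k packets/s, and two attack shapes sized from the "20-50k requests per second" figure quoted later in the thread.

```python
"""Which resource gives out first on a home connection under a flood?

Added example, not from the thread. All link, server and attack figures
are assumptions chosen to illustrate the bottleneck argument.
"""
from dataclasses import dataclass

WIRE_OVERHEAD = 20  # preamble + SFD + inter-frame gap per Ethernet frame, bytes


def max_pps(link_bps: int, frame_bytes: int) -> int:
    """Frames per second a link can carry at one frame size (64 B -> ~1.49 Mpps on 1 GbE)."""
    return link_bps // ((frame_bytes + WIRE_OVERHEAD) * 8)


@dataclass(frozen=True)
class Link:
    down_bps: int
    up_bps: int


@dataclass(frozen=True)
class Flood:
    name: str
    rps: int             # inbound packets or requests per second
    request_bytes: int   # size of each inbound frame
    response_bytes: int  # bytes the server sends back per request


def assess(link: Link, flood: Flood, server_pps: int) -> dict:
    """Utilisation of each resource (1.0 = saturated) and the one that fails first."""
    inbound = flood.rps * (flood.request_bytes + WIRE_OVERHEAD) * 8 / link.down_bps
    # Responses usually span several frames; framing overhead is ignored for them.
    outbound = flood.rps * flood.response_bytes * 8 / link.up_bps
    cpu = flood.rps / server_pps
    util = {"downlink": inbound, "uplink": outbound, "server_pps": cpu}
    return {"utilisation": util, "bottleneck": max(util, key=util.get)}


HOME = Link(down_bps=1_000_000_000, up_bps=40_000_000)  # assumed residential line
SERVER_PPS = 200_000                                      # assumed untuned Linux box

# Assumed attack shapes: a packet-rate flood and a request flood the server answers in full.
SYN_FLOOD = Flood("SYN flood", rps=1_000_000, request_bytes=64, response_bytes=64)
GET_FLOOD = Flood("HTTP GET flood", rps=50_000, request_bytes=500, response_bytes=50_000)

if __name__ == "__main__":
    print(f"1 GbE at 64-byte frames: {max_pps(1_000_000_000, 64):,} pps")
    for flood in (SYN_FLOOD, GET_FLOOD):
        r = assess(HOME, flood, SERVER_PPS)
        u = ", ".join(f"{k}={v:.2f}x" for k, v in r["utilisation"].items())
        print(f"{flood.name}: {u}; first to fail: {r['bottleneck']}")
```

Under these assumptions the SYN flood only fills about two thirds of the downlink, but the SYN-ACKs the server sends back need more than twelve times the uplink, and the GET flood's responses need hundreds of times the uplink. The server's own replies, not the attacker's packets, are what saturate an asymmetric home line, which is why dropping hostile traffic has to happen somewhere with far more bandwidth than the home connection.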

What I don’t know people in my community can fill in those spots.

If you have a DDOS company that isn’t woke then let me know because it all seems to be a bunch of companies willing to drop you as fast as anyone can get 10k people to email them that you’re breaking no law. Could you rent a lot of 5$ cloud hosted servers from random cloud hosting companies and just route it through that? Or do you really need a large woke company to protect you because from what I understand they won’t protect you if you don’t follow their agenda.

Couldn’t I just set up a box with pfSense, since it seems to work for DDOS? I could have boxes before the main server and they’ll have to get through all those. Other than that I have no idea, and other people in the community would know more. That’s the thing that I’m like, hmm. You state that I’d have to spend a lot of money, but it doesn’t seem like that. If, say, 3 computers in front of the main server would act as preventing DDOS attacks, especially if I had multiple lines coming in for 1 gbps, then I don’t see the issue. I think this can be figured out for a lot less than you think.

I don’t see any reason to pay for cloud hosting other than little $5 ones to bounce around and come back.

Here’s my analogy. I think it works but it might not. You seem to be under the impression that you have to do it this way or it won’t work. You could think outside the box and come up with a solution, because I don’t have thousands of dollars to blow on stuff I won’t own. You don’t own things you rent, and to you that seems like a decent, well thought out idea. To me that’s similar to telling someone they need a $5k computer to play PUBG when a $200 used phone from Craigslist will do just enough. I’m not collecting every smart enough person to fire off DDOS in the first year. Maybe some people, but nowhere near what you think. Who knows, but I don’t think I’d need to spend $1k on 3 servers just to protect 1. If anything maybe 1, and that’s a big if, and probably some server in the ether that is tunneling in to my home set up. Other than that I don’t know, but I don’t expect that to cost a lot of money. $300 for another server and however much for some cloud hosting thing. All of which I could raise by having the site exist, so it’s not a large deal. I can reimburse myself for the money I spent.

Also it’s only provocative hosted content if you think it is. I already stated that it’s not anything illegal in the US, so that should narrow it down, shouldn’t it? If I hosted a website about mmmmmm meat is so good then I might get DDOSed by vegetarians and vegans, but that’s not what I’m hosting. Doesn’t really matter what it is. The only thing that like does matter is a lot of people and tech companies are incredibly woke, and if they’re incredibly woke then that would mean I’m the opposite, which is not woke at all. Think about that. I’m not woke. What would I want to do that might get people all dumb enough to spend time to do whatever necessary to DDOS someone?

I try not to get involved in this type of thing and stay away from it.

Any private business can do what it sees fit. If they don’t want to have you as a client because “something” that’s their right too.
If you have already experienced ddos or you are sure that it will happen, it is even more pointless for a home host.
I understand your thought process with your own equipment and in a private home but you are forgetting one thing about the ISP.

A regular customer who pays them $100 for internet can be kicked out just as quickly as other companies will and probably the ISP will find a legitimate reason to justify it.

Since you are so persecuted in the US/West, go in the opposite direction.

If you don’t want cloud hosting then rent a bare metal server somewhere. You mention colocation… I doubt you can afford it.

From a purely technical point of view, you won’t increase your anti-ddos performance in a home environment without filtering your traffic through an external point. And the companies that will provide the services you use can also kick you out.

It’s not about how many machines you set up and what software you use.

It’s about the bottleneck and the ability to distinguish the network traffic that is ddos from traffic that is not, which is not always so easy.

There’s always a limit somewhere. How much water can you swallow at once? And what happens when you reach the maximum capacity of your throat?
Someone pours a certain amount of water down your throat, but that amount is much more than your throat can handle. A large amount of water does not reach its destination through your throat. Of the amount of water that still fits in your throat, 10% is pure water and 90% is sewage. What spills out is 50/50.
Just because you put three identical throats in front of your throat will not increase your ability to resist water spillage.

It is also impossible to do it sensibly on the basis of 50 cheap hosts, because it creates the need for load balancing on the front. That can theoretically be achieved by balancing at the DNS level, but it’s still $ and an increasingly complex architecture.

Nobody is saying you have to buy three servers, it’s more your narrative.
Do you want to host at home… buy yourself a server/pc and pass network traffic to it through an external host that will do your filtering.
It won’t cost 5K.

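The "distinguish ddos traffic from traffic that is not" point above, as an added example that is not part of the thread. It runs the kind of per-source rate check a reverse proxy or firewall in front of the server would apply over constructed access-log lines, and contrasts it with an aggregate check: one loud source trips the per-IP threshold, while a distributed flood where every source stays under the per-IP limit only shows up in the total. The log format, thresholds, window size and addresses are all assumptions.

```python
"""Sliding-window request-rate check over constructed access-log lines.

Added example, not from the thread. Log format, thresholds and addresses
are assumptions; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24
are used for sample clients.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed combined-log style line: client ip, [timestamp], "request", status, bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
START = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_line(line: str):
    """Return (ip, epoch_seconds, request) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).timestamp()
    return m["ip"], ts, m["req"]


def find_offenders(lines, window_s=10, per_ip_limit=50, total_limit=500) -> dict:
    """Flag sources exceeding per_ip_limit requests in any window_s seconds,
    and separately flag when the aggregate rate exceeds total_limit."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    per_ip = defaultdict(deque)
    total = deque()
    flagged, aggregate, peak_total = set(), False, 0
    for ip, ts, _req in events:
        cutoff = ts - window_s
        q = per_ip[ip]
        q.append(ts)
        while q[0] <= cutoff:       # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > per_ip_limit:
            flagged.add(ip)
        total.append(ts)
        while total[0] <= cutoff:
            total.popleft()
        peak_total = max(peak_total, len(total))
        if len(total) > total_limit:
            aggregate = True
    return {"per_ip": flagged, "aggregate": aggregate, "peak_total": peak_total}


def make_lines(ip: str, n: int, start: datetime, spread_s: int):
    """Constructed sample: n GET requests from ip spread evenly over spread_s seconds."""
    out = []
    for i in range(n):
        t = start + timedelta(seconds=(i * spread_s) // max(n, 1))
        out.append(f'{ip} - - [{t.strftime(TS_FMT)}] "GET /index.php HTTP/1.1" 200 512')
    return out


def scenario_single_source():
    """One quiet client plus one client hammering 200 requests in 10 seconds."""
    return make_lines("203.0.113.10", 5, START, 10) + make_lines("198.51.100.7", 200, START, 10)


def scenario_distributed():
    """One quiet client plus 100 sources at 10 requests each, all within 10 seconds."""
    lines = make_lines("203.0.113.10", 5, START, 10)
    for i in range(1, 101):
        lines += make_lines(f"198.51.100.{i}", 10, START, 10)
    return lines


if __name__ == "__main__":
    for name, lines in (("single source", scenario_single_source()),
                        ("distributed", scenario_distributed())):
        r = find_offenders(lines)
        print(f"{name}: per-ip offenders={sorted(r['per_ip'])}, "
              f"aggregate flagged={r['aggregate']}, peak requests/window={r['peak_total']}")
```

The single-source run flags 198.51.100.7 and nothing else; the distributed run flags no individual address at all, yet the aggregate check fires because the total rate is five times higher. A per-source threshold is only useful against unsophisticated floods, and an aggregate check tells you an attack is on but not which requests to drop, which is the part that is "not always so easy". Neither helps once the link itself is full, since the check only sees packets that already made it through.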

Oh, you were blacklisted by hosters? What the hell are you hosting, a Stormfront clone?

If you are subjected to DDOS, hosting that kind of service on a home line is not a good idea. It might also lead to awkward questions from your service provider and termination of service. Using a consumer connection for that kind of purpose is usually verboten, and ddos will make it plain for them to see.

Cloud is the answer here, but reading between the lines, you’re trying to host some kind of highly political or divisive content.

Just find hosting that is willing to put up with it, it will cost you though.


Exactly… :wink:

Let the OP buy a VPS in Russia and pay crypto, since in the USA it is such a problem what he hosts.


I just checked with colocation in Nashville. 1U and 1gbps is $100-200 per month for the space and $500-1k for 1gbps, and obviously speed goes down, so yeah it’s totally doable should I be making something per month selling subscriptions or clothes or magazines or whatever, but that’s still not bad for bring your own server.

Russia has the same issues.

An awkward question is the least of my concern and so is canceling my service. I can buy a server for $150 and upgrade the processors for like $70 each. For a dual socket server with 18 or 22 core Xeons, how much would that cost per month? That’s 18-22 cores per socket. I don’t think that will be cheap, because it won’t. That’s 36-44 cores. Let me know if you find it for $50 a month; I might go for that. What you are getting at would cost a lot. Sure there are services that have ARM or something, but still, I have no server and I have nothing on it. I’m not even in the US yet. I’m going to host it at home though. I really don’t care and I don’t see a problem with Dailystormer. I don’t. If you have an issue then you have something against free speech and that’s a personal problem.

What I’m trying to get at is how can I mitigate this because I’m trying to understand what I can do while doing what I want.

This is from a quick Google search.

Launching a DDoS attack can be relatively inexpensive for the attacker. As per the Dark Web Price Index 2022, a 24-hour DDoS attack with 20-50k requests per second can cost the attacker as little as $200 USD.

I guess it costs them money or they do it themselves. I have no idea how difficult it is to fire a laser, but I would think it’s a Google away.

I think self hosting will be fine. I’d put a pfSense in front of the server just in case and then build it up from there. After a month of being available I should have people who understand this better than me, and we can sit down and figure out how to do this in a way that will cost the least and do the most. I’d like stuff to be safe, but right now I don’t care. I could literally host with Epik and I’d be fine and they wouldn’t cancel me, because they’re at least better than most, but it’s all about we’ll see. I’m not there yet. I don’t have the money to go all out, which is why I chose a very cheap option, and who knows, it might be an invite only thing. Once it gets going then I’ll know more, because no one gives a crap yet. I can’t do much with “oh you need to do the thing with the DNS and go over there and flip switches and buttons.” I can install Proxmox and probably set stuff up, and even then I’ll need to hit someone up from the community to assist, because I’d be all skilled out at that point.

super sus