Building a server and trying to mitigate DDOS

You know what’s sus? Paying for something that’s never yours. Kind of like renting an apartment.

Then you have that which is owned by Epik.
https://terrahost.com/colocation. Very good prices. $70 per 1U. :thinking:. That’s way more than $400 cloud hosting for something similar.

Reduce your footprint. I did that by limiting the IP ranges that can access my services to the ones belonging to the ISPs I know I’ll be connecting from. It’s pretty easy to look up the IP ranges, drop every connection that comes in from any other IP, and you’re good to go. Or whitelist only US IPs. There’s also fail2ban, which you could use to mitigate DDoS attacks against you, but it’s cumbersome to set up because you need to correctly parse the logs for failed login attempts, or use any other log entry from your applications, to ban someone’s IP. Not to mention port knocking and SSH tunneling that could be used. Maybe even add a honeypot to weed out all the script kiddies and bots, and ban their whole IP range.

You can be safe on the internet. Expecting the worst is a good assumption to keep you on your toes, but it’s rarely the case that home machines that generate a low volume of traffic will ever be targeted. Especially if you’re not hosting a full website.

P.S. I just remembered that you can take your machine offline in case of a DDoS attack. I don’t know where I saw that or if I have any script around to do that, but it’s possible to just take down the interface the machine uses to get on the internet and be good. Or add a firewall rule that drops connections that just don’t complete the handshake.

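The allowlist-plus-drop-everything-else approach from the post above, as an added example that is not part of the original thread: the policy is rendered as an nftables ruleset and the same accept/drop decision is checked in Python. The two prefixes in `ALLOWED_RANGES` are constructed stand-ins from RFC 5737 documentation space, not real ISP allocations, and the SYN rate limit values are assumed defaults; replace both with your own.

```python
"""Source-range allowlisting rendered as an nftables ruleset, with the same
policy checked in Python.

Added example, not code from the thread. The two prefixes in ALLOWED_RANGES
are constructed stand-ins (RFC 5737 documentation space) for "the ISP ranges
I know I'll be connecting from"; replace them with the real allocations.
"""
import ipaddress

ALLOWED_RANGES = ["198.51.100.0/24", "203.0.113.0/24"]   # constructed placeholders
EXPOSED_TCP_PORTS = [22, 443]


def is_allowed(src_ip, dst_port, ranges=ALLOWED_RANGES, ports=EXPOSED_TCP_PORTS):
    """Decision the ruleset below makes for a NEW inbound TCP connection:
    accept only if the source lies in an allowlisted prefix and the port is exposed."""
    addr = ipaddress.ip_address(src_ip)
    nets = [ipaddress.ip_network(r, strict=True) for r in ranges]
    return dst_port in ports and any(addr in n for n in nets)


def build_nft_ruleset(ranges=ALLOWED_RANGES, ports=EXPOSED_TCP_PORTS,
                      syn_rate="50/second", syn_burst=100):
    """Render an 'inet filter' table that:
      * drops everything by default on the input hook,
      * accepts loopback and packets of established/related flows,
      * drops conntrack-invalid packets (stray ACK/RST floods, garbage that
        belongs to no handshake),
      * accepts NEW TCP connections to the exposed ports only from the
        allowlisted prefixes, rate-limited so a SYN flood spoofed from an
        allowlisted source cannot fill the listen backlog.
    Half-open connections never reach 'established', so nothing beyond the
    rate-limited SYN is ever accepted from them."""
    v4 = [r for r in ranges if ipaddress.ip_network(r).version == 4]
    v6 = [r for r in ranges if ipaddress.ip_network(r).version == 6]
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    rules = ["table inet filter {"]
    for name, addr_type, elems in (("allowed_v4", "ipv4_addr", v4),
                                   ("allowed_v6", "ipv6_addr", v6)):
        if elems:  # only emit a set when there is something to put in it
            rules += [f"    set {name} {{",
                      f"        type {addr_type}",
                      "        flags interval",
                      "        elements = { " + ", ".join(elems) + " }",
                      "    }"]
    rules += ["    chain input {",
              "        type filter hook input priority 0; policy drop;",
              '        iif "lo" accept',
              "        ct state invalid drop",
              "        ct state established,related accept"]
    limit = f"limit rate {syn_rate} burst {syn_burst} packets"
    if v4:
        rules.append(f"        ip saddr @allowed_v4 tcp dport {port_set} ct state new {limit} accept")
    if v6:
        rules.append(f"        ip6 saddr @allowed_v6 tcp dport {port_set} ct state new {limit} accept")
    rules += ["    }", "}"]
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    print(build_nft_ruleset())
    for ip, port in [("198.51.100.7", 443), ("192.0.2.1", 443), ("198.51.100.7", 80)]:
        print(ip, port, "accept" if is_allowed(ip, port) else "drop")
```

Write the rendered text to a file, check it with `nft -c -f ruleset.nft` before loading it with `nft -f ruleset.nft`, and pair it with `net.ipv4.tcp_syncookies=1` so half-open connections that never finish the handshake do not exhaust the backlog. The caveat the rest of the thread makes still applies: a drop rule saves the host CPU and the exposed services, not the uplink; once the link itself is saturated the packets are already on the wire before the firewall sees them.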

Do you though?
Your threat profile for a home server isn’t a state-actor using a zero-day, it is your server leaking personal files or becoming a spam host.

DMZ-wise: Most modern SOHO routers have options to turn ports into DMZ ports with configuration options on what ports to forward traffic to where. Alternatively, a pfSense/OPNsense setup.


Yeah, there is something not being said by OP here…

And we’re trying to help you by shedding light on the bigger picture…

Nobody here is against you and your project.
The problem is that you want to achieve something that has long been defined and cannot be bent.

What I am trying to tell you is that defending against ddos in home conditions is almost impossible if we do not use sensible architecture and solutions.

There is no free magic software that will suddenly solve a large ddos attack at home. These are clog attacks, designed to overload both the target server and its internet connection.
For this, there are commercial anti-ddos solutions that try to filter out hostile traffic and forward only normal traffic to the destination address, i.e. they scale down packets to a level where the destination host is still able to handle it.

Think of it as a club door with security in front of it. Protection prevents excessive packets from entering and filters out undesirable characters. As a result, there is an acceptable number of appropriate units inside the club.
Your home door to the club is unprotected, so the entrance gets blocked by a mass of undesirable packets; in effect the entry capacity is overloaded and even the legitimate ones are not able to get inside.

No matter how powerful a server (or servers) you have at home or what bandwidth you have to the Internet, someone can always generate DDoS on a scale that will overload your resources.
For this reason, commercial antiddos services are based on gigantic resources that are able to deal with a very large scale of ddos, both in terms of network bandwidth and computing power to analyze packets and separate them.

It won’t matter if your server is at home or colocated. It’s still the same technical situation.

There are providers of various vps/bare metal services on the market who offer additional ddos protection but it costs a little more.
Another thing is that hardly any company will be willing to take bullets in the chest for you. The moment you become a problem customer, they just kick you out.

Have you had ddos attacks before? Has any company refused to host you yet? If this is just your prediction, I recommend you to just start your business and only react in case of a problem.

There are companies that turn a blind eye to various things but they are not the cheapest and no one will give you a guarantee that you will not be kicked out.

I don’t know how extremely controversial/provocative the stuff you want to host is, but, among other things, Cloudflare’s filtering services are used by many torrent sites and no one refuses them service, and you don’t want Cloudflare.

If you want, I can suggest you a company registered in Hong Kong, behind which there are people from China/Russia and the servers are in Russia/USA/EU, among others, and payments are in crypto, but don’t expect them to take bullets in the chest for you.

So US bad, EU bad, Russia bad, China?
Something doesn’t add up here… This is starting to sound more like something illegal.

Then I don’t want anything to do with it!!!

So a pure theoretical expedition for an empty bottle of water.

Buy some cheap web hosting and start hosting your stuff and watch what happens. In my opinion, you start from the wrong side, buying a server, worrying about ddos and terminating contracts with the service provider … Start with the smallest and expand as needed.

Your style of speech and way of thinking reminds me of Aremis.


So the goal of the attack will be achieved… make the host offline. :slight_smile: Yes I know what you mean here. :slight_smile:

Another aspect of the problem, however, is a clogged connection. The fact that the server does not respond to packets or even is not physically connected does not change the fact that packets still come and go brrrrrrrrr.
The uplink will still be clogged and the ISP will see the attack. From the point of view of the attacker, the target is achieved. It doesn’t matter what exactly will make the host unavailable as long as you are offline.
The concept of defense is to survive as online, everything else should be treated as a successful ddos and kill of the target.

Therefore, blocking DDoS on the target machine with a firewall is an abstraction. It doesn’t matter that we drop this traffic; our connection will still be clogged even if the server itself survives the load. Even a plain drop generates a marginal load, and with a high-volume DDoS it starts to be noticeable.
The effect is the same: offline, or extremely high packet loss and a killer ping.

The only sensible solution to the problem is known: filter out as much hostile network traffic as possible elsewhere in the network. ISPs that have business customers can usually react quickly and block such traffic already on their edge routers, use techniques like BGP blackholing, ask for filters from their upstream, and sometimes they have their own solutions to filter traffic for customers so that the customer is not buried in an avalanche of packets.

DDoS isn’t just stupid packets sent blindly in a given direction. More sophisticated attacks try to pretend to be normal network traffic typical of the service we offer. The point is to be as indistinguishable as possible from normal network traffic.
We host a web server, the attack can be defined as normal HTTPS requests, and here comes the software that tries to analyze, according to different patterns, which packets are hostile and which are not, but this costs $.

DDoS is such a mythical enemy, but normal network traffic can play the role of a DDoS. We have a web server on very weak hardware that is able to handle up to 100 requests per second. Suddenly, someone popular posts a URL to our site on the web and our traffic reaches 900 requests per second, which causes our small server to get a DDoS that chokes it. Even though no one wanted to hurt us and the sudden increase in traffic had friendly intentions. :slight_smile:

The OP has to answer a lot of questions for himself because, in terms of DDoS, the topic is a little more fluid than it seems.

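The "friendly DDoS" case in the post above (100 requests per second of capacity, 900 arriving) and the earlier fail2ban suggestion are two sides of the same question: is the overload coming from a few hot sources you can ban, or from a crowd of normal clients? The following is an added example, not code from the thread, that answers it from a web access log. The log lines are constructed Nginx/Apache combined-format records using RFC 5737 addresses, `CAPACITY_RPS` is the thread's hypothetical 100 requests per second, and `PER_IP_RPS` is an assumed per-client threshold.

```python
"""Telling a flood apart from a crowd in a web access log.

Added example, not code from the thread. The log lines are constructed
Nginx/Apache 'combined'-style records, not real traffic; CAPACITY_RPS is
the thread's hypothetical server that copes with 100 requests per second,
and PER_IP_RPS is an assumed threshold above which a single source stops
looking like a human reader.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

CAPACITY_RPS = 100   # requests/second the small server can serve (thread's figure)
PER_IP_RPS = 20      # assumed: one client above this is a bot, not a reader

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line):
    """Return (client_ip, unix_second) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), int(ts.timestamp())


def analyze(lines, capacity_rps=CAPACITY_RPS, per_ip_rps=PER_IP_RPS):
    """Bucket requests per second, overall and per client, and decide whether
    per-IP banning (the fail2ban approach) would bring load back under capacity."""
    per_second = Counter()
    per_ip = defaultdict(Counter)          # ip -> Counter{second: requests}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                        # skip malformed lines rather than crash
        ip, sec = parsed
        per_second[sec] += 1
        per_ip[ip][sec] += 1

    peak_rps = max(per_second.values(), default=0)
    offenders = sorted(ip for ip, c in per_ip.items() if max(c.values()) > per_ip_rps)
    offender_set = set(offenders)

    # Load that would remain in each second after dropping every offender.
    residual = Counter()
    for ip, c in per_ip.items():
        if ip not in offender_set:
            residual.update(c)
    residual_peak = max(residual.values(), default=0)

    if peak_rps <= capacity_rps:
        verdict = "within capacity"
    elif residual_peak <= capacity_rps:
        verdict = "overload from a few sources; banning them brings load under capacity"
    elif offenders:
        verdict = "overload with hot sources, but banning them alone is not enough"
    else:
        verdict = "overload from many normal clients; per-IP banning will not help"
    return {"peak_rps": peak_rps, "offenders": offenders,
            "residual_peak_rps": residual_peak, "verdict": verdict}


def make_log(ip_counts, stamp="10/Oct/2023:13:55:36 +0000"):
    """Constructed log lines: {ip: n} requests, all in the same second."""
    return [f'{ip} - - [{stamp}] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"'
            for ip, n in ip_counts.items() for _ in range(n)]


# Constructed scenarios (RFC 5737 documentation addresses).
FLOOD = make_log({"203.0.113.5": 400, "203.0.113.6": 400, "203.0.113.7": 100,
                  **{f"198.51.100.{i}": 1 for i in range(1, 41)}})   # 940 rps, 3 hot sources
CROWD = make_log({f"198.51.100.{i}": 3 for i in range(1, 201)})       # 600 rps, nobody hot

if __name__ == "__main__":
    for name, log in (("flood", FLOOD), ("crowd", CROWD)):
        print(name, analyze(log))
```

The `offenders` list is exactly what a fail2ban filter would ban (its `findtime`/`maxretry` settings express the same per-source threshold), and the "flood" scenario shows the case where that is enough. The "crowd" scenario is the post's popular-link case: no single client is misbehaving, so banning achieves nothing and only more capacity, a cache, or filtering upstream helps. A botnet that spreads an application-layer flood over thousands of addresses looks like the crowd, which is the thread's point about why distinguishing hostile from normal traffic costs money.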

I know that, but usually DDoS attacks are not just aimed at taking down a host but also at covering potential ways attackers are trying to get into the system in question. So disconnecting the host makes sure you’re not giving them the chance they’re looking for and hopefully makes them think they accomplished their goal. It’s like docking the ship during a storm. It’s inconvenient, but sometimes it is needed.

I totally agree. The question had me firing in all directions at the problem, but my first response was to filter out the traffic in different ways and reduce the footprint online.

Yeah, I’ve seen examples of requests to web pages and web services that are sometimes exposed and used by DDoS attackers to cover up their attack. But as DDoS techniques have evolved, so have the ways to identify DDoS attacks and block them immediately.

It’s not like it’s never happened hahaha


:+1:

Ok, I can agree with this model of operation, although personally I would not use it, but in a certain threat model I see options for it.
I mainly focus on the model that OP presents here, i.e. a DDoS attack with the goal of making the host offline. I omit hacking in connection with DDoS in this model, although in the first post I wrote that a more significant threat than DDoS for OP is hacking and keeping the server safe. :slight_smile:


I wasn’t blocked or banned by any host. If you do a modicum of searching you can figure out that most hosts and registrars will just drop you because you’re going against the social grain. Even payment processing will just decline anything you do. You just get cancelled. It’s very obvious that it happens. Why am I being vague? Because if I write in the context I usually do about this then everyone here would get salty and I’d get banned.

If you haven’t experienced what you’re so afraid of, let me speculate that you and your “something” are so small and insignificant that no one will probably notice you to do anything about you.
You put yourself in the role of being number one news of the day and that the whole world would want to get you.

You create imaginary problems for yourself where there are none. Go pay for some hosting/vps/bare metal server and start creating your “something”.

If you actually have something that toxic and popular, you might as well lose your domain and internet connection at home. If you’re going to be the target of these bad guys that much.

You keep seeing enemies everywhere and every company will kick you… Even though you haven’t even tried to start yet. You won’t achieve anything with that attitude. You might as well assume with such paranoia that even the FBI will be against you and they’re about to fabricate evidence and arrest you.

Go and see how things really are… don’t start by buying a server because that’s not the optimal approach.
It’s starting to look like fear of leaving the house because there’s a potential risk of death…

The cases you are talking about are big actions, you as a subject are not even in the same universe. It’s kind of hard for me to imagine that in a moment everyone wants to cancel you. I suspect these people don’t even know you exist.

If your stuff is so controversial and secret then you shouldn’t share it publicly.

Companies will cancel you, groups of people will cancel you, here on the forum people will get salty and you will get banned…
And if even just talking about it will result in your Ban, it says a lot about this “something” of yours.


I get that there are anti-DDoS solutions offered for commercial applications. My thoughts on that are great, and if a giant wave of DDoS comes in then I have to pay for that; however, that adds up and most commercial DDoS protection wouldn’t cover me. Dailystormer has Cloudflare DDoS protection it seems, and so does Gab. I just hate Cloudflare and I’m not doing business with them. It’s like Subway being the only solution, and while that’s not stated, it kind of is currently. If there is a commercial solution then I’d like a non-Cloudflare one. If you go to bunny .net then they say in whatever that no blah blah blah content, because they won’t give your money back and cancel your service immediately. Also Kiwifarms has their own DDoS protection and I’m not sharing the domain, but if you find it you’ll see that it’s custom and it probably doesn’t cost them $1k a month.

Also my question with commercial DDOS protection. I assume it’s just a payment and then done but if you get a lot of traffic do they charge you more?

It is a hypothetical situation that will happen. My end goal for the entire thing is to raise a whole bunch of money for a very specific purpose and most outside groups won’t like it so yeah I’d definitely get DDOSed by something. The thing is I’d want the site to be known and I’d be promoting it constantly to people I meet. I’ve never been DDOSed but I imagine I will and I’d like to set it up beforehand to deal with this instead of being like well I’m dumb and got DDOSed and now the site is down for a week and what do. I’ve never been DDOSed. I just don’t know anyone that would want to be DDOSed.

The iffy company thing is the reason I’d rather put together people and build a system to mitigate this later when the server is set up and I can be like see it exists. Then people will see that I did what I told them and then more people will want to contribute to it with their time and skills.

The thing that pops up when you go to a website and it says Cloudflare and has the box to tick and then you wait and off you go to the website is different than “you registered a domain with us and we told you to f off”, which is what happened to Dailystormer. So just because 100k salty people aren’t emailing a company or trying to make you look bad in whatever media or blog or whatever doesn’t mean they can’t. One salty person who didn’t get laid that day, who’s against your thing and has all the time in the world to spend being salty and organizing other salty individuals with nothing to do, and that’s what you have: 100k salty individuals, and then you have to go buy a .biz or .in because everyone cancelled you. I don’t know what the thing that pops up when you go to a website is, but I assume it’s DDoS protection. You tick the box and you go in. I really don’t think 50k connections can tick the box and enter.

China. I don’t think China would care really. They’re aware of this person gives us money. They do job. Angry “people” email. Email goes into trash and deleted.

I like how your brain goes straight to illegal. I literally want an alt right website with a podcast. I’m not for the current thing and my end goal isn’t something nefarious or illegal. I just want the freedom of speech that most countries should have and protect no matter what it is. If I’m alt right then I’m obviously against all of those illegal things happening around the world. Makes sense wouldn’t it. I’m all for being transparent with people that give money or people that visit the website. I wouldn’t hide anything especially if it’s a registered nonprofit that’s tax exempt.

It’s $300 for a server with two E5-2699s or whatever. 18 cores each. That’s not bad when for Firefish I only need 24 to run like 50k users concurrently. I’m not paying for cheap hosting and just seeing what will happen. If the end game is to put it in a data center then I’m buying a server. It’s not like I’m spending $25k on an Ampere with 3TB of DDR5. It’s a $300 server that should be fine for a year or more.

To me DDOS is people with bad intentions. Not people coming to a website for the purpose of going to that website to consume content because they enjoy going to that particular destination on the internet. People for the most part enjoy going to Amazon. A lot probably don’t and they probably DDOS it all day and nothing happens.

Hacking is something else but DDOS and hacking are all in the same boat. It’s not like I’m going to have some http site like a clown but I do intend to take debit card payments so yeah that also exists since there are a couple payment processors that work with the alt right.

That’s what a hypothetical is. You seem to fail to grasp that concept even though I’ve stated it numerous times throughout this thread. You act like I’m king emperor of North Korea when I stated no such thing.

What if I was in space and I wanted to do x.

But you’re not in space.

Dude… you’re losing me :wink:

I hear you… that you have big plans but a lot of talk about greatness and the future and little action here and now.
Before you pay for something, read the terms and conditions / contract, because you agree to this. If you have given your consent, then the company has the right to what is contained in the tos.

Who took your domain? Such cases are sporadic and usually very loud.

Freedom of speech… On the Internet? Where can I find a document that guarantees me freedom of speech on the Internet?

Apparently, despite being legal, your “something” is not in the minds of many companies and they do not want anything to do with it. You want to force them against their will?
Apparently, they prefer business-friendly PR to a shouting crowd. Like I said, no one is going to take a bullet in the chest for you just because you think it should be and you’re not doing anything illegal.

There are companies that turn a blind eye to a lot of things just like domain registrars. Choose the right one and your problem is solved. But even these companies have a red line somewhere they won’t cross.
But a home server is not the solution to your concerns/issues imho. Sooner someone will dox you and deprive you of access to the Internet.


Ok… Buy yourself this server and run it at home on your home internet connection. Problem solved, end of discussion. :wink:

The ddos issue has already been thoroughly discussed. Nothing more magical can be suggested to you. :wink:

I understand that the cost of maintaining the server in the form of an electricity bill is not a problem?
You also have space for a server and it didn’t cause problems with temperature and noise?
What if there is a power outage? do you have UPS?
What if your home internet connection fails? do you have a second spare?
Do you have/plan to have a domain if it’s going to be a website? I understand that you are sure that no one will take it from you for your content?
Aren’t you afraid that doing it from home someone will dox you?
Will your ISP have a problem with you doing controversial home hosting?

These are normal issues that are important, not just ddos. :wink:

Hosting from home is nothing new or bad in itself, the problem starts when you have controversial stuff. :wink:

  1. You live in China and they are out to get you
  2. You are being paranoid and need help
  3. You need to stop using social media (= touch grass)
  4. You are intending to host something illegal

Which is it?

I don’t live in the UK, so no, electricity isn’t a problem. I’m also going to a State where electricity is like 10¢ per kWh. The server living space is fine.

Anyone can dox me I don’t really care. I seriously don’t care. I’m doing this for a reason and I’m using my actual name because I’m not hiding behind some pseudonym.

I don’t think the ISP will know and neither will the registrar. First off free speech isn’t illegal and I’m not calling for people to do illegal things. I’m not even for protesting as it doesn’t do anything. I think I’ll be fine as long as the ISP doesn’t know because I’ll have to read a lot of AUPs and TOS on their websites and find up and down speeds are the same. Hopefully I have some neighbors that will let me test their WiFi after having a probing conversation.

See I like how it starts when I have controversial stuff when I can tell teens how to do this and that and make estrogen in a bathtub and covid this and that but as soon as you have any pride in your race and you’re not a minority it’s a problem. I find that extremely odd. I get this isn’t a political forum and I’ll just stop myself right there before I get going.

You’re liberal I suppose? I’m not answering any of those. I have 2 children and I’ll have to deal with talking to a principal at different schools when I get back and that’s far more important than that.

I’m from the US and white. My children are white. I’m white and I constantly touch grass.

Wouldn’t you think those telling others to seek help would need to seek help themselves, because I’m not the one that’s brainwashed with all the conditioning you have. I’m not nodding along with the agenda and then telling everyone else who thinks for themselves to touch grass or seek help. Free speech, right? See the problem? This dude might be a dog, because the internet, but these are the people that would hand over $200 because a guy on the internet wrote something anti your belief system. That’s my problem.