Linux Servers – Preparing on the server level for DDoS mitigation
Once you have obtained a DDoS-protected server from staminus.net you have a variety of options for handling the DDoS traffic you are receiving or may receive. One option is SecurePort, which does all filtering at the network level and removes the need for much server-level tweaking and configuration. With basic network-level protection a wide variety of attacks are filtered before they reach the server, but you may still require server-level tuning in order to absorb and process the attack traffic that gets through.
First, make sure you have a viable iptables front end such as CSF or APF. For smaller attacks I would recommend CSF, as it can limit and deny aggressive IPs using the kernel's connection-tracking (conntrack) modules rather than polling netstat as some other scripts do. In general, use netstat sparingly while a server is under attack, especially in automated scripts or cron jobs: enumerating every socket on a busy box drives the load up and makes things even slower.
Once your iptables firewall script is set up and configured, the next thing to consider is the TCP stack, which is configured through /etc/sysctl.conf. There you will raise the conntrack table limit, the number of conntrack hash buckets and the TCP memory settings. There is some arithmetic involved in deriving exact numbers from the amount of RAM you want to allocate (the conntrack limit is conventionally derived from RAM and the bucket count from that limit); we will not go into it here and will instead use recommended values that should not be exceeded at the server level. First, I want to point out that you really should not attempt this with less than 4-8 GB of RAM, depending on how much memory your system normally uses for legitimate work.
The values below work effectively on a system with 4-8 GB of RAM:
# SYN queue depth for half-open connections
net.ipv4.tcp_max_syn_backlog = 2048
# Conntrack timeouts: expire half-open and closing entries quickly so a flood cannot fill the table
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 30
# Conntrack table limit (about 4 GiB / 16384 / 2 on a 64-bit kernel). The three spellings are the same key under the old (ip_conntrack), compatibility and current (nf_conntrack) names
net.netfilter.nf_conntrack_max = 131070
net.nf_conntrack_max = 131070
net.ipv4.netfilter.ip_conntrack_max = 131070
# Hash buckets, conventionally conntrack_max / 8. On many kernels this is read-only via sysctl and is set through /sys/module/nf_conntrack/parameters/hashsize instead
net.ipv4.netfilter.ip_conntrack_buckets = 16384
# TIME_WAIT sockets held by the TCP stack itself, independent of conntrack
net.ipv4.tcp_max_tw_buckets = 180000
# Socket buffers (min default max, in bytes). Values in sysctl.conf are not quoted
net.ipv4.tcp_wmem = 4096 65536 8388608
net.ipv4.tcp_rmem = 4096 87380 8388608
# Caveat: tcp_mem is measured in pages (4 KiB on x86), not bytes, so 8388608 pages is 32 GiB and the kernel will never reach the pressure threshold on a 4-8 GB host. The kernel sizes tcp_mem from RAM at boot; leave it at that default unless you have measured a need
net.ipv4.tcp_mem = 8388608 8388608 8388608
Depending on which conntrack implementation your kernel uses (the old ip_conntrack names or the current nf_conntrack ones), some of these keys will not exist. Run sysctl -p, then delete or comment out any key it reports as unknown; the remaining keys are applied.
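As an added example (this is not part of the original post or of CSF/APF), the following POSIX shell script ties together the two steps above: the RAM-based sizing arithmetic the text skips over, and filtering out keys that this kernel does not have so that sysctl -p never aborts on an unknown name. The sizing uses the classic netfilter rule of thumb (RAM in bytes / 16384 / (word size / 32) conntrack entries, buckets = entries / 8), which reproduces the 131072 / 16384 figures above for a 4 GB 64-bit host. The function names, the addition of tcp_syncookies to the profile, and the hashsize module-parameter path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers:
#   conntrack_sizing RAM_MB [BITS]  -> prints "max buckets" (classic netfilter rule of thumb)
#   conntrack_profile RAM_MB [BITS] -> prints a sysctl profile sized for that RAM
#   filter_sysctls [ROOT]           -> reads "key = value" lines on stdin, comments out
#                                      keys that do not exist under ROOT (default /proc/sys)
#   apply_profile RAM_MB [BITS]     -> root only: filter, load with sysctl -p, set hashsize

conntrack_sizing() {
    ram_mb=$1
    bits=${2:-64}
    # RAM (bytes) / 16384 / (bits/32); buckets are conventionally max/8
    max=$(( ram_mb * 1024 * 1024 / 16384 / (bits / 32) ))
    echo "$max $(( max / 8 ))"
}

filter_sysctls() {
    root=${1:-/proc/sys}
    while IFS= read -r line; do
        case $line in
            ''|'#'*) printf '%s\n' "$line"; continue ;;   # keep blanks and comments
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        path="$root/$(printf '%s' "$key" | tr . /)"         # a.b.c -> ROOT/a/b/c
        if [ -e "$path" ]; then
            printf '%s\n' "$line"
        else
            printf '# unsupported on this kernel: %s\n' "$line"
        fi
    done
}

conntrack_profile() {
    # Old (ip_conntrack), compatibility and current (nf_conntrack) key names are
    # all listed; filter_sysctls drops the ones this kernel lacks. tcp_mem is
    # deliberately omitted: it is counted in pages and the kernel sizes it at boot.
    set -- $(conntrack_sizing "$1" "${2:-64}")
    cat <<EOF
# SYN flood: answer with SYN cookies once the backlog fills (assumed addition)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
# conntrack table: $1 entries derived from RAM
net.netfilter.nf_conntrack_max = $1
net.nf_conntrack_max = $1
net.ipv4.netfilter.ip_conntrack_max = $1
# expire half-open and closing entries quickly
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 30
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 60
net.ipv4.tcp_max_tw_buckets = 180000
# socket buffers: min default max, in bytes
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 65536 8388608
EOF
}

apply_profile() {
    # Must run as root. The filtered profile is written to a file and loaded
    # with sysctl -p, exactly like /etc/sysctl.conf, so no unknown key aborts it.
    tmp=$(mktemp) || return 1
    conntrack_profile "$@" | filter_sysctls > "$tmp"
    sysctl -p "$tmp"
    rm -f "$tmp"
    # Bucket count: nf_conntrack_buckets is read-only via sysctl on many kernels,
    # so write the module parameter instead when it is writable.
    set -- $(conntrack_sizing "$@")
    hs=/sys/module/nf_conntrack/parameters/hashsize
    [ -w "$hs" ] && echo "$2" > "$hs"
    return 0
}

# Usage: sh ddos_sysctl.sh plan 4096    (print the filtered profile for a 4 GB host)
#        sh ddos_sysctl.sh apply 4096   (as root: load it)
case ${1:-} in
    plan)  conntrack_profile "${2:-4096}" | filter_sysctls ;;
    apply) apply_profile "${2:-4096}" ;;
esac
```

Run plan first and read what gets commented out: on an nf_conntrack kernel every ip_conntrack line should be marked unsupported, and on an old kernel the reverse; if both sets are marked, the conntrack module is simply not loaded yet.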
This is just one of many steps that can be done to help combat ddos on the server level, more is to come!