How to protect the project infrastructure from DDoS attacks?


Hello. I'm asking for your help with organizing the project: how to arrange everything properly.

There is a Proxmox server.

On it are 2 VMs: the 1st for the websites, the 2nd for the game TCP project.

I was recommended to do it like this: one dedicated server for the sites, with L7 protection against attacks; the second one for the game project, with L2-L4 protection.

I have a question. The first dedicated server is not protected from L2-L4 attacks, so under such an attack everything goes down, including the second server, if the shared channel is saturated?

Or reorganize everything differently: use one dedicated server, or even drop Proxmox, leaving a single server, and put everything there, protected against attacks at all levels. Wouldn't that be simpler?

Thanks for your help.

andreyka
#1

Hello!

The proper way to do it:

The site has a registration form to participate in the game.

Close access to the game server and put a VPN in front of it.

A registered player is given a PSK for access to the VPN, which you rotate once a week, with a warning.

Do everything over TCP, and ask the provider to cut off UDP at the uplink level.

The scheme works and has been tested, especially if you have the ability to modify the client engine and integrate the VPN into it; then it will all be transparent to the player: they enter their registration data and the client sets up the channel and starts a session through it.

Don't multiply entities without necessity
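As an added example (not part of andreyka's post or of any project in the thread), here is what the "registration form, then VPN access gated by a PSK that is rotated weekly" scheme can look like with OpenVPN running over TCP, so that UDP really can be cut at the uplink. The "PSK" here is OpenVPN's tls-crypt key: a server configured with it does not even answer the TLS handshake of a client that lacks the key, which is exactly the gate being described. The state directory, port, VPN subnet, player name, hostname and the weekly policy are assumptions; the per-player certificates from a PKI are assumed to exist and are not generated here.

```bash
#!/bin/sh
# Added example (not from the thread): an OpenVPN-over-TCP "PSK gate" for the game
# server. The PSK is the tls-crypt key; without it the server stays silent.
# Paths, ports, addresses and the rotation policy below are assumptions.

VPN_PORT="${VPN_PORT:-1194}"          # assumed listen port; TCP only, UDP is cut at the uplink
VPN_NET="10.9.0.0 255.255.255.0"      # assumed VPN subnet handed to players
ROTATE_DAYS=7                         # andreyka: rotate once a week, with a warning

# Generate a tls-crypt key in OpenVPN "Static key V1" format: 256 random bytes as
# 16 lines of 32 hex characters. `openvpn --genkey tls-crypt` produces the same
# layout; it is done by hand here so the example runs without openvpn installed.
gen_psk() {
  printf '%s\n' '-----BEGIN OpenVPN Static key V1-----'
  head -c 256 /dev/urandom | od -An -v -tx1 | tr -d ' \n' | fold -w 32
  printf '\n%s\n' '-----END OpenVPN Static key V1-----'
}

# Write a fresh PSK, keeping the previous one so players who were warned but have
# not updated yet can still be recognised in the logs. Prints the new key's path.
rotate_psk() {
  dir=$1
  mkdir -p "$dir"
  if [ -f "$dir/psk.key" ]; then mv "$dir/psk.key" "$dir/psk.key.prev"; fi
  gen_psk > "$dir/psk.key"
  chmod 600 "$dir/psk.key"
  echo "$dir/psk.key"
}

# Returns 0 when the current PSK is at least ROTATE_DAYS old (rotation is due).
psk_rotation_due() {
  dir=$1
  [ -f "$dir/psk.key" ] || return 0
  [ -n "$(find "$dir/psk.key" -mtime +"$((ROTATE_DAYS - 1))" 2>/dev/null)" ]
}

# Server side: TCP only, handshake gated by the PSK, players land in VPN_NET.
# Bind the game server to the tun address so it is reachable only from the VPN.
server_conf() {
  dir=$1
  cat <<EOF
proto tcp-server
port $VPN_PORT
dev tun
server $VPN_NET
tls-crypt $dir/psk.key
# certificates from an existing PKI (assumed; not generated in this example)
ca $dir/ca.crt
cert $dir/server.crt
key $dir/server.key
dh none
EOF
}

# Client side: handed to a player after registration, with the current PSK inlined.
client_conf() {
  dir=$1; player=$2; server_host=$3
  cat <<EOF
client
proto tcp-client
remote $server_host $VPN_PORT
dev tun
nobind
# the tls-crypt key is the weekly-rotated PSK; re-issue this file on every rotation
<tls-crypt>
$(cat "$dir/psk.key")
</tls-crypt>
# cert/key: inline the certificate issued to "$player" at registration (assumed PKI)
EOF
}

# Stand-alone demo: issue a key in a scratch directory and print both configs.
demo_dir=$(mktemp -d)
rotate_psk "$demo_dir" > /dev/null
server_conf "$demo_dir"
echo "-----"
client_conf "$demo_dir" player1 vpn.example.net
```

A cron job that calls `psk_rotation_due` and then `rotate_psk` is the weekly rotation; the "warning" is whatever the site sends registered players before the new client file is pushed. Keep in mind that tls-crypt is one key shared by all players, so a leaked key means a rotation for everyone, which is why per-player certificates remain the actual identity.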
d1mq0
#2

Your whole infrastructure works only on ports 80 and 443. There's no point complicating your life; you can keep it all on the same server. Connect a regular proxy for the websites (ports 80/443) and it will include L3-7 protection; all the providers have it: cloud-shield.ru, fortes.pro, qrator.net, for any budget.

Pay special attention that your real IP address doesn't leak anywhere, and that will be enough.

OP, you have created a lot of topics on this subject. Try finally connecting something, it's not that difficult or scary :)

#3
andreyka:
Hello!
The proper way to do it:
The site has a registration form to participate in the game.
Close access to the game server and put a VPN in front of it.
A registered player is given a PSK for access to the VPN, which you rotate once a week, with a warning.
Do everything over TCP, and ask the provider to cut off UDP at the uplink level.

The scheme works and has been tested, especially if you have the ability to modify the client engine and integrate the VPN into it; then it will all be transparent to the player: they enter their registration data and the client sets up the channel and starts a session through it.

Thanks, I understand, but for me it's probably too complicated. The bottom line is that players don't have direct access to the server IP, and therefore neither do attackers?

UDP is closed, it doesn't work :D

---------- Posted 17.06.2020 at 22:51 ----------

d1mq0:
Your whole infrastructure works only on ports 80 and 443. There's no point complicating your life; you can keep it all on the same server. Connect a regular proxy for the websites (ports 80/443) and it will include L3-7 protection; all the providers have it: cloud-shield.ru, fortes.pro, qrator.net, for any budget.
Pay special attention that your real IP address doesn't leak anywhere, and that will be enough.

OP, you have created a lot of topics on this subject. Try finally connecting something, it's not that difficult or scary :)

Thanks for the reply. My sites are on ports 80 and 443. In addition there is game traffic on TCP port xxxx. UDP is closed.

As I said, L7 protects only the sites; it doesn't protect the application. I run the application on different TCP ports. So in addition to L7 I still need to connect something else))

But overall I agree that everything needs to be moved to one server, since connecting everything to a second server is simply a pain. And there's no point in 2 servers when they're hosted on a single Proxmox server))

d1mq0
#4

Apparently I misunderstood.

In that case it will be convenient to have 2 IP addresses on the server.

On one, hang the site/forum on ports 80/443. All other ports closed. Connect an L3-7 proxy for the site.

On the other, hang the game ports, close the unused ones, and bring in a protected L3-4 tunnel.
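The two-IP layout d1mq0 describes only works if the host enforces it: the site IP must accept 80/443 solely from the scrubbing provider's ranges (otherwise anyone who learns the real IP walks around the L7 proxy), and the game IP must accept nothing from the public side except the provider's tunnel. As an added example, not code from the thread or from any provider, here is a shell script that generates such an nftables ruleset. The addresses, game port, tunnel type (GRE) and interface, and the provider source ranges are assumptions; substitute the values from your provider's setup instructions.

```bash
#!/bin/sh
# Added example (not from the thread): nftables ruleset for the two-IP layout.
# Every address, port, interface and provider range below is an assumption.

SITE_IP="203.0.113.10"        # assumed: site/forum IP (public DNS points at the scrubbing proxy, never here)
GAME_IP="203.0.113.20"        # assumed: game IP; only the provider's tunnel terminates here
GAME_PORT="27015"             # assumed: the thread's "tcp port xxxx"
TUNNEL_IF="gre1"              # assumed: tunnel interface from the L3-4 protection provider
TUNNEL_PEER="198.51.100.1"    # assumed: provider-side tunnel endpoint
SCRUBBER_NETS="198.51.100.0/24,192.0.2.0/24"   # assumed: provider reverse-proxy source ranges for 80/443

gen_ruleset() {
  site_ip=$1
  game_ip=$2
  game_port=$3
  tun_if=$4
  tun_peer=$5
  scrub_nets=$6
  cat <<EOF
flush ruleset
table inet ddos_layout {
  set scrubbers {
    type ipv4_addr
    flags interval
    elements = { $scrub_nets }
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # Site IP: 80/443 only from the scrubbing provider. A direct connection from
    # anyone who discovered the real IP is dropped, so L7 protection cannot be bypassed.
    ip daddr $site_ip tcp dport { 80, 443 } ip saddr @scrubbers counter accept
    # Game IP: on the public side only the provider's tunnel is accepted ...
    ip daddr $game_ip ip saddr $tun_peer ip protocol gre counter accept
    # ... and the game port is open only on the tunnel interface, i.e. after scrubbing.
    iifname "$tun_if" tcp dport $game_port counter accept
    # Neither service uses UDP. Dropping it here protects the host only; a saturated
    # uplink still has to be filtered upstream by the provider.
    meta l4proto udp counter drop
    # Rate-limited ping keeps the provider's health checks working.
    icmp type echo-request limit rate 5/second accept
  }
}
EOF
}

# Syntax-check the generated ruleset with nft when it is installed; nothing is loaded.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    nft -c -f - && echo "ruleset parses"
  else
    echo "nft not installed; skipping syntax check"
  fi
}

ruleset=$(gen_ruleset "$SITE_IP" "$GAME_IP" "$GAME_PORT" "$TUNNEL_IF" "$TUNNEL_PEER" "$SCRUBBER_NETS")
printf '%s\n' "$ruleset"
printf '%s\n' "$ruleset" | check_ruleset
```

Load it with `nft -f` once the tunnel is up, and keep the provider's published ranges in the `scrubbers` set current, since the site goes dark the moment the provider adds a proxy address you have not whitelisted. The GRE rule assumes a GRE tunnel; with an IPsec or VPN tunnel, replace it with the corresponding protocol and port.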

andreyka
#5

Lelouch Lamperouge:
Thanks, I understand, but for me it's probably too complicated. The bottom line is that players don't have direct access to the server IP, and therefore neither do attackers?

UDP is closed, it doesn't work :D

There is always a simple and quick fix for features that don't work.

And how is UDP closed? Hopefully not via iptables? :)

#6
d1mq0:
Apparently I misunderstood.
In that case it will be convenient to have 2 IP addresses on the server.
On one, hang the site/forum on ports 80/443. All other ports closed. Connect an L3-7 proxy for the site.
On the other, hang the game ports, close the unused ones, and bring in a protected L3-4 tunnel.

Yes, that's what I want to do. In that case the server will be protected from all types of attacks. Only HTTP(S) traffic reaches the site IP; the rest is dropped by the scrubbing service.

On the game IP, a tunnel protected at L2-L4.

---------- Posted 19.06.2020 at 01:19 ----------

andreyka:
Lelouch Lamperouge:
Thanks, I understand, but for me it's probably too complicated. The bottom line is that players don't have direct access to the server IP, and therefore neither do attackers?
UDP is closed, it doesn't work :D

There is always a simple and quick fix for features that don't work.

And how is UDP closed? Hopefully not via iptables? :)

On the host side all traffic was cut off) but it didn't help, it still kept arriving. But we decided to sort out the problem.

andreyka
#7
Lelouch Lamperouge:

On the host side all traffic was cut off) but it didn't help, it still kept arriving. But we decided to sort out the problem.

And it won't help; it has to be cut at the uplink.

netwind
#8
andreyka:
And it won't help; it has to be cut at the uplink.

and how do you motivate a large hoster with hulking uplinks, in a monopolized economy, to dance around for one forum member?

is this a story from the fraternal countries? or just another fantasy for Habr?

It doesn't happen. The uplink happily throws the IP into the blackhole community. Everything else is fantasy.

Configure iptables. Adapt to the market yourself.

Кнопка вызова админа
#9
netwind:

Configure iptables. Adapt to the market yourself.

When more than 20 Tb comes down the channel, iptables is no longer a helper)

#10
andreyka:
And it won't help; it has to be cut at the uplink.

this is from the series "robots should do all the work and everything should be free"

firstly, what you're talking about (flowspec) is offered by 3-4 operators in the Russian Federation.

secondly, it can cut off only a veeeery limited type of attack. The myths about how cool this feature is are inflated by people with little understanding and the well-known CIS-wide appetite for freebies.

thirdly, the service raises the price of all traffic so much that it's cheaper to use the services of specialized anti-DDoS providers.

https://team-host.ru/ Dedicated servers for rent, with and without DDoS protection.
