  1. #1
    Junior Member
    Join Date
    Jun 2010
    Location
    In Dual Rack Office
    Posts
    24

    What about Ddos Protection

    My question is pretty simple: will there be some sort of DDoS protection in the near future other than the actual firewall/SnapShield?
    |Dual Rack Hosting| 1-877-361-RACK
    |Follow Us: Twitter
    |Become A Fan: Face Book

  2. #2
    Member
    Join Date
    Jun 2010
    Posts
    74
    I also would like to know this. Also, it would be nice to see cPanel paired with Softaculous instead of just Fantastico.
    Shared Hosting Reseller Hosting Dedicated Hosting
    Specializing in Reseller Hosting Solutions Check us out!
    Now Offering: WHMCS Licenses | SSL Certificate | End User Support | Legal Documents

  3. #3
    Junior Member
    Join Date
    Jun 2010
    Location
    In Dual Rack Office
    Posts
    24
    Glad to see there are others seeking this info. As for Softaculous, it is available through Xtra Extreme under plugins; ask your sales rep.
    |Dual Rack Hosting| 1-877-361-RACK
    |Follow Us: Twitter
    |Become A Fan: Face Book

  4. #4
    Junior Member
    Join Date
    Jun 2010
    Location
    Benha
    Posts
    8
    Well, I guess that SnapShield does the trick!
    Give me a keyboard , I'll give you the whole world

  5. #5
    SingleHop Staff SingleHop-Miguel's Avatar
    Join Date
    Jun 2010
    Posts
    54
    SnapShield or any of our hardware firewalls can help with security but not rid you of DDoS attacks. However, if you are using cPanel/WHM, we do offer the Xtra pro addon that can also assist you with heightening the levels of your control panel and user security. It has over 57 security features, including a software-based firewall that can be installed. Check out my Xtra blog post for information on the addon feature for cPanel: Does Your cPanel Hear the SOS?? | Dedicated server & Managed Hosting Blog by SingleHop
    Last edited by SingleHop-Miguel; 06-23-2010 at 03:29 PM.
    Miguel Villegas
    MVillegas@Singlehop.com
    MiguelSinglehop (aim and yahoo)
    Account Executive
    Singlehop INC.
    621 W. Randolph 3rd Floor
    Chicago, IL 60661
    Phone: 1-866-817-2811 ext. 104

  6. #6
    SingleHop Staff
    Join Date
    Jun 2010
    Posts
    1
    We strongly do NOT recommend customers who think that they may be DDoS (Distributed Denial of Service) attack targets utilize SnapShield services or dedicated hardware firewalls. Stateful firewalls are easily overwhelmed by even a medium-sized botnet to exhaust their ability to track existing connections and allow new ones. Several mailing list threads have discussed this issue in the past -- you can find them archived at markmail.org here and here. You are generally better off using non-stateful (OSI model layer 1-4) packet filters to only allow incoming packets to publicly available services, and perhaps drop certain packets based on layer 3 (IP) source specifics.

    We do have several tools at our disposal to detect, analyze, and respond to network threats both against individual IPs, and the overall network infrastructure. Oftentimes if you find yourself targeted, the attackers use traffic that can be identified by our routing hardware, and blocked well upstream from your server. If you find yourself targeted, let our staff know, and our operations group can investigate to block as much attack traffic as possible.

    The more difficult attacks to block are when a medium to large botnet is utilized to generate actual service requests (instead of just flooding invalid packets). In this case, it is difficult or impossible to determine valid requests from invalid ones. Oftentimes you can tune your OS TCP stack, and your application settings, to get the maximum performance out of your hardware to prevent such an attack from affecting valid users. Disabling stateful firewalls such as iptables configured by CSF and removing all the conntrack kernel modules prevents system memory being used to do extensive TCP state tracking. Decreasing the time closed connections hang around also can assist by tweaking net.ipv4.tcp_syn_retries, net.ipv4.tcp_synack_retries, and net.ipv4.tcp_fin_timeout with sysctl. If the attack is against Apache, tuning the MaxClients and ServerLimit settings allows Apache to spawn more processes to service more simultaneous requests, up to system resource limits (basically until your processor is 100% busy, or you start swapping from RAM to disk). From there, you can scale the machine with heavier-grade hardware, or even switch to balancing the load between multiple servers. We have many options for enterprise-grade load balancing that can farm out hundreds of thousands of web requests per second.

    While we don't currently offer a DDoS-specific service to offer to our clients, we do take every attack seriously, and will always do everything within our power to ensure that all of our clients are able to utilize network resources. We are working with partners to determine if we can offer additional services in the future, so be sure to speak with your AE if you think it is something you would be interested in.
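
An added example, not part of the post above or of SingleHop's tooling: a read-only check of the three sysctls and the conntrack modules the post names, plus how long one half-open connection is kept for a given net.ipv4.tcp_synack_retries. The function names are hypothetical, and the timer model (1 s initial timeout, doubling per attempt, 120 s cap) is an assumption matching current Linux defaults.

```shell
#!/bin/sh
# Added example (not from the thread): what the sysctls named above control.
# Assumption: the SYN-ACK retransmission timer starts at 1 s (pass 3 for older
# kernels), doubles after every attempt and is capped at 120 s.

# synack_lifetime RETRIES [INITIAL_RTO]: seconds a half-open connection is
# kept before the kernel gives up (initial SYN-ACK plus RETRIES resends).
synack_lifetime() {
    retries=$1; rto=${2:-1}; total=0; i=0
    while [ "$i" -le "$retries" ]; do
        total=$((total + rto))
        rto=$((rto * 2))
        if [ "$rto" -gt 120 ]; then rto=120; fi
        i=$((i + 1))
    done
    echo "$total"
}

# report_tcp_tunables [PROC_SYS_ROOT]: read-only dump of the three settings.
report_tcp_tunables() {
    root=${1:-/proc/sys}
    for key in tcp_syn_retries tcp_synack_retries tcp_fin_timeout; do
        if [ -r "$root/net/ipv4/$key" ]; then
            printf 'net.ipv4.%s = %s\n' "$key" "$(cat "$root/net/ipv4/$key")"
        else
            printf 'net.ipv4.%s = unavailable\n' "$key"
        fi
    done
}

# conntrack_modules [MODULES_FILE]: names of loaded connection-tracking modules.
conntrack_modules() {
    file=${1:-/proc/modules}
    if [ -r "$file" ]; then awk '$1 ~ /conntrack/ { print $1 }' "$file"; fi
}

# Stand-alone run: current settings, then the effect of lowering the retry count.
report_tcp_tunables
echo "loaded conntrack modules: $(conntrack_modules | tr '\n' ' ')"
for n in 1 2 3 5; do
    echo "tcp_synack_retries=$n -> half-open entry kept about $(synack_lifetime "$n") s"
done
```

The script only reads values; it changes nothing on the host.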

  8. #7
    SingleHop Staff
    Join Date
    Jun 2010
    Posts
    63
    Well put, Brandon. Just a couple of points I would like to underscore.

    Some floods are easy to deal with, others are very difficult to deal with.

    SYN floods don't really consume resources. To prove a point, I have a Celeron 2.4GHz test box I slammed with a SYN flooding script. I configured my Apache limits very high (1500 MaxClients/ServerLimit). After this I flooded the machine from another one on my network; it generated a constant peak of 1024 SYN connections during the flood, as monitored by:

    watch "netstat -anp | grep SYN | wc -l"

    During which time it would hover at over 1,000 connections. I had no trouble using a third machine to access my Apache test page and the CPU load remained at virtually zero with no additional RAM being used.

    Why is this? The reason is because of how a SYN flood works. To make the story short and sweet, you use what is called a 3-way handshake to get data using TCP. The client initially goes "Hey, what's up server, are you there? I want some data." The server in turn replies "I'm here, what do you want?" Then the client responds with the actual request. Because the client never actually responds the second time, it leaves the system hanging and waiting for this handshake to complete; it occupies the socket until it times out. If you don't have MaxClients/ServerLimit set high enough, it will eat all these connections up. Because it doesn't actually make a request, it doesn't really consume any resources of Apache.

    With this being said, having super high MaxClients/ServerLimit is a bad idea. If the system has a conventional flood run against it where it's traffic based, or the system has heavy traffic, it will likely fall flat on its face. There is a very good chance you will run out of RAM or overload the CPU depending on your content and type. Things like running static content can help this immensely, however, and should be considered, especially when dealing with super high influxes of legitimate traffic. Mod_limitipconn could probably help when dealing with traffic-based floods as well.

    Another option I would like to see attempted is someone using a reverse proxy and then passing requests on to Apache. In theory you could set your ServerLimit on the reverse proxy super high; then only fully completed requests would get passed to the actual functional web server, which could have sane, enforceable limits.
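
An added example, not part of the post above: the `grep SYN | wc -l` total from the post also counts the server's own outbound SYN_SENT attempts, so this version splits the count by TCP state, local port and distinct source. The function names are hypothetical and the sample input is constructed, using documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the thread): split the half-open count by state,
# local port and source instead of one `grep SYN | wc -l` total.

# Constructed sample in `netstat -ant` layout; addresses are documentation ranges.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51515      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.23:40112     SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.99:1026       SYN_RECV
tcp        0      0 192.0.2.10:443          203.0.113.5:33012       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.40:52000      ESTABLISHED
tcp        0      0 192.0.2.10:47210        198.51.100.80:25        SYN_SENT
EOF
}

# state_counts: "<state> <connections>" for every TCP state seen on stdin.
state_counts() {
    awk '$1 ~ /^tcp/ { c[$6]++ } END { for (s in c) print s, c[s] }' | sort
}

# half_open_by_port: "<local port> <SYN_RECV count> <distinct sources>",
# busiest port first. SYN_SENT (our own outbound attempts) is excluded.
half_open_by_port() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
            n = split($4, l, ":"); port = l[n]      # last field copes with IPv6
            src = $5; sub(/:[0-9]+$/, "", src)      # drop the source port
            count[port]++
            if (!((port, src) in seen)) { seen[port, src] = 1; sources[port]++ }
         }
         END { for (p in count) print p, count[p], sources[p] }' | sort -k2,2nr
}

# Stand-alone run on the sample; for live data: netstat -ant | half_open_by_port
sample_netstat | state_counts
sample_netstat | half_open_by_port
```

A high SYN_RECV count spread over many distinct sources on one port is the pattern the post describes; a high count from a handful of sources is something a per-source limit can address.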

  10. #8
    Junior Member
    Join Date
    Jun 2010
    Location
    In Dual Rack Office
    Posts
    24
    (Quoting the posts above by SingleHop-Brandon, SingleHop-Miguel and SingleHop-Alex.)
    Thank you all very, very much. Now that really cleared things up a bit.
    |Dual Rack Hosting| 1-877-361-RACK
    |Follow Us: Twitter
    |Become A Fan: Face Book

  11. #9
    Member visbits's Avatar
    Join Date
    Jun 2010
    Posts
    76
    CSF is a must-have. I've resolved hundreds of clients having issues by implementing a simple CSF configuration and teaching the client how to read what it tells them and to handle using it.
    Ripcord!
