
Using a VPS for DDoS protection?

3d 14h ago by lemmy.dbzer0.com/u/kylian0087 in selfhosted

Hello guys, so I have been self hosting a bunch of stuff for some years now. But I want to increase the protection of the services I host.

I was thinking of using a VPS just for DDoS protecting my services like game servers, web servers, email etc.

Any suggestion on how to set this up well? I was thinking of routing all traffic from the VPS back home with wireguard. My connection is gigabit so I don't think the performance impact will be too big, any suggestion on which proxy, VPS and other things to use?

Don't. A DDoS will overwhelm any single server; do you really think a 1/10/25Gb interface can handle a small 50Gb/s attack?

What you can do is host a VPS with a company that has DDoS protections, but I doubt that is standard, and DDoS protection works best at a network operator level, not a host one.

That's what I meant. Hosting the VPS at a company with DDoS protection, so the VPS can take the hit instead of my home connection.

You could do it that way. You could use something like Cloudflare Tunnels/Zero Trust where you'd get DDoS protection for tunneled hostnames http/https. If you're looking for raw tcp/udp arbitrary ports protection, they have a paid Spectrum protection plan.

I don't know your specific situation, but after all these years of self hosting, I can't say as I've ever experienced a DDoS attack. Not saying they don't happen or that it isn't a concern. I've experienced someone hacking my server, but I was super green back then and undoubtedly didn't have the proper protections in order.

Most of your reputable, well established VPS vendors like Digital Ocean, Linode, Vultr, offer DDoS protections. Some like Hetzner offer multiple tiers of DDoS protection.

@kylian0087 @slazer2au “routing all traffic from the VPS back home”

You’re back to square one as soon as you’re DDoSed yourself.

Have you actually been DDoSed before? Are you somebody that attackers want to target? If you’ve never been the victim of an attack, and you’re neither large nor famous, it’s unlikely that you ever will be. Your home internet connection can be DDoSed with or without services hosted on it, but it takes resources to attack something, so most attackers want a worthy target.

That said, there are reasons to want a VPS. They are likely to have a higher uptime than your home services, so running something like email can ensure it stays up even if your internet/power go out. Similarly, it can be useful to have critical files stored there in case of a fire (as part of your 3-2-1 backup plan). For a game server, it can be useful for multiplayer because it may have lower latency to the other players.

If you’re going to get a VPS, put your services on the VPS. If you’re going to rent a VPS to run a VPN, just save your money and use a VPN. If your internet connection isn’t constantly loaded, and you’ve never been attacked, and you’re not hosting a popular website, just save your money.

Thanks for the detailed explanation. As far as my understanding of DDoS protection goes, it mainly needs the capacity to redirect bad traffic and let normal traffic through, not outright block it. So having that capacity in front of a 1Gb connection shouldn't be an issue?

Also I can't really put all my services on a VPS; that cost would be way too high. A second option I have been thinking about is moving my servers into a data center, but I like to be able to easily access them. My uptime is over 95% at home already due to having most things on a UPS (and a large home battery with more than enough solar). Backups can still be improved, which I do have planned; multiple backups are already in place though.

Physically colocating servers in a DC will cost $$$ compared to self hosting. Quickly checking a service near me, space for a 1U server costs $99 per month. Currently my VPS is $5 per month. I'm sure there are massive performance gains to be had with colocation, but what are you hosting that you'd need to take advantage of them?

Depends on what kind of DDoS OP wants to defend against. Defending against an AI crawler DDoS is entirely possible with a tiny VPS. I've been doing that for the past ~1.5 years on a €4/month CX23 Hetzner VPS.

You cannot stop a DDoS, you can only mitigate one with more capacity. That's why there are only a few big players who can do it.

Canonical itself was unable to stop a DDoS attack and they're distributed. You won't stop a DDoS if that DDoS is meant for you.

Why would someone DDoS you?

Been hosting public websites and game servers since 2020 from my residential connection and never got DDoSed in that time.

monies

@IAMgROOT @auzy1 Why would someone spend their resources trying to get money from a stranger’s home internet connection? Is OP a secret millionaire whose daughter is getting married in Hawaii and they’re watching the live stream and willing to pay a $10k ransom to watch it?

Is there some new kind of DDoS attack that steals Bitcoins instantaneously?

No, but you can get paid to DDoS someone.

Lulz

If you see my old posts, you'll see that I had this exact concern.

I have since learnt that pulling a DDoS attack is actually quite resource intensive / expensive to the deployer as well, and unless you believe that you are being targeted because of something very valuable you host or that you have a technically inclined enemy who is specifically out to get you, you should be fine. Have a good think about your threat model.

With regard to bots, scrapers and the likes, yes, they are a real pain. That can be tackled with Anubis + BadBotBlocker + Fail2Ban + some custom rate limits.

I assume you are a lot more experienced than me based on the number of things you have listed to have self hosted. I feel a well configured reverse proxy with the tools I suggested will take care of 95% of all your bot and scraper related worries.

Wouldn't Anubis be effective against DDoS attacks?

No, Anubis creates a throttle to stop ai scrapers from taking down https web resources.

Sure, but I would think Anubis would also somewhat stop DDoS attacks, since clients need to pass Anubis to access the website, and across a DDoS swarm that would use up significant resources.

DDoS attacks do not always happen on HTTPS, though. You can overwhelm a system with DNS, NTP, or even just malformed packets. Anubis would do nothing for this.

I'm using a setup similar to what you had in mind: I have a small €4/month VPS as my front, with scrapers taken care of by iocaine (it both blocks them, and firewalls the worst off automatically). That's over 90% of the HTTP(s) traffic never making it past the VPS, greatly reducing the traffic into my home network. My actual servers are behind a WireGuard tunnel.

It does not protect against a non-HTTP DDoS, but that wasn't part of my threat model to begin with. My VPS provider (Hetzner) has DDoS protection even for €4/month servers - that doesn't include the scraper DDoS, but includes other kinds - I have luckily not been a victim of any, so no idea whether it works reliably.

Against the scrapers, a VPS + bot defense + WireGuard works like a charm. Can recommend.

Take a look at towonel. It's relatively new, but very promising. I plan to migrate to it from cloudflare.

I have a setup similar to this, but not for DDoS protection. If I were to get DDoSed at a network level, my home connection wouldn't feel much of it, as my VPS quickly gets overloaded. I have been "DDoSed" at an application level though; I hate AI web scrapers. Since the entire line from VPS to my home network is 1 Gbps, that alongside most of my server CPU resources got oversaturated with fake traffic.

(I say DDoSed in quotes, because I'm not sure of the intentions of these AI web scrapers. Thousands of requests per second on a server that's usually seeing maybe 5 isn't "normal" traffic either.)

I have a setup more or less identical to what you describe. The VPS only hosts a reverse proxy that takes care of certificates and forwards incoming traffic through a WireGuard tunnel. The actual host is behind a DMZ, and the VPS can only access hosts on the DMZ.
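The VPS-in-front, WireGuard-back-home layout discussed in this thread, written out as an added example (not any commenter's own config): the VPS DNATs a few public ports into the tunnel, and the home side only dials out, so nothing listens on the home connection itself. Interface names (`eth0`, `wg0`), the 10.8.0.0/24 tunnel subnet, the hostname `vps.example.com`, the game port 27015 and the `<...>` keys are placeholders you would replace; the home firewall restricting 10.8.0.1 to the DMZ is assumed to be configured separately.

```ini
# --- VPS side: /etc/wireguard/wg0.conf (constructed example) ---
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
# Only the listed ports are forwarded; everything else hitting the VPS is dropped
# by its own firewall (assumed default FORWARD policy DROP) and never reaches home.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.8.0.2
PostUp = iptables -t nat -A PREROUTING -i eth0 -p udp --dport 27015 -j DNAT --to-destination 10.8.0.2
# Masquerade into the tunnel so replies from home return via the VPS, not via the home ISP.
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostUp = iptables -A FORWARD -i eth0 -o wg0 -d 10.8.0.2 -p tcp -m multiport --dports 80,443 -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -o wg0 -d 10.8.0.2 -p udp --dport 27015 -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.8.0.2
PostDown = iptables -t nat -D PREROUTING -i eth0 -p udp --dport 27015 -j DNAT --to-destination 10.8.0.2
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -o wg0 -d 10.8.0.2 -p tcp -m multiport --dports 80,443 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -d 10.8.0.2 -p udp --dport 27015 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

[Peer]
# Home server: the only address the VPS may send into the tunnel.
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# --- Home side: /etc/wireguard/wg0.conf (constructed example) ---
[Interface]
Address = 10.8.0.2/32
PrivateKey = <HOME_PRIVATE_KEY>
# No ListenPort: the home box initiates the tunnel outbound through its NAT,
# so the public address of the home connection is never published anywhere.

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.com:51820
# Accept only the VPS tunnel address; clients never appear here directly.
AllowedIPs = 10.8.0.1/32
# Keep the NAT mapping alive so inbound forwards keep working while idle.
PersistentKeepalive = 25
```

Because of the MASQUERADE, services at home see every client as 10.8.0.1; if you need real client addresses for logs, rate limiting or Fail2Ban, terminate HTTP(S) in a reverse proxy on the VPS that sets `X-Forwarded-For` (or use PROXY protocol) instead of raw DNAT for those ports.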