Complete DDoS Protected Kernel Configuration for OpenVZ 6

Discussion in 'Server Management' started by Jayson, May 25, 2017.

  1. Jayson

    Jayson Emerald
    EMERALD Thread Starter

    Basically, I created this kernel configuration based on a post by JavaPipe. I've modified their recommended configuration to work with OpenVZ 6, a virtualization platform. If you use it, please give credit to "Jayson Fong" and "JavaPipe", thanks.

    It's a kernel configuration which filters packets on the system itself; this can be used on a mitigation server or on the server you're running things on itself, and it'll filter out what it believes to be dangerous packets; however, it has limited capabilities.

    Here ye go:

    PHP:
    You Must Register to View Code
    Statistics from TCPDump:

    <1 Second:
    4 packets captured
    414 packets received by filter
    380 packets dropped by kernel

    ~3 Seconds:
    1307 packets captured
    2440 packets received by filter
    1103 packets dropped by kernel

    <1 Second During an Attack:
    152 packets captured
    173755 packets received by filter
    173549 packets dropped by kernel

    "packets dropped by kernel" :)

    Statistics are before the packets reach the firewall.
     
  2. Local

    Local Trusted Member
    DIAMOND

    Really helpful ❤️
     
  3. dGRAMOP

    dGRAMOP Active Trader

    Make it clear that it doesn't stop/handle DDoS. You need a scrubber server system for that.
     
  4. Jayson

    Allow me to rephrase it to a kernel configuration which filters packets on the system itself; this can be used on a mitigation server or on the server you're running things on itself, and it'll filter out what it believes to be dangerous packets; however, it has limited capabilities. :)
     
  5. dGRAMOP

    There we go :). I looked over it, and it seems to be pretty legit.

    I have some criticism; in no way am I trying to trash your thread.
    - How would it distinguish legitimate high load compared to a DDoS?
    From what I understand, this looks like a low-level version of rate limiting, except it's global.
    It's like rate limiting an API, except having a global rate limit for everyone's requests.

    Under a DDoS, how can it selectively respond to legit clients? If many packets are dropped, then wouldn't the denial of service still deny service?
    That means that the config just protects the server under a DDoS - which is important, of course.
     