Securing cloudron against ddos attacks?
-
@girish would adding an OPNsense firewall to a Cloudron home server cause any issues (assuming all needed ports are opened like what was done in the router)?
-
@lukas Crowdsec could be an option: https://forum.cloudron.io/topic/6224/crowdsec-install-guide-for-cloudron-purposes/1?_=1682161029208
Though I don’t know what’s the status of it and its compatibility with Cloudron… -
@humptydumpty I run OPNsense in front of Cloudron. I'm not doing anything fancy with it, but it does live between the world and my self-hosted Cloudron instance.
I have no idea what would happen if the machine was DDoS'd. I'm pretty sure it would fall over. At this point, I'm just excited that I have cron'd backups locally and to offsite.
-
@necrevistonnezr said in Securing cloudron against ddos attacks?:
@lukas Crowdsec could be an option: https://forum.cloudron.io/topic/6224/crowdsec-install-guide-for-cloudron-purposes/1?_=1682161029208
Though I don’t know what’s the status of it and its compatibility with Cloudron…@girish maybe you guys can implement this into cloudron?
-
@jadudm said in Securing cloudron against ddos attacks?:
@humptydumpty I run OPNsense in front of Cloudron. I'm not doing anything fancy with it, but it does live between the world and my self-hosted Cloudron instance.
Do you have any specific rules on OPNsense for DDoS?
@lukas @humptydumpty Cloudron already has a very restrictive firewall. All ports are closed other than http and https (unless an app needs them). Email ports are opened dynamically and only if email server is enabled. There's also rate limits in place for things. With DDoS, it's a power battle though between the Cloudron CPU and the bots army. For tackling a real DDoS, one needs to receive requests over multiple physical/server regions. i.e the bot requests are first "processed" in the region where the bot resides. They do this with so called anycast IP addresses (single IP on multiple servers and assistance from DNS).
-
@girish that’s great to know but I’m adding opnsense for non Cloudron related reasons. My router sucks and I want to have more control over my network but didn’t want to go through the trouble only to have it choke my home server connection.
-
@girish No, I don't think I have any particular DDoS protection configured in OPNsense. However, this conversation makes me curious to investigate it.
I run the DNS through Cloudflare, which... may or may not provide me with some protection. (I'm not being cagey, so much as haven't really dug in to understand how/if Cloudflare protects my Cloudron domain/subdomains.)
I'm happy to experiment with OPNsense configuration, if it's a space of question. However, it serves more for internal protection than external (at the moment). I mostly use it to partition the Cloudron machine off from the rest of the house via VLAN as a "just-in-case" measure. It keeps Cloudron separate from dumb internet lightbulbs, which I consider a kind of mutual protection.
-
Like Hetzner, Contabo also offers DDoS protection:
https://contabo.com/en/ddos-protection/#what-are-the-limits-of-contabo-ddos-protectionFrom Claude AI:
Here are a few key points comparing layer 7 and layer 4 DDoS mitigation for protecting websites that stream audio/video:
Layer 7 (application layer) DDoS protection can detect and mitigate more sophisticated application-layer attacks that target weaknesses in the web application code, such as HTTP floods, low and slow attacks, and exploits that abuse APIs.
Layer 4 (transport layer) DDoS protection focuses on network and volumetric attacks like UDP and ICMP floods which aim to consume bandwidth and overload infrastructure.
For streaming websites, a hybrid approach providing both layer 4 and 7 mitigation is recommended. Layer 4 protects against bandwidth-exhaustion attacks while layer 7 covers exploits at the application layer.
Top providers known for DDoS protection services include Cloudflare, Akamai, Imperva, F5 Networks, and Radware. Specific solutions include:
Cloudflare Magic Transit and Spectrum
Akamai Prolexic Routed
Imperva Advanced DDoS Protection
F5 Silverline
Radware DefensePro
Features like behavioral analysis, per-client throttling, SSL decryption, and integration with CDNs and DNS services make these robust protections against network and app-layer DDoS attacks.In summary, combining layer 4 and 7 DDoS mitigation from a reputable provider gives streaming sites the best protection against volumetric bandwidth attacks and application exploits. Cloudflare, Akamai, and Imperva are leaders in the space
