Quote:
Originally Posted by Phineas
Or just shove a Cisco ASA in front of the server, set a max embryonic connection limit of say 1000, and then configure an IPS module to also drop packets from obvious attackers.
Someone mentioned that the problem with this kind of solution is the bandwidth being eaten up at the router.
/shrug
We've killed many ddos attempts at our datacenter doing just what I outlined...
~phin
<edit>
it should be noted that I have no idea if limiting the half opened connections would also affect EQ clients. It certainly doesn't harm web traffic from my experience...
That's a solid solution too. The ASAs are a really nice improvement upon the PIX; unfortunately they come with a hefty price tag. For SYN proxy functionality and just general usage I've found OpenBSD with pf achieves the same thing for free, minus all the contextual stuff. You'll actually find this embedded in most off-the-shelf firewall/proxy solutions due to its flexible license. I used this quite a bit in my consulting days.

Unfortunately not everyone can operate at Layer 8 (politics and $$). We use ASAs and ACEs at work as well and are quite happy with them, but for smaller shops or the budget-constrained some good old pf is hard to beat; combine that with carp/pfsync and you've got some nice redundancy.
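A minimal pf.conf showing the SYN proxy plus per-source state limits the reply is talking about, as an added example that is not from either poster or from the Project 1999 setup. The interface name, the server address (an RFC 5737 documentation address), the TCP port and the numeric limits are all placeholders; tune them for the real service, and note that a SYN proxy only helps TCP, so a game protocol running over UDP needs a different control.

```pf
# /etc/pf.conf - constructed example, not a production ruleset
ext_if   = "em0"          # assumed external interface
game_srv = "192.0.2.10"   # placeholder server address
game_port = "9000"        # placeholder TCP port for the service

# hosts that trip the per-source limits below land in this table
table <flooders> persist

# cap total state-table size so a flood cannot exhaust kernel memory
set limit states 50000

# default deny on the outside interface; pf is last-match unless "quick"
block in on $ext_if all

# anything already flagged as a flooder is dropped before state creation
block in quick on $ext_if from <flooders>

# SYN-proxy the service: pf answers the client's SYN itself and only opens
# a connection to the real server once the client's ACK arrives, so
# half-open (embryonic) connections never reach the backend.
# max-src-conn      - at most 50 established connections per source
# max-src-conn-rate - at most 15 new connections per 5 seconds per source
# overload          - offenders go into <flooders>; "flush global" kills
#                     all their existing states, not just ones from this rule
pass in on $ext_if proto tcp to $game_srv port $game_port \
    flags S/SA synproxy state \
    (max-src-conn 50, max-src-conn-rate 15/5, overload <flooders> flush global)

# let the server's replies and everything else outbound through statefully
pass out on $ext_if all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -t flooders -T show` lists the sources that have been overloaded, and `pfctl -t flooders -T expire 3600` is one way to age them out rather than leaving the table to grow. This is the bit Phineas was unsure about for EQ clients: the proxy itself is transparent to a well-behaved TCP client, but the `max-src-conn` and rate values will block legitimate users sitting behind one NAT address if they are set too low, so watch the table for a while before tightening them.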