Thread: DoS proof hosting
04-16-2004, 02:39 PM, #1, WHT Addict (Join Date: Mar 2003; London, UK)
DoS proof hosting
I've been playing around in my mind the last few days with the idea of DoS-proof hosting. The idea began after I did a brief search for possible locations in the UK in which to host an IRC server connected to a major network; my main concern was the ability to withstand floods of potentially very large scale without any loss of service. My search wasn't very fruitful, but the idea got me interested. Maybe somebody with more experience in this field could explain a few of the techniques and caveats?
The main concern would appear to be the sheer network connectivity; being multi-homed wouldn't seem to be a particularly big advantage, because distributed floods could come from very geographically different locations and hence take different routes into the network. How would a provider cope with this? Is the solution simply to have some line of control right up to gigabit backbones in order to stem the flood before it hits your network, and what level of coordination does this require? Is it costly for the end provider, the backbone provider or even both?
It seems quite frequent to hear of malicious users coming into control of several gigabits of potential flooding bandwidth. Since a 1Gbit link in the UK from, say, he.net would cost around 25,000 USD/month, that would seem to very rapidly put the idea of buying bulk transit out the window.
Is there room in the market for an intermediate between the backbone and the user for providing this level of flood protection, or is it so prohibitively expensive that colocating with the backbone itself would work out cheaper? I'd be interested to hear of any companies doing this already (to a high standard, obviously; zero downtime during floods is what I'm looking for, not a minute or more) and what sort of systems they have in place to achieve it.
Well, that's a few of my ideas onto paper (well, forum anyway). Links to relevant information are all welcome, and in particular the hardware firewalls/routers that people use to automate the process of flood protection.
(I should point out that I can't afford any of this, nor do I have the business skills to set up a company to do this; but hey, maybe I'll find a job as a technician with one eventually.)
04-16-2004, 11:00 PM, #2, Web Hosting Master (Join Date: Feb 2002)
Generally, you would need a big pipe in order to defeat such attacks - you would want all the packets to reach your router/firewall. Hardware firewalls seem to be doing a good job in this case; however, they are pretty expensive (depending on what packet rate you want to handle).
I've experimented with a PC-built firewall (Dual AMD Athlon MP 2200+, 2GB of RAM) based on FreeBSD (Linux shows very high packet loss when filtering a few K packets/sec) - it was able to handle things pretty well, so it could be considered a good, low-cost alternative.
M.
Powered by AMD & FreeBSD.
"Documentation is like sex:
when it is good, it is very, very good;
and when it is bad, it is better than nothing."
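The automation the original poster asks about and the per-source filtering the reply describes can be illustrated with a small sliding-window SYN-rate detector; this is an added example, not code from either poster, and the threshold, window, packet records and the pf table name `flooders` are all constructed assumptions. It only addresses the per-source part of the problem: a flood that saturates the uplink is decided upstream, as the thread itself notes.

```python
from collections import defaultdict, deque

# Assumed policy: more than THRESHOLD bare SYNs from one source inside WINDOW seconds is a flood.
THRESHOLD = 20
WINDOW = 5.0


class SynRateDetector:
    """Sliding-window SYN counter per source address, as a PC firewall might run it."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.flagged = []                # sources that crossed the threshold, in order

    def feed(self, ts, src, flags):
        """Record one packet; return src the first time it crosses the threshold, else None."""
        if flags != "S":                 # count only bare SYNs (new connection attempts)
            return None
        q = self.seen[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > self.threshold and src not in self.flagged:
            self.flagged.append(src)
            return src
        return None

    def pf_commands(self, table="flooders"):
        """pfctl invocations that would add each flagged source to a pf table (table name assumed)."""
        return [f"pfctl -t {table} -T add {src}" for src in self.flagged]


def constructed_packets():
    """Constructed sample capture: one normal client and one source sending a SYN flood."""
    legit = [(1.0 + 3 * i, "192.0.2.10", "S") for i in range(4)]         # 4 SYNs over 10 s
    flood = [(2.0 + 0.05 * i, "198.51.100.77", "S") for i in range(40)]  # 40 SYNs in 2 s
    synack = [(1.1, "192.0.2.10", "SA")]                                  # ignored: not a bare SYN
    return sorted(legit + flood + synack)


def run_sample():
    """Feed the constructed capture through the detector and return it for inspection."""
    det = SynRateDetector()
    for ts, src, flags in constructed_packets():
        det.feed(ts, src, flags)
    return det
```

The legitimate client never holds more than two SYNs inside the window, so only the flooding source ends up in the table.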