Using a VPS for ddos protection?
from kylian0087@lemmy.dbzer0.com to selfhosted@lemmy.world on 14 Jun 08:00
https://lemmy.dbzer0.com/post/70559099

Hello guys, so I have been self hosting a bunch of stuff for some years now. But I want to increase the protection of the services I host.

I was thinking of using a VPS just for ddos protecting my services like game servers, web servers, email etc.

Any suggestion on how to set this up well? I was thinking of routing all traffic from the VPS back home with wireguard. My connection is gigabit so I don’t think the performance impact will be too big, any suggestion on which proxy, VPS and other things to use?

#selfhosted

slazer2au@lemmy.world on 14 Jun 08:17

Don’t. Ddos will overwhelm any single server, do you really think a 1/10/25Gb interface can handle a small 50Gb/s attack?

What you can do is host a VPS with a company that has ddos protections, but I doubt that is standard, and ddos protection works best from a network operator level not a host one.

kylian0087@lemmy.dbzer0.com on 14 Jun 08:20

That’s what I meant. Hosting the VPS at a company with ddos protection. So the VPS can take the hit instead of my home connection.

ClickyMcTicker@hachyderm.io on 14 Jun 09:07

@kylian0087 @slazer2au “routing all traffic from the VPS back home”

You’re back to square one as soon as you DDOSed yourself.

Have you actually been DDOSed before? Are you somebody that attackers want to target? If you’ve never been the victim of an attack, and you’re neither large nor famous, it’s unlikely that you ever will. Your home internet connection can be DDOSed with or without services hosted on it, but it takes resources to attack something, so most attackers want a worthy target.

That said, there are reasons to want a VPS. They are likely to have a higher uptime than your home services, so running something like email can ensure it stays up even if your internet/power go out. Similarly, it can be useful to have critical files stored there in case of a fire (as part of your 3-2-1 backup plan). For a game server, it can be useful for multiplayer because it may have lower latency to the other players.

If you’re going to get a VPS, put your services on the VPS. If you’re going to rent a VPS to run a VPN, just save your money and use a VPN. If your internet connection isn’t constantly loaded, and you’ve never been attacked, and you’re not hosting a popular website, just save your money.

kylian0087@lemmy.dbzer0.com on 14 Jun 09:40

Thanks for the detailed explanation. As my understanding of ddos protection goes, it mainly needs the capacity to redirect bad traffic and let normal traffic through, not outright block it. So having that capacity in front of a 1gb connection shouldn’t be an issue?

Also, I can’t really put all my services on a VPS; that cost would be way too high. A second option I have been thinking about is moving my servers into a data center. But I like to be able to easily access them. My uptime is over 95% at home already due to having most things on a UPS (and a large home battery with more than enough solar). Backups can still be improved, which I do have planned. Multiple backups are already in place though.

irmadlad@lemmy.world on 14 Jun 09:52

You could do it that way. You could use something like Cloudflare Tunnels/Zero Trust where you’d get DDoS protection for tunneled hostnames http/https. If you’re looking for raw tcp/udp arbitrary ports protection, they have a paid Spectrum protection plan.

I don’t know your specific situation, but after all these years of self hosting, I can’t say as I’ve ever experienced a DDoS attack. Not saying they don’t happen or that it isn’t a concern. I’ve experienced someone hacking my server, but I was super green back then and undoubtedly didn’t have the proper protections in order.

Most of your reputable, well established VPS vendors like Digital Ocean, Linode, Vultr, offer DDoS protections. Some like Hetzner offer multiple tiers of DDoS protection.

auzy1@lemmy.world on 14 Jun 08:21

Why would someone DDoS you?

IAMgROOT@lemmy.wtf on 14 Jun 08:42

monies

ClickyMcTicker@hachyderm.io on 14 Jun 09:10

@IAMgROOT @auzy1 Why would someone spend their resources trying to get money from a stranger’s home internet connection? Is OP a secret millionaire whose daughter is getting married in Hawaii and they’re watching the live stream and willing to pay a $10k ransom to watch it?

frongt@lemmy.zip on 14 Jun 08:59

Lulz

Oha@lemmy.ohaa.xyz on 14 Jun 09:58

Been hosting Public Websites and Gameservers since 2020 from my residential connection and never got ddosed in that time

deadcade@lemmy.deadca.de on 14 Jun 10:15

I have a setup similar to this, but not for ddos protection. If I were to get ddossed at a network level, my home connection wouldn’t feel much of it, as my VPS quickly gets overloaded. I have been “ddossed” at an application level though, I hate AI web scrapers. Since the entire line from VPS to my home network is 1gbps, that alongside most of my server cpu resources got oversaturated with fake traffic.

(I say ddosed in quotes, because I’m not sure of the intentions of these AI webscrapers. Thousands of requests per second on a server that’s usually seeing maybe 5 isn’t “normal” traffic either.)

Maroon@lemmy.world on 14 Jun 11:17

If you see my old posts, you’ll see that I had this exact concern.

I have since learnt that pulling a DDoS attack is actually quite resource intensive / expensive to the deployer as well, and unless you believe that you are being targeted because of something very valuable you host or that you have a technically inclined enemy who is specifically out to get you, you should be fine. Have a good think about your threat model.

With regard to bots, scrapers and the likes, yes, they are a real pain. That can be tackled with Anubis + BadBotBlocker + Fail2Ban + some custom rate limits.

I assume you are a lot more experienced than me based on the number of things you have listed to have self hosted. I feel a well configured reverse proxy with the tools I suggested will take care of 95% of all your bot and scraper related worries.
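
Added example, not part of any post in this thread and not code from Fail2Ban or the other tools named: a sliding-window check over a reverse-proxy access log, the kind of "custom rate limit" logic the comment above refers to, applied to the request floods described earlier in the thread. The log lines, addresses, threshold, and function names are constructed for illustration; it also shows why grouping by /24 catches a scraper that rotates addresses while a per-address limit does not.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

STAMP = "01/Jan/2024:10:15:{:02d} +0000"  # constructed timestamps

def _line(ip, sec):
    return f'{ip} - - [{STAMP.format(sec)}] "GET / HTTP/1.1" 200 512'

# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.50", 0) for _ in range(7)]            # one host, 7 requests in 1 s
    + [_line(f"203.0.113.{n}", 0) for n in range(1, 9)]   # 8 hosts, 1 request each
    + [_line("198.51.100.4", s) for s in (0, 20, 40)]     # ordinary visitor
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

def client_key(host, v4_prefix):
    """Group IPv4 clients by network prefix; leave IPv6 and hostnames as-is."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host
    if addr.version == 4:
        return str(ipaddress.ip_network(f"{host}/{v4_prefix}", strict=False))
    return str(addr)

def flag_clients(log_text, max_requests=5, window_seconds=1, v4_prefix=32):
    """Return {client: peak request count} for clients that exceed
    max_requests inside any sliding window. Assumes a time-ordered log."""
    recent = defaultdict(deque)
    peaks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        try:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        key = client_key(m.group(1), v4_prefix)
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_seconds:
            q.popleft()  # drop requests that fell out of the window
        if len(q) > max_requests:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks
```

Running this on the VPS side of the tunnel means flagged clients can be dropped before their requests reach the home link.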

lemongarlic@lemmy.world on 14 Jun 17:00

Wouldn’t anubis be effective against DDOS attacks?