Preventing DDOS attacks - CDN + Cloudflare
#1
The idea is 
CLOUDFLARE --> CDN --> Actual Server

Even if my website is cloudflare resolved it'll only give the IP of the CDN.
I want to build a good CDN but I have no flippin idea.
Any ideas?
It would need to filter traffic and clean it.
I also need a page to show before the actual website loads. 
Like this.....
saying "DDOS Protection by....


Example: http://digitalfort.ch
#2
Quote: Even if my website is cloudflare resolved it'll only give the IP of the CDN.

That's not necessarily true, it depends on how it's resolved. For example, if it's resolved because the mail server is on the same server as the website, then by tracing the email's source you get the actual server. Actually, all of the techniques to resolve an IP behind Cloudflare I know of would still result in the actual server, not another CDN.

With that said, Cloudflare is a CDN, so what you're suggesting is a CDN behind a CDN, which offers little if any benefit.

Either CDN1 does all the work and CDN2 simply acts as a proxy for non-cacheable content, or CDN2 caches the same content as CDN1, but since CDN2 never gets the requests (CDN1 handles them), CDN2 still simply acts as a proxy for non-cacheable content.

Quote: I want to build a good CDN but I have no flippin idea.

A good CDN is all about global infrastructure, so you can serve cacheable content from a location geographically near the user, resulting in less latency.

When a request comes in to any particular CDN server, it will look and see if it has the content in its cache; if it does, it simply serves it and never passes the request on to the actual server. If it doesn't, the request is forwarded on to the actual server, and the response is forwarded back to the user.

Combining this with a geodns system, so that a DNS lookup results in an IP for a server nearby, allows content to be served from the closest CDN server, resulting in less latency than if the request went to the actual server every time.

Basically, CDNs are big caching proxies. Since you are also in the middle of the request and response, you can handle them however you want.

The fact you are asking tells me you don't have the network engineering experience or knowledge required to pull this off. Consider stepping back and getting some experience with networking at a global level; building a CDN is not like building some program, the key is infrastructure.
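The caching-proxy and geodns behaviour described in the post above, as an added example that is not part of this thread or of any product mentioned in it. It models one CDN edge as an in-memory cache that only forwards to the origin on a miss or after expiry, and a geodns resolver that hands out a healthy edge in the client's region round-robin (falling back to any healthy edge when a whole region is down). All node names, paths, cache lifetimes and the fake clock are constructed for the demonstration.

```python
"""Toy model of a CDN edge plus geodns, as described in the thread.
Everything here (node names, paths, max-age values) is constructed."""
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Response:
    status: int
    body: bytes
    max_age: int  # seconds an edge may keep this copy; 0 = never cache


class Origin:
    """Stand-in for the real server. Counts how many requests actually reach it."""

    def __init__(self):
        self.hits = 0
        # constructed content: static assets are cacheable, per-user data is not
        self.content = {
            "/logo.png": Response(200, b"\x89PNG...", max_age=3600),
            "/index.html": Response(200, b"<html>...</html>", max_age=60),
            "/api/me": Response(200, b'{"user": "alice"}', max_age=0),
        }

    def fetch(self, path):
        self.hits += 1
        return self.content.get(path, Response(404, b"not found", max_age=0))


class FakeClock:
    """Deterministic clock so cache expiry can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class Edge:
    """One CDN node: serve from cache if still fresh, otherwise proxy to the origin."""

    def __init__(self, name, origin, clock):
        self.name = name
        self.origin = origin
        self.clock = clock
        self.cache = {}  # path -> (Response, expires_at)

    def handle(self, path):
        """Return (response, source); source is 'cache' or 'origin'."""
        now = self.clock.now()
        cached = self.cache.get(path)
        if cached is not None and cached[1] > now:
            return cached[0], "cache"
        resp = self.origin.fetch(path)  # miss or expired: go to the actual server
        if resp.status == 200 and resp.max_age > 0:
            self.cache[path] = (resp, now + resp.max_age)
        elif path in self.cache:
            del self.cache[path]  # expired and no longer cacheable: drop it
        return resp, "origin"


class GeoDNS:
    """Answer a lookup with a healthy edge from the client's region, round-robin
    over that region's nodes; fall back to any healthy edge if the region is down."""

    def __init__(self, regions):
        self.regions = {r: list(edges) for r, edges in regions.items()}
        self.healthy = {e for edges in regions.values() for e in edges}
        self._rr = {r: cycle(edges) for r, edges in self.regions.items()}

    def mark_down(self, edge):
        self.healthy.discard(edge)

    def resolve(self, client_region):
        candidates = self.regions.get(client_region, [])
        for _ in range(len(candidates)):
            edge = next(self._rr[client_region])
            if edge in self.healthy:
                return edge
        # unknown region or every local node down: any healthy edge, stable order
        for edge in sorted(self.healthy):
            return edge
        return None


if __name__ == "__main__":
    clock, origin = FakeClock(), Origin()
    dns = GeoDNS({"eu": ["lon1", "lon2"], "us": ["nyc1"]})
    edge = Edge(dns.resolve("eu"), origin, clock)
    for path in ["/logo.png", "/logo.png", "/api/me", "/api/me"]:
        resp, src = edge.handle(path)
        print(f"{edge.name} {path} -> {resp.status} from {src}")
    print("requests that reached the origin:", origin.hits)
```

The point the model makes visible is the one the post states: the origin only sees misses, so static assets cost it one fetch per edge per lifetime, while non-cacheable responses (max_age 0) go through on every request no matter how many CDN layers sit in front.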
#3
Quote: The fact you are asking tells me you don't have the network engineering experience or knowledge required to pull this off. Consider stepping back and getting some experience with networking at a global level; building a CDN is not like building some program, the key is infrastructure.

Where would I start?
#4
(12-08-2015, 01:06 PM)Syntax Wrote: The idea is 
CLOUDFLARE --> CDN --> Actual Server

Even if my website is cloudflare resolved it'll only give the IP of the CDN.
I want to build a good CDN but I have no flippin idea.
Any ideas?
It would need to filter traffic and clean it.
I also need a page to show before the actual website loads. 
Like this.....
saying "DDOS Protection by....


Example: http://digitalfort.ch

For a CDN you would typically place nodes near the region's exchange servers.
Like LINX = London, etc.
Go here https://en.wikipedia.org/wiki/List_of_In...nge_points to learn more.
Since you would be caching a lot of data, you would need some beefy servers with at least 1Gbps ports,
and unmetered bandwidth transfer, because you're going to eat a lot of it up.
So that's going to start costing you a lot right there.
If you want something like a load balancer / DDoS mitigation system like what GreySec has from Mox Security,
then you're going to need to understand what Anycast, Geocast, etc. is in order to achieve this.
It's not too difficult, but you need to know what you're doing or you can seriously fuck something up.
Also, the preload static page can be achieved by some loading ajax code,
where it pulls a local page before loading any website.
I'm currently working on this: https://moxsecurity.com

I hope I answered some of your questions.
If you need more in-depth detail about this,
you can also reply with questions.

Take care,
#5
(12-08-2015, 08:12 PM)Network Wrote:
(12-08-2015, 01:06 PM)Syntax Wrote: The idea is 
CLOUDFLARE --> CDN --> Actual Server

Even if my website is cloudflare resolved it'll only give the IP of the CDN.
I want to build a good CDN but I have no flippin idea.
Any ideas?
It would need to filter traffic and clean it.
I also need a page to show before the actual website loads. 
Like this.....
saying "DDOS Protection by....


Example: http://digitalfort.ch

For a CDN you would typically place nodes near the region's exchange servers.
Like LINX = London, etc.
Go here https://en.wikipedia.org/wiki/List_of_In...nge_points to learn more.
Since you would be caching a lot of data, you would need some beefy servers with at least 1Gbps ports,
and unmetered bandwidth transfer, because you're going to eat a lot of it up.
So that's going to start costing you a lot right there.
If you want something like a load balancer / DDoS mitigation system like what GreySec has from Mox Security,
then you're going to need to understand what Anycast, Geocast, etc. is in order to achieve this.
It's not too difficult, but you need to know what you're doing or you can seriously fuck something up.
Also, the preload static page can be achieved by some loading ajax code,
where it pulls a local page before loading any website.
I'm currently working on this: https://moxsecurity.com

I hope I answered some of your questions.
If you need more in-depth detail about this,
you can also reply with questions.

Take care,

Hey thanks for your great response. I feel like now I think I know where to start. But what's a good resource to learn from if any?
I know this is a bit too much to ask, but if you are willing to teach me I'm willing to learn. 
I'm only a front end developer so...
#6
(12-10-2015, 02:16 AM)Syntax Wrote:
(12-08-2015, 08:12 PM)Network Wrote:
(12-08-2015, 01:06 PM)Syntax Wrote: The idea is 
CLOUDFLARE --> CDN --> Actual Server

Even if my website is cloudflare resolved it'll only give the IP of the CDN.
I want to build a good CDN but I have no flippin idea.
Any ideas?
It would need to filter traffic and clean it.
I also need a page to show before the actual website loads. 
Like this.....
saying "DDOS Protection by....


Example: http://digitalfort.ch

For a CDN you would typically place nodes near the region's exchange servers.
Like LINX = London, etc.
Go here https://en.wikipedia.org/wiki/List_of_In...nge_points to learn more.
Since you would be caching a lot of data, you would need some beefy servers with at least 1Gbps ports,
and unmetered bandwidth transfer, because you're going to eat a lot of it up.
So that's going to start costing you a lot right there.
If you want something like a load balancer / DDoS mitigation system like what GreySec has from Mox Security,
then you're going to need to understand what Anycast, Geocast, etc. is in order to achieve this.
It's not too difficult, but you need to know what you're doing or you can seriously fuck something up.
Also, the preload static page can be achieved by some loading ajax code,
where it pulls a local page before loading any website.
I'm currently working on this: https://moxsecurity.com

I hope I answered some of your questions.
If you need more in-depth detail about this,
you can also reply with questions.

Take care,

Hey thanks for your great response. I feel like now I think I know where to start. But what's a good resource to learn from if any?
I know this is a bit too much to ask, but if you are willing to teach me I'm willing to learn. 
I'm only a front end developer so...

I would start by learning simpler things: try running a DNS server, an HTTP server, and maybe throw in a load balancer. Between these you'll learn a lot about how DNS works and how servers work in general. You can do all of this on your internal network with some virtual machines.
#7
If you want to build your own basic CDN I recommend reading this link. I've actually considered making my own CDN for GreySec, from which I load static content like css/js and images, with servers in Europe, Asia, North America and Africa; South American bandwidth is a bit too expensive for my taste. Although I might skip this for now; as Net mentioned, you might want to get some beefy servers, so it's going to be quite expensive.

I don't recommend relying only on Cloudflare. And it's true that Cloudflare can act as a CDN, but that's not quite what hides your IP either. It's a reverse proxy which loads the content by fetching it from your backend. Kind of like what we use at GreySec, I suppose, Moxsecurity. But what you might not know is that Cloudflare will drop your protection if the attack is too big; this is especially true when using free Cloudflare, thus exposing you. There are many reasons I don't use Cloudflare, a lot of them privacy reasons. They collect a lot of information on their visitors, which might or might not be used by their WAF. I'm not okay with trusting a US-based third party with info like that.

Besides something that dropzone mentioned, there are countless ways to bypass Cloudflare and to find the backend IP. Methods such as grabbing the IP from email headers, bruteforcing subdomain DNS (e.g. mail.site.com points to the backend) and one very effective method that I recall talking to Network about once. I don't quite recall how it works, but he's been able to find every Cloudflare site I asked him for so far; it's called A-records sniffing.

DDoS mitigation through DNS is not great because DNS was not designed for this. Check out this thread and blog post. You're better off using inline filtering at the datacenter, i.e. a DDoS-protected hosting provider, or BGP. Unless you're rich as hell you might as well forget about BGP though; Cloudflare's BGP plan costs over $5000/mo.

GreySec is using inline filtering at the datacenter, so in other words all of our servers are DDoS protected, using round robin and anycast to distribute the traffic between the frontend nodes. Currently we have 7 nodes, so it's kind of decentralized. If someone takes down one server, they have to take down 6 more. It's all about forcing your adversary to spend more money, because bandwidth and servers are expensive. This kind of makes it no longer worth the effort for our attackers, because the time and money cost is too high. We have survived all attacks so far with no real impact.

If you want to do this you can always set up your own reverse proxies, like nginx, to stand in front of your backend. In case of gaming servers you might want to look into GRE tunnels.
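The original question asks for a front layer that will "filter traffic and clean it", and the post above describes doing that with inline filtering or your own reverse proxy in front of the backend. As an added example that is not from this thread, GreySec or any product named here, the block below models the request-level part of that job: a per-source token bucket of the kind a reverse proxy applies before forwarding, run over a constructed stream containing one well-behaved client and one flooding source. The rate, burst size, IPs and timings are all made up for the demonstration; a real deployment would also have to bound the bucket table and decide what to answer on a drop (an HTTP proxy would typically return 429).

```python
"""Per-source rate limiting as an inline filter or reverse proxy would apply it.
Traffic, rates and addresses below are constructed for illustration. This only
covers request floods that reach the proxy; a volumetric flood that fills the
uplink has to be absorbed upstream, which is the point the thread makes."""
from collections import defaultdict


class TokenBucket:
    """Refills at `rate` tokens per second up to `burst`; one request costs one token."""

    def __init__(self, rate, burst, now):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = now

    def take(self, now):
        elapsed = max(0.0, now - self.last)  # tolerate out-of-order timestamps
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimitFilter:
    """Keeps one bucket per source address and records allow/drop counts."""

    def __init__(self, rate=5.0, burst=10):
        self.rate = rate
        self.burst = burst
        self.buckets = {}
        self.stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})

    def handle(self, src_ip, now):
        """Return True if the request may be forwarded to the backend."""
        bucket = self.buckets.get(src_ip)
        if bucket is None:
            bucket = self.buckets[src_ip] = TokenBucket(self.rate, self.burst, now)
        allowed = bucket.take(now)
        self.stats[src_ip]["allowed" if allowed else "dropped"] += 1
        return allowed


def constructed_traffic():
    """(timestamp, source_ip) pairs sorted by time. Constructed sample:
    203.0.113.5 sends 2 req/s for 10 s; 198.51.100.7 sends 500 requests in 1 s."""
    legit = [(i * 0.5, "203.0.113.5") for i in range(20)]
    flood = [(2.0 + i / 500, "198.51.100.7") for i in range(500)]
    return sorted(legit + flood)


def run_filter(traffic, rate=5.0, burst=10):
    """Feed the traffic through the filter; return per-source allowed/dropped counts."""
    flt = RateLimitFilter(rate, burst)
    for ts, ip in traffic:
        flt.handle(ip, ts)
    return {ip: dict(counts) for ip, counts in flt.stats.items()}


if __name__ == "__main__":
    for ip, counts in run_filter(constructed_traffic()).items():
        print(f"{ip:15} allowed={counts['allowed']:4} dropped={counts['dropped']:4}")
```

With a 5 req/s rate and a burst of 10, the legitimate client's 20 requests all pass, while the flooding source gets its initial burst plus the few tokens that refill during its one-second spike and has the rest dropped. Because the buckets are keyed per source, the flood never consumes the legitimate client's allowance, which is what separates this from a global limit that would take the site down for everyone.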
#8
(12-10-2015, 02:27 AM)Insider Wrote: If you want to build your own basic CDN I recommend reading this link. I've actually considered making my own CDN for GreySec, from which I load static content like css/js and images, with servers in Europe, Asia, North America and Africa; South American bandwidth is a bit too expensive for my taste. Although I might skip this for now; as Net mentioned, you might want to get some beefy servers, so it's going to be quite expensive.

I don't recommend relying only on Cloudflare. And it's true that Cloudflare can act as a CDN, but that's not quite what hides your IP either. It's a reverse proxy which loads the content by fetching it from your backend. Kind of like what we use at GreySec, I suppose, Moxsecurity. But what you might not know is that Cloudflare will drop your protection if the attack is too big; this is especially true when using free Cloudflare, thus exposing you. There are many reasons I don't use Cloudflare, a lot of them privacy reasons. They collect a lot of information on their visitors, which might or might not be used by their WAF. I'm not okay with trusting a US-based third party with info like that.

Besides something that dropzone mentioned, there are countless ways to bypass Cloudflare and to find the backend IP. Methods such as grabbing the IP from email headers, bruteforcing subdomain DNS (e.g. mail.site.com points to the backend) and one very effective method that I recall talking to Network about once. I don't quite recall how it works, but he's been able to find every Cloudflare site I asked him for so far; it's called A-records sniffing.

DDoS mitigation through DNS is not great because DNS was not designed for this. Check out this thread and blog post. You're better off using inline filtering at the datacenter, i.e. a DDoS-protected hosting provider, or BGP. Unless you're rich as hell you might as well forget about BGP though; Cloudflare's BGP plan costs over $5000/mo.

GreySec is using inline filtering at the datacenter, so in other words all of our servers are DDoS protected, using round robin and anycast to distribute the traffic between the frontend nodes. Currently we have 7 nodes, so it's kind of decentralized. If someone takes down one server, they have to take down 6 more. It's all about forcing your adversary to spend more money, because bandwidth and servers are expensive. This kind of makes it no longer worth the effort for our attackers, because the time and money cost is too high. We have survived all attacks so far with no real impact.

If you want to do this you can always set up your own reverse proxies, like nginx, to stand in front of your backend. In case of gaming servers you might want to look into GRE tunnels.

Thanks for this, I'll be considering all this. One of my friends mentioned Ampnodes? I also contacted several hosting companies including Digitalocean about their servers and me using their servers to filter high levels of traffic.
#9
(12-10-2015, 02:28 PM)Syntax Wrote: Thanks for this, I'll be considering all this. One of my friends mentioned Ampnodes? I also contacted several hosting companies including Digitalocean about their servers and me using their servers to filter high levels of traffic.

Never heard of Ampnodes, I'll have to look that one up. I know Digital Ocean has some basic level of protection, but I wouldn't rely on it. They can easily nullroute (block your IP) in case of an attack, or suspend your server if you get many abuse complaints. I'm not saying DO is bad, but in my opinion there are more stable alternatives. I would recommend scaleway.com, although they currently don't have a lot of servers due to many customers; to order you need an invite.

But since you're looking for DDoS protection I wouldn't recommend any of those above. Consider using any OVH or Voxility based network, or both if you want that. So check out any of these:
http://ovh.com (Requires ID/passport and bank statement/electricity bill verification to prevent fraud. If you don't want this, look for a reseller)
http://hosteasy.com (Uses Voxility. This one is my favorite; they do verifications too, but only randomly for some customers, so be prepared)
http://blazingfast.io (Uses BlazingFast combined with another third party. More privacy friendly in the sense that they don't really need verification. But they can be a hassle to deal with sometimes.)
#10
(12-10-2015, 02:59 PM)Insider Wrote:
(12-10-2015, 02:28 PM)Syntax Wrote: Thanks for this, I'll be considering all this. One of my friends mentioned Ampnodes? I also contacted several hosting companies including Digitalocean about their servers and me using their servers to filter high levels of traffic.

Never heard of Ampnodes, I'll have to look that one up. I know Digital Ocean has some basic level of protection, but I wouldn't rely on it. They can easily nullroute (block your IP) in case of an attack, or suspend your server if you get many abuse complaints. I'm not saying DO is bad, but in my opinion there are more stable alternatives. I would recommend scaleway.com, although they currently don't have a lot of servers due to many customers; to order you need an invite.

But since you're looking for DDoS protection I wouldn't recommend any of those above. Consider using any OVH or Voxility based network, or both if you want that. So check out any of these:
http://ovh.com (Requires ID/passport and bank statement/electricity bill verification to prevent fraud. If you don't want this, look for a reseller)
http://hosteasy.com (Uses Voxility. This one is my favorite; they do verifications too, but only randomly for some customers, so be prepared)
http://blazingfast.io (Uses BlazingFast combined with another third party. More privacy friendly in the sense that they don't really need verification. But they can be a hassle to deal with sometimes.)

I think I wasn't very clear with my post. My bad, I'm not looking for ddos protection, I'm looking to make ddos protection and sell it to clients.