How to config CSF firewall to stop DDOS attacks?

Dopani

I heard from a friend that if I have good CSF firewall settings in the csf config file, then I can stop or limit DDOS attacks. Is that correct?
If so, how can I configure the CSF firewall for better performance?
 

RDO Servers

Here is a tutorial on setting up CSF for DDoS protection.
http://anandarajpandey.com/2014/04/21/how-to-prevent-ddos-attack-by-csf-firewall/

However, keep in mind that most DDoS attacks come in at a rate of 10-100Gbps+.

You can have CSF set up perfectly, or even the best enterprise firewall appliance, but if the DDoS is pushing packets faster than your server uplink can handle (usually 100Mbps or 1Gbps) then you're still going offline!
 

arindamb

I heard from a friend that if I have good CSF firewall settings in the csf config file, then I can stop or limit DDOS attacks. Is that correct?
If so, how can I configure the CSF firewall for better performance?
Configure the CSF firewall with the following steps and you can limit DOS attacks on any port of your server:

Step 1. Open the CSF configuration file /etc/csf/csf.conf
Step 2. Find CT_LIMIT and change this to CT_LIMIT=50; here 50 is the max number of connections from an IP to your server.
If the server has 50 established connections from an IP, it will be blocked and considered a DDOS attack.
Step 3. Find CT_PORTS and change this to CT_PORTS=80 (for Apache) or 25 (mail server), or you can list all ports on one line in this format, i.e. CT_PORTS="80,25,110"

This option is used to specify which ports you want to protect against DOS attacks.

Hope it helps!
 

ElixantTechnology

The harsh truth is that CSF can only protect you so much in terms of a DDoS attack. If the attacker wanted to ensure that you are taken down, they would either generate an attack of such mass that CSF protection would be ineffective, or they would attack someone else on the network, or even the switch, whose IP can be found in a traceroute. The best method of DDoS protection is to select a hosting provider that offers professional mitigation procedures at the network level. I'm not saying CSF will not help, but if you feel that you are vulnerable to attacks, or know that you will be receiving such attacks as you are doing something to ensure so, I recommend a DDoS Protected provider.
 

hostslim

You can't protect against more sophisticated attacks with CSF. For that you need dedicated protection (Hardware). But you could try enabling syn_flood protection in CSF.
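
An added example, not part of any post in this thread: a small auditor for the CT_LIMIT and CT_PORTS settings from arindamb's steps and the SYN flood protection hostslim mentions (the `SYNFLOOD` key in csf.conf). The sample configuration is constructed, and the `wanted_ports` default is an assumption taken from the ports named in the thread.

```python
import re

# Constructed sample in csf.conf syntax (KEY = "value"); not from a real server.
SAMPLE_CONF = '''
# Connection tracking and SYN flood settings
CT_LIMIT = "0"
CT_PORTS = ""
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
'''

SETTING_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"')


def parse_csf_conf(text):
    """Return {KEY: value} for each KEY = "value" line; comments are skipped."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = SETTING_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def audit(settings, wanted_ports=("80", "25", "110")):
    """List gaps relative to the thread's advice; wanted_ports is an assumption."""
    findings = []
    limit = settings.get("CT_LIMIT", "")
    if not limit.isdigit() or int(limit) == 0:
        findings.append("CT_LIMIT is 0 or unset: per-IP connection limit is off")
    # An empty CT_PORTS means connections to every port are counted, so nothing is missing.
    ports = [p.strip() for p in settings.get("CT_PORTS", "").split(",") if p.strip()]
    missing = [p for p in wanted_ports if ports and p not in ports]
    if missing:
        findings.append("CT_PORTS does not cover: " + ",".join(missing))
    if settings.get("SYNFLOOD") != "1":
        findings.append("SYNFLOOD is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_csf_conf(SAMPLE_CONF)):
        print("WARN", finding)
```

To check a live server, pass the contents of /etc/csf/csf.conf to `parse_csf_conf` instead of the sample.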
 

projectpop

Software does not really help in stopping DDOS attacks; you need to find a provider that provides hardware DDOS protection.
 

bacloud

Exactly! Or use tunneling or shields from DDOS protection providers.
 

Mujkanovic

Using hardware to stop DDOS can be expensive? If not, then how much for services like that?
 

RDO Servers

DDoS protection is expensive. Period.

Hardware DDoS appliances cost $xx,xxx - $xxx,xxx. Then you still have to have enough bandwidth and throughput to handle the traffic (good and bad traffic).

Remote services are much cheaper in the short term, but they're still not cheap if you want to have an actual BGP or GRE tunnel.

Start with Cloudflare as this is the cheapest option. If you need larger scale, talk to your hosting provider to see what options they may have available.
 

jordyjl

You can use Cloudflare for protecting against DDoS attacks. Not sure if it handles all attacks, but some it does, and I use layer 7 protection on my server, which handles it.
 

hmb-robert

Nowadays many hosting companies provide DDOS prevention services as add-on services with hosting plans or VPS and dedicated servers. You can check with your hosting provider and sign up for a service to protect your server from DDOS attacks.
 

ExonHost

You can't protect your server from DDOS using CSF. CSF doesn't work for DDOS protection.
 

VirtuBox

I had a problem with DDoS a few months ago, so at first I used the firewall of my provider, to transfer bad traffic with their network, but my server wasn't up during this time.
So I bought a hardware firewall, an ASA 5505, for $19 a month. But if I'm protected from DDoS, I will have to upgrade it if I want more bandwidth or have more visitors, because with this first firewall I have 100Mbps and 10 000 connections max. It can block more traffic, but you have a slower network than before using a firewall. (I say slower; there is no difference in page loading time, but I have 100Mbps instead of 1Gbps.)
But to get more bandwidth, a Cisco ASA 5520 costs at least $500/mo...
For free you can use Cloudflare, but your website will be down in case of DDoS. And a pro account costs $20 to get access to the firewall.
 

MailEdge

Agree with all points here / DDOS is a tough battle / least expensive is to work with http://www.CloudFlare.com or there is another, https://www.incapsula.com; both have free plans, but to get DDOS protection both will require a paid plan.... InCapsula is different in the way that they do not host your DNS Zone Record / but both have solid worldwide infrastructure / we use both.

Black Lotus used to be a very popular DDoS solution provider / appears they were bought by Level 3 last year - interesting: http://blog.blacklotus.net/

Dave
 