Apache DDoS Protection in router (pfSense) [duplicate]

I'm soon going to change my infrastructure when I buy a new server. I'm going to replace my D-Link DIR-655 router with a pfSense router (and probably use the 655 as an AP) using my old server hardware (Intel Atom 330, 1 GB RAM, Intel Pro Server MT Dual Gigabit NIC). My new server will be Sandy Bridge based and run Apache+Samba.

Now, while I'm setting up this new infrastructure at home, I want to experiment with DDoS protection. I know there are some modules and stuff for Apache that let me do it, but since I will have a BSD based router, the best solution would seem to be to set something up already in the router, thus putting less strain on network hardware behind the router.

So basically with that background information I would like to ask how would I set up such a configuration and would it be the best solution?

Is it smart to set up DDoS protection in pfSense or should such a thing be handled by the webserver? One would think that it's best to drop the packages as early as possible.

Even though I probably won't be subject to a DDoS attack, it's better to be safe than sorry.

Edit: I understand that my servers probably won't be able to handle a serious DDoS attack, but by maximising the protection so that my infrastructure can handle slightly bigger attacks than without protection, I would probably be able to stop some script-kiddies with smaller "bot-nets" from bringing down the server. So what I want to do is to have as good protection as possible software wise.

Even if it's not software related, the fact that I'm only using Intel Pro Server NICs should raise my odds some, since they consume less CPU power than the average Realtek NICs you'd see in the compromised systems. I don't want someone to be able to bring down my system just because it's not properly configured. But as mentioned earlier, I will most likely never be subject to such an attack, and this is mainly because I want to experiment with my options.


Solution 1:

You don't really protect yourself from DDoS from your end. You identify traffic and coordinate with your ISP to block it before it gets in your link. If you have to block it on your side, you have already lost the battle because your tubes are already clogged (the packets must reach your FW before being dropped).

The ones that manage to stand up to DDoS that way are really big people like Amazon that have ginormous connections and an elastic cloud infrastructure to accommodate the requests (and they do so while coordinating with their various ISPs to block traffic as I said above).

Solution 2:

Neither pfSense nor Apache is really the right tool for effective DDoS mitigation. I see by your comments that you do have a big pipe. That + rate limiting is a pretty effective strategy. I suggest looking at a commercial tool like Toplayer (http://www.toplayer.com). I wish there was something in the open source arena, but right now I don't think there is anything available.
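
Added example, not part of either answer: per-source rate limiting of the kind Solution 2 mentions, written as rules for pf, the packet filter that pfSense is built on. The interface name, server address and table name are assumptions, and the rules presume port 80 is already being forwarded to the Apache host.

```pf
# Constructed example values, not taken from the question.
ext_if = "em0"            # WAN-side NIC (assumed name)
web    = "192.168.1.10"   # Apache host behind the router (assumed address)

# Sources that exceeded the limits below are collected here.
table <abusers> persist

# Drop flagged sources first; "quick" stops rule evaluation on a match.
block in quick on $ext_if from <abusers>

# Weak form: any single source may open unlimited connections.
# pass in on $ext_if proto tcp to $web port 80 flags S/SA keep state

# Limited form: at most 100 concurrent connections per source and at most
# 15 new connections per 5 seconds. A source that exceeds either limit is
# added to <abusers> and all of its existing states are flushed.
pass in on $ext_if proto tcp to $web port 80 flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <abusers> flush global)

# Table entries do not expire on their own; age them out from cron, e.g.:
#   pfctl -t abusers -T expire 3600
```

These limits count only connections that complete the TCP handshake, so they reduce load on the web server from a few noisy sources but do nothing once the uplink itself is saturated, which is the case Solution 1 describes.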