If you can provide me a better way to keep my homelab from getting DDoSed every five minutes, then by all means, please share it.
Just put it behind a WireGuard server and don’t expose any ports?
If you absolutely must expose some stuff, get a cheap $3/mo VPS that connects via WireGuard to your home and set up a reverse proxy? They almost all come with DDoS protection.
How do I stop a DDoS attack on my website without having port 80 or 443 open, so you can access the website?
Don’t expose the website. That’s the point. Only connect remotely via WireGuard.
If you must expose the website, I also provided options in my original post.
I think you misunderstood; if I run a publicly accessible website (like a Lemmy instance), those ports need to be opened.
A cheap VPS hosting https://anubis.techaro.lol/docs/admin/installation/ as a reverse proxy may work. The VPS will do the work of verifying requests and stopping bad requests from hitting the target resource. Though certainly, if the DDoS is a matter of a massive botnet raiding your domain, it may not work as well as something like Cloudflare.
Anubis does not prevent a DDoS attack and only shifts the saturation point to your VPS. Anubis is the answer for bots and AI scrapers, not DDoS.
Sure, but to someone running a website out of their house, 100,000 bots trying to hit the site at the same time to scrape it is going to have the same effect. So yes, you’re correct, Anubis has nothing to do with stopping a literal DDoS attack, but it does help smaller websites stay alive by avoiding responding to requests from scrapers or one-off malicious agents.
Yes, I’ve addressed this in my original message.
Get yourself a $3/month VPS, they almost all come with DDoS protection, and reverse proxy from there. Either restrict the ports on your home network to only that IP, or better yet tunnel all the traffic via WireGuard.
Obviously if you’re hosting a large server this is another matter, but nevertheless almost all serious hosting services offer in-house DDoS protection.
But the comment I was originally replying to specifically referred to homelabs.
What would be a good resource to, like, relearn modern networking stuff, cuz some of these solutions are totally new ideas to me? I was Cisco and A+ certified way back in 2003, but the only thing I ever really used from those classes and training since then was making cables and setting up smaller, simple networks for home or small businesses. I get the sense a fuckton has changed and this exchange made me want to brush up.
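The VPS-in-front setup recommended in this comment and a few comments up, as an added example that is not from anyone in this thread: a POSIX shell script that writes the four config files the setup involves (WireGuard on both ends, nginx on the VPS, nftables at home). Every address, port, hostname and key in it is a placeholder assumption: 203.0.113.10 for the VPS, 10.66.0.0/24 for the tunnel, the web app on home port 8080, www.example.com for the site, and `REPLACE_WITH_...` where the output of `wg genkey` / `wg pubkey` goes. nginx and nftables are likewise assumed; the thread does not name a proxy or firewall.

```sh
#!/bin/sh
# Added example (not from the thread): emit configs for "cheap VPS in front of
# a homelab over WireGuard". All values are placeholders: 203.0.113.10
# (TEST-NET-3) as the VPS, 10.66.0.0/24 as the tunnel subnet, web app on home
# port 8080, keys from `wg genkey | tee private | wg pubkey` on each side.
VPS_PUBLIC_IP=${VPS_PUBLIC_IP:-203.0.113.10}
WG_PORT=${WG_PORT:-51820}
VPS_WG_IP=10.66.0.1
HOME_WG_IP=10.66.0.2
HOME_SERVICE_PORT=${HOME_SERVICE_PORT:-8080}
SITE_NAME=${SITE_NAME:-www.example.com}
VPS_PRIVKEY=${VPS_PRIVKEY:-REPLACE_WITH_VPS_PRIVATE_KEY}
VPS_PUBKEY=${VPS_PUBKEY:-REPLACE_WITH_VPS_PUBLIC_KEY}
HOME_PRIVKEY=${HOME_PRIVKEY:-REPLACE_WITH_HOME_PRIVATE_KEY}
HOME_PUBKEY=${HOME_PUBKEY:-REPLACE_WITH_HOME_PUBLIC_KEY}

# VPS side /etc/wireguard/wg0.conf: the only listener in the whole setup.
# AllowedIPs pins the home peer to its single tunnel address.
vps_wg_conf() {
    cat <<EOF
[Interface]
Address = ${VPS_WG_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = ${VPS_PRIVKEY}

[Peer]
PublicKey = ${HOME_PUBKEY}
AllowedIPs = ${HOME_WG_IP}/32
EOF
}

# Home side /etc/wireguard/wg0.conf: no ListenPort, so the home router needs no
# port forward; the home box dials out and the keepalive holds the NAT mapping.
# AllowedIPs is only the VPS tunnel address, NOT 0.0.0.0/0, so ordinary home
# traffic is not rerouted through the VPS.
home_wg_conf() {
    cat <<EOF
[Interface]
Address = ${HOME_WG_IP}/24
PrivateKey = ${HOME_PRIVKEY}

[Peer]
PublicKey = ${VPS_PUBKEY}
Endpoint = ${VPS_PUBLIC_IP}:${WG_PORT}
AllowedIPs = ${VPS_WG_IP}/32
PersistentKeepalive = 25
EOF
}

# VPS side nginx server block: the upstream is the home box's tunnel address,
# so the home IP never appears in DNS. Add TLS here (e.g. certbot) in practice.
vps_nginx_conf() {
    cat <<EOF
server {
    listen 80;
    server_name ${SITE_NAME};
    location / {
        proxy_pass http://${HOME_WG_IP}:${HOME_SERVICE_PORT};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Home side nftables: the app answers only on wg0; the only WAN packets accepted
# are from the VPS on the WireGuard port. Add LAN management rules before deploying.
home_nft_conf() {
    cat <<EOF
table inet homelab {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ip saddr ${VPS_PUBLIC_IP} udp sport ${WG_PORT} accept
        iifname "wg0" tcp dport ${HOME_SERVICE_PORT} accept
    }
}
EOF
}

# Write all four files under a directory (default ./homelab-front) for review.
write_all() {
    dir=${1:-./homelab-front}
    mkdir -p "$dir/vps" "$dir/home"
    vps_wg_conf    > "$dir/vps/wg0.conf"
    vps_nginx_conf > "$dir/vps/${SITE_NAME}.conf"
    home_wg_conf   > "$dir/home/wg0.conf"
    home_nft_conf  > "$dir/home/nftables.conf"
    chmod 600 "$dir/vps/wg0.conf" "$dir/home/wg0.conf"
    printf 'wrote configs to %s\n' "$dir"
}

case "${1:-}" in
    write) write_all "${2:-}" ;;
esac
```

Run it as `sh front.sh write /tmp/front` and diff the output against your own files. The detail that makes the "no open ports at home" claim true is the home-side `[Peer]` block: no `ListenPort`, an `Endpoint` pointing at the VPS, and `PersistentKeepalive` so the home box keeps the NAT mapping alive from the inside. Keep the home-side `AllowedIPs` to the VPS tunnel address only; `0.0.0.0/0` would push all of the home network's traffic through the VPS.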
A fuckton is an understatement.
I found just doing it the best for me. Start with a Proxmox hypervisor on some old PC. Start running a bunch of services. Some documentation mentions “here’s how you set it up behind a reverse proxy”. “Hmm… what’s that?” is pretty much how I learned it.
Then compare with people in the homelab communities who are doing differently and find out why.
There is no point in hosting a website if it’s not accessible from the Web.
Conservatives will get really upset once they realize you are changing genders
Host your own cloud-worthy anti-DDoS solution with fail2ban /s
Honest question, why the /s?
There was a pretty bad CVE a while back I vaguely recall
The fact that a CVE was found doesn’t make it bad
In fact I’d say if it is handled well, fixed in an appropriate way & communicated correctly, having a fixed CVE should be seen as a good thing.
The alternative, lying to yourself and all your users that your code is perfectly sculpted and reviewed by each godly entity, is not the way.
https://anubis.techaro.lol/
You don’t need Cloudflare.
That doesn’t help against a SYN flood.
From what I understand elsewhere in the thread, I believe that’s just a matter of router configuration.
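The "router configuration" side of the SYN flood point, as an added example that is not from anyone in this thread: the host-level knobs on a Linux box you control (assumed: Linux with nftables on the machine that terminates TCP, whether that is your own router or the VPS in front). The numbers are illustrative starting points, not tuned values.

```sh
#!/bin/sh
# Added example (not from the thread): SYN flood hardening for a Linux host
# that terminates public TCP. Assumes Linux + nftables; numbers are starting
# points to tune, not recommendations for any particular link.

# sysctl fragment: SYN cookies let the kernel answer SYNs without keeping a
# half-open entry once the backlog is full, so spoofed SYNs cannot exhaust it.
syn_sysctl_conf() {
    cat <<EOF
# /etc/sysctl.d/90-synflood.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
# fewer SYN-ACK retransmits so half-open entries from spoofed sources age out faster
net.ipv4.tcp_synack_retries = 2
EOF
}

# nftables fragment: per-source cap on new SYNs to the public ports, dropped
# before the TCP stack sees them. Priority -10 runs ahead of the main filter
# chain; policy accept so this table only ever removes traffic.
syn_nft_rules() {
    cat <<EOF
table inet synguard {
    chain input {
        type filter hook input priority -10; policy accept;
        tcp dport { 80, 443 } tcp flags & (syn|ack) == syn meter synlimit { ip saddr limit rate over 50/second burst 20 packets } drop
    }
}
EOF
}

# Current SYN cookie state from /proc (0, 1 or 2 on Linux; "unknown" elsewhere)
# so you can confirm the sysctl actually took effect.
syncookies_state() {
    f=/proc/sys/net/ipv4/tcp_syncookies
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}
```

Apply with `syn_sysctl_conf > /etc/sysctl.d/90-synflood.conf && sysctl --system` and `syn_nft_rules | nft -f -`, then check `syncookies_state` prints `1`. The caveat that matters for the crash described earlier in the thread: these settings protect the TCP stack of the machine they run on. They do nothing when the choke point is an ISP modem's NAT table or the uplink itself, which is exactly the case the VPS or Cloudflare front is meant to absorb.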
Awesome project, but that’s just one of many features CF offers. Most people I suspect rely on tunnels more than bot protection.
CrowdSec + Pangolin maybe? I would actually like to hear people’s thoughts on this.
Is your homelab getting DDoSed constantly?
I have had it for years and never ever got DDoSed.
Are you sure it’s actually a DDoS and not just the typical bots scanning for vulnerabilities? Those are easily defended against by keeping things updated.
It’s weird, as a DDoS is not something that just happens; it’s a targeted attack. It’s a rare occurrence that someone decides to attack a homelab.
I spent multiple days getting SYN flooded to the point my router would crash and reboot over and over, and it stopped the moment I set up Cloudflare and asked my ISP to change my IP. This was the instance which pushed me over the edge, but there had been smaller attacks lasting a few minutes each for years leading up to this.
What kind of router do you have? A good router should not crash from any amount of WAN traffic. But yes, if you host anything you will get scanned even harder than usual.
A shitty ISP-supplied modem/router which I have to use :|
Maybe you can enable bridge mode on it? Then you could run something like OPNsense behind it.
It’s only got a DMZ mode where I can configure it to forward all incoming traffic to my own router running behind it, but even in that mode it still has to NAT all the packets. IPv6 traffic seems to get forwarded along without much (if any) additional processing, but for hosting stuff publicly I would obviously need to expose IPv4 as well.
Where are you? I bet there’s at least a few local ISPs that would allow you to use a user-supplied router.
There are better ISPs around, but my parents (who are the ones paying for it) don’t want to switch providers because… reasons? At any rate it isn’t happening any time soon, but once I move out I’ll finally be able to switch to Init7 and be done with it all :)