Question

Preventing DDoS attacks without Cloudflare?

Hello all!

I plan on also using Cloudflare, but it’s not difficult to resolve the internal/host IP and then attack that directly. Is there any way to protect myself as much as possible in addition to the front-end Cloudflare service?

Thanks!



Bobby Iliev
Site Moderator
November 1, 2023
Pinned Answer

Hello there,

Quick update here. I’m excited to share that DigitalOcean has introduced a new feature in response to the valuable feedback we’ve received from users like you: DigitalOcean DDoS Protection:

https://www.digitalocean.com/products/ddos-protection

Here are some key points about this new offering:

  1. Cost: DigitalOcean DDoS Protection is available at no additional cost. That’s right, it’s a free service for all users!

  2. Coverage: The protection extends to a range of DigitalOcean resources including:

    • Droplets
    • Kubernetes
    • Managed Databases
    • Load Balancers
    • Reserved IPs
  3. Protection Layers: This service provides protection primarily at the Network (layer 3) and Transport (layer 4) layers of the OSI model. Please note that Application layer (layer 7) DDoS Protection is currently not supported.

  4. Latency Concerns: One of the standout features of this service is that mitigation takes place entirely within the DigitalOcean network. This means that data traffic doesn’t leave our network for mitigation, ensuring that your applications experience no additional latency.

  5. Overall Benefit: DigitalOcean DDoS Protection is an always-on service designed to defend your DigitalOcean cloud resources against a range of generalized, network-layer DDoS attacks. This ensures that your apps and websites run smoothly, without the threat of potential disruptions from such attacks.

Best,

Bobby

Cloudflare only allows you to use custom SSL (like Let’s Encrypt) on the $200/month Business plan, or makes you pay monthly for dedicated Cloudflare certificates, when free SSL providers like Let’s Encrypt generate them for free.

Another WAF service that is free and gives Let’s Encrypt SSL is Cloudbric (WAF + SSL + CDN). From what I know it returns your original host IP, or if you change your A records, it’ll be masked by Cloudbric’s IP.

DDoS attacks aren’t always aiming to overwhelm and take your site offline but are often launched in combination with malware/trojans, so simply absorbing traffic is probably just going to give you a false sense of security. DDoS is also conducted as multi-vector attacks, meaning that while load balancing deals well with layer 3 and 4 volumetric attacks, layer 7-focused attacks, which are vastly harder to detect and consume low bandwidth, likely go undetected by a service like Cloudflare that’s more a CDN than a WAF/security service.
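Bobby's pinned answer says the platform service covers layers 3 and 4 but not layer 7, and the answer above makes the same point from the attacker's side: a layer 7 flood of expensive requests stays under any bandwidth threshold. Both come down to the same gap, which is that something on your side has to budget requests per real client at the application layer. The following Python module is an added example written for this thread; it is not code from DigitalOcean, Cloudflare or any of the answers. The endpoint costs, bucket capacity, refill rate and the request stream at the bottom are constructed assumptions to be tuned for a real site.

```python
"""Per-client, cost-weighted token-bucket limiter for the application layer.

Added example for this thread, not code from DigitalOcean, Cloudflare or any
answer above. The request stream at the bottom is constructed, and the
capacity/refill/cost numbers are illustrative assumptions you must tune.
"""
import time
from collections import defaultdict

# Assumed per-path cost: endpoints that are expensive for the backend burn more
# of a client's budget, so a low-bandwidth flood of them is caught early.
ENDPOINT_COST = {"/search": 5, "/login": 3}
DEFAULT_COST = 1


class TokenBucket:
    """Classic token bucket: `capacity` tokens of burst, refilled at `refill_per_sec`."""

    def __init__(self, capacity: float, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.tokens = capacity
        self.last = now

    def allow(self, now: float, cost: float) -> bool:
        # Refill proportionally to elapsed time, never above capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class L7Limiter:
    """One bucket per client key (the real client IP, not the edge proxy's IP)."""

    def __init__(self, capacity: float = 20, refill_per_sec: float = 2.0, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock
        self.buckets = {}

    def check(self, client: str, path: str, now=None) -> bool:
        """Return True if the request should be served, False if it should get a 429."""
        if now is None:
            now = self.clock()
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.capacity, self.refill, now)
        return bucket.allow(now, ENDPOINT_COST.get(path, DEFAULT_COST))


def replay(requests, limiter: L7Limiter) -> dict:
    """Run (timestamp, client, path) tuples through the limiter; tally per client."""
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, client, path in requests:
        key = "allowed" if limiter.check(client, path, now=ts) else "blocked"
        stats[client][key] += 1
    return dict(stats)


# Constructed sample traffic (not captured from a real site): one client hits the
# expensive /search endpoint 50 times in 50 ms, far below any bandwidth threshold,
# while a normal visitor loads five pages over five seconds.
SAMPLE_REQUESTS = (
    [(i * 0.001, "198.51.100.23", "/search") for i in range(50)]
    + [(0.5 + i, "203.0.113.9", "/") for i in range(5)]
)


def run_sample() -> dict:
    """Replay the constructed stream: the flooder gets 4 requests through, the visitor all 5."""
    return replay(SAMPLE_REQUESTS, L7Limiter(capacity=20, refill_per_sec=2.0))


if __name__ == "__main__":
    for client, s in run_sample().items():
        print(client, s)
```

Key the buckets on the client address the edge reports (for Cloudflare that is the CF-Connecting-IP header), not on the TCP peer, or every visitor behind the proxy shares one bucket and the first flood locks everyone out. The same structure works per account or per API token for authenticated endpoints.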

@Icarus1

When it comes to DDoS, load balancing would be the best means to potentially mitigate or absorb the attack by distributing traffic over numerous servers (on your end, beyond CF). With a load-balanced setup, the worst case would be that the IP of the LB is exposed, as internally the LB should be routing traffic over private-network IPs that aren’t public, thus reducing exposure.

The public IPs of the endpoints would then be access-limited to only specific IPs or IP ranges.

Much of what goes in to preventing a DDoS attack depends on you and how you have things setup as much as it does who you’re working with in an effort to prevent and mitigate the attack.

Cloudflare provides a much-needed service, though it’s not an all-in-one solution. You can sign up for Cloudflare and run a poorly configured stack, and downtime can still result within seconds of an attack beginning. Cloudflare isn’t a magical mask by far, but it can be helpful.

That being said, I’m sure you’ve heard the saying “give someone an inch and they’ll take a mile” – it applies to DDoS. Give someone the means to launch a successful attack on you at any given moment and they will. Whether it succeeds depends on how prepared you are for it. I’ve seen many providers and servers handle decent-sized, various-vector attacks with ease, while others suffer.

Attacks could come in various forms – NTP, UDP, DNS, TCP SYN+FIN+ACK, HTTP GET, etc. – and it’s hard to prevent every single possible scenario, or predict which one someone is going to target. This falls back to where Cloudflare can help, but it may not be able to prevent the entire effect.

As @hansen said, and it’s very true, you will always have some attack surface if you have something on the internet.
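The advice above, keep the LB-to-backend hop on the private network and limit the public endpoints to specific IP ranges, is the part that actually answers the original question about attackers finding the origin IP: if the origin only accepts web traffic from the edge, knowing its address gains little. The Python module below is an added example written for this thread, not code from DigitalOcean, Cloudflare or any of the answers. It does two things a practitioner needs together: it decides whether a connection's TCP peer is an allowed edge or private range, and it only believes the proxy-supplied client-IP header when that peer is trusted, since anyone hitting the origin directly could forge the header and dodge per-client limits. It also renders an nftables snippet from the same list so the host firewall and the application agree. The CIDRs are RFC 5737/3849 documentation prefixes standing in for a provider's real ranges, and the header name is an assumption (it matches what Cloudflare sets); in production, pull the provider's current published list and refresh it on a schedule.

```python
"""Lock the origin down to the edge that fronts it.

Added example for this thread, not code from DigitalOcean, Cloudflare or any
answer above. The CIDR lists are constructed placeholders (RFC 5737/3849
documentation ranges), not a provider's real published ranges; in production
pull the provider's current list and refresh it on a schedule.
"""
import ipaddress
from typing import Dict, Iterable, Optional

# Assumed: ranges the edge proxy / CDN uses to reach your origin.
SAMPLE_EDGE_RANGES = ["203.0.113.0/24", "198.51.100.0/24", "2001:db8:1::/48"]
# Assumed: your private-network load balancer / health checker.
SAMPLE_PRIVATE_RANGES = ["10.0.0.0/8"]
# Assumed header the edge sets with the real client address.
CLIENT_IP_HEADER = "CF-Connecting-IP"


def build_allowlist(cidrs: Iterable[str]) -> list:
    """Parse once; strict=True rejects host bits set (e.g. 10.1.2.3/8) so typos fail loudly."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_trusted_peer(peer_ip: str, allow: list) -> bool:
    """True if the TCP peer (the socket's remote address, never a header) is allowlisted."""
    try:
        ip = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(ip in net for net in allow)


def real_client_ip(peer_ip: str, headers: Dict[str, str], allow: list) -> Optional[str]:
    """Address to log and rate-limit on, or None if the connection must be refused.

    The proxy-set header is only believed when the peer is a trusted edge; anyone
    hitting the origin IP directly could otherwise forge it and evade per-client limits.
    """
    if not is_trusted_peer(peer_ip, allow):
        return None
    raw = headers.get(CLIENT_IP_HEADER)
    if raw is None:
        # Trusted hop but no header (e.g. an internal health check): use the peer itself.
        return peer_ip
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None  # malformed header from a trusted hop: fail closed


def render_nft_rules(allow: list, ports=(80, 443)) -> str:
    """Render an nftables table that drops web traffic unless it comes from the allowlist.

    Returned as text so it can be reviewed, then applied with `nft -f`. The chain's
    policy stays `accept` so it only guards the listed ports and composes with an
    existing host firewall (it does nothing for SSH or other services).
    """
    v4 = [str(n) for n in allow if n.version == 4]
    v6 = [str(n) for n in allow if n.version == 6]
    dports = ", ".join(str(p) for p in ports)
    out = ["table inet origin_guard {"]
    if v4:
        out.append("  set edge_v4 { type ipv4_addr; flags interval; elements = { %s } }" % ", ".join(v4))
    if v6:
        out.append("  set edge_v6 { type ipv6_addr; flags interval; elements = { %s } }" % ", ".join(v6))
    out += ["  chain input {", "    type filter hook input priority 0; policy accept;"]
    if v4:
        out.append("    tcp dport { %s } ip saddr @edge_v4 accept" % dports)
    if v6:
        out.append("    tcp dport { %s } ip6 saddr @edge_v6 accept" % dports)
    out += ["    tcp dport { %s } drop" % dports, "  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    allow = build_allowlist(SAMPLE_EDGE_RANGES + SAMPLE_PRIVATE_RANGES)
    print(real_client_ip("203.0.113.7", {CLIENT_IP_HEADER: "192.0.2.44"}, allow))  # 192.0.2.44
    print(real_client_ip("192.0.2.44", {CLIENT_IP_HEADER: "203.0.113.7"}, allow))  # None: direct hit
    print(render_nft_rules(allow))
```

Two caveats a practitioner should keep in mind. First, this only works if the origin never answers on its public IP for anything but the edge, so check it from outside with `curl --resolve` against the raw address after applying the rules. Second, the allowlist is only as good as its freshness: edge providers add and retire ranges, so regenerate the nftables set from the provider's published list on a timer rather than pasting it once.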
