Bitcoin Forum
Author Topic: How to do in-house DDoS protection?  (Read 1232 times)
theymos (OP)
Administrator
September 19, 2014, 03:18:04 AM
 #1

Bitcoin.org and bitcointalk.org have recently experienced DDoS attacks, which are very annoying. I've long been uncertain about how these attacks should best be prevented. I really don't want to use CloudFlare because their man-in-the-middle position plus their ability to act almost like a CA makes MITM attacks extremely easy for them, even if you use their new feature where you don't have to give them your HTTPS private key. I don't trust them. I also don't want to use other DoS mitigation companies unless there's absolutely no other choice because a lot of them look pretty unreliable, and I prefer to minimize trust wherever possible.

Ideally, I'd like to protect the forum by buying the necessary hardware and Internet connections myself, but I'm not too familiar with how the Internet works at a hardware level. Does anyone know what I would need to do to prevent large (>10 Gbps) DDoS attacks? All past attacks against the forum have been UDP or SYN floods which just overwhelm the Ethernet adapter. Would buying more, higher-capacity Ethernet adapters be enough, or would I also need hardware firewalls, upgraded upstream routers, more servers, etc.?

nakazznicek
September 19, 2014, 07:28:07 AM
 #2

Basically, from what I know, if your bandwidth is bigger than the DoS bandwidth, the forum should be fine, depending on how big an attack happens (100+ GBps happens now). But relying only on that is not enough in my opinion.

Also, there are many companies providing DoS protection (Verisign, defense.net, Prolexic, Akamai) which should have enough capabilities/trust to be used as the last option.
I would recommend reading http://www.itbusinessedge.com/slideshows/show.aspx?c=96534&slide=7 as an entry point on this problem, and then you'll have to look for a solution that would fit best here.
Unfortunately this is solely my opinion, and I am not a network expert, so I hope someone with more experience than me will also contribute.

leannemckim46
September 20, 2014, 04:41:54 AM
 #3

Is this why the forum was unavailable for ~30 minutes yesterday?

EDIT: Could you get around having to trust CloudFlare by designating a PGP key for the "forum" and then having a random thread PGP signed by the forum? This would ensure that the specific post that was PGP signed was not edited by someone executing a MITM attack (or you could do the same with every post, but I think this might be excessive).

You could do the same with PMs. All PMs could be PGP signed with a forum key so you would know that the text in the PM was transmitted from the forum and not CloudFlare.

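Added example (not part of the thread or the forum's software): the signed-post idea from reply #3, sketched with Ed25519 detached signatures from Node's built-in `crypto` module standing in for PGP. The field names, the canonical encoding and the sample post are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Forum key pair (generated here for the demo). The private key stays on the
// origin; readers need the public key from a channel the proxy cannot alter.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Assumed canonical encoding: fixed field order, each value length-prefixed so
// bytes cannot be moved between fields without changing what was signed.
function canonicalize(post) {
  const fields = [String(post.id), post.author, post.postedAt, post.body];
  return Buffer.concat(fields.map((f) => {
    const bytes = Buffer.from(f, 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(bytes.length);
    return Buffer.concat([len, bytes]);
  }));
}

// Origin side: attach a detached signature to the post.
function signPost(post, key) {
  const sig = crypto.sign(null, canonicalize(post), key);
  return { ...post, sig: sig.toString('base64') };
}

// Reader side: rebuild the canonical bytes and check the signature.
function verifyPost(signed, pubKey) {
  if (typeof signed.sig !== 'string') return false; // signature stripped
  const { sig, ...post } = signed;
  try {
    return crypto.verify(null, canonicalize(post), pubKey, Buffer.from(sig, 'base64'));
  } catch {
    return false; // missing or malformed fields
  }
}

// Constructed sample post, not taken from the forum.
const original = signPost({
  id: 1, author: 'alice', postedAt: '2014-09-20T04:41:54Z',
  body: 'Official donation address: EXAMPLE-ADDR-1',
}, privateKey);

// Changes an intermediary could make to the page in transit.
const edited = { ...original, body: 'Official donation address: EXAMPLE-ADDR-2' };
const { sig: _dropped, ...stripped } = original;
const shifted = { ...original, author: 'alic', postedAt: 'e2014-09-20T04:41:54Z' };

for (const [name, p] of Object.entries({ original, edited, stripped, shifted })) {
  console.log(name, verifyPost(p, publicKey));
}
```

Verification only helps if both the public key and the verifying code reach the reader by a path the proxy does not control; a script served through the proxy can be altered along with the post.
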
Singlebyte
September 20, 2014, 05:06:05 AM
 #4

I think what you are looking for is a DDOS Appliance. Basically you put these upstream at the ISP. They usually have enough bandwidth (at least more than you ;) ) to thwart the attacks. The appliances are very pricey.

Here is info on one DDOS hardware provider:
http://www.fortinet.com/products/fortiddos/


I think you will need to talk to a sales rep for your specific needs and budget.

deuscoin
September 20, 2014, 09:14:09 PM
 #5

I'll tell you what I know about this, but I'd investigate it further as I'm more of a software developer than a hardware security guy. Get a nice fiber optic connection to your datacenter and create some kind of relay station in it. You should have your DNS point to various IPs that host the website. (I think) Make the system check which IP has the lowest load and send people to that IP. In order to mitigate a DNS DDoS, create lots of DNS entries with your domain registrar so that various DNS servers answer the call. That's the reason you have backup DNS name servers in the first place. The registrar tells ICANN what your name servers are and ICANN always can (haha) stay up.

As long as you do all of that, you should be able to mitigate a DDoS attack.
247crypto
September 20, 2014, 09:19:36 PM
Last edit: September 20, 2014, 10:26:09 PM by 247crypto
 #6

See what this site does against DDoS attacks: http://rusvesna.su/

Not "in-house" solution:
http://www.neustar.biz/services/ddos-protection

mckim0012
September 20, 2014, 09:43:05 PM
 #7

I know some big forums using blacklotus.net as their ddos protection.
vm1990
September 20, 2014, 10:16:37 PM
 #8

The way I'd do it is rent or buy a couple of high-bandwidth servers cheap (you just need the bandwidth more than anything) and place them so they handle all the requests to the website. DDoS is basically a bitch-slapping contest with bandwidth. You stick a couple of unmetered VPS servers in the way, then you're spreading the load across more servers. Keep all the data on a master server running behind the VPS servers to keep it secure, and find a good program to wean out the attack connections. But that's just me :) and I like a challenge.

Most in-house DDoS protections spread the load across multiple servers like I said; they then wean out most of the attacks.
Another way is to have clones of the server on other servers linking all the data back to the master server, again spreading the load.

Both ways are similar and both prove to be very effective most of the time.

I'm not great at DDoS but it's what I know.
