It’s a very strange use but sometimes, it can save time and money.
The big picture about the attack
You’ve few dedicated servers (not OVH) and you’ve DDOS attacks.
Firstly, you call your provider and pay for anti-DDOS protection but it’s inaccurate.
What can you do?
OVH to clean ingress
It’s extraordinary, but OVH has 2 anti-DDOS technologies that work very well: Arbor Networks & Tilera.
This combo is the most powerful to kill DDOS.
What can we do?
It’s a strange but working solution :
- We move all DNS entries (toto.domain.tld) to OVH IP
- Iptables will route input traffic to your dedicated server (not OVH)
- the client receives a reply directly from the dedicated server (not OVH)
Action!
We need to activate IP Forwarding
Sysctl
sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4_forward=1" > /etc/sysctl.d/forwarding.conf
Output
Now, it’s time to do MASQUERADING for output traffic
iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
Input
It’s where we do magic
iptables -t nat -A PREROUTING -d IP_OVH -j DNAT --to-destination IP_NOT_OVH
Persistent
We need that iptables rules to survive after a reboot
apt-get install iptables-persistent -y
Conclusion
It’s not a magic solution but can help in some way. In addition, don’t forget to harden your kernel and other configurations to survive.
You can be interested by : Migration to nftables : from ipset and bogons