It’s a very strange use but sometimes, it can save time and money.
Big picture about the attack
You’ve few dedicated servers (not OVH) and you’ve DDOS attacks.
Firstly, you call your provider and pay for anti-DDOS protection but it’s not accurate.
What can you do?
OVH to clean ingress
It’s very strange but OVH is the company with 2 anti-DDOS technologies that work very well: Arbor Networks & Tilera. This combo is the most powerful to kill DDOS.
What can we do?
It’s a strange but working solution :
- We move all DNS entry (toto.domain.tld) to OVH IP
- Iptables’ll route input traffic to your dedicated server (not OVH)
- client receives reply directly by the dedicated server (not OVH)
We need to activate IP Forwarding
sysctl -w net.ipv4.ip_forward=1 echo "net.ipv4_forward=1" > /etc/sysctl.d/forwarding.conf
Now, it’s time to do MASQUERADING for output traffic
iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
It’s where we do magic
iptables -t nat -A PREROUTING -d IP_OVH -j DNAT --to-destination IP_NOT_OVH
We need that iptables rules to survive after a reboot
apt-get install iptables-persistent -y
It’s not a magic solution but can help in some way. In addition, don’t forget to harden your kernel and other configuration to survive.
You can be interested by : Migration to nftables : from ipset and bogons