With the rise of specialised anti-DDoS solutions, it is possible to make your MTA server almost immune to DDoS attacks, provided you know how to isolate your other services & ports properly so that the specialised DDoS protection can absorb everything. For example, the market-leading soyoustart and OVH GAME anti-DDoS provides 100% protection with MTA natively supported through their protection layer (if you enable it for your specific MTA server UDP ports in their hosting control panel), so that you can't be DDoSed if the following circumstances are met:

* There is no attack method that your hoster, e.g. OVH, still needs to patch (they surface every now and then, it's a cat and mouse game)
* You managed to isolate other services and ports; this requires a serious extent of skill and understanding of networking (like being a sysop or having studied for it)

As one of the isolation steps, securing your HTTP resource download interface can be important. This guide is for that particular thing. If you use the internal HTTP server in MTA server, you aren't protected at all (except for maybe your hoster's general traffic firewall). If an attacker can't deal serious damage by sending DDoS to your UDP ports, they will usually carry out TCP attacks next. More details on isolating other services & ports may follow in the future in the reserved posts to this topic.

Let's get to the point:

Basic tutorial for setting up Cloudflare for HTTP server in MTA

1. Add your domain to CloudFlare, using it as your DNS provider. It will tell you what nameservers to assign to your domain.
2. Under the DNS tab create an A record for either your subdomain or the domain itself that should point to your Nginx. In here add the IP address of the Nginx server. (NOTE: You should use the standard HTTP port in your Nginx config and use that subdomain as your server_name.) Make sure to tick the proxy status to on so that the request is proxied.
3. In your mtaserver.conf set httpdownloadurl to whichever (sub)domain you assigned for the downloads.

You can then further modify your CloudFlare settings to have HTTPS, a firewall setup etc. But that's a lot more specific than what you may go with initially. Under "Caching", then "Configuration", you can set up how the caching itself should work.

Extra info (to help you understand the logic of this infrastructure):

- For using CloudFlare in this way, you need just a domain, no webhost (other than the Nginx external HTTP server itself). You need to be able to point the nameservers to Cloudflare. You will have to modify the DNS records at Cloudflare and point them to your Nginx external HTTP server, since you can't just upload that data to Cloudflare and have them handle it that way. The subdomain is essentially just used for Cloudflare to proxy requests through: when it has that data cached it will serve it itself, if not it will go further to your Nginx server to fetch it, then caches it.
- It is recommended to use a separate machine (VPS/dedicated server) to host your external HTTP server, which Cloudflare in turn connects to. Why? Because it helps you to isolate from DDoS attacks, for reasons like these:
  * Keeping your real host IP hidden is crucial to benefit from the added protection of Cloudflare. If you use a host on the same machine as your MTA server, it's easy to leak the IP, rendering your CloudFlare useless should they attack it directly rather than where it gets served from (Cloudflare hosts).
  * If an attack hits your HTTP server after all, the load won't get forwarded to your main MTA server machine and immediately freeze its CPU with 100% usage / disconnect all players.
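As an added example (not part of the original post, and not an official MTA or Cloudflare config), here is an origin Nginx server block for the setup above: standard port 80, the proxied subdomain as server_name, only the proxy allowed to reach the origin, and direct-to-IP requests dropped so the origin gives nothing away. The paths, the subdomain dl.example.com and the 192.0.2.0/24 range are assumptions; replace the range with every range on Cloudflare's published list.

```nginx
# Added example (not the original post's config): origin Nginx that serves MTA
# resource downloads behind Cloudflare. Assumed names: files copied from the
# MTA server's mods/deathmatch/resource-cache/http-client-files to
# /var/www/mta-http, proxied subdomain dl.example.com. 192.0.2.0/24 is a
# PLACEHOLDER for the current published Cloudflare ranges
# (https://www.cloudflare.com/ips/); list every range given there.

# Log the real client address Cloudflare passes on, without rewriting
# $remote_addr, so the allow/deny rules below still see Cloudflare's IPs.
log_format cf '$remote_addr via CF client=$http_cf_connecting_ip '
              '"$request" $status $body_bytes_sent';

# Catch-all: a request that reaches the IP directly with a wrong or missing
# Host header is dropped without a response.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;                       # standard HTTP port, as the guide notes
    server_name dl.example.com;      # must match the proxied A record
    root /var/www/mta-http;
    access_log /var/log/nginx/mta-http.log cf;

    # Only the proxy may talk to the origin; everything else is refused.
    allow 192.0.2.0/24;              # PLACEHOLDER: Cloudflare range(s)
    deny all;

    location / {
        # Resource downloads are static and read-only.
        limit_except GET HEAD { deny all; }
        autoindex off;
        try_files $uri =404;
        # Let Cloudflare cache for a day; purge the cache when resources change.
        add_header Cache-Control "public, max-age=86400";
    }
}
```

Check the allow list against Cloudflare's page whenever you update the box, since a stale list silently blocks the proxy and shows up as 403s in the log above.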