Our ns1.grapheneos.org DNS server was targeted by a DoS attack yesterday. They didn't target the DNS service but rather... SSH. That's a new one.
Can see the traffic spike but it was hardly anything compared to the usual attacks. Still, SSH buckled.
nodeping.com/reports/status
If you need SSH to remain accessible under this kind of idiocy, putting it behind a WireGuard tunnel or cryptographic port knocking (the former is really an overengineered but readily available stand-in for the latter, in this usage) might work well.
We'll probably have to do something with stateless netfilter. I don't want to have conntrack enabled because it will actually help attackers with DoS.
PowerDNS UDP service and nginx hold up really well under DoS attacks. I'm sure PowerDNS TCP is very easy to overload though.
I think it's a sign they're going to start trying to regularly block SSH access with DoS attacks. It really annoys me.
OVH IPv4 DDoS mitigation helps a lot but doesn't offer much for something like this where it's barely any traffic and could just be done via IPv6 or within OVH.
Seriously try the WireGuard thing with sshd listening only on that interface. WireGuard takes care of the statefulness with really low overhead.
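As an added example (not posted by anyone in this thread), this is the stateless nftables ruleset the last two replies point at: sshd is reachable only across the WireGuard tunnel, and because no rule references ct state, nftables has no reason to pull conntrack in. The interface name wg0, the WireGuard UDP port 51820 and the tunnel address 10.100.0.1 are assumed values.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed: tunnel interface wg0,
# WireGuard listening on UDP 51820, sshd bound to the tunnel address.
# No "ct" expression appears anywhere, so packets are judged purely on
# their own headers and no connection-tracking table is kept.

table inet ssh_guard
flush table inet ssh_guard

table inet ssh_guard {
    chain input {
        type filter hook input priority 0; policy accept;

        # WireGuard itself: plain UDP, authenticated by its own handshake,
        # so unauthenticated packets cost the kernel one signature check
        # and no state.
        udp dport 51820 accept

        # SSH is allowed only when it arrived over the tunnel.
        iifname "wg0" tcp dport 22 accept

        # Every other SSH packet (SYN, ACK, RST, whatever) is dropped in
        # the input hook before sshd or any state machine sees it.
        # Previously (the weak setting): no rule here, so the public
        # interface delivered all of it to sshd.
        tcp dport 22 drop
    }
}
```

The inet family matches IPv4 and IPv6 alike, so the drop also covers the IPv6 and intra-provider paths that upstream DDoS mitigation does not. Pair it with `ListenAddress 10.100.0.1` in sshd_config so sshd binds only the tunnel address rather than relying on the firewall alone.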