Conversation

Replying to
If you need SSH to remain accessible under this kind of idiocy, putting it behind a WireGuard tunnel or cryptographic port knocking (the former is really an overengineered but readily available stand-in for the latter, in this usage) might work well.
Replying to
We'll probably have to do something with stateless netfilter. I don't want to have conntrack enabled because it will actually help attackers with DoS. PowerDNS UDP service and nginx hold up really well under DoS attacks. I'm sure PowerDNS TCP is very easy to overload though.
Replying to and
I think it's a sign they're going to start trying to regularly block SSH access with DoS attacks. It really annoys me. OVH IPv4 DDoS mitigation helps a lot but doesn't offer much for something like this where it's barely any traffic and could just be done via IPv6 or within OVH.