DDoS Protection With IPtables (opens in new tab)

I think you overestimate what iptables can do and for what they are used today. Most of the DDoS filtering is done using XDP, BPF, not iptables. Articles you linked contradict your thesis. In first article they write there about iptables but they use XDP most of the time because it's a better/more efficient solution. In second article they are using iptables for routing, not preventing DDoS.

Cloudflare also used to use Apache mod_security.

"Cloudflare WAF supports the OWASP ModSecurity Core Rule Set by default" https://www.cloudflare.com/waf/

Bigger tubes is 99.9% of CloudFlare, that's why you can't build a competing business.

> Iptables definetly can help with real ddos attacks.

Maybe we have different definitions of real DDoS attacks. What you mean is probably DoS attack, not DDoS (distributed).

If you have 1 gigabit pipe I can DoS (from one machine) you with 10 gigabit machine with ease and iptables will not help you at all.

OVH servers include a pretty efficient DDoS protection. It was the only option for hosting my online game servers that didn't cost tens of thousands.

Akamai has Prolexic...it is what kept GitHub up.

Not free (actually, quite expensive imo), but one of my clients used Qrator. Don't know if it is any better or worse than CF.

If you run your own BGP routers you can use Voxility, Incapsula or a number of similar services.

Any of the CDN providers (eg Akamai) offer this. Cloud providers as well

There are many others for example Imperva, Akamai and Verisign.

It is not useful for small time attackers - small time attackers/children/etc just use booters which at least usually output double digit gbps, often spoofed, costs a cent or pay in runescape gold or other bullshit like that. Your upstream will need to mitigate this. No small scale attacker will be launching their own attacks (from their own machines), unless they were seriously incompetent but also think they're some form of power user, which doesn't really happen...

It is not useful for straight HTML - volumetric DDoS will take it out (not l7), it's not even going to make it to your machine. It does not mitigate well against any real major l7 flood either, just by virtue of "your pipe is smaller". A formal l7 attack would at least do basic recon to find a high resource consumption page (like search.php?q=%20 or something)

I guess this would come in maybe slightly useful with someone running ab or jmeter from a single machine toward you? But I don't know a single instance of that happening in the last decade..

"Small time attackers" are doing __distributed__ denial of service? I guess if they do not have enough bandwidth but has enough req/s, you can protect yourself something like the article suggests. In my dictionary DDOS is when they are jamming the pipes.

only for DoS, not DDoS. i.e. if you omit the distributed from Denial of Service, then iptables will work. Not so when the attack exhausts either your bandwidth or your stack's filtering capabilities. it's easy to rent GBits of distributed attack bandwidth.

Most modern Unixes have syn cookies. You do not necessarily need anything else.

While you can't block volumetric attacks on the server, this is something a hosting provider can help you with. Some have automatic volumetric DDoS detection and protection, like OVH, and some might be able to ask upstreams, internet exchanges to completely block all UDP traffic for certain subnets or even setup completely custom firewall rules, effectively preventing volumetric attacks from filling links within their global networks and of course from reaching your server. But you are still left with non-volumetric attacks that you need to use a firewall for, maybe even with some scripting to gather statistics and whitelist known good IPs and IP subnets in case of an attack. Maybe with mitigations on, for example, frontend web servers to avoid overloading much slower backends, databases, etc.

Also, even if the attack is small enough to block using iptables, you still have to have someone on call 24x7, and then spend time to figure out which ports/ips need blocked. If you use OVH or similar provider that has built-in DDoS protection, the mitigation will all happen automatically.

That's of course true, but bandwidth is usually not the problem with eg. SYN attacks.

Iptables is there to ensure you can handle as many packets as possible per second, not bandwidth.

iptables to defend against an attack will not accomplish much in 2019. It's pretty much futile to even try.

Same for ipv4.