How to config CSF firewall to stop DDOS attacks?

[Dopani]

I heard from a friend that if I have a good CSF firewall settings on csf config file then I can stop or limit DDOS attacks, is it exact?
If so, how can I config CSF firewall for better performance?

 

[RDO Servers]

Here is a tutorial on setting up CSF for DDoS protection.
[URLnofo]http://anandarajpandey.com/2014/04/21/how-to-prevent-ddos-attack-by-csf-firewall/[/URLnofo]

However, keep in mind that most DDoS attacks come in at a rate of 10-100Gbps+

You can have CSF setup perfectly, or even the best enterprise firewall appliance, but if the DDoS is pushing packets faster then your server uplink can handle (usually 100Mbps or 1Gbps) then your still going offline!

 

[arindamb]

I heard from a friend that if I have a good CSF firewall settings on csf config file then I can stop or limit DDOS attacks, is it exact?
If so, how can I config CSF firewall for better performance?

Config CSF firewall as following steps, you can limit DOS attacks to any ports on your server:

Step 1. Open the CSF configuration file /etc/csf/csf.conf
Step 2. Find CT_LIMIT and change this to CT_LIMIT=50, here 50 is the max number of connections from an IP to your server.
If the server has 50 established connection from a IP, it will be blocked and considered as a DDOS attack.
Step 3. Find CT_PORTS and change this to CT_LIMIT=80 (for Apache) or 25 (mail server) or you can use all ports in a line by this format, i.e... CT_PORTS="80,25,110"

This option is used to specify which post you want to prevent DOS attack.

Hope it helps!

 

[ElixantTechnology]

The harsh truth is that CSF can only protect you so much in terms of a DDoS attack, if the attacker wanted to ensure that you are taken down they would either generate an attack of such mass that CSF protection would be ineffective, or they would attack someone else on the network, or even the switch which IP can be found in a traceroute. The best method of DDoS protection is to select a hosting provider that offers professional mitigation procedures at the network level. I'm not saying CSF will not help, but if you feel that you are vulnerable to attacks or know that you will be receiving such attacks as you are doing something to ensure so, I recommend a DDoS Protected provider.

 

[hostslim]

You can't protect against more sophisticated attacks with CSF. For that you need dedicated protection (Hardware). But you could try enabling syn_flood protection in CSF.

 

[projectpop]

Software does not really help in stopping DDOS attacks, you need to find a provider that provides hardware DDOS protection.

 

[bacloud]

bacloud

Exactly! Or use tunneling from, shields from DDOS protection providers.

 

[jordyjl]

You can use cloudflare for protecting DDoS attacks. Not sure if its handle all attacks but some they do, and i use at my server layer 7 protection witch handle it.

 

[hmb-robert]

Now a days many hosting companies provide DDOS prevention services as addon services with hosting plans or VPS and Dedicated servers. You can check with your hosting provider and signup for service to prevent your server from DDOS attacks.

 

[ExonHost]

You can't protect your server from DDOS using CSF. CSF doesn't working for DDOS protection.