Cheap DDoS Protection for your home network
If you found this blog post, you are probably interested in running some servers on your own home network.
It is a lot of fun to run your own servers to offer services, host your own website, or just to learn. Maybe you want to run your own game server, such as a Minecraft server.
But there is always a risk. Bad things happen, such as someone wanting to take down your website to mess with you, or attacking your game server because you threw them out. When you run a server on your own network, you need to open ports on your network, which are small holes that allow network traffic between your server and other people. Without this hole, people outside your own home network will not be able to access your website or connect to your game server.
You must also hand out your IP address, which is your “address” on the Internet. This can change as often as once a day, or be permanent and stay yours for several years. If you only use the internet to surf websites, watch Netflix and play video games, it matters little if your IP address changes often, but when running a server it is best to have a static IP address that does not change. This is because if your IP address changes, people on the internet will no longer know how to connect to your server.
There are many solutions to the problem of temporary IP addresses, such as contacting your ISP or using a service like freedns.afraid.org. This blog post will not go into detail on how to get around temporary IP addresses, but on how to protect your home network when running your own servers.
To protect your IP address on the Internet, you can use a service such as CloudFlare, which hides your IP address and protects you from attacks, but it is most suitable for protecting websites, and not other services such as game servers. The great thing about CloudFlare is that it is a free service that gives you access to systems only giant companies can afford.
This blog post will be about setting up your own DDoS protection using a VPS (Virtual Private Server) from a company that has DDoS protection, such as DigitalOcean or OVH. There are many companies that offer cheap VPSs, and DigitalOcean will be used in this blog post. You can get $100 for free for 60 days from DigitalOcean here: https://try.digitalocean.com/performance/.
The DDoS protection set up in this blog post works by sending all traffic between your home network and users through the VPS, and relying on the DDoS protection that comes with the VPS. This will be done with two tools: Linux Screen and socat: Linux / UNIX TCP Port Forwarder.
More information about these programs can be found here:
Linux Screen (linuxize.com)
socat: Linux / UNIX TCP Port Forwarder (cyberciti.biz)
Start by creating a new virtual machine. This machine must be running Ubuntu Server. In this blog post, Ubuntu Server 18.04 (LTS) will be used, but the process is the same on Ubuntu Server 20.04 (LTS). Since I only have a small web server on my home network, I keep the cheapest VPS available. This costs as little as $5 per month, but the price may vary from vendor to vendor. This VPS has 1GB of memory and 1 CPU thread, which is more than enough for my website, but this can be increased in the future if the website becomes more popular. There is also a 1000GB limit on transferred traffic per month, but for most people this is more than enough.
At DigitalOcean you can choose the location of the VPS. Since my website is based in Europe, a server nearby will be selected, but this can be chosen freely. Furthermore, you must create an SSH key pair or a password for the VPS. An SSH key pair is much more secure than a password, but to keep it simple, a password will be created here.
After a short time, the VPS will be created and is ready for use.
When the VPS is ready, you can connect to it using the “Console” button in the top right corner, or with software such as PuTTY. I recommend Solar-PuTTY, a free application from SolarWinds.
When connecting to the VPS, you must log in before you can access the command line. The username of the server is “root”, and the password is the one that was created together with the VPS.
Once you have connected to the VPS, you have to run a number of commands. The first command is “sudo apt update && sudo apt upgrade”, and is used to fetch and install updates for the server. The VPS should already be up to date, but it is always a good idea to update the server anyway.
After updating the server, Linux Screen can be installed. This is done by running the command “sudo apt install screen”. Linux Screen is software that lets a program keep running in a terminal window after you disconnect from the VPS.
The last piece of software to install is socat: Linux / UNIX TCP Port Forwarder. This is done by running the command “sudo apt install socat”. Socat is the application that will redirect traffic from users to your server through the VPS.
You can update the system and install all the required applications at once by running the following command (not required if you have already updated and installed the programs separately): “sudo apt update && sudo apt upgrade -y && sudo apt install screen -y && sudo apt install socat -y”
When the installation is complete, you can create a new “screen” session. This is done with the command “screen -S session_name”. I call my session “proxy”.
When you run the command, you enter a new, empty window. It looks as if the command did nothing, but it worked.
Here you can run the next command, which is “socat TCP-LISTEN:80,fork TCP:YOUR_IP:80” (no spaces inside the address specifications; “fork” makes socat handle each incoming connection in its own child process so several users can connect at once). This creates a tunnel that forwards all traffic arriving at the VPS on port 80 to the destination, which is your home network. In this blog post, the destination is another VPS at DigitalOcean, with IP address “188.8.131.52”.
You can forward traffic for any port, which is very handy if you run a game server such as a Minecraft server, which runs on port 25565. Just change port 80 to the port you want to forward traffic for.
If you want to forward traffic for multiple ports, you can either create multiple VPSs, which gives better protection for your network, or create multiple sessions on the current VPS. This is done by pressing “Ctrl + a” followed by “d” to detach from the current window, and then running the command “screen -S session_name” where “session_name” is something other than the previous session.
Once a session has been created, it is active immediately. When we visit the IP address of the VPS in a web browser, we see the web page running on another server, with the IP address “184.108.40.206”. You can now point a domain at the VPS’s IP address. All traffic to the VPS on port 80 is diverted to the destination, without the user noticing. This means that an attacker will only see the VPS and its IP address, and not your home network server or IP address.
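The steps above typed by hand work fine for one port, but they are easy to get wrong for several. Below is an added example, written for this post and not part of the original, that puts the same socat-in-screen setup into a small POSIX shell script: it validates the port, builds the socat command line, starts one detached screen session per port, and also prints the firewall rule you would add on the home server so that only the VPS can reach the forwarded port. The home IP 203.0.113.10, the VPS IP 198.51.100.5, the session name prefix “proxy-” and the FORWARD_PORTS variable are all assumptions for this example; replace them with your own values.

```shell
#!/bin/sh
# Added example (not from the original post): start one detached screen
# session per forwarded port, each running socat, so the forwarders keep
# running after you log out. Assumes screen and socat are installed.
# Placeholder addresses: replace HOME_IP with your home (destination) IP.

HOME_IP="${HOME_IP:-203.0.113.10}"   # placeholder home network IP (assumption)

# valid_port PORT: returns 0 if PORT is a TCP port number 1..65535, else 1.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_cmd LISTEN_PORT DEST_IP [DEST_PORT]: prints the socat command line.
# "fork" serves each client in its own child; "reuseaddr" lets the listener
# restart right away after it has been stopped.
forward_cmd() {
    listen_port="$1"; dest_ip="$2"; dest_port="${3:-$1}"
    printf 'socat TCP-LISTEN:%s,fork,reuseaddr TCP:%s:%s\n' \
        "$listen_port" "$dest_ip" "$dest_port"
}

# home_allow_rule VPS_IP PORT: prints the ufw rule for the home server so that
# only the VPS can reach the forwarded port. Without this, anyone who learns
# your home IP can simply bypass the VPS and hit the service directly.
home_allow_rule() {
    vps_ip="$1"; port="$2"
    printf 'ufw allow from %s to any port %s proto tcp\n' "$vps_ip" "$port"
}

# start_forward PORT: runs the forwarder in a detached screen session named
# proxy-<PORT>, so "screen -r proxy-<PORT>" attaches to it later.
start_forward() {
    port="$1"
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    screen -dmS "proxy-$port" sh -c "$(forward_cmd "$port" "$HOME_IP")"
}

# Only start forwarders when FORWARD_PORTS is set, e.g.
#   FORWARD_PORTS="80 25565" HOME_IP=203.0.113.10 sh forward.sh
# so the functions above can also be sourced without side effects.
if [ -n "${FORWARD_PORTS:-}" ]; then
    for p in $FORWARD_PORTS; do
        start_forward "$p"
        home_allow_rule "198.51.100.5" "$p"   # placeholder VPS IP (assumption)
    done
    screen -ls
fi
```

Two things worth knowing when you run this. First, with plain TCP forwarding the home server sees every connection as coming from the VPS, so its own logs and any per-IP rate limiting on the home side will only ever see one address; if you need the real client address you have to log it on the VPS. Second, the protection only holds as long as the home port is not reachable from anywhere but the VPS, which is what the printed ufw rule is for; the forwarding itself does nothing to hide a home IP that is still answering directly.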
Written by Aksel Telle on the 13th of July 2021.