I basically have a colo setup with some off site storage and a couple of game servers. The interface connected to my provider’s handoff is bridged with a couple of other interfaces, so the servers directly get an IP, and I have that bridge listed as my WAN connection and the rest of the interfaces are on the default bridge with local networking (for lights off management) which is accessed through Wireguard. Not sure if this is the best route but this is baseline what I have setup. Due to DDOS attacks against my game servers, I found a provider that offers ddos protected BGP sessions where they would advertise my IP addresses. My question is, before I go into a rabbit hole to figure out how to do this, is if I do have a BGP session setup, would I be able to assign my servers the public IPs from BGP directly, avoiding NAT stuff? How would that even be configured? Thanks
In prolexic we got a 2 byte AS number and established a bgp peer with them if there’s an attack they are going to notify you and ask for confirmation since this is a manage service they are going to annouce your prefix to them and they are going to mitigate DDoS in their scrubbing center and pass you the clean traffic via GRE tunnel going back to your network
Much easier route would be used a reverse proxy service from Cloudflare or any DDoS mitigation provider you choose and collaborate with them, this is easier but add additional latency on your apps best discuss this with your team on the best approach and also budget is also a factor
Hmm I see. GRE tunnels were also something I was looking at. I mainly just want to know if I can hand out IPs to the target machines directly from a BGP session. I guess same question still stands if doing GRE too.
This is just pure routing then let your L7 load balancer handle the routing to your apps problem solved you don’t have to worry the IP or NAT issues if that what’s worries you, just my 0.2$
I am looking at providers that specifically offer BGP ddos protection against L4 attacks. I wanted to see if it’s possible to get an IP from that BGP configured directly on the target machine.