  1. #1
    Join Date
    Aug 2009
    Location
    Lahore
    Posts
    318

    DDoS attack on Game-Server Port

    Hello.

    I use Windows Server 2003 Enterprise Edition.

    I own a Game-Server hosting company. Yesterday, my 100MBPS port spiked at its full and it caused my Dedi Host to limit my port to 10MBPS. I tried everything I could to find the issue.

    Task Manager > Network showed 100% usage when Game-Servers were running. I closed 2 Servers and usage was normal. I ran those 2 servers on different ports and usage was normal but when I reverted the port back to the original one, Network usage 100% again.

    Some of my clients reported that there have been people hacking the servers and some private game server owners have been screwed up due to this. Now what type of a hack is this ? Or is this really an attack ? It could be a DDoS on game server port.

    How can I counter this ? How can I see who is attacking me ?

    Also, I am using ESET Smart Security 4 as an Anti-virus with firewall disabled.

    Enabling Firewall also blocks the game server from being accessible, either by Master or directly by IP. I've tried changing up Firewall's settings but either it allows the full port by which the attack is back too or blocks the full.

    My dedi host will put my port back as soon as they know that the issue has been fixed. Please help.

  2. #2
    Have you tried using wireshark to see what kind of attack it is and what exactly you are up against?

  3. #3
    Join Date
    Aug 2009
    Location
    Lahore
    Posts
    318
    Umm No.

    What is wireshark?

    Maybe someone is sending or attacking big packets on a port which come in effect when the port is in use by the Game-Server. Don't know what type of attack is it. A port attack blocker or checker would be good. Really need to see this off.

  4. #4
    Join Date
    Aug 2009
    Location
    Lahore
    Posts
    318
    Great software. I found the IP address from China and traced the mac-address back to a Cisco Router.

    Someone is sending ICMP requests continuously on those ports.

    Hats off to you bro. At least I know what's happening now. How can I block it now?

  5. #5
    Join Date
    Aug 2009
    Location
    Lahore
    Posts
    318

  6. #6
    Join Date
    Jun 2007
    Location
    Los Angeles, CA
    Posts
    318
    I would recommend talking to your NOC/dedicated provider for DDoS prevention consultation.
    Richard Perez | PureWeb

  7. #7
    If it's a single IP, or a small amount, it should be easy to block.

    http://www.webhostingtalk.com/showthread.php?t=613759

  8. #8
    Join Date
    Mar 2010
    Location
    United Arab Emirates
    Posts
    161
    Is it resolved? You could use a firewall called ipfire which is open source. It is customizable and has a lot of features.

  9. #9
    Join Date
    Aug 2009
    Location
    Lahore
    Posts
    318
    No, it's not resolved.

    I'll try that ipfire now. But ipfire is for Linux.

  10. #10
    Join Date
    Mar 2010
    Location
    United Arab Emirates
    Posts
    161
    Yes, it's for a Linux system actually, but you could set up any spare PC for ipfire and it blocks all outgoing traffic from the system. You could try it. Used it for 1 year, never had a problem with DDoS or any high-traffic UDP flood.

  11. #11
    Join Date
    Aug 2009
    Location
    Lahore
    Posts
    318
    But I want Windows software. I have a dedi and they don't provide spare PCs for free.

  12. #12
    Join Date
    Mar 2010
    Location
    United Arab Emirates
    Posts
    161
    http://wipfw.sourceforge.net/

    This is for Windows.

    http://wipfw.sourceforge.net/doc.html

    Might be worth a try.

  13. #13
    Join Date
    Apr 2007
    Posts
    3,513
    It's pointless trying to block/mitigate a DDoS attack on the server that's higher than your server's network port speed.

    Contact your NOC with the source IP address and they should be able to NULL route that traffic in a few seconds.

  14. #14
    Join Date
    Mar 2010
    Location
    United Arab Emirates
    Posts
    161

    Thumbs up yep

    Quote Originally Posted by iTom View Post
    It's pointless trying to block/mitigate a DDoS attack on the server that's higher than your server's network port speed.

    Contact your NOC with the source IP address and they should be able to NULL route that traffic in a few seconds.
    sounds like a good idea

  15. #15
    Join Date
    Aug 2009
    Location
    Lahore
    Posts
    318
    Yea I submitted them the IP.

    They are blocking it at Network level.

    The IP is from China and he's using UDP Flood on the ports.

  16. #16
    Join Date
    Mar 2010
    Location
    United Arab Emirates
    Posts
    161
    Quote Originally Posted by AsadMoeen View Post
    Yea I submitted them the IP.

    They are blocking it at Network level.

    The IP is from China and he's using UDP Flood on the ports.
    Hope you get it resolved soon. Keep us posted on any updates on this.

  17. #17
    Join Date
    Aug 2009
    Location
    Lahore
    Posts
    318
    Thanks a lot.

    Firewall worked like a charm.

    Btw are you from Karachi ? I'm from Lahore

  18. #18
    Join Date
    Mar 2010
    Location
    United Arab Emirates
    Posts
    161
    Yes brother, I am from Karachi, Pakistan and I give services to my 500 users.

    All of them happy, no complaints.

    I need a VPS provider for email server, OpenVPN and rtorrent download for our users.

    I am glad I have been of help. If you need further assistance please post an update or new thread. I shall help you anytime.

    Best regards
    alhadi

  19. #19
    Join Date
    Aug 2009
    Location
    Lahore
    Posts
    318
    Cool.

    I've got good experience with VPS. The network is the most crucial thing in this case since most VPS networks lag. If you want a good one,

    Go for infinitetech.eu ( NL ) check the services what they allow.
    or providerservice.com ( Germany ) check services they allow. This one's cheapest ever.

  20. #20
    Join Date
    Mar 2010
    Location
    United Arab Emirates
    Posts
    161
    Ya sure, most providers don't allow torrents. I'll look into the given providers and look what they allow and then go for it.

    I did not know the VPS network lags if we do torrents. I learned that today.

    Will be careful to choose a good one.

    Thanks a lot.

  21. #21
    Join Date
    Aug 2009
    Location
    Lahore
    Posts
    318
    Hello.

    He attacked both my Linux and Windows machine now with a different UK university IP. I countered it on both machines using wireshark and blocked it on Windows using the software you provided and linux with iptables.


    I'm not sure how many more IP's he got but I'm sure he will attack me again with different IP. He is saturating my port. How can I permanently block this attack ?


    Maybe some Anti-virus or permanent firewalls ? Maybe Setting max connections per IP somewhere if it will work ? I'm really not sure, please tell a way to block this ddos attack permanently.

  22. #22
    Sounds like a pretty dumb guy to just load you down on one protocol from one IP. Of course you'll null route his traffic and then what? Nuisance only, easily abated.

  23. #23
    Join Date
    Jan 2003
    Location
    Canada
    Posts
    4,845
    Quote Originally Posted by AsadMoeen View Post
    Hello.

    He attacked both my Linux and Windows machine now with a different UK university IP. I countered it on both machines using wireshark and blocked it on Windows using the software you provided and linux with iptables.


    I'm not sure how many more IP's he got but I'm sure he will attack me again with different IP. He is saturating my port. How can I permanently block this attack ?


    Maybe some Anti-virus or permanent firewalls ? Maybe Setting max connections per IP somewhere if it will work ? I'm really not sure, please tell a way to block this ddos attack permanently.
    Report the IP w/ logs from wireshark. Normally IP's are static and bound to a students account so if he really does go to that school, he's screwed.

    Francisco

  24. #24
    Email the school's IT administrator...probably an account that was hacked, but perhaps it's an "inside job"

  25. #25
    Join Date
    Aug 2009
    Location
    Lahore
    Posts
    318
    He uses 2 different IP's daily so I can't report them.

    Sometimes USA IP's sometimes UK and sometimes Chinese.

    He doesn't attack a single port, he attacks on all the Game-Servers ports.

    And although I'm using WIPFW, it won't work.

  26. #26
    Join Date
    Aug 2009
    Location
    Lahore
    Posts
    318
    Ok basically I was using a wrong config file due to which even the IP deny wasn't working so I've banned the IP but still I can't let the hacker even use 24% of my bandwidth until I check and Ban him so for that I have to use the same method I am using on Linux.

    I've tried searching Google but the commands haven't helped.

    On Linux using Iptables, I have limited max connections to each game-server port to be 6 so as I run 5 game-servers, the attacker can just make 30 connections at maximum until I ban him.

    On Windows, I tried the command but it didn't work well, as the attacker could still use the network by a great deal using WIPFW. Maybe I'm using the commands in a wrong way. Can anyone tell of a way to limit the incoming connections on each UDP port or at least the game-servers ports to be 5 or 6?

    I used this cmd:

    ipfw add allow udp from any to me limit src-addr 4 ( to limit max connections to 4 but it didn't work ) please help.
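
Added example, not part of any post in this thread and not the poster's own iptables or ipfw rules: a Python script that applies the per-source, per-port flow cap described above (6 per game port) to a capture exported from Wireshark, and also reports each source's share of bytes, since a source can stay under a flow cap and still fill the port. The `tshark` field export, ports 20100-20104 and all addresses are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample (not from the thread). Tab-separated columns as exported by:
#   tshark -r capture.pcap -T fields -e ip.src -e udp.srcport -e udp.dstport -e frame.len
# Addresses are documentation ranges; 20100-20104 are placeholder game ports.
GAME_PORTS = {20100, 20101, 20102, 20103, 20104}

def build_sample():
    rows = []
    for i in range(40):  # one noisy source cycling source ports against one game port
        rows.append(f"203.0.113.7\t{40000 + i}\t20100\t1400")
    for i in range(4):   # ordinary players: one flow each, small packets
        rows.append(f"198.51.100.{10 + i}\t27000\t20100\t90")
    rows.append("198.51.100.99\t\t\t60")  # non-UDP frame: empty UDP columns
    return "\n".join(rows)

def analyse(text, game_ports=GAME_PORTS, max_flows=6):
    """Return (offenders, share).

    offenders: {(src_ip, dst_port): flow_count} for sources over the flow cap.
    share:     {src_ip: fraction of bytes sent to the game ports}.
    """
    flows = defaultdict(set)   # (src_ip, dst_port) -> distinct source ports seen
    nbytes = defaultdict(int)  # src_ip -> bytes sent to game ports
    total = 0
    for line in text.splitlines():
        try:
            src, sport, dport, length = line.split("\t")
            sport, dport, length = int(sport), int(dport), int(length)
        except ValueError:
            continue  # malformed row or non-UDP frame
        if dport not in game_ports:
            continue
        flows[(src, dport)].add(sport)
        nbytes[src] += length
        total += length
    offenders = {k: len(v) for k, v in flows.items() if len(v) > max_flows}
    share = {s: b / total for s, b in nbytes.items()} if total else {}
    return offenders, share

if __name__ == "__main__":
    offenders, share = analyse(build_sample())
    for (src, port), n in sorted(offenders.items()):
        print(f"{src} -> udp/{port}: {n} flows (cap 6), {share[src]:.1%} of bytes")
```

The output gives the source addresses and byte shares to hand to the NOC for blocking at network level.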

  27. #27
    You can also send his IP to the internet provider he is pinging from, will prolly get his IP blocked.

  28. #28
    Join Date
    Aug 2009
    Location
    Lahore
    Posts
    318
    Yea but why not be secure at the 1st place ?

    Linux cmd is working great. So please tell one for IPFW

  29. #29
    It is impossible to reduce DDoS with OS-changes, so stop trying that ****. IPtables might work for really really small DDoS attempts.

  30. #30
    Join Date
    Aug 2009
    Location
    Lahore
    Posts
    318
    Since it's the game-servers ports under small ddos, they can be blocked by applying max connections per IP which I keep to 5.

  31. #31
    Join Date
    Aug 2010
    Posts
    304
    Ahhhh, the joy of running game servers.

    The connection limit is your best bet for this type of attack.

    If it gets worse, you're going to need to try other alternatives. You can only do so much at the server level.

    What type of game servers do you have running?

  32. #32
    Join Date
    Aug 2009
    Location
    Lahore
    Posts
    318
    Simple Sof2 game-servers. Getting attack on UDP ports with some UDP flooder I think.

    On Linux, max connections per IP took care of it, on Windows I've just banned the IP's who dosed me. IPFW is the firewall I'm using. It got max connections thing too but somehow I can't get it working. Maybe wrong commands.

  33. #33
    Join Date
    Feb 2004
    Location
    Sacramento CA
    Posts
    3,342
    Has your host offered any help on this? If not I would look for a host that provides some type of DDoS mitigation.

  34. #34
    Join Date
    Aug 2009
    Location
    Lahore
    Posts
    318
    Hello.

    The host at maximum can block the IP's at network level if provided to them. They believe it's at the customer to take care of this and can be blocked at OS level.

    I rent both my Linux/Windows machine from some very good companies.

    At linux, using iptables on APF, we have a package ddos deflate, it automatically bans any IP if it makes 150 connections. Manually, we can set max connections per IP to block it. It makes sense logically because it has to work.

  35. #35
    Quote Originally Posted by AsadMoeen View Post
    Since it's the game-servers ports under small ddos, they can be blocked by applying max connections per IP which I keep to 5.
    I had 10gbit/s because of hosting a gameserver. Try to block that with iptables

  36. #36
    Hello Asad, I see you're hosting gameservers in Pakistan. If you are, please let me know your prices via PM as I'm tired of finding someone in Pakistan.

  37. #37
    Join Date
    Aug 2009
    Location
    Lahore
    Posts
    318
    I basically host in USA, Europe and Australia.

    But since I live in Pakistan, I can get 1 up here too.

    PM me the server and slots you like, I'll send the price.
