  1. #1

    How to stop DDOS/DOS attacks?

    Hey WHT,

    I've been lurking on WHT for a while, and recently I joined up as a systems administrator on a Minecraft server (full administrator, as in I set up everything and keep it running smoothly, I fully manage it myself), and while I got everything working perfectly fine on our Limestone Networks dedi (C2Q 9400 2.66ghz, 8GB RAM, 500GB HDD, 100mbps port), I've been having some troubles with DDOS/DOS attacks recently.

    Yes, a 3 week old server having troubles with attacks. (The most recent ones I've been having are from a very disgruntled banned player).

    Now I can handle CentOS and the like fine for most tasks, but I've never learned much about what to do about DDOS/DOS attacks, especially with the scale of these attacks (75-100 mbps usually, which often maxes out our line). Limestone has great support, and they automatically stop most attacks within a few minutes, but I'm wondering if there's a way to detect/stop/log these attacks instead of waiting for Limestone to get rid of them? We're also thinking of switching hosts due to cost issues, and I would especially need a method to stop attacks on hosts with stricter bandwidth and QOS policies.

    I caught the attacker's IPs once (they were using Amazon EC2), but Amazon denied that the IPs ever touched us.

    Basically, how and with what tools would I be able to stop/log DOS and DDOS attacks on CentOS 5.5, with that hardware/network.

    I would love any and all advice on this matter.

  2. #2
    Join Date
    Mar 2007
    Posts
    478
    Quote Originally Posted by battlekid View Post
    Hey WHT,

    I've been lurking on WHT for a while, and recently I joined up as a systems administrator on a Minecraft server (full administrator, as in I set up everything and keep it running smoothly, I fully manage it myself), and while I got everything working perfectly fine on our Limestone Networks dedi (C2Q 9400 2.66ghz, 8GB RAM, 500GB HDD, 100mbps port), I've been having some troubles with DDOS/DOS attacks recently.

    Yes, a 3 week old server having troubles with attacks. (The most recent ones I've been having are from a very disgruntled banned player).

    Now I can handle CentOS and the like fine for most tasks, but I've never learned much about what to do about DDOS/DOS attacks, especially with the scale of these attacks (75-100 mbps usually, which often maxes out our line). Limestone has great support, and they automatically stop most attacks within a few minutes, but I'm wondering if there's a way to detect/stop/log these attacks instead of waiting for Limestone to get rid of them? We're also thinking of switching hosts due to cost issues, and I would especially need a method to stop attacks on hosts with stricter bandwidth and QOS policies.

    I caught the attacker's IPs once (they were using Amazon EC2), but Amazon denied that the IPs ever touched us.

    Basically, how and with what tools would I be able to stop/log DOS and DDOS attacks on CentOS 5.5, with that hardware/network.

    I would love any and all advice on this matter.

    You would need something that is sitting outside of the server to stop the attacks from reaching your server. Once they have reached your server it starts to affect the performance and bandwidth availability of the server. There are small-time scripts to stop users from getting a response from certain services running on your server but none of them keep the attack from reaching your physical server which is the key in stopping them.

    I would recommend looking for a host that specializes in DDOS mitigation that does not just null route IPs when attacks occur. Some can add the IPs to their ACLs so they do not reach your physical server which will help mitigate the DOS and DDOS attacks.

  3. #3
    Join Date
    Jan 2008
    Location
    Sweden
    Posts
    169
    Ask your provider to place a hardware firewall (this can even be a server configured as a firewall) between the switch and your server.
    SwedenDedicated Unmanaged & managed solutions.
    Dedicated Servers, VPS and colocation in Sweden - Stockholm.
    100Mbit Unmetered servers
    Follow us on twitter @swedendedicated

  4. #4
    Join Date
    May 2011
    Posts
    580
    DDoS Attacks have always been a major problem on all game servers.

    I would try this script: http://deflate.medialayer.com/

    Also, if you can prove that the attacks are coming from Amazon EC2 (Get Limestone to write a statement for proof, too, with the IP address in logs), and Amazon EC2 is denying the attack (Even after you send the log), then hire a lawyer and see what can be done. DDoS attacks are a major problem, and when a host does not comply with reports then there can be trouble.

  5. #5
    Upgrade to gigabit port. problem solved.

  6. #6
    Quote Originally Posted by misspink View Post
    Upgrade to gigabit port. problem solved.
    Yup. If the attacker can only manage to send about 100 megabit to your server, a gig port is the easiest way to deal with this. If you can find a host who doesn't meter incoming bandwidth, then this should be fine, unless the particular user can find a way to throw 10x as much bandwidth into the attack.
    Phoenix Dedicated Servers -- IOFLOOD.com
    Email: sales [at] ioflood.com
    Skype: iofloodsales
    Backup Storage VPS -- 1TBVPS.com

  7. #7
    Join Date
    May 2008
    Posts
    660
    Quote Originally Posted by funkywizard View Post
    Yup. If the attacker can only manage to send about 100 megabit to your server, a gig port is the easiest way to deal with this. If you can find a host who doesn't meter incoming bandwidth, then this should be fine, unless the particular user can find a way to throw 10x as much bandwidth into the attack.
    you would also find a host that doesn't nullroute your ip on 1gbps port based on network spikes like softlayer does

  8. #8
    Quote Originally Posted by Maikon View Post
    you would also find a host that doesn't nullroute your ip on 1gbps port based on network spikes like softlayer does
    That's true, but it's not really a fair comparison because softlayer will null you even if there isn't a spike, just quite a bit of use. I've had this issue a number of times, and so wouldn't use them for anything requiring much reliability. For what it's worth, I've only heard of softlayer doing this for 100tb clients, it seems they treat direct clients better.

  9. #9
    Quote Originally Posted by TheHeartSmasher View Post
    You would need something that is sitting outside of the server to stop the attacks from reaching your server. Once they have reached your server it starts to affect the performance and bandwidth availability of the server. There are small-time scripts to stop users from getting a response from certain services running on your server but none of them keep the attack from reaching your physical server which is the key in stopping them.

    I would recommend looking for a host that specializes in DDOS mitigation that does not just null route IPs when attacks occur. Some can add the IPs to their ACLs so they do not reach your physical server which will help mitigate the DOS and DDOS attacks.
    We use Limestone Networks, so they _do_ mitigate DDOS/DOS attacks for us instead of null routing our IPs, but they are a little too expensive for us to continue using, and it takes between 5min-3hours to mitigate the attacks on their side, and because we run a gaming community ANY downtime becomes a major problem, even in the Minecraft gameplay environment.

    Quote Originally Posted by xema View Post
    Ask your provider to place a hardware firewall (this can even be a server configured as a firewall) between the switch and your server.
    As I mentioned above, they get rid of attacks for us after shortish delays, but they do not sell hardware firewalls and the cost of renting a second server just for that is very prohibitive.

    Quote Originally Posted by Appdeveloper View Post
    DDoS Attacks have always been a major problem on all game servers.

    I would try this script: http://deflate.medialayer.com

    Also, if you can prove that the attacks are coming from Amazon EC2 (Get Limestone to write a statement for proof, too, with the IP address in logs), and Amazon EC2 is denying the attack (Even after you send the log), then hire a lawyer and see what can be done. DDoS attacks are a major problem, and when a host does not comply with reports then there can be trouble.
    Yeah, we've been having a LOT of problems..

    http://img813.imageshack.us/img813/3...10716at101.png

    When you try running a gaming community, it sucks when your users can't access the server due to network attacks...

    I'll take a look at the script, thanks!

    I contacted Limestone, they said that "They log all attacks and automatically send reports to the authorities". That wasn't enough for me, so I went and managed to capture an attacker's IP (3 IPs, registered to Amazon EC2), but when I sent a report in they claimed to have no record of such an attack... I ran whois lookups on all IPs I found connected the one time I was on the SSH when we were being hammered, and those 3 were the only ones that tripped any flags, plus they quickly disconnected and the attack stopped...

    We're a (very) small gaming community, we barely cover operating costs, so we simply have no money for lawyers.

    Quote Originally Posted by funkywizard View Post
    Yup. If the attacker can only manage to send about 100 megabit to your server, a gig port is the easiest way to deal with this. If you can find a host who doesn't meter incoming bandwidth, then this should be fine, unless the particular user can find a way to throw 10x as much bandwidth into the attack.
    A 1gbps port from Limestone is $45/month extra, a little too much when we can barely afford the bills as-is, and we're thinking of moving to Hetzner to save money and get more power (and possibly a 1gbps port, although we're not sure if we even want to switch providers, especially so when we found out that Hetzner has a policy to null route your server if an attack is detected).

    Limestone doesn't meter incoming BW, but again, the amount pushed in isn't the problem here, it's our line being saturated. I might be a little whiny, seeing as the attacks are usually stopped by Limestone with no interaction on our part in a relatively timely manner, but downtime for the type of services we are trying to offer can be catastrophic.

    ======

    The software firewall is up, but the attackers just target random ports and overwhelm the line with brute force... Would there be a firewall rule that I could set up to LOG any suspicious connections on any port at any time? I'm still playing around with setup, trying to get a compromise between a massive log file and detailed log info.
    Last edited by battlekid; 07-16-2011 at 11:51 PM. Reason: Spelling errors
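
The logging question at the end of the post above, as an added example that is not part of the original thread: new inbound connections are logged through a per-source budget (`hashlimit`) and then a global cap (`limit`), and an awk pass ranks the sources that were logged. The chain name, log prefixes, limits, the 22,80,25565 port list and the sample log lines are assumptions made for illustration, as is the availability of the `hashlimit` match on the kernel in use. As the replies above point out, this only records traffic; it does not free a saturated line.

```shell
#!/bin/sh
# Added example, not from the thread. Chain name, prefixes, limits and ports
# are illustrative assumptions. Dry run by default: the iptables commands are
# only printed. Run with APPLY=1 as root to execute them.
APPLY="${APPLY:-0}"

ipt() {
    if [ "$APPLY" = "1" ]; then iptables "$@"; else echo "iptables $*"; fi
}

# emit_log_rules PORTS   (comma-separated TCP service ports)
emit_log_rules() {
    ports="$1"
    ipt -N LOG_NEW
    # Service ports: each source may log 3 lines at once, then 6 per minute.
    # hashlimit is listed before limit so a noisy source that has used up its
    # own budget does not also eat the global budget.
    ipt -A LOG_NEW -p tcp -m multiport --dports "$ports" \
        -m hashlimit --hashlimit 6/minute --hashlimit-burst 3 \
        --hashlimit-mode srcip --hashlimit-name lognew_svc \
        -m limit --limit 120/minute --limit-burst 30 \
        -j LOG --log-prefix "FW-NEW-SVC:" --log-level 4
    # LOG does not end rule traversal, so leave the chain here to avoid a
    # second log line for the same packet.
    ipt -A LOG_NEW -p tcp -m multiport --dports "$ports" -j RETURN
    # Everything else ("random ports"): tighter per-source and global caps.
    ipt -A LOG_NEW \
        -m hashlimit --hashlimit 2/minute --hashlimit-burst 2 \
        --hashlimit-mode srcip --hashlimit-name lognew_other \
        -m limit --limit 60/minute --limit-burst 30 \
        -j LOG --log-prefix "FW-NEW-OTHER:" --log-level 4
    # Only the first packet of each connection is sent to the logging chain.
    ipt -I INPUT 1 -m state --state NEW -j LOG_NEW
}

# Constructed sample of what the rules above write to the kernel log
# (documentation addresses, fields trimmed for readability).
sample_log() {
    cat <<'EOF'
Jul 16 23:40:01 mc kernel: FW-NEW-OTHER:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=8123 SYN
Jul 16 23:40:01 mc kernel: FW-NEW-OTHER:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=41002 SYN
Jul 16 23:40:02 mc kernel: FW-NEW-SVC:IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51820 DPT=25565 SYN
Jul 16 23:40:03 mc kernel: FW-NEW-SVC:IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=33010 DPT=22 SYN
Jul 16 23:40:31 mc kernel: FW-NEW-OTHER:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40114 DPT=5060
Jul 16 23:40:40 mc kernel: FW-NEW-SVC:IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51821 DPT=25565 SYN
Jul 16 23:40:41 mc sshd[2101]: Accepted publickey for admin from 192.0.2.50
Jul 16 23:41:01 mc kernel: FW-NEW-OTHER:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40115 DPT=9999 SYN
EOF
}

# summarize_log: syslog lines on stdin, "hits distinct_ports source" on stdout,
# busiest source first. Many distinct ports from one source suggests scanning
# or a random-port flood rather than a player reconnecting.
summarize_log() {
    awk '
    /FW-NEW-(SVC|OTHER):/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "") next
        hits[src]++
        if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
    }
    END { for (s in hits) print hits[s], ports[s], s }
    ' | sort -k1,1nr -k3,3
}

emit_log_rules "22,80,25565"
sample_log | summarize_log
```
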

  10. #10
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,035
    Quote Originally Posted by battlekid View Post
    we're thinking of moving to Hetzner to save money and get more power (and possibly a 1gbps port, although we're not sure if we even want to switch providers, especially so when we found out that Hetzner has a policy to null route your server if an attack is detected).
    Correct, as soon as Hetzner notices you're under attack they null route you within minutes...

    I suggest you contact BurstNET; they might be able to help you.

  11. #11
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,512
    Quote Originally Posted by funkywizard View Post
    Yup. If the attacker can only manage to send about 100 megabit to your server, a gig port is the easiest way to deal with this. If you can find a host who doesn't meter incoming bandwidth, then this should be fine, unless the particular user can find a way to throw 10x as much bandwidth into the attack.
    100 Mbps could still be enough to exhaust the resources of the server in other ways, causing the server to go down regardless of the port size.

  12. #12
    Join Date
    Feb 2010
    Posts
    1,030
    Quote Originally Posted by Appdeveloper View Post

    I would try this script: http://deflate.medialayer.com/

    Does it work?

  13. #13
    Join Date
    May 2008
    Posts
    660
    Quote Originally Posted by chhit View Post
    Does it work?
    It doesn't for me when I got DDoSed.

  14. #14
    Quote Originally Posted by IRCCo Jeff View Post
    100 Mbps could still be enough to exhaust the resources of the server in other ways, causing the server to go down regardless of the port size.
    Yes, that's certainly the case, depending on the kind of attack. For a script kiddie / udp flood, I've seen 1gbps attacks before that just slowed down the server a bit. Clearly if the attacker knows what they're doing, that can be a different story altogether.

  15. #15
    Alright, just found out that we're being targeted by some idiot hacker group (quantumbooter.info), this is not going well...

    We basically told them to piss off and went and patched several major security holes they had been exploiting, so now they've decided to hammer us with a ~50mbps attack... Again.....

    I must say, although Limestone is very expensive, they are very good about attacks!

    Anyways, I guess the best idea right now is for us to just keep cleaning up security and rely on Limestone to mitigate the attacks as they appear.

  16. #16
    Join Date
    May 2011
    Posts
    580
    Quote Originally Posted by battlekid View Post
    Alright, just found out that we're being targeted by some idiot hacker group (quantumbooter.info), this is not going well...

    We basically told them to piss off and went and patched several major security holes they had been exploiting, so now they've decided to hammer us with a ~50mbps attack... Again.....

    I must say, although Limestone is very expensive, they are very good about attacks!

    Anyways, I guess the best idea right now is for us to just keep cleaning up security and rely on Limestone to mitigate the attacks as they appear.
    Hello,
    quantumbooter.info is a website for a "Booter". A Booter is an illegal hacking product which is sold on the internet. All a booter does is DDoS websites and people.

    In other words, Somebody has purchased Quantum Booter, and is using it to DDoS your server(s).

    Booters have become a big problem. A lot of kids (Around 12-13) purchase booters to DDoS people on Xbox Live and similar online gaming services, then brag about it.

    After some research, I have found out that Quantum Booter is sold (and bought) on a "hacking" website, HackForums.net. HackForums.net is also on the Limestone network (I have no idea how they let a hacking website which sells these illegal products on their network). For more info, pull up google and search "site:hackforums.net quantum booter".

    After an IP trace of quantumbooter.info, I found out that it is hosted by Hetzner. Hetzner does NOT allow ANY of this content on their network. I HIGHLY suggest you contact Hetzner's abuse department and get the website shut down. After the website is shut down, your server(s) should no longer be under any DDoS attacks by Quantum Booter. Also, you're helping clean up the internet from little kids attacking servers and people using $10 tools, which is always a bonus.

    If you require any help, feel free to PM me.

  17. #17
    Quote Originally Posted by Appdeveloper View Post
    After the website is shut down, your server(s) should no longer be under any DDoS attacks by Quantum Booter.
    Quantum booter will just move to some $2 unlimited alpha reseller 100% offshore netherlands hosting with cloudflare proxy.

  18. #18
    Join Date
    Jun 2011
    Location
    California
    Posts
    382
    Quote Originally Posted by funkywizard View Post
    That's true, but it's not really a fair comparison because softlayer will null you even if there isn't a spike, just quite a bit of use. I've had this issue a number of times, and so wouldn't use them for anything requiring much reliability. For what it's worth, I've only heard of softlayer doing this for 100tb clients, it seems they treat direct clients better.
    I can directly comment on this. I've had servers with 100tb and experienced these issues. After moving to servers under my own SoftLayer account, we've never experienced another null route or Cisco Guard injection again.
    |███| SSD Nodes, Inc.
    |███| A cloud provider that listens to you.
    |███| 100% Uptime SLA - 10Gbps NICs - 200K+ Write IOPS
    |███| https://www.ssdnodes.com

  19. #19
    Quote Originally Posted by Appdeveloper View Post
    Hello,
    quantumbooter.info is a website for a "Booter". A Booter is an illegal hacking product which is sold on the internet. All a booter does is DDoS websites and people.

    In other words, Somebody has purchased Quantum Booter, and is using it to DDoS your server(s).

    Booters have become a big problem. A lot of kids (Around 12-13) purchase booters to DDoS people on Xbox Live and similar online gaming services, then brag about it.

    After some research, I have found out that Quantum Booter is sold (and bought) on a "hacking" website, HackForums.net. HackForums.net is also on the Limestone network (I have no idea how they let a hacking website which sells these illegal products on their network). For more info, pull up google and search "site:hackforums.net quantum booter".

    After an IP trace of quantumbooter.info, I found out that it is hosted by Hetzner. Hetzner does NOT allow ANY of this content on their network. I HIGHLY suggest you contact Hetzner's abuse department and get the website shut down. After the website is shut down, your server(s) should no longer be under any DDoS attacks by Quantum Booter. Also, you're helping clean up the internet from little kids attacking servers and people using $10 tools, which is always a bonus.

    If you require any help, feel free to PM me.
    I know what hackforums.net is, I read it occasionally in my quest for info (and good Minecraft hacks), and I saw that the guy has a presence on there... I am not sure what I'll do about it, hackforums is a very large site and not technically illegal in and of itself...

    As for the site itself, I also just looked it up, I will go submit a complaint to Hetzner and get their box shut down.

    Quote Originally Posted by misspink View Post
    Quantum booter will just move to some $2 unlimited alpha reseller 100% offshore netherlands hosting with cloudflare proxy.
    Eh, at least I'll try to stop them. I have their proxy's IP, chat logs and some other info... At the very least, I'll do my best to make life VERY hard for them, as they've made the past 3 weeks complete hell for us (we just started this community/server ~1 month ago, and out of all people, this group decided to pick US...).

  20. #20
    Join Date
    May 2011
    Posts
    580
    Quote Originally Posted by battlekid View Post
    I know what hackforums.net is, I read it occasionally in my quest for info (and good Minecraft hacks), and I saw that the guy has a presence on there... I am not sure what I'll do about it, hackforums is a very large site and not technically illegal in and of itself...
    Personally, I roam Hackforums.net and report all illegal Web Hosts, booters, and websites. I've been very successful; shutting down nearly 10 booters, 4 web hosts, and MANY websites.

    It has a lot of useful info, but the community is slowly destroying it. I doubt it will be alive in 5 years from today.

    I highly recommend you report the site. One less malicious IP on the internet.

  21. #21
    Quote Originally Posted by SSD Nodes View Post
    I can directly comment on this. I've had servers with 100tb and experienced these issues. After moving to servers under my own SoftLayer account, we've never experienced another null route or Cisco Guard injection again.
    Right, this could just be how SL treats low budget reseller customers: null first and ask questions later. I would certainly hope if you're paying list price and buying direct from them, they would be more sensible about this. It's really a shame that they've got this two tiered system, as it allows how they treat their low budget clients to drag their name through the dirt, making people think twice about signing up for their higher cost offerings.

  22. #22
    Join Date
    Jun 2011
    Location
    California
    Posts
    382
    Quote Originally Posted by funkywizard View Post
    Right, this could just be how SL treats low budget reseller customers: null first and ask questions later. I would certainly hope if you're paying list price and buying direct from them, they would be more sensible about this. It's really a shame that they've got this two tiered system, as it allows how they treat their low budget clients to drag their name through the dirt, making people think twice about signing up for their higher cost offerings.
    I completely agree, and I suspect that 100tb customers cause a substantial amount of grief. Unfortunately, as you mentioned, 100tb hinges on SL's brand and the result of this multi-tiered system tarnishes both reputations.

    It's been a completely positive experience directly working with SL.

  23. #23
    Quote Originally Posted by SSD Nodes View Post
    I completely agree, and I suspect that 100tb customers cause a substantial amount of grief. Unfortunately, as you mentioned, 100tb hinges on SL's brand and the result of this multi-tiered system tarnishes both reputations.

    It's been a completely positive experience directly working with SL.
    Exactly. It makes 100tb look bad that they can't resolve simple issues, supposedly because SL is in charge, and it makes SL look like the bad guy when they do this kind of thing to customers who have been sold on the SL brand.

    The only reason I can see why SL would have done the 100tb deal in the first place, is because they wanted to pump up their revenues before selling out to GI Partners. Perversely, since hosts are often valued on a multiple of revenues, getting a few thousand extra customers at break even, or even at a loss, would have meant a much bigger payday when they sold out. The end result is a loss leader subsidized product that wouldn't exist if it were a standalone company.

  24. #24
    Join Date
    Jun 2007
    Location
    Argentina
    Posts
    34
    Deflate?

    That doesn't work with real DDoS attacks...

    If the attack is against your Apache, use Varnish with a good .vcl, or LiteSpeed if you want to pay for it. But you will need a good provider with DDoS protection at the network level if the problem persists.
    www.IPSecureNetwork.com
    Hosting , IRCD Servers , Streaming Audio-video, Dedicated Servers
    The Best Way to Be protected Against DDoS Attacks

  25. #25
    Aren't you able to modify the source code for the minecraft server?

    If your 100mbit line isn't completely flooded and you're only experiencing lag in-game you could easily implement a timeout on your minecraft server before it accepts the connection from any client.

    This can be done using hooks as well.

    Usually when they DDoS a game server they go for the login port. They continuously connect & disconnect, which could result in your server running out of allocatable stuff (can't come up with the exact term, whenever someone connects to a server they get 1 of this "thing" from the stack)

    So if the server waits, let's say 5 seconds before allocating, users that actually want to play will be stuck on the login screen for 5 seconds and get allocated, whereas the attacks won't be, thus freeing up your system.

    If you are getting flooded, then the above won't work of course

  26. #26
    Quote Originally Posted by dschuermans View Post
    Aren't you able to modify the source code for the minecraft server?
    You've never worked with a game server customer have you? I consider myself lucky if they can install the software without assistance. I certainly wouldn't be expecting them to edit the source code, even if it were possible. These aren't programmers, they're gamers.

  27. #27
    Quote Originally Posted by dschuermans View Post
    Aren't you able to modify the source code for the minecraft server?

    If your 100mbit line isn't completely flooded and you're only experiencing lag in-game you could easily implement a timeout on your minecraft server before it accepts the connection from any client.

    This can be done using hooks as well.

    Usually when they DDoS a game server they go for the login port. They continuously connect & disconnect, which could result in your server running out of allocatable stuff (can't come up with the exact term, whenever someone connects to a server they get 1 of this "thing" from the stack)

    So if the server waits, let's say 5 seconds before allocating, users that actually want to play will be stuck on the login screen for 5 seconds and get allocated, whereas the attacks won't be, thus freeing up your system.

    If you are getting flooded, then the above won't work of course
    Nah, they have been hitting the web/ssh port, they only hit the MC port once.

    Attacks have been less often and less powerful recently, maybe they'll get bored.

    EDIT: They aren't doing sophisticated attacks, they just flood the line.

    Quote Originally Posted by funkywizard View Post
    You've never worked with a game server customer have you? I consider myself lucky if they can install the software without assistance. I certainly wouldn't be expecting them to edit the source code, even if it were possible. These aren't programmers, they're gamers.
    I agree, most people cannot do much.

    I don't know Java, but I can easily handle Linux administration, and I do see quite a few idiots who can't even do things like port forward when I'm on the Minecraft forums.

    Hey, if I couldn't handle Linux administration, we wouldn't be on a dedicated box (although I'm actually the only one of the three owners who knows how to use our box/Linux).

  28. #28
    Quote Originally Posted by battlekid View Post
    I agree, most people cannot do much.

    I don't know Java, but I can easily handle Linux administration, and I do see quite a few idiots who can't even do things like port forward when I'm on the Minecraft forums.

    Hey, if I couldn't handle Linux administration, we wouldn't be on a dedicated box (although I'm actually the only one of the three owners who knows how to use our box/Linux).
    Really not a dig against game server customers, more just, know your audience. Heck, I wouldn't even expect a sysadmin to be capable of, or even inclined to, reprogram java to deal with a DoS. Now, taking that one step further, I certainly wouldn't expect a game server client to be reprogramming anything; they're buying the server to play games, not develop software.

  29. #29
    Quote Originally Posted by funkywizard View Post
    Really not a dig against game server customers, more just, know your audience. Heck, I wouldn't even expect a sysadmin to be capable of, or even inclined to, reprogram java to deal with a DoS. Now, taking that one step further, I certainly wouldn't expect a game server client to be reprogramming anything; they're buying the server to play games, not develop software.
    Quite true.

    I run a server, not a GSP, but it's true that the vast majority of people renting from game server providers don't really know what they are doing, and that's where those game server providers get their primary business from.

    I agree with that trail of thought-- most people playing Minecraft (to be honest, ANY games) don't really have the knowledge or inclination to run/manage a full server, and would rather pay much more so that they can just press a button to turn it on, and press another to turn it off instead of dealing with Linux. Then, there are some who are willing to learn, and I am one of those, but even then, I doubt that I would be interested in learning a whole new programming language and reprogramming the server because I needed something changed. There's a place for everyone-- the Minecraft server is next to useless while vanilla, and the vast majority of people use a popular (unofficial) mod/plugin platform for it on servers. There are those who write the server mod/platform, and there are those who write plugins for it, and there are the others who use said platform and plugins to run servers. Most sysadmins/server owners simply don't have enough time to write mods and run servers at the same time, although there are quite a few who do.

    I must say though, the vast majority of people playing Minecraft who want to run a server manage to royally piss me off, mostly because they are self-entitled people who want to press a button and have a server magically startup (without any user setup), that's easy to run, doesn't require port forwarding or static IPs, and in short, means that they don't have to do any work to maintain it.

    Anyways, enough rambling.

  30. #30
    Quote Originally Posted by funkywizard View Post
    You've never worked with a game server customer have you? I consider myself lucky if they can install the software without assistance. I certainly wouldn't be expecting them to edit the source code, even if it were possible. These aren't programmers, they're gamers.
    I've been a game server customer myself for about 3 years.
    Hosted a Lineage 2 MMORPG server.

    Tasks included adding new game content and such, I was one of the developers for our community.

    Quote Originally Posted by battlekid View Post
    Nah, they have been hitting the web/ssh port, they only hit the MC port once.

    Attacks have been less often and less powerful recently, maybe they'll get bored.

    EDIT: They aren't doing sophisticated attacks, they just flood the line.
    Well, then my solution doesn't apply to you ;D

    Quote Originally Posted by funkywizard View Post
    Really not a dig against game server customers, more just, know your audience. Heck, I wouldn't even expect a sysadmin to be capable of, or even inclined to, reprogram java to deal with a DoS. Now, taking that one step further, I certainly wouldn't expect a game server client to be reprogramming anything; they're buying the server to play games, not develop software.
    It all depends on what kind of game server your customer is hosting, to be honest.
    Plug-and-play servers such as FPS, or in this case Minecraft, don't require much knowledge indeed.

    However, when there's a need to add additional content or when there's lots of money involved etc the kind of people that are, in your eyes simple "game server customers" turn out to be quite skilled programmers.

    When our servers suffered from DDoS attacks we simple tackled the problem head on. They were demanding that we paid them with either money or ingame advantages over the other players but we refused.
    In the end, we overcame his silly DDoS attempts by simply incorporating a time out on the socket requests for the login server.

    He was still able to flood our line (since we were still on a 100mbit line) but he soon gave up when he noticed our server didn't crash anymore.

    In return for his DDoS attempts, we tried tracking down & taking over his botnet to turn it over to the authorities but he vanished before we could complete our quest ;D

  31. #31
    Join Date
    Jun 2007
    Location
    Argentina
    Posts
    34
    Ok,
    a few things to keep in mind.

    First: you tell us the DDoS attacks saturate all the NIC bandwidth, right?
    Ok, you talk with your provider to see how big the DDoS is? Because if the DDoS is only 100 Mbit or maybe 200 Mbit, it's too small to be a problem, or a big problem, because that is not a "real DDoS" or a DDoS to be worried about, and maybe you can deal with that on your box's side.

    A real DDoS is more than 1 Gbps (I saw attacks with more than 15 Gbps), and that is big.

    It's like a big bear living in a cigarette box. Imagine that?

    Well.

    - Second.

    The attacks are regularly decreasing because the infected machines show signs of the virus and the virus is deleted (and the attacker tries to recruit more machines).

    If you know the location of the botnet you must use the regular ways.

    First, report the IP to the IP owner. All IPs have an abuse email for these cases.

    Next, you can copy the FBI cybercrime office on that email reporting the IP. These guys are very serious regarding these things.

    Trust me.

    If you have problems with more attacks that you can't handle and your provider can't do anything, you can find here on WHT a lot of providers with DDoS filtering protection.
    www.IPSecureNetwork.com
    Hosting , IRCD Servers , Streaming Audio-video, Dedicated Servers
    The Best Way to Be protected Against DDoS Attacks

  32. #32
    Quote Originally Posted by IPSecureNetwork View Post
    Ok,
    a few things to keep in mind.

    First: you tell us the DDoS attacks saturate all the NIC bandwidth, right?
    Ok, you talk with your provider to see how big the DDoS is? Because if the DDoS is only 100 Mbit or maybe 200 Mbit, it's too small to be a problem, or a big problem, because that is not a "real DDoS" or a DDoS to be worried about, and maybe you can deal with that on your box's side.

    A real DDoS is more than 1 Gbps (I saw attacks with more than 15 Gbps), and that is big.

    It's like a big bear living in a cigarette box. Imagine that?

    Well.

    - Second.

    The attacks are regularly decreasing because the infected machines show signs of the virus and the virus is deleted (and the attacker tries to recruit more machines).

    If you know the location of the botnet you must use the regular ways.

    First, report the IP to the IP owner. All IPs have an abuse email for these cases.

    Next, you can copy the FBI cybercrime office on that email reporting the IP. These guys are very serious regarding these things.

    Trust me.

    If you have problems with more attacks that you can't handle and your provider can't do anything, you can find here on WHT a lot of providers with DDoS filtering protection.
    Attacks have ranged from 50mbps to 100mbps (entire server saturated, as we are on a 100mbps line).

    I reported a few of the attacking IPs, but the company that owns them (Amazon S3) denied the attack ever happened.

    I also reported the server hosting their site to Hetzner, but I never heard back from them.

    Limestone mitigates the attacks, I am very happy with what they've done so far. They claim that they report all attackers' IPs, but I'm not too sure about that...

    Anyways, we can wait, sooner or later they'll give up. (And attacks have already become much less frequent).

  33. #33
    Join Date
    Jul 2011
    Posts
    222
    What size of DDoS means a "BIG" DDoS? >1G?

  34. #34
    Join Date
    Jun 2007
    Location
    Argentina
    Posts
    34
    Well... Amazon was involved in a lot of trouble with DDoS attacks (remember the attacks on the CIA and the Pentagon in the last months? And the issue with the Sony PlayStation Network? Well, lots of the IPs were from Amazon).
    I think for a while Amazon will be sick when someone says the word DDoS.

  35. #35
    Join Date
    Jun 2007
    Location
    Argentina
    Posts
    34
    Quote Originally Posted by aeoio View Post
    What size of DDoS means a "BIG" DDoS? >1G?
    Well, that depends: network, provider, etc.

    For some providers, if you reach 1 Gbps of DDoS, they null route the IP. They consider that amount a big DDoS problem.

    Others give you more flexibility in the SLA: 5 Gbps, 10 Gbps, 15 Gbps. That depends on the network infrastructure.

    If you have your own switches, firewalls, routers, etc., and your contract with your provider lets you handle this kind of problem, and you have the money to do that...

    Remember, the cost of the connectivity is expensive.


    So DDoS attacks with 1 Gbps of bandwidth consumption would be big for some people, tiny for others.
