From your previous posts, I seem to recall godcraft being hosted on a pretty beefy dedicated system. If your datacenter/ISP can't mitigate a 90 Mbps attack (really small in the DC world) in a couple of hours, you need to find a new host ASAP. In the interim, I wouldn't be looking at any 3rd party (D)DoS mitigation unless you have control over the routers and BGP coming into your system's network. Having just the system, all you're really going to be able to do is iptables. This is REALLY sad though if your ISP can't fix this.
This holds some weight. Our server got a DDoS attack yesterday, and while I was looking through the theoretical countermeasures for these types of attacks on Google, the hosters (thank goodness they are a big company with a bigger ISP partner) took care of it in an hour. I wonder if any of the other bigger servers have been attacked recently as well...
Kane, how do you detect something like this? I've never had experience here, but how would I know if my server is being attacked if it ever happened? Does it show up in the server logs, or do I have to watch my internet traffic somehow? (Ok, I'll admit to being a noob to this...)
Monkey Mines is a small 18+ Whitelisted Realms server that also allows families. We're currently looking for new players if they're not jerks.
Well, I decided to post here. I'm running CentOS 5 and I have a good machine, and thankfully because of this the DDoS is not knocking my connection right off, but it is causing random packet loss.
He is targeting my UDP Minecraft port at 90+ Mbps.
Spoofed IP also, unless Activision is really pissed off.
05:44:49.009213 IP 63.146.124.21.20810 > 96-9-145-75.hostnoc.net.25565: UDP, length 805
05:44:49.009350 IP 63.146.124.21.20810 > 96-9-145-75.hostnoc.net.25565: UDP, length 805
05:44:49.009356 IP 63.146.124.21.20810 > 96-9-145-75.hostnoc.net.25565: UDP, length 805
05:44:49.009474 IP 63.146.124.21.20810 > 96-9-145-75.hostnoc.net.25565: UDP, length 805
05:44:49.009479 IP 63.146.124.21.20810 > 96-9-145-75.hostnoc.net.25565: UDP, length 805
05:44:49.009616 IP 63.146.124.21.20810 > 96-9-145-75.hostnoc.net.25565: UDP, length 805
05:44:49.009622 IP 63.146.124.21.20810 > 96-9-145-75.hostnoc.net.25565: UDP, length 805
05:44:49.009760 IP 63.146.124.21.20810 > 96-9-145-75.hostnoc.net.25565: UDP, length 805
05:44:49.009767 IP 63.146.124.21.20810 > 96-9-145-75.hostnoc.net.25565: UDP, length 805
05:44:49.009905 IP 63.146.124.21.20810 > 96-9-145-75.hostnoc.net.25565: UDP, length 805
05:44:49.009911 IP 63.146.124.21.20810 > 96-9-145-75.hostnoc.net.25565: UDP, length 805
05:44:49.010085 IP 63.146.124.21.20810 > 96-9-145-75.hostnoc.net.25565: UDP, length 805
05:44:49.010088 IP 63.146.124.21.20810 > 96-9-145-75.hostnoc.net.25565: UDP, length 805
05:44:49.010089 IP 63.146.124.21.20810 > 96-9-145-75.hostnoc.net.25565: UDP, length 805
05:44:49.010289 IP 63.146.124.21.20810 > 96-9-145-75.hostnoc.net.25565: UDP, length 805
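An added example, not code from anyone in this thread, that answers the "how do you detect something like this" question against the capture format pasted above: it parses tcpdump's one-line UDP summary, buckets traffic per source and per second, and flags any source whose rate to the Minecraft port is far beyond what a real client sends. The 1000 pkt/s threshold, the 192.0.2.7 client and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Parser for the one-line tcpdump summary format quoted above, e.g.
#   05:44:49.009213 IP 63.146.124.21.20810 > 96-9-145-75.hostnoc.net.25565: UDP, length 805
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>\S+)\.\d+ > "
    r"\S+\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

def parse_line(line):
    """Return (second, source, dest_port, udp_payload_len), or None for lines not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("src"), int(m.group("dport")), int(m.group("len"))

def peak_rates(lines, port):
    """Per source address, its busiest one-second bucket of UDP traffic to `port`:
    {source: (packets_per_second, megabits_per_second)}."""
    buckets = defaultdict(lambda: [0, 0])   # (source, second) -> [packets, bytes on the wire]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != port:
            continue
        sec, src, _, payload = parsed
        bucket = buckets[(src, sec)]
        bucket[0] += 1
        bucket[1] += payload + 28            # tcpdump's length is UDP payload; add 20 B IPv4 + 8 B UDP
    peaks = {}
    for (src, _), (pkts, nbytes) in buckets.items():
        if pkts > peaks.get(src, (0, 0.0))[0]:
            peaks[src] = (pkts, round(nbytes * 8 / 1e6, 2))
    return peaks

def flooding_sources(lines, port, pps_limit=1000):
    """Sources whose peak rate beats pps_limit (assumed); a real game client sends a few packets per second."""
    return {src: rate for src, rate in peak_rates(lines, port).items() if rate[0] > pps_limit}

# Constructed sample capture (not a real log): the address and port from the pasted fragment
# sending 805-byte datagrams 14,000 times within one second, plus one ordinary client.
SAMPLE = [
    "05:44:49.%06d IP 63.146.124.21.20810 > 96-9-145-75.hostnoc.net.25565: UDP, length 805" % (i * 71)
    for i in range(14000)
]
SAMPLE += [
    "05:44:49.500000 IP 192.0.2.7.50000 > 96-9-145-75.hostnoc.net.25565: UDP, length 30",
    "05:44:49.600000 IP 192.0.2.7.50000 > 96-9-145-75.hostnoc.net.25565: UDP, length 30",
]
```

Feed it `tcpdump -n -l udp port 25565` output line by line; 14,000 packets of 805 bytes in one second works out to about 93 Mbit/s, the same order as the 90+ Mbps reported in the thread.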
Feel free to PM me with some details about your network infrastructure. If you need ideas on what I would be looking for, just PM me beforehand. I'll do a quick security audit for you and give you some options to deal with the attack.
CURRENTLY RUNNING:
Permissions
Essentials
GriefAlert
MCBans
BigBrother
LWC
MultiVerse
Pfft. I'll give you the actual security consultant answer for free. The traffic needs to be blocked upstream. A saturated downstream is a saturated downstream and no amount of messing about with simple iptables DROP rules is going to change that.
Hardening the host against those types of attacks is primarily a matter of telling it to stop responding to things it doesn't need to... something done with a default deny rule on any exterior-facing interfaces for starters. Why is this important? Because by default most network-connected hosts try to "play nice" and politely send back a message to let a host know that its connection request on a closed port is being declined. Hardened hosts aren't "nice"; they're mean and uncaring. They don't trust any traffic they weren't expecting and never respond to it at all. It saves your bandwidth in that replies to queries that never should have been made don't go out, and it keeps your host from being used as a participant in a traffic reflection attack. This will not, however, do a bloody thing when the problem is that you're being sent more downstream traffic than your ISP can hand over to you. That's a problem to be solved with telephone calls and emails. I'm guessing (more hoping, actually) default deny policies were one of the first things his ISP suggested or that he already has one.
I'm not trying to be harsh, but I'm really not amused by the quality of the answers, nay... guesses people have been throwing in here.
...and just to really put the boot down on the misinformation, the difference between DoS and DDoS is irrelevant to the problem, guys, and no, you're not impressing anyone by trying to make a distinction. I don't know if I overlooked it before or it was only recently pasted in, but a distributed attack originating from different points in the network tends to have some variance in TTLs because of, well, routing. The TTLs in the fragment he posted? All 121. So, rather likely not a DDoS but a DoS, but at least you can stop trying to imagine reasons to care.
TTLs have no significance as to whether or not it's a DDoS or DoS. A TTL is just part of the IP header that routers use to decide if the packet has been in transit too long. You must be thinking of the hop count, because that would decide the likelihood of them all originating from the same place. In the new yet unrefined IPv6, TTLs are being renamed to "Hop Limit". See the distinction?
You might want to go review your CompTIA books again.
Really? So a packet that starts at my computer doesn't decrease as it hits various routers on the path through the network? That's hard to believe. It has quite a bit of significance in this case.
In regard to the upstream answer, yes, that is the correct solution, and if the hosting company doesn't fix that issue, get a new one. I believe Kane's hosting company is burst.net, which if I recall correctly, isn't so great in customer service and network security/stability.
It's not burst but uses the same DC and not a reseller.
But we're moving to a new company and will hopefully be good again.
TTLs have no significance with an IP that is being spoofed. Should have mentioned that before. Sorry. If you don't know why this is, then search around, because I don't feel like typing up an entire page on the process.
This is ruining me. No one's been able to help; I'm now having players doing chargebacks, even my own mods, and I'm spending more money for a service that is supposed to be better, but it's getting worse.
Ugh. I hate this. Why can't people wait it out?
GL
Mod edit: I would like to draw your attention to This. While it was posted in the Server section, we are still talking about A server (or the network of what would be a server) and so the rule still applies.
I sympathize with you, man, as a fellow server administrator on a much smaller server. I understand how hard it is to keep all the users happy and deal with a catastrophe like this, especially when money is involved.
All I can suggest is to think about moving to another provider/network. HostNoc/Burst are notoriously bad when it comes to their network and support.
I hope you can get this worked out.
Thanks. I am trying a new company I'm hoping for the best but we will see I guess how it turns out.
Try tossing this in your iptables script at the right location:
iptables -A INPUT -s 63.146.124.21 -j DROP
then
service iptables reload
There are also quite a few anti-DoS companies out there; it's a premium, but they do a pretty good job generally.
May or may not work *shrug*
I'm siding with the guy(s) doing the attack.