Official Soldat Forums

Official Content => News => Topic started by: FliesLikeABrick on April 30, 2011, 05:52:40 pm

Title: Performance issues
Post by: FliesLikeABrick on April 30, 2011, 05:52:40 pm
Some of you may notice the forums and other services I host being slow.  One of my physical servers is under attack (DoS from 75.102.27.162, whoever that is.  If it's the real source it looks to be someone renting a server in Chicago).

They're targeting one of the NA Gather servers (the one I run on port 23002)


Dickless idiot, UDP flooding is so 1997.
Title: Re: Performance issues
Post by: demoniac93 on April 30, 2011, 07:40:22 pm
1997? I don't know anything about internet servers, but if it's that old a method, shouldn't it be easy to counter?
Title: Re: Performance issues
Post by: darDar on April 30, 2011, 08:26:29 pm
1997? I don't know anything about internet servers, but if it's that old a method, shouldn't it be easy to counter?
You can't 100% protect any site from d-dosing.
Any site can be d-dosed.
Title: Re: Performance issues
Post by: FliesLikeABrick on April 30, 2011, 08:30:55 pm
Here's the way DOS/DDOS attacks work, and why they're still common for skiddies who don't really know how to do anything more sophisticated:
- They generally work by sending lots of small packets, fast (in this case they're just one byte each).  This can make routers and other network devices upstream of the servers have problems handling routing/switching so many packets so fast.  This means that it is out of my control since I am a customer on this network.
- When this traffic hits a game server and needs to be processed by the application (which in this case it is, since it's UDP traffic going to a port the game server runs on), it'll cause that program to crash or use tons of CPU.  Which it did, which is why I put in a firewall rule to drop the traffic as soon as it hits the server so it can never reach the application.  No problem here.
- Slightly smarter skiddies will change the traffic around until they get bored, so this was more of a warning in case they decide to attack different servers and/or from different IP addresses, since there may be a delay before I can add a new address.
- When there's enough traffic, it can still make the server pissy even if I'm telling the OS to drop it as soon as it gets there.  Though in a case like that it's probably saturating an upstream piece of network equipment anyway so I'd need to get my host to block it (which I have no confidence in them to be able to do, but the traffic stopped before I asked anyway)
- If there was enough traffic to cause problems for my host, then they'd have to ask their upstream to filter it, which makes it even more of a PITA to filter, even if the traffic constantly changes profile.

All of that said, yes it's very unsophisticated and easy to filter - except in my case where I'm a customer on someone else's network and they may or may not be competent enough to filter this simple attack out.

These kinds of attacks which are this simple generally come from a kid with access to a dedicated server who thinks they might as well just send the traffic from there, a kid who has compromised someone else's server with a tool and either the tool can't do anything more complex or they don't know enough to do something "better", or if it was distributed (which this isn't), then it's more like the latter - they used someone else's bot code and it can't do anything better than "send lots of packets which are fairly easy to block"

When I worked for an ISP I saw these attacks all the time (and we only saw/cared about the ones big enough to take out multiple customers or a device on our network).  It generally took only a minute or two to create a filter to block the attack traffic.

edit: which is what darDar said in a lot fewer words/with less detail/info
Title: Re: Performance issues
Post by: 12th_account on May 01, 2011, 05:13:53 am
Well if his goal was degrading your services, pissing you off, wasting your time and to get official recognition from the admin, then I guess he was pretty successful, especially considering he used a tool and didn't have to spend much time setting it up.
Title: Re: Performance issues
Post by: CheeSeMan. on May 01, 2011, 10:58:41 am
sounds like a banned hacker got mad? So who lives in chicago? Usso? Atomic? x)
Title: Re: Performance issues
Post by: FliesLikeABrick on May 01, 2011, 02:28:32 pm
Well if his goal was degrading your services, pissing you off, wasting your time and to get official recognition from the admin, then I guess he was pretty successful, especially considering he used a tool and didn't have to spend much time setting it up.

he took a total of 10 minutes of my time, plus the time I took to write that longer post (which was just to enlighten the community about how DoS/DDoS work since there are probably some people here who are interested)

plus nothing actually went down except before I put the firewall rule in to keep the traffic from getting to the application (just so happened I was at the computer and saw it within seconds of it starting), soooooo I say he didn't get what he wanted.
Title: Re: Performance issues
Post by: demoniac93 on May 01, 2011, 03:05:02 pm
Well if his goal was degrading your services, pissing you off, wasting your time and to get official recognition from the admin, then I guess he was pretty successful, especially considering he used a tool and didn't have to spend much time setting it up.

he took a total of 10 minutes of my time, plus the time I took to write that longer post (which was just to enlighten the community about how DoS/DDoS work since there are probably some people here who are interested)

plus nothing actually went down except before I put the firewall rule in to keep the traffic from getting to the application (just so happened I was at the computer and saw it within seconds of it starting), soooooo I say he didn't get what he wanted.

[sarcasm] Bad guys never do. [/sarcasm]
Title: Re: Performance issues
Post by: jettlarue on May 01, 2011, 07:14:01 pm
Should we all ddos his ip to show him we're not fucking around?
Title: Re: Performance issues
Post by: jrgp on May 01, 2011, 07:58:05 pm
Should we all ddos his ip to show him we're not f**king around?

This isn't 4chan. :P
Title: Re: Performance issues
Post by: Fireman on May 01, 2011, 09:18:18 pm
sounds like a banned hacker got mad? So who lives in chicago? Usso? Atomic? x)

usso lives in wa

atom is in florida

unless they moved ?
Title: Re: Performance issues
Post by: PQ on May 01, 2011, 09:32:05 pm
It's a server anyway. You could report it at the host and they might take the server down. I bet they're not allowed to DDoS with their server. ( http://www.colocrossing.com/ )
Title: Re: Performance issues
Post by: FliesLikeABrick on May 02, 2011, 12:09:13 am
It's a server anyway. You could report it at the host and they might take the server down. I bet they're not allowed to DDoS with their server. ( http://www.colocrossing.com/ )

yeah I notified them and another related company after it started.

Keep in mind that since it is UDP traffic it could be spoofed from somewhere else.  I can't know it came from them unless they can acknowledge a burst of traffic that corresponds to the attack I saw.
Title: Re: Performance issues
Post by: vehicledestroyer on May 02, 2011, 04:11:29 am
Should we all ddos his ip to show him we're not f**king around?

This isn't 4chan. :P

Lmao! No, like FliesLikeABrick said, it's not a very sophisticated attack. We should use a better one. I live in chicago so just trace the IP to an address and I'll take it from there *VD opens a can of woop ass*. xD
Title: Re: Performance issues
Post by: homerofgods on May 02, 2011, 05:19:15 pm
Should we all ddos his ip to show him we're not f**king around?

This isn't 4chan. :P

Lmao! No, like FliesLikeABrick said, it's not a very sophisticated attack. We should use a better one. I live in chicago so just trace the IP to an address and I'll take it from there *VD opens a can of woop ass*. xD
Crap in a bag and put it on his doorstep, at least now I know more about DOS/DDOS
Btw, didn't he learn anything from Bin Laden's death? :p
Title: Re: Performance issues
Post by: FliesLikeABrick on May 08, 2011, 11:45:15 pm
They're at it again. Slightly different techniques this time but basically just as easy to block.  It might be distributed now but they don't have enough bots to take out any network hardware or my servers.... so sometimes things might get a little slow until I can block the traffic.


Title: Re: Performance issues
Post by: Meteorisch on May 09, 2011, 02:12:07 am
they be hatin
Title: Re: Performance issues
Post by: demoniac93 on May 09, 2011, 12:20:43 pm
Wait, I thought you reported this to the owners of the server they were directing this from. What happened?
Title: Re: Performance issues
Post by: FliesLikeABrick on May 09, 2011, 01:55:08 pm
Wait, I thought you reported this to the owners of the server they were directing this from. What happened?

As is unfortunately all too common with abuse complaints, they didn't respond.  And also, as I mentioned, there was no way to tell if that traffic had its source IP address spoofed - so they may have looked into it and found that the traffic didn't really originate from their network.
Title: Re: Performance issues
Post by: demoniac93 on May 09, 2011, 02:55:13 pm
Eh, even though it only lasts 10-20 minutes each time, it is somewhat annoying.
Can't you put up a firewall or something for those kinds of attacks?
Title: Re: Performance issues
Post by: FliesLikeABrick on May 09, 2011, 05:08:12 pm
go read the rest of the thread.

and no, they're not still happening.  It happened for a bit when I posted last night, but hasn't happened since then.
Title: Re: Performance issues
Post by: Furai on May 10, 2011, 09:32:47 am
How can one check if one was DoSed?
Title: Re: Performance issues
Post by: FliesLikeABrick on May 10, 2011, 11:02:05 am
You'll know when it happens.  Unless you make a pastime of pissing off people on the Internet, it's not something you need to worry about at home.  It's much more common for people who host sites/content/servers for other people because then the host feels the wrath of whoever the customers have pissed off.

In this case I suspect one of the people I host Soldat or other servers has someone who doesn't like them.

I only noticed these attacks because one of my servers had a bit of packet loss (and I have more than just hosting which goes through that server), so I flipped to a terminal tab where I track the interface usage of my servers.  If there's a strange volume of network traffic there, then I use tcpdump to figure out what it is and block accordingly.
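The triage workflow described in this thread (look at the traffic with tcpdump, find the flood, drop it at the host firewall before it reaches the game server), as an added example that is not part of the original posts or any poster's own tooling. It assumes text in the `tcpdump -n udp` summary format; the addresses are constructed from documentation ranges, and the `min_pps` threshold and helper names are hypothetical.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Matches one line of `tcpdump -n udp` text output.
LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\d+(?:\.\d+){3})\.\d+ > "
                  r"\d+(?:\.\d+){3}\.(\d+): UDP, length (\d+)")

def _line(i, step, src, length):
    return f"12:00:{i * step:09.6f} IP {src}.40000 > 198.51.100.5.23002: UDP, length {length}"

# Constructed capture: one source sending 1-byte datagrams at 500 pps, plus
# three ordinary players at 30 pps each with varying payload sizes.
SAMPLE = ([_line(i, 0.002, "192.0.2.10", 1) for i in range(500)] +
          [_line(i, 0.011, f"203.0.113.{21 + i % 3}", 20 + i % 40) for i in range(90)])

def parse(lines):
    """Return (timestamp_seconds, src_ip, dst_port, payload_len) per UDP line."""
    out = []
    for line in lines:
        m = LINE.match(line)
        if m:  # skip anything that is not a UDP summary line
            h, mi, s, src, dport, length = m.groups()
            out.append((int(h) * 3600 + int(mi) * 60 + float(s), src, int(dport), int(length)))
    return out

def find_floods(packets, min_pps=200):
    """Group by (source, destination port) and flag groups above min_pps."""
    if not packets:
        return []
    times = [p[0] for p in packets]
    window = max(max(times) - min(times), 1.0)  # avoid dividing by ~0 on short captures
    groups = defaultdict(Counter)
    for _, src, dport, length in packets:
        groups[(src, dport)][length] += 1
    floods = []
    for (src, dport), lengths in groups.items():
        total = sum(lengths.values())
        if total / window >= min_pps:
            size, hits = lengths.most_common(1)[0]  # a uniform tiny size is typical of a flood
            floods.append({"src": src, "dport": dport, "pps": round(total / window),
                           "length": size, "share": hits / total})
    return sorted(floods, key=lambda f: -f["pps"])

def drop_rule(flood):
    src = ipaddress.ip_address(flood["src"])  # refuse anything that is not a literal IP
    return f"iptables -I INPUT -s {src} -p udp --dport {int(flood['dport'])} -j DROP"

if __name__ == "__main__":
    for f in find_floods(parse(SAMPLE)):
        print(f, "->", drop_rule(f))
```

The generated rule is only a candidate: because UDP sources can be spoofed, as noted earlier in the thread, review it before applying so a forged address does not lock out real players.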
Title: Re: Performance issues
Post by: Furai on May 10, 2011, 11:08:14 am
I'm hosting a few Soldat servers, too, and my services were for sure attacked once. As I'm kinda newbie in terms of linux I'd like to know how to deal with it. I'd appreciate any help you can give me. :)
Title: Re: Performance issues
Post by: PQ on May 10, 2011, 11:13:22 am
Pick your nose and wait till it's over.
Title: Re: Performance issues
Post by: Meteorisch on May 10, 2011, 12:31:20 pm
I'm hosting a few Soldat servers, too, and my services were for sure attacked once. As I'm kinda newbie in terms of linux I'd like to know how to deal with it. I'd appreciate any help you can give me. :)

close the servers wait a while restart them :DD
Title: Re: Performance issues
Post by: zyxstand on May 11, 2011, 03:59:53 am
this wouldn't happen if soldat were p2p :P