Author Topic: Performance issues  (Read 10852 times)

Offline FliesLikeABrick

  • Administrator
  • Flamebow Warrior
  • *****
  • Posts: 6144
    • Ultimate 13 Soldat
Performance issues
« on: April 30, 2011, 05:52:40 pm »
Some of you may notice the forums and other services I host being slow.  One of my physical servers is under attack (DoS from 75.102.27.162, whoever that is.  If it's the real source it looks to be someone renting a server in Chicago).

They're targeting one of the NA Gather servers (the one I run on port 23002)


Dickless idiot, UDP flooding is so 1997.

Offline demoniac93

  • Veteran
  • *****
  • Posts: 1554
Re: Performance issues
« Reply #1 on: April 30, 2011, 07:40:22 pm »
1997? I don't know anything about internet servers, but if it's that old a method, shouldn't it be easy to counter?

Offline darDar

  • Soldat Beta Team
  • Flagrunner
  • ******
  • Posts: 794
    • #Soldat Gather - Community on Discord
Re: Performance issues
« Reply #2 on: April 30, 2011, 08:26:29 pm »
1997? I don't know anything about internet servers, but if it's that old a method, shouldn't it be easy to counter?
you can't 100% protect any site from d-dosing.
Any Site can be d-dosed

Offline FliesLikeABrick

Re: Performance issues
« Reply #3 on: April 30, 2011, 08:30:55 pm »
Here's the way DOS/DDOS attacks work, and why they're still common for skiddies who don't really know how to do anything more sophisticated:
- They generally work by sending lots of small packets, fast (in this case they're just one byte each).  This can make routers and other network devices upstream of the servers have problems handling routing/switching so many packets so fast.  This means that it is out of my control since I am a customer on this network.
- When this traffic hits a game server and needs to be processed by the application (which in this case it is, since it's UDP traffic going to a port the game server runs on), it'll cause that program to crash or use tons of CPU.  Which it did, which is why I put in a firewall rule to drop the traffic as soon as it hits the server so it can never reach the application.  No problem here.
- Slightly smarter skiddies will change the traffic around until they get bored, so this was more of a warning in case they decide to attack different servers and/or from different IP addresses, since there may be a delay before I can add a new address
- When there's enough traffic, it can still make the server pissy even if I'm telling the OS to drop it as soon as it gets there.  Though in a case like that it's probably saturating an upstream piece of network equipment anyway so I'd need to get my host to block it (which I have no confidence in them to be able to do, but the traffic stopped before I asked anyway)
- If there was enough traffic to cause problems for my host, then they'd have to ask their upstream to filter it, which makes it even more of a PITA to filter, even if the traffic constantly changes profile.

All of that said, yes it's very unsophisticated and easy to filter - except in my case where I'm a customer on someone else's network and they may or may not be competent enough to filter this simple attack out.

These kinds of attacks which are this simple generally come from a kid with access to a dedicated server who thinks they might as well just send the traffic from there, a kid who has compromised someone else's server with a tool and either the tool can't do anything more complex or they don't know enough to do something "better", or if it was distributed (which this isn't), then it's more like the latter - they used someone else's bot code and it can't do anything better than "send lots of packets which are fairly easy to block"

When I worked for an ISP I saw these attacks all the time (and we only saw/cared about the ones big enough to take out multiple customers or a device on our network).  It generally took only a minute or two to create a filter to block the attack traffic.

edit: which is what darDar said in a lot fewer words/with less detail/info
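
Added example, not part of the original post or the admin's own tooling: a sketch of the triage described above, where a capture summary is scanned for sources sending a high rate of tiny UDP datagrams to the game port and a drop rule is rendered for each. The packet tuples, the addresses (documentation ranges), and the two thresholds are constructed assumptions; only port 23002 and the one-byte payload come from the thread.

```python
import ipaddress
from collections import defaultdict

GAME_PORT = 23002   # game server port named in the post
TINY_PAYLOAD = 4    # bytes; assumed cutoff (the post reports 1-byte datagrams)
PPS_LIMIT = 500     # assumed per-source threshold; set above normal player peak

def sample_packets():
    """Constructed capture summary: (second, src_ip, dst_port, udp_payload_len)."""
    pkts = []
    for sec in (100, 101):
        pkts += [(sec, "203.0.113.7", GAME_PORT, 1)] * 900    # flood source
        pkts += [(sec, "198.51.100.20", GAME_PORT, 48)] * 30  # ordinary player
        pkts += [(sec, "198.51.100.21", GAME_PORT, 52)] * 25  # ordinary player
    return pkts

def find_flooders(packets, port=GAME_PORT, pps_limit=PPS_LIMIT):
    """Return {src_ip: peak packets/second} for sources whose rate of tiny
    datagrams to `port` exceeds pps_limit in any one-second bucket."""
    per_second = defaultdict(int)
    for sec, src, dport, payload_len in packets:
        if dport == port and payload_len <= TINY_PAYLOAD:
            per_second[(src, sec)] += 1
    peaks = defaultdict(int)
    for (src, _sec), count in per_second.items():
        peaks[src] = max(peaks[src], count)
    return {src: pps for src, pps in peaks.items() if pps > pps_limit}

def drop_rules(flooders, port=GAME_PORT):
    """Render one iptables rule per flagged source. -I puts the rule at the
    top of INPUT so the datagrams are dropped before the game server sees them."""
    rules = []
    for src in sorted(flooders):
        # Validate before interpolating into a command line; raises ValueError
        # on anything that is not a plain IPv4 address.
        addr = ipaddress.IPv4Address(src)
        rules.append(f"iptables -I INPUT -p udp -s {addr} --dport {port} -j DROP")
    return rules

if __name__ == "__main__":
    for rule in drop_rules(find_flooders(sample_packets())):
        print(rule)
```

The flagged address says what to filter, not who sent it, because a UDP source address can be forged. A per-source rule also only protects the host itself; it does nothing for saturated equipment upstream.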

Offline 12th_account

  • Major(1)
  • Posts: 43
Re: Performance issues
« Reply #4 on: May 01, 2011, 05:13:53 am »
Well if his goal was degrading your services, pissing you off, wasting your time and to get official recognition from the admin, then I guess he was pretty successful, especially considering he used a tool and didn't have to spend much time setting it up.

Offline CheeSeMan.

  • Flagrunner
  • ****
  • Posts: 731
  • WOOT SLIPPERY PICKLES
Re: Performance issues
« Reply #5 on: May 01, 2011, 10:58:41 am »
sounds like a banned hacker got mad? So who lives in chicago? Usso? Atomic? x)

Offline FliesLikeABrick

Re: Performance issues
« Reply #6 on: May 01, 2011, 02:28:32 pm »
Well if his goal was degrading your services, pissing you off, wasting your time and to get official recognition from the admin, then I guess he was pretty successful, especially considering he used a tool and didn't have to spend much time setting it up.

he took a total of 10 minutes of my time, plus the time I took to write that longer post (which was just to enlighten the community about how DoS/DDoS work since there are probably some people here who are interested)

plus nothing actually went down except before I put the firewall rule in to keep the traffic from getting to the application (just so happened I was at the computer and saw it within seconds of it starting), soooooo I say he didn't get what he wanted.

Offline demoniac93

Re: Performance issues
« Reply #7 on: May 01, 2011, 03:05:02 pm »
Well if his goal was degrading your services, pissing you off, wasting your time and to get official recognition from the admin, then I guess he was pretty successful, especially considering he used a tool and didn't have to spend much time setting it up.

he took a total of 10 minutes of my time, plus the time I took to write that longer post (which was just to enlighten the community about how DoS/DDoS work since there are probably some people here who are interested)

plus nothing actually went down except before I put the firewall rule in to keep the traffic from getting to the application (just so happened I was at the computer and saw it within seconds of it starting), soooooo I say he didn't get what he wanted.

[sarcasm] Bad guys never do. [/sarcasm]

Offline jettlarue

  • Flagrunner
  • ****
  • Posts: 724
Re: Performance issues
« Reply #8 on: May 01, 2011, 07:14:01 pm »
Should we all ddos his ip to show him we're not fucking around?

Offline jrgp

  • Administrator
  • Flamebow Warrior
  • *****
  • Posts: 5037
Re: Performance issues
« Reply #9 on: May 01, 2011, 07:58:05 pm »
Should we all ddos his ip to show him we're not f**king around?

This isn't 4chan. :P

Offline Fireman

  • Major
  • *
  • Posts: 88
  • D:
Re: Performance issues
« Reply #10 on: May 01, 2011, 09:18:18 pm »
sounds like a banned hacker got mad? So who lives in chicago? Usso? Atomic? x)

usso lives in wa

atom is in florida

unless they moved ?

Offline PQ

  • Camper
  • ***
  • Posts: 418
  • Charge!
Re: Performance issues
« Reply #11 on: May 01, 2011, 09:32:05 pm »
It's a server anyway. You could report it at the host and they might take the server down. I bet they're not allowed to DDoS with their server. ( http://www.colocrossing.com/ )


Offline FliesLikeABrick

Re: Performance issues
« Reply #12 on: May 02, 2011, 12:09:13 am »
It's a server anyway. You could report it at the host and they might take the server down. I bet they're not allowed to DDoS with their server. ( http://www.colocrossing.com/ )

yeah I notified them and another related company after it started.

Keep in mind that since it is UDP traffic it could be spoofed from somewhere else.  I can't know it came from them unless they can acknowledge a burst of traffic that corresponds to the attack I saw.

Offline vehicledestroyer

  • Soldier
  • **
  • Posts: 120
  • I'm a Soldat freelancer, and I'm Looking for work.
    • Crash Commando Kings
Re: Performance issues
« Reply #13 on: May 02, 2011, 04:11:29 am »
Should we all ddos his ip to show him we're not f**king around?

This isn't 4chan. :P

Lmao! No, like FliesLikeABrick said, it's not a very sophisticated attack. We should use a better one. I live in Chicago so just trace the IP to an address and I'll take it from there *VD opens a can of woop ass*. xD
« Last Edit: May 02, 2011, 04:13:01 am by vehicledestroyer »

Offline homerofgods

  • Soldat Beta Team
  • Rainbow Warrior
  • ******
  • Posts: 2029
  • We can do better!
Re: Performance issues
« Reply #14 on: May 02, 2011, 05:19:15 pm »
Should we all ddos his ip to show him we're not f**king around?

This isn't 4chan. :P

Lmao! No, like FliesLikeABrick said, it's not a very sophisticated attack. We should use a better one. I live in Chicago so just trace the IP to an address and I'll take it from there *VD opens a can of woop ass*. xD
Crap in a bag and put it on his doorstep, at least now I know more about DOS/DDOS
Btw, didn't he learn anything from Bin Laden's death? :p
« Last Edit: May 02, 2011, 05:22:22 pm by homerofgods »

Offline FliesLikeABrick

Re: Performance issues
« Reply #15 on: May 08, 2011, 11:45:15 pm »
They're at it again. Slightly different techniques this time but basically just as easy to block.  It might be distributed now but they don't have enough bots to take out any network hardware or my servers.... so sometimes things might get a little slow until I can block the traffic.


« Last Edit: May 09, 2011, 12:08:31 am by FliesLikeABrick »

Offline Meteorisch

  • Soldier
  • **
  • Posts: 144
Re: Performance issues
« Reply #16 on: May 09, 2011, 02:12:07 am »
they be hatin

Offline demoniac93

Re: Performance issues
« Reply #17 on: May 09, 2011, 12:20:43 pm »
Wait, I thought you reported this to the owners of the server they were directing this from. What happened?

Offline FliesLikeABrick

Re: Performance issues
« Reply #18 on: May 09, 2011, 01:55:08 pm »
Wait, I thought you reported this to the owners of the server they were directing this from. What happened?

As is unfortunately all too common with abuse complaints, they didn't respond.  And also, as I mentioned, there was no way to tell if that traffic had its source IP address spoofed - so they may have looked into it and found that the traffic didn't really originate from their network.

Offline demoniac93

Re: Performance issues
« Reply #19 on: May 09, 2011, 02:55:13 pm »
Eh, even though it only lasts 10-20 minutes each time, it is somewhat annoying.
Can't you put up a firewall or something for those kinds of attacks?