Ark Servers OpenVPN and DDOs

WETBATMAN Member
edited April 2019 in Help

hi, i have started hosting some Ark Survival Evolved servers in the summer of last year, i had some pc parts laying around in my house and decided to build a game server with them, eventually my servers gained some popularity which quickly backfired

i was getting ddosed pretty much every day (i had no protection at the time) my little router with a mere 40 mb up/down could not take it (obviously), i decided to call my isp to change my ip to a dynamic ip and rented a VPS box from OVH to which i connected via OpenVPN from my home pc

i followed this tutorial to set up port forwarding on the VPN (https://whattheserver.com/openvpn-server-with-port-forwarding/)

the connections and everything is fine to both game servers and my webservers, hosted from my home machine

however the issue is that when i get ddosed my servers and my website all go down, i can still remote into my VPS via ssh and it seems to have 0 issues during ddos, however my home pc is unreachable

i've tried tuning my MTU (which OVH recommends) but had no luck, i'm running my VPN on UDP


here are my OVH firewall rules, basically i allow all incoming tcp for the Ark Survival Evolved servers, and the other ports for steam authentication (for my website) and some for my other webservers (1111,1112 etc...)

is there anything i'm doing incorrectly ?, any possible way to make my home machine not go completely offline during ddos ?

Comments

  • stefeman Member
    edited April 2019

    Delete that Refuse IPv4 rule at the bottom. He's probably attacking server port anyway which is open. Only messes up VPN traffic.

    How are you using the OVH VPS or is it OVH Dedicated server? As a reverse tunnel for your server at home, or does the gameserver run from it?

    Try taking tcpdump of the attack and post it here if your SSH does not go down during an attack.

    Also if it's classic OVH VPS on 100Mbps port, UDP traffic gets blocked during attack in some cases. You need a dedicated server or reseller VPS with full IP Management if ur gonna run DDoS Protected VPN.

    Here's how my VPS/VPN server looks like.

    Running it from OVH Game VPS which I bought for 6 USD from @MikeA

    33535 is OpenVPN TCP
    33538 is WireGuard UDP

  • @stefeman said:
    Delete that Refuse IPv4 rule at the bottom. He's probably attacking server port anyway which is open. Only messes up VPN traffic.

    How are you using the OVH VPS or is it OVH Dedicated server? As a reverse tunnel for your server at home, or does the gameserver run from it?

    Try taking tcpdump of the attack and post it here if your SSH does not go down during an attack.

    Also if it's classic OVH VPS on 100Mbps port, UDP traffic gets blocked during attack in some cases. You need a dedicated server or reseller VPS with full IP Management if ur gonna run DDoS Protected VPN.

    all servers run from my home machine

    it's not a dedicated OVH machine just a CLOUD VPS, it's basically used to mask my real home ip

    aw that sucks really bad if they drop all UDP traffic, i haven't tried tcp for the vpn but from what i've read it's much slower

  • TCP VPS is nearly 2x slower, also your Cloud VPS only has 100Mbps port.

    I've seen OVH Firewall leaking up to 700 Mbps traffic when under mitigation just last Friday on our L4D2 servers, so nowadays you really need 1Gbps port even if there's an anti-ddos enabled.

  • @stefeman said:
    TCP VPS is nearly 2x slower, also your Cloud VPS only has 100Mbps port.

    I've seen OVH Firewall leaking up to 700 Mbps traffic when under mitigation just last Friday on our L4D2 servers, so nowadays you really need 1Gbps port even if there's an anti-ddos enabled.

    soo, any chance for me to get something like your setup ?, are those re-sellers still a thing ?

  • stefeman Member
    edited April 2019

    @WETBATMAN said:

    @stefeman said:
    TCP VPS is nearly 2x slower, also your Cloud VPS only has 100Mbps port.

    I've seen OVH Firewall leaking up to 700 Mbps traffic when under mitigation just last Friday on our L4D2 servers, so nowadays you really need 1Gbps port even if there's an anti-ddos enabled.

    soo, any chance for me to get something like your setup ?, are those re-sellers still a thing ?

    Well, first off you should try recording the attack with this command:

    tcpdump -s 0 -w dump.pcap

    then CTRL + C after a few (5-10) seconds.

    Then share the file with someone here you can trust with the source IP infos, don't post public link to the file or ur home server IP will be exposed.

    Then from there you can see if it's for example a reflection attack from a single source port which can be blocked entirely on the firewall settings at network level before it reaches the server.

    As for your question about my setup:

    https://extravm.com/billing/cart.php?gid=29

    I got GAME VPS from there with 1GB RAM

    Full IP Management here, which is the same as on OVH site but text based:

    https://extravm.com/billing/ip_management.php

  • @stefeman said:

    @WETBATMAN said:

    @stefeman said:
    TCP VPS is nearly 2x slower, also your Cloud VPS only has 100Mbps port.

    I've seen OVH Firewall leaking up to 700 Mbps traffic when under mitigation just last Friday on our L4D2 servers, so nowadays you really need 1Gbps port even if there's an anti-ddos enabled.

    soo, any chance for me to get something like your setup ?, are those re-sellers still a thing ?

    Well, first off you should try recording the attack with this command:

    tcpdump -s 0 -w dump.pcap

    then CTRL + C after a few (5-10) seconds.

    Then share the file with someone here you can trust with the source IP infos, don't post public link to the file or ur home server IP will be exposed.

    Then from there you can see if it's for example a reflection attack from a single source port which can be blocked entirely on the firewall settings at network level before it reaches the server.

    i have tried that before and got multiple ip's, then i checked my user log and it showed that some ip from china was trying to crack my root pass, since then i've disabled log in as root and moved my ssh port, but the fact still stands that it was a multi IP ddos

  • stefeman Member
    edited April 2019

    @WETBATMAN said:

    @stefeman said:

    @WETBATMAN said:

    @stefeman said:
    TCP VPS is nearly 2x slower, also your Cloud VPS only has 100Mbps port.

    I've seen OVH Firewall leaking up to 700 Mbps traffic when under mitigation just last Friday on our L4D2 servers, so nowadays you really need 1Gbps port even if there's an anti-ddos enabled.

    soo, any chance for me to get something like your setup ?, are those re-sellers still a thing ?

    Well, first off you should try recording the attack with this command:

    tcpdump -s 0 -w dump.pcap

    then CTRL + C after a few (5-10) seconds.

    Then share the file with someone here you can trust with the source IP infos, don't post public link to the file or ur home server IP will be exposed.

    Then from there you can see if it's for example a reflection attack from a single source port which can be blocked entirely on the firewall settings at network level before it reaches the server.

    i have tried that before and got multiple ip's, then i checked my user log and it showed that some ip from china was trying to crack my root pass, since then i've disabled log in as root and moved my ssh port, but the fact still stands that it was a multi IP ddos

    Check from Wireshark if there's a pattern under DATA in hex value or if most of the packets come from same source port. Usually either one of those is true.

    For example this crap passed through OVH firewall.

    Blocking sport 1194 solved it.
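
An added example, not part of the thread: a minimal Python reader for the classic pcap file that `tcpdump -s 0 -w dump.pcap` writes, tallying UDP source ports and leading payload bytes to show whether a multi-source flood shares one source port or data pattern. Ethernet link type is assumed, and the addresses, destination port 7777 and payload bytes in the sample are constructed; only source port 1194 comes from the post above.

```python
import struct
from collections import Counter

def udp_profile(pcap, prefix_len=4):
    """Count UDP source ports and payload prefixes in a classic pcap (Ethernet)."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    sports, prefixes, sources = Counter(), Counter(), set()
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4/UDP
        if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
            continue  # later IP fragment: carries no UDP header
        udp = 14 + (frame[14] & 0x0F) * 4
        if len(frame) < udp + 8:
            continue  # truncated capture
        sports[struct.unpack("!H", frame[udp:udp + 2])[0]] += 1
        prefixes[frame[udp + 8:udp + 8 + prefix_len].hex()] += 1
        sources.add(frame[26:30])
    return sports, prefixes, len(sources)

def dominant(counter):
    """Return (most common key, its share of all counted packets)."""
    key, hits = counter.most_common(1)[0]
    return key, hits / sum(counter.values())

def _frame(src, sport, dport, payload):
    # Constructed Ethernet/IPv4/UDP frame; checksums left at zero (not validated).
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(src), bytes([192, 0, 2, 10]))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def sample_pcap():
    """Constructed capture: 9 flood packets from 9 sources (sport 1194) + 1 other."""
    frames = [_frame([198, 51, 100, i], 1194, 7777, b"\xde\xad\xbe\xef" + bytes([i]))
              for i in range(1, 10)]
    frames.append(_frame([203, 0, 113, 5], 50000, 7777, b"hello"))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    sports, prefixes, nsrc = udp_profile(sample_pcap())
    print(nsrc, "sources; top sport", dominant(sports), "top prefix", dominant(prefixes))
```

A capture taken with `-i any` uses a different link type and is rejected by this reader rather than misparsed.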

  • @stefeman said:

    @WETBATMAN said:

    @stefeman said:

    @WETBATMAN said:

    @stefeman said:
    TCP VPS is nearly 2x slower, also your Cloud VPS only has 100Mbps port.

    I've seen OVH Firewall leaking up to 700 Mbps traffic when under mitigation just last Friday on our L4D2 servers, so nowadays you really need 1Gbps port even if there's an anti-ddos enabled.

    soo, any chance for me to get something like your setup ?, are those re-sellers still a thing ?

    Well, first off you should try recording the attack with this command:

    tcpdump -s 0 -w dump.pcap

    then CTRL + C after a few (5-10) seconds.

    Then share the file with someone here you can trust with the source IP infos, don't post public link to the file or ur home server IP will be exposed.

    Then from there you can see if it's for example a reflection attack from a single source port which can be blocked entirely on the firewall settings at network level before it reaches the server.

    i have tried that before and got multiple ip's, then i checked my user log and it showed that some ip from china was trying to crack my root pass, since then i've disabled log in as root and moved my ssh port, but the fact still stands that it was a multi IP ddos

    Check from Wireshark if there's a pattern under DATA in hex value or if most of the packets come from same source port. Usually either one of those is true.

    i will try to do a tcpdump on the next attack, meanwhile anything else i could do ?

  • MikeA Member, Patron Provider
    edited April 2019

    Get a tcpdump when it happens and ticket OVH. While they might not be able to help sometimes, there are times that the VAC (mitigation) team will change things to block attacks, but in my cases it was with the game firewall and not the standard protection. You'd probably be better off with the game protection, no matter who you get it from. I suggest running your game server stuff on a different IP than the VPN unless you're doing through the same thing, but @stefeman is right, sometimes there's a lot of bad traffic passed through, but many times for me it's not spoofed UDP, so it's easy to report and take down.

  • jackb Member, Host Rep
    edited April 2019

    @WETBATMAN said:
    i will try to do a tcpdump on the next attack, meanwhile anything else i could do ?

    Might be worth looking into going with @MikeA rather than OVH direct, it sounds like you'll need some manual intervention & knowledge in attack mitigation if you're with ovh direct. I believe his services also come with ovh game protection if memory serves correctly.

    Thanked by 1MikeA
  • SplitIce Member, Host Rep

    TCP port 9, eew. Don't use legacy ports.

    Other than that if you must use OVH VAC for mitigation use separate IPs for separate services. That way if they don't do a good job at least your other services should stay online (if they don't saturate your servers). IPs are cheap enough / free with most of their product lines.

  • @SplitIce said:
    TCP port 9, eew. Don't use legacy ports.

    Other than that if you must use OVH VAC for mitigation use separate IPs for separate services. That way if they don't do a good job at least your other services should stay online (if they don't saturate your servers). IPs are cheap enough / free with most of their product lines.

    what exactly do you mean by that?, the only other thing that is accessible to the public that is hosted from my machine is my website, which is useless anyway if the servers are down

  • @MikeA said:
    Get a tcpdump when it happens and ticket OVH. While they might not be able to help sometimes, there are times that the VAC (mitigation) team will change things to block attacks, but in my cases it was with the game firewall and not the standard protection. You'd probably be better off with the game protection, no matter who you get it from. I suggest running your game server stuff on a different IP than the VPN unless you're doing through the same thing, but @stefeman is right, sometimes there's a lot of bad traffic passed through, but many times for me it's not spoofed UDP, so it's easy to report and take down.

    so what exactly do you mean by that?, separate ip for connecting to the vps and separate ip for players to connect to it ?, can that be done without making it so my main ip doesn’t change ?

    i’ve already reset my server ip many times and lost many players, really don’t want to do it again

  • @WETBATMAN said:

    @MikeA said:
    Get a tcpdump when it happens and ticket OVH. While they might not be able to help sometimes, there are times that the VAC (mitigation) team will change things to block attacks, but in my cases it was with the game firewall and not the standard protection. You'd probably be better off with the game protection, no matter who you get it from. I suggest running your game server stuff on a different IP than the VPN unless you're doing through the same thing, but @stefeman is right, sometimes there's a lot of bad traffic passed through, but many times for me it's not spoofed UDP, so it's easy to report and take down.

    so what exactly do you mean by that?, separate ip for connecting to the vps and separate ip for players to connect to it ?, can that be done without making it so my main ip doesn’t change ?

    i’ve already reset my server ip many times and lost many players, really don’t want to do it again

    PM me ur discord. I'll help you with this.

    Thanked by 1kjmann