DDoS Attack on OVH Game

Does anyone know how to stop this attack on my server? It is the only one that gets through. Is there any way to block it with iptables? Here is the pcap download: https://gofile.io/?c=1AiruD Thanks for the advice.

Comments

  • MikeA Member, Patron Provider

    It's some type of TCP flood from a single IP; just block it in iptables or the network firewall at OVH. Report the IP to Scaleway/Online.net with the pcap dump and explain that it's a malicious attack. The best way to combat things like this is to report it.

  • It still gets hit even though I blocked the IP it's being hit from; it just uses different IPs. I do a tcpdump every time I get hit. Is there any way to block this data they sent to the server?

  • SplitIce Member, Host Rep

    @prosown said:
    It still gets hit even though I blocked the IP it's being hit from; it just uses different IPs. I do a tcpdump every time I get hit. Is there any way to block this data they sent to the server?

    OVH's rule capability is extremely limited. Regardless, take a look at their API and see what is available; maybe you will be lucky.

  • If you are able to use Windows OS, you can combine it with BeeThink DDoS Guardian; it's quite good at preventing flood-type attacks and very flexible with settings.

    Regards

  • stefeman Member
    edited August 2019

    Old DDoS method but still bypasses OVH game unfortunately.

    If you open this with Wireshark and copy the hex stream of an attack packet, you get this same thing on each of them.

    02000050b28400fffffffffe0800450005a0d1b500002e0602be339e777b93877444c771fae7796a71ac021283c5501827c10ad500005858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858

    For example something like this:

    iptables -A PREROUTING -t raw -p tcp --dport 27015:27030 -m string --algo kmp --hex-string '|58585858585858|' -j DROP

    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|58585858585858|' -j DROP

    or just drop the attacking IPs from network firewall like MikeA said and report the servers to online.net

  • In this case I would just drop the IPs with the OVH firewall since it's only 2 IPs which is really easy to block. You can drop them with iptables as well depending if the attack saturates your line or not (if you have 1 gbps it probably doesn't).

    You could use the hex filter in Stefeman's post, but it uses more CPU; it will block similar attacks from other IPs though.

    Also, there is no need for a 600 MB pcap file; 10 MB would've done it :smiley:

  • @professionalxen said:
    If you are able to use Windows OS, you can combine it with BeeThink DDoS Guardian; it's quite good at preventing flood-type attacks and very flexible with settings.

    Regards

    Why would you do that? Linux is way more powerful besides it's free!

  • jh_aurologic Member, Patron Provider

    Besides that, filtering DDoS attacks with iptables does not work for huge floods. Someone in front of you (OVH, basically) has to do that with special techniques that process the traffic in userspace efficiently.

    Your server will be unreachable once your server's kernel starts to struggle with a large amount of DDoS traffic. Netfilter is not that slow, but it is also not a serious DDoS protection due to the nature of how the Linux kernel handles IP packets. And no, Windows is not better; it's worse.

  • jackb Member, Host Rep

    @stefeman said:
    Old DDoS method but still bypasses OVH game unfortunately.

    If you open this with wireshark and copy hex stream of an attack packet, you get this same on each of them.

    (hex stream as posted above)

    For example something like this:

    iptables -A PREROUTING -t raw -p tcp --dport 27015:27030 -m string --algo kmp --hex-string '|58585858585858|' -j DROP

    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|58585858585858|' -j DROP

    An easier and more effective filter for this would be on packet size. If this is the attack I think it is, source servers don't handle large packets very well, i.e. a layer 7 attack.

    Dropping anything over your configured MTU (likely 1500) will block this even if the attacker changes pattern.

  • stefeman Member
    edited August 2019

    @jackb said:

    @stefeman said:
    Old DDoS method but still bypasses OVH game unfortunately.

    If you open this with wireshark and copy hex stream of an attack packet, you get this same on each of them.

    (hex stream as posted above)

    For example something like this:

    iptables -A PREROUTING -t raw -p tcp --dport 27015:27030 -m string --algo kmp --hex-string '|58585858585858|' -j DROP

    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|58585858585858|' -j DROP

    An easier and more effective filter for this would be on packet size. If this is the attack I think it is, source servers don't handle large packets very well, i.e. a layer 7 attack.

    Dropping anything over your configured MTU (likely 1500) will block this even if the attacker changes pattern.

    The packet size is always 1454, or 554 on his attack, so dropping all packets with that size should be enough.

    iptables -A PREROUTING -t raw -p tcp --dport 27015:27030 -m length --length 1454 -j DROP

    iptables -A PREROUTING -t raw -p tcp --dport 27015:27030 -m length --length 554 -j DROP

  • jackb Member, Host Rep

    @stefeman said:
    The packet size is always 1454, or 554 on his attack, so dropping all packets with that size should be enough.

    iptables -A PREROUTING -t raw -p tcp --dport 27015:27030 -m length --length 1454 -j DROP

    iptables -A PREROUTING -t raw -p tcp --dport 27015:27030 -m length --length 554 -j DROP

    The contents you posted were ~3000 bytes?

    Perhaps these are fragmented packets? That used to be a common vector too.

  • @stefeman said:

    @jackb said:

    @stefeman said:
    Old DDoS method but still bypasses OVH game unfortunately.

    If you open this with wireshark and copy hex stream of an attack packet, you get this same on each of them.

    (hex stream as posted above)

    For example something like this:

    iptables -A PREROUTING -t raw -p tcp --dport 27015:27030 -m string --algo kmp --hex-string '|58585858585858|' -j DROP

    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|58585858585858|' -j DROP

    An easier and more effective filter for this would be on packet size. If this is the attack I think it is, source servers don't handle large packets very well, i.e. a layer 7 attack.

    Dropping anything over your configured MTU (likely 1500) will block this even if the attacker changes pattern.

    The packet size is always 1454, or 554 on his attack, so dropping all packets with that size should be enough.

    iptables -A PREROUTING -t raw -p tcp --dport 27015:27030 -m length --length 1454 -j DROP

    iptables -A PREROUTING -t raw -p tcp --dport 27015:27030 -m length --length 554 -j DROP

    1454 is the MTU, that's why you see that size.
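As an added example, not code from the thread or from OVH, the Python below decodes the hex stream stefeman posted (the first 54 header bytes are copied verbatim; the 0x58 payload is reconstructed to the length the IPv4 header announces) and emulates the three iptables rules proposed above (the `--hex-string` match and the two `--length` matches), the way a defender would test a rule against a capture before deploying it. The `Packet` and `Rule` classes and the `rule_matches` emulation are my own, with the assumed iptables semantics noted in comments. Two things the decode makes visible: `-m length` compares the IPv4 total-length field, which is 1440 in this frame, while the 1454 discussed in the thread is the Ethernet frame length Wireshark reports; and a `--dport 27015:27030` rule only fires if the captured packet was actually addressed to that range, so the decoded destination port is worth checking before trusting the rule.

```python
"""Decode the posted Ethernet/IPv4/TCP frame and emulate the iptables matches proposed in the thread."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# First 54 bytes of the hex stream posted in the thread (Ethernet + IPv4 + TCP headers), verbatim.
HEADER_HEX = ("02000050b28400fffffffffe0800"              # Ethernet: dst, src, ethertype 0x0800
              "450005a0d1b500002e0602be339e777b93877444"  # IPv4: total length 0x05a0, TTL 0x2e, proto 6
              "c771fae7796a71ac021283c5501827c10ad50000")  # TCP: ports, seq, ack, flags 0x18 (PSH|ACK)
# The thread shows the rest of the frame as an unbroken run of 0x58 ('X'). Reconstructed here
# (assumption) to the size the IPv4 header announces: 1440 - 20 (IP) - 20 (TCP) = 1400 bytes.
FRAME_HEX = HEADER_HEX + "58" * 1400


@dataclass
class Packet:
    frame_len: int      # bytes on the wire, the "Length" column Wireshark shows per frame
    ip_len: int         # IPv4 total-length field, what iptables -m length compares against
    ttl: int
    proto: int
    src: str
    dst: str
    sport: int
    dport: int
    tcp_flags: int
    payload: bytes
    ip_packet: bytes    # IPv4 header + payload, the region iptables -m string scans


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum field is correct."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(hexstr: str) -> Packet:
    """Minimal Ethernet/IPv4/TCP decoder; verifies the IP header checksum so a mangled hex dump is caught."""
    raw = bytes.fromhex(hexstr)
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum does not verify; hex stream is corrupt")
    ip_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        raise ValueError("only TCP is decoded here")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    ip_packet = ip[:ip_len]           # drop any trailer beyond the announced length
    tcp = ip_packet[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return Packet(len(raw), ip_len, ttl, proto, src, dst, sport, dport, tcp[13],
                  tcp[data_offset:], ip_packet)


@dataclass
class Rule:
    """Subset of iptables matches used in the thread: -p tcp, --dport a:b,
    -m string --hex-string, -m length --length (single value or inclusive range)."""
    name: str
    proto: int
    dport: Tuple[int, int]
    hex_string: Optional[bytes] = None
    length: Optional[Tuple[int, int]] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Emulate whether the rule would fire on the packet (assumed iptables semantics noted inline)."""
    if pkt.proto != rule.proto:
        return False
    if not rule.dport[0] <= pkt.dport <= rule.dport[1]:
        return False
    # xt_string scans from the start of the IP packet (--from 0 by default), whatever --algo is used
    if rule.hex_string is not None and rule.hex_string not in pkt.ip_packet:
        return False
    # xt_length compares the IPv4 total-length field, not the Ethernet frame size
    if rule.length is not None and not rule.length[0] <= pkt.ip_len <= rule.length[1]:
        return False
    return True


# The three rules proposed in the thread, transcribed into Rule objects.
THREAD_RULES = [
    Rule("tcp 27015:27030 string |58585858585858|", 6, (27015, 27030), hex_string=b"\x58" * 7),
    Rule("tcp 27015:27030 length 1454", 6, (27015, 27030), length=(1454, 1454)),
    Rule("tcp 27015:27030 length 554", 6, (27015, 27030), length=(554, 554)),
]


def summarize(hexstr: str = FRAME_HEX) -> dict:
    """Facts a defender should compare against a rule before deploying it."""
    p = parse_frame(hexstr)
    return {"frame_len": p.frame_len, "ip_len": p.ip_len, "ttl": p.ttl, "src": p.src, "dst": p.dst,
            "sport": p.sport, "dport": p.dport, "flags": p.tcp_flags,
            "payload_len": len(p.payload), "payload_all_X": set(p.payload) == {0x58}}


def evaluate(hexstr: str = FRAME_HEX, rules=THREAD_RULES) -> dict:
    """Map each rule name to whether it would drop the captured packet."""
    p = parse_frame(hexstr)
    return {r.name: rule_matches(r, p) for r in rules}


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:14} {value}")
    for name, hit in evaluate().items():
        print(f"{'DROP' if hit else 'pass'}  {name}")
```

Running it shows none of the three transcribed rules dropping this frame: the destination port in the capture is outside 27015:27030, and the IP total length is 1440 rather than 1454 or 554. A rule keyed on the decoded port and on `--length 1440`, or a port-agnostic string match on the 0x58 run, does fire, which is the kind of check to run against a few packets from the pcap before committing a rule to the raw table.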

  • Does using DDoS Deflate fix this above issue?

  • @amsaal said:
    Does using DDoS Deflate fix this above issue?

    It might help, but DDoS Deflate is a software-level firewall IIRC. iptables can only help so much.

  • stefeman Member
    edited August 2019

    @JohnMiller92 said:

    @amsaal said:
    Does using DDoS Deflate fix this above issue?

    It might help, but DDoS Deflate is a software-level firewall IIRC. iptables can only help so much.

    It's even worse than iptables. At least you can customize the latter. Or you can use netfilter, which is kernel level.

  • @stefeman said:

    @JohnMiller92 said:

    @amsaal said:
    Does using DDoS Deflate fix this above issue?

    It might help, but DDoS Deflate is a software-level firewall IIRC. iptables can only help so much.

    It's even worse than iptables. At least you can customize the latter. Or you can use netfilter, which is kernel level.

    Can you provide some examples?

  • @amsaal said:

    @stefeman said:

    @JohnMiller92 said:

    @amsaal said:
    Does using DDoS Deflate fix this above issue?

    It might help, but DDoS Deflate is a software-level firewall IIRC. iptables can only help so much.

    It's even worse than iptables. At least you can customize the latter. Or you can use netfilter, which is kernel level.

    Can you provide some examples?

    Just look above for examples.

  • Not sure why you are using Windows when you can run more servers on Linux and updating is easier/automatic. I would recommend switching over. Also make sure the Source game L7 filter is in place in the game firewall.

  • @AlexJones said:
    Not sure why you are using Windows when you can run more servers on Linux and updating is easier/automatic. I would recommend switching over. Also make sure the Source game L7 filter is in place in the game firewall.

    I don't think OP is using Windows, as he has not mentioned ...
