Looking for VPS providers that include DDoS protection - Page 3

  • @Mark_R said:

    You can also try Centarra

  • Mark_RMark_R Member

    @CNSjack said:
    OP, if you are hosting a pure UDP service like "Source", you are going to be offline during a well crafted SPOOFED UDP attack with any provider. So it really doesn't matter who has the best protection. Just go with the most low cost and stable provider.

    I know that the source engine is very exploitable when it comes down to amplified spoofed attacks but if you close down the exploitable holes (specific firewall rules + some plugins) then "Source" should be protectable right? Can't CNServers just take the hit if they have a big network port capacity? I think that this is what OVH is doing right now and it works out for all source engine based servers so far, I've tested it and the OVH protection holds off all kinds of nasty packets without influencing the gameserver's network performance.

  • Shoaib_AShoaib_A Member
    edited June 2014

    @Mark_R said:
    I know that the source engine is very exploitable when it comes down to amplified spoofed attacks but if you close down the exploitable holes (specific firewall rules + some plugins) then "Source" should be protectable right? Can't CNServers just take the hit if they have a big network port capacity? I think that this is what OVH is doing right now and it works out for all source engine based servers so far, I've tested it and the OVH protection holds off all kinds of nasty packets without influencing the gameserver's network performance.

    What about Staminus, weren't you going to test that also? I'm curious to know about their protection from someone with first hand experience as many claim it to be good.

  • Mark_RMark_R Member
    edited June 2014

    @K2Bytes said:
    What about Staminus, weren't you going to test that also? I'm curious to know about their protection from someone with first hand experience as many claim it to be good.

    I meant I've tested it on someone else's OVH server with permission. I'll still give Staminus a shot.

  • AlbaHostAlbaHost Member, Host Rep
    edited June 2014

    We have servers with CNservers and got more than an 80Gb DDoS attack on our IRC clients, and the IPs were not nulled. I am really happy with CNservers services and it is the only one for us with which we had our services online all the time. We had Staminus, Sharktech, and GTComm. But the IPs were nulled if there was an attack of more than 10Gbps.
    We have OVH servers too, they are good as well.

  • CNSjackCNSjack Member
    edited June 2014

    Amplified attack is easy to filter. The problem is with non-amplified well crafted spoofed attacks. Due to the stateless nature of UDP, it's extremely difficult for generic firewall or DDoS mitigation devices to filter the bad traffic and still let good traffic through. Just several Mbps of spoofed UDP attack can take down the game server because the firewall will not be able to tell if it's good or bad, because it just looks the same as other legit traffic. This is totally different than protecting a TCP service, just so you know that. A lot of people think protecting a TCP service is the same as protecting a UDP service; that's not true. If you've got an OVH server I would be happy to show you why I said pretty much no generic mitigation provider can effectively filter well crafted spoofed UDP attacks.

    @Mark_R said:
    I know that the source engine is very exploitable when it comes down to amplified spoofed attacks but if you close down the exploitable holes (specific firewall rules + some plugins) then "Source" should be protectable right? Can't CNServers just take the hit if they have a big network port capacity? I think that this is what OVH is doing right now and it works out for all source engine based servers so far, I've tested it and the OVH protection holds off all kinds of nasty packets without influencing the gameserver's network performance.

    Thanked by 1Mark_R
  • @CNSjack said:
    Amplified attack is easy to filter. The problem is with non-amplified well crafted spoofed attacks. Due to the stateless nature of UDP, it's extremely difficult for generic firewall or DDoS mitigation devices to filter the bad traffic and still let good traffic through. Just several Mbps of spoofed UDP attack can take down the game server because the firewall will not be able to tell if it's good or bad, because it just looks the same as other legit traffic. This is totally different than protecting a TCP service, just so you know that. A lot of people think protecting a TCP service is the same as protecting a UDP service; that's not true. If you've got an OVH server I would be happy to show you why I said pretty much no generic mitigation provider can effectively filter well crafted spoofed UDP attacks.

    I know that the source engine is very exploitable when it comes down to amplified spoofed attacks but if you close down the exploitable holes (specific firewall rules + some plugins) then "Source" should be protectable right? Can't CNServers just take the hit if they have a big network port capacity? I think that this is what OVH is doing right now and it works out for all source engine based servers so far, I've tested it and the OVH protection holds off all kinds of nasty packets without influencing the gameserver's network performance.

    We have tons of servers at OVH hosting UDP based games & have never had UDP traffic drop during an attack.

  • CNSjackCNSjack Member
    edited June 2014

    If that's true then that simply means attackers were not doing any spoofed UDP attacks.
    I would be happy to show you OVH doesn't filter spoofed UDP either if you want.

    @K2Bytes said:
    We have tons of servers at OVH hosting UDP based games & have never had UDP traffic drop during an attack.

  • @CNSjack said:
    If that's true then that simply means attackers were not doing any spoofed UDP attacks.
    I would be happy to show you OVH doesn't filter spoofed UDP either if you want.

    Our servers have been victims of big attacks in the past (5 to 50 Gbps), so I don't think our servers have never been hit by spoofed UDP attacks.

  • CNSjackCNSjack Member
    edited June 2014

    Most big attacks are amplified attacks. There aren't a lot of spoofed UDP attacks around targeting game servers, and most booters don't have this ability (which is stupid, some of them can do ssyn but not sudp?) or maybe most UDP game servers are small servers that don't generate enough profit to be a target.
    Again, I would be happy to demonstrate if anyone doesn't believe me. Hit me up on Skype.

    @K2Bytes said:

  • I really don't understand why UDP should be harder to filter than TCP. We receive daily TCP and UDP attacks and the mitigation rules are similar. Some are easy and some harder, but it is the type of attack, not the protocol. Most spoofed UDP/TCP attacks can be mitigated using TTL and source port rules. Sometimes a GEO filter (when legit traffic is localized) helps a lot.

  • That's why I said well crafted spoofed UDP attack. Not sure what kind of magic you can do to filter it automatically when TTL, source port and everything is spoofed legit-like.

    @matteob said:
    I really don't understand why UDP should be harder to filter than TCP. We receive daily TCP and UDP attacks and the mitigation rules are similar. Some are easy and some harder, but it is the type of attack, not the protocol. Most spoofed UDP/TCP attacks can be mitigated using TTL and source port rules. Sometimes a GEO filter (when legit traffic is localized) helps a lot.

  • matteobmatteob Barred
    edited June 2014

    @CNSjack said:

    This is easy. For example, we use PF_RING to collect stats and count packets, and if most source IPs have the same TTL we mark that as spoofed and filter/rate limit the TTL. Keep in mind that we use traffic diversion, so only the target IP passes through the filters, so it is simple for us to collect stats.

    This is how we configured the filters: http://kb.seflow.it/assets/SeGuard_in_action.png

    As you can see, it is easy to collect detailed stats as only the target IP passes through the filters.

    Thanked by 1Mark_R
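
An added sketch of the TTL heuristic described in the post above: count distinct source IPs per arriving TTL for the diverted target, flag a TTL that most sources share, then rate limit it. This is not SeFlow's code and not part of the original thread; the function names, the thresholds and the sample window are assumptions constructed for illustration.

```python
from collections import Counter

def dominant_ttl(packets, min_sources=50, share_threshold=0.8):
    """packets: iterable of (src_ip, ttl) seen for one diverted target IP.
    Returns (ttl, share) if one TTL covers >= share_threshold of the
    distinct sources, else (None, share). Thresholds are assumed values."""
    ttl_by_source = {}
    for src, ttl in packets:
        ttl_by_source.setdefault(src, ttl)      # count each source once
    if len(ttl_by_source) < min_sources:        # too few sources to judge
        return None, 0.0
    ttl, n = Counter(ttl_by_source.values()).most_common(1)[0]
    share = n / len(ttl_by_source)
    return (ttl if share >= share_threshold else None), share

def rate_limit_ttl(packets, ttl, budget):
    """Pass everything not carrying the flagged TTL; pass at most `budget`
    packets that do carry it in this window and drop the rest."""
    passed, dropped, used = [], [], 0
    for pkt in packets:
        if pkt[1] != ttl:
            passed.append(pkt)
        elif used < budget:
            used += 1
            passed.append(pkt)
        else:
            dropped.append(pkt)
    return passed, dropped

# Constructed sample window: 80 real clients at varied hop distances and
# 1000 packets with made-up source addresses that all arrive with TTL 243.
LEGIT_TTLS = [113, 116, 52, 49, 118, 55, 243, 110]
LEGIT = [(f"198.51.100.{i}", LEGIT_TTLS[i % 8]) for i in range(1, 81)]
FLOOD = [(f"10.{i // 250}.{i % 250}.7", 243) for i in range(1000)]

def demo():
    quiet, _ = dominant_ttl(LEGIT)              # normal traffic: no flag
    flagged, share = dominant_ttl(FLOOD + LEGIT)
    passed, dropped = rate_limit_ttl(FLOOD + LEGIT, flagged, budget=20)
    collateral = [p for p in dropped if p in LEGIT]
    return quiet, flagged, round(share, 3), len(dropped), len(collateral)

if __name__ == "__main__":
    print(demo())
```

In the constructed window, the ten real clients that happen to arrive with the flagged TTL are rate limited together with the flood, which is the cost of filtering on TTL alone.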
  • CNSjackCNSjack Member
    edited June 2014

    What about spoofed to random source IP and TTL? Are you going to ban all the TTLs? What about legit traffic?

    @matteob said:

  • @CNSjack said:

    Some attacks cannot be fully mitigated, but can be limited a lot with a mix of dynamic filters. There are a lot of patterns to check, like source port, TTL, packet length. Some IPs are also filtered using Noction APIs that know the real route of every IP range; if it comes from a different carrier, those are automatically discarded.

    If nothing works... GeoIP: most gamers have customers from certain countries and we can limit it.

    Often, on spoofed attacks, there is not only one rule that filters the attack, but a mix that will do it.

  • As you said, some attacks cannot be fully mitigated; that's exactly my point all the way from the beginning.
    Sure, there are a lot of things that can be played with and help, but a perfectly crafted spoofed UDP attack will not be filtered without great effort. If the attacker is smart enough, he surely can figure it out and be able to sneak in some packets that can't be filtered and bring the game server down.
    When you run a large network, protecting thousands of IPs and different UDP game servers at the same time, getting a hundred attacks each day, would you be able to spend the time and effort and resources to put in all the filters and hope to mitigate a spoofed UDP attack for a client who only pays the minimum? Probably not.

    @matteob said:

  • @CNSjack said:

    Oh no, our software will do it automatically. We have rule patterns in a database and the software will scan packets based on them. When we get an alert that some type of attack passes the filter, we analyze it and add it to the DB.

    But you're right, nobody in the world can guarantee full 100% mitigation on all attacks. And plus, in the past we had some nodes in the U.S. and we were your customer. Your DDoS protection always worked well.

  • Thank you for your past business. It's good to see you have a lot of exciting things in your network. :)

    @matteob said:
    But you're right, nobody in the world can guarantee full 100% mitigation on all attacks. And plus, in the past we had some nodes in the U.S. and we were your customer. Your DDoS protection always worked well.

    Thanked by 1matteob
  • @matteob - Are you using Wanguard from Andrisoft? If so how are you finding it?

  • @CNSjack said:
    Most big attacks are amplified attacks. There aren't a lot of spoofed UDP attacks around targeting game servers, and most booters don't have this ability (which is stupid, some of them can do ssyn but not sudp?) or maybe most UDP game servers are small servers that don't generate enough profit to be a target.
    Again, I would be happy to demonstrate if anyone doesn't believe me. Hit me up on Skype.

    Can I add you? I would like to see how CNservers stacks up with OVH.

  • @MarkTurner said:
    matteob - Are you using Wanguard from Andrisoft? If so how are you finding it?

    Only for detecting it. Andrisoft is good for detecting attacks because we use a port mirroring configuration in the routers that forwards traffic to a sensor with the pf_ring driver. This configuration detects DDoS within 5 seconds.

    As a filter, Wanguard is not good because it uses normal i386 drivers with iptables and cannot handle real DDoS. To filter DDoS, x86 hardware is useless and ASIC hardware is needed to handle high pps.

  • @Matteob - interesting, we have been playing with their product here in London and interesting to see how their WANGuard/WANFilter works. The WANFilter with X520's seems ok but we haven't put it under any strain yet. Maybe later in the month we'll get to play with it properly.

  • @MarkTurner said:

    If you want to detect DDoS it is a great product, but for filtering I suggest you search for something else. X520 support is limited because you can filter in hardware only on source IP, which is useless on most DDoS attacks.

    Also, if you use NetFlow to collect traffic you will have a 3-5 minute detection delay; you need to configure port mirroring in the router to forward traffic to sensors (1 for each uplink for accurate statistics). Every sensor needs to be a physical machine.

  • +1 for OVH, there are a lot of positive reviews about their DDoS protection.

  • CakeyCakey Member

    @CNSjack said:
    If that's true then that simply means attackers were not doing any spoofed UDP attacks.
    I would be happy to show you OVH doesn't filter spoofed UDP either if you want.

    Actually, OVH is extremely vulnerable to TCP attacks as well.

  • Mark_RMark_R Member

    Soooo, in the end I went with https://hosthatch.com/kvm-ssd-vps (package #5 + DDoS protected IP). HostHatch offers 20Gbps DDoS protection using Staminus. For now my gameserver should be able to stay online and hold off the attacks; this probably will change though after my server IP ranks up in the gameserver list, but that is a worry for later.

    So far I'm really satisfied with the VPS performance as well. This is actually my first time using an SSD based VPS and it is ridiculously fast. I'll test the protection itself at a later point and will post the results here.

    Thank you guys for making all those good suggestions!

  • @Cakey said:
    Actually, OVH is extremely vulnerable to TCP attacks as well.

    In my experience, it performs really well against TCP as well.

  • CNSjackCNSjack Member
    edited June 2014

    OVH's Arbor by default does leak certain spoofed TCP attacks to a certain point. If they are willing to do some adjustment on a per incident basis then it would most likely be able to filter these TCP attacks. Regarding UDP spoofed attacks, I've already shown @nexmark how OVH failed to filter it, leaked the spoofed UDP attack to the server (before Arbor kick-in) and rate limited UDP traffic to less than 1Mbps (after Arbor kick-in). If anyone still thinks a provider can filter spoofed UDP attacks effectively, I would be happy to demonstrate otherwise. Just hit me up on PM.

    @Cakey said:

  • @CNSjack said:
    OVH's Arbor by default does leak certain spoofed TCP attacks to a certain point. If they are willing to do some adjustment on a per incident basis then it would most likely be able to filter these TCP attacks. Regarding UDP spoofed attacks, I've already shown nexmark how OVH failed to filter it, leaked the spoofed UDP attack to the server (before Arbor kick-in) and rate limited UDP traffic to less than 1Mbps (after Arbor kick-in). If anyone still thinks a provider can filter spoofed UDP attacks effectively, I would be happy to demonstrate otherwise. Just hit me up on PM.

    Vouch for this statement, witnessed this with him.

  • Mark_RMark_R Member

    #Update

    Staminus is successfully holding off Enhanced SSYN & Amplified UDP so far, but source engine focused attacks (exploitive ones, no bandwidth draining) are still affecting my gameserver. I've requested them to adjust their stuff to drop those attacks. I will report back with the result.
