DDoS protection over TCP
I've got a Kimsufi R-4G which hosts a game server over a specific TCP port, and I've had a quite large attack over the last 3 days.
I received a ticket saying that I had 82MB/s inbound and that my server is now in rescue mode, and I've had a struggle to get KS/OVH support to disable it because of the attacks being pretty constant. (They will place it in rescue mode upon detecting a DDoS attack, resulting in a cycle)
Now I've looked into JavaPipe and a couple of other services, but they're all a little over budget at the moment.
Does anyone know about a (relatively inexpensive) way/service which can protect me from this sort of attack?
Comments
Before some folks scream the obvious:
BuyVM won't touch a flood that consistent
CloudFlare doesn't work in this instance
Unfortunately this is why a lot of hosting providers won't deal with gamers or gamer related services.
TCP protocol... most likely not spoofed, just block IPs.
If you can provide some logs from KS/OVH in regards to the DDoS, I'll fire off some emails to contacts I may know with hosting companies that may unknowingly be hosting botnets
This or block any connection not sending Syn/Ack flags together. (in case it's a stupid syn flood attack).
If you have lots of cash... Blacklotus.net
Otherwise you could use staminus secure port server protection.
Now I'm fairly certain that these are actually a bunch of kids using some HF booters. I signed up to a couple of them and have friends who use them, and I'm attempting to run them against my new home connection for about 30 seconds and watching all inbound connection attempts (router logs all of them and can differentiate ports and detect DoS attacks), so I'm slowly compiling a list of booter IPs to block.
Still working on getting logs.
Definitely a SYN flood.
As I said in the OP;
I've looked into JavaPipe and a couple of other services, but they're all a little over budget at the moment.
Does anyone know about a (relatively inexpensive) way/service which can protect me from this sort of attack?
Since it's TCP, they may.
I was personally told 5 - 10Gbps, depending on SYN or UDP, is the limit.
Yea I don't even accept in UDP traffic, and if TCP the client has to get thru a synproxy first before the handshake can be passed back off the jailed webserver.
I've got time to spare. I know that these kids are not going to be any good at finding a decent tool and probably choose the first one they could find, and I've already matched 6 IPs with my incoming logs (all from 1 booter site, out of 5).
Well this is a game server, so I can't really use a proxy in this situation because of the added latency. Not sure what I can really do at this point to stop the attacks, especially considering the costs of a proxy/tunnel service.
Not sure how much added latency it would be if it's the same machine/etc. (mainly I'm speaking of freebsd jails, in which case the synproxy requirement on PF protects the webserver, but then again nginx isn't normally known to be a victim of synfloods, I also use antispoof in PF).
But I'm with someone else on here, if it's all TCP knowing the IPs should allow you to block them.
PS: basically the synproxy handles the 'handshake' before it'll let the connection go thru, as opposed to proxying the whole thing.
For syn floods try enabling syn cookies or http://floodmon.sourceforge.net/
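Added example, not part of the original thread: a way to see which sources hold half-open connections on the game port during a suspected SYN flood, by counting SYN_RECV entries per remote IP in Linux `/proc/net/tcp` format. The port (27015), the addresses and the sample table are constructed for illustration, and the decoder assumes IPv4 on a little-endian host.

```python
import socket
from collections import Counter

SYN_RECV = 0x03  # kernel TCP state for a half-open (SYN received) connection

# Constructed sample in /proc/net/tcp layout, trimmed to the first four columns.
# Local 10.0.0.10:27015 is a hypothetical game port; remotes are documentation IPs.
SAMPLE = """\
  sl  local_address rem_address   st
   0: 0A00000A:6987 00000000:0000 0A
   1: 0A00000A:6987 0A0200C0:C001 03
   2: 0A00000A:6987 0A0200C0:C002 03
   3: 0A00000A:6987 0A0200C0:C003 03
   4: 0A00000A:6987 0B0200C0:D431 03
   5: 0A00000A:6987 076433C6:E0F2 01
   6: 0A00000A:0016 0A0200C0:C004 03
"""

def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' (IPv4, little-endian host) into (ip, port)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)

def half_open_by_source(table, port):
    """Count SYN_RECV entries per remote IP for one local port."""
    counts = Counter()
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue  # header or malformed line
        _, local_port = decode_addr(fields[1])
        remote_ip, _ = decode_addr(fields[2])
        if local_port == port and int(fields[3], 16) == SYN_RECV:
            counts[remote_ip] += 1
    return counts

def flag_sources(table, port, threshold):
    """Return (ip, count) pairs at or above the threshold, busiest first."""
    hits = half_open_by_source(table, port).items()
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE, 27015, 3):
        print(f"{ip} has {n} half-open connections")
```

On a live host, pass the contents of `/proc/net/tcp` instead of `SAMPLE`. Source addresses in a SYN flood can be forged, so treat the counts as a lead to compare against provider logs rather than a definitive block list.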