help finding a dedicated server with anti ddos, or how to stop this attack

merce Member

Hello, I am really looking for help with this topic.

I have a dedicated server with several VPSs at OVH, which I use for online games, and I am being attacked. The VAC does not detect this attack, so I am looking for a protected dedicated server from which to redirect the traffic with HAProxy to my VPS.

In the last month I have already gone through almost 7 providers and none has managed to help me stop this wretched attack, which does not even exceed 10-30 Mbps but saturates my connections, and I have not found a way to stop it.

It's a kind of SYN flood plus GET requests.

The attacked service is an online game (TCP) called MU (no web).

I tried providers with "homemade" anti-DDoS, the OVH VAC, and those with Voxility filtering, which works but then nobody can connect because it gives many false positives, and finally I hired a service that had CNServers protection, which also helped me.

In the end I have almost no money left; I have 120 dollars for the dedicated server. Is there a provider that really helps that you can recommend to me? I was thinking of Sharktech, but they are very slow to answer in sales, and if the support is the same it does not convince me. I have also thought of renting a Cisco ASA 5505 firewall at OVH to see if it helps. I await your recommendations; the location does not matter much as long as it stops this troublesome attack.

I should add that I have already installed CSF Firewall, configured everything to the minimum, and it detects the attack and blocks the requests, but the connection table gets saturated, and I have already optimized it through the kernel.


Comments

  • EricB Member

    May I ask what game this is for?

  • merce Member

    It's a MU private server, for example http://muonline.webzen.com

  • Francisco Top Host, Host Rep, Veteran

    Did Voxility block the gameserver requests or just funk up the HTTP side?

    Francisco

  • merce Member

    I used this filter with Ginernet, and when activating Voxility mitigation most of my users are unable to connect to the server. I don't use HTTP traffic, but the attack comes with such requests.

  • SplitIce Member, Host Rep

    Looks like a plain old SYN attack. Shouldn't be hard. We have dealt with MU Online before too.

  • merce Member

    @SplitIce said:
    Looks like a plain old SYN attack. Shouldn't be hard. We have dealt with MU Online before too.

    Thank you for your response, I will use a trial of your services. If it works for me you will have a new client. Regards

  • SplitIce Member, Host Rep

    Unfortunately, if you were the trial request that just came through, you have already had a trial only a month ago; trials are offered only once.

  • merce Member

    @SplitIce said:
    Unfortunately, if you were the trial request that just came through, you have already had a trial only a month ago; trials are offered only once.

    Yes, sorry, and I did try to use the services, but I think I did not connect the ConnectServer to the proxy settings using TCP. Could I get assistance if I sign a contract? Also let me know whether the backend IP can be assigned to multiple addresses and ports or just one specific one.

  • SplitIce Member, Host Rep

    Sorry, What?

    If you require a management contract you may get a quote from https://www.x4b.net/ticket/new?title=Sales:+Setup+Quote

    Standard managed setups take 1 hr; we charge $35/hour during business hours, 9-5 M-F AEST.

  • Contact @matteob, I'm sure Seflow can help you.

  • Not sure about your budget. Why don't you check Cloudflare?
    Go here: https://www.cloudflare.com/under-attack-hotline/

  • matteob Barred
    edited May 2016

    @merce said:

    Yes, we had some MU servers under protection and this is a common attack. Already in the filters :-)

    Feel free to contact me, I can give you a trial to show how well we mitigate it.

    If you don't want to move the server away, we can give you a proxy with high level 7 protection.

    If you have enough bandwidth you can protect yourself from this attack.

    First install SYNPROXY protection:
    http://www.seflow.net/2/index.php/en/blog/synproxy-module-protect-yourself-by-syn-flood

    Then tweak your sysctl.conf:
    http://www.seflow.net/2/index.php/en/blog/tweak-sysctl-parameters-to-prevent-ddos-and-syn-flood

    Last, filter this specific attack with a specific pattern:

    iptables -A INPUT -p tcp --syn -m string --hex-string "|6eaacc4e240ad8c008004500|" --algo bm -j DROP

    Please, before adding this last rule, be sure that your standard SYN packets do not share the same string.

    Last but not least, we recently discovered a new SYN attack, mostly used on games:
    http://www.seflow.net/2/index.php/en/blog/big-syn-attack-is-new-syn-ddos-2-0

    Regards

  • RadWebHosting Member, Host Rep

    Hello, we can provide 500Gbps DDoS protection that covers layer 7: https://radwebhosting.com/500gbps-ddos-protected-dedicated-servers/

  • linuxthefish Member
    edited May 2016

    RadWebHosting said: Hello, we can provide 500Gbps DDoS protection that covers layer 7: https://radwebhosting.com/500gbps-ddos-protected-dedicated-servers/

    EDIT: Mistake on my part sorry, too used to typical LET providers!

  • RadWebHosting Member, Host Rep

    @linuxthefish said:

    RadWebHosting said: Hello, we can provide 500Gbps DDoS protection that covers layer 7: https://radwebhosting.com/500gbps-ddos-protected-dedicated-servers/

    The OP said that OVH can't protect against such an attack, so it's very unlikely that an OVH reseller will work better unless you have your own filtering in place.

    And you might want to change your advertising, OVH now offers protection against attacks of any size (their words, not mine).

    Thanks for reminding us of what the OP posted. We do not resell OVH, nor do we have any affiliation with that company. We provide 500Gbps DDoS protection from our Dallas, TX data center. :)

  • jh_aurologic Member, Patron Provider

    I'm sure we are able to filter out this type of attack. We have extensive layer 4 filters in place (including very intelligent UDP filtering). You're also able to activate our layer 7 (HTTP GET / POST) mitigation cluster for your server's IP address through our customer control panel. This is done completely inline; you don't have to change your server's IP to use our layer 7 mitigation (done inline at network level).

    On Friday, we had a DNS amplification attack lasting for 16 hours at around 40 Gbit/s. Got that filtered out without any hassle :) - Regarding layer 7 attacks, we have successfully tested our mitigation cluster with attacks up to 140k requests per second; it didn't even stress our infrastructure or the server behind it ;)

    Just contact me or our support in order to get a test server. If it works for you, it's also possible to deploy a dedicated server with the same mitigation specs.

  • SplitIce Member, Host Rep
    edited May 2016

    matteob said: iptables -A INPUT -p tcp --syn -m string --hex-string "|6eaacc4e240ad8c008004500|" --algo bm -j DROP

    Please don't use rules like this; it will likely make any problems worse. Not only does it drastically increase the cost of processing a packet, it's the wrong way to go about matching something inside a SYN packet (which should have no data).

    If you must use iptables, use BPF, u32 or any other module instead.

    In all likelihood from the dump shown SYNPROXY is the easiest (off the shelf) mitigation, possibly also using some other approaches to limit the amount of time that SYNPROXY needs to be active.

    Of course this assumes ample processing power, bandwidth, money for transfer, etc.

  • jh_aurologic Member, Patron Provider

    @SplitIce said:

    matteob said: iptables -A INPUT -p tcp --syn -m string --hex-string "|6eaacc4e240ad8c008004500|" --algo bm -j DROP

    Please don't use rules like this; it will likely make any problems worse. Not only does it drastically increase the cost of processing a packet, it's the wrong way to go about matching something inside a SYN packet (which should have no data). Use BPF, u32 or any other module instead.

    In all likelihood from the dump shown SYNPROXY is the easiest (off the shelf) mitigation, possibly also using some other approaches to limit the amount of time that SYNPROXY needs to be active.

    iptables may help for some attacks, but it's not a DDoS mitigation solution. Better to filter out attacks at network level with equipment that is made to filter DDoS, not a software firewall like iptables/netfilter running on totally performance-impacting code.

  • matteob Barred

    @SplitIce said:

    Please check that it is a malformed SYN.

    I understand that having new customers is a must, but sometimes providers need to be aims. This customer is already on a DDoS-protected provider. He only needs to mitigate a little SYN and iptables is enough. For amplification attacks he is already protected (and he can close out UDP through the OVH firewall).

    Please, before showing off knowledge, read the OP. He only needs to protect the MU server, nothing else.

  • SplitIce Member, Host Rep

    matteob said: Please check that it is a malformed SYN.

    That should be filtered with state INVALID. Or if you must be specific, use BPF or u32.

    The string match scales roughly O(n) where n is the number of bytes in the packet. You don't want that.
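    The SYNPROXY setup that matteob's first step and SplitIce's reply both point at, written out as an added example (it is not code from the thread or from any of the providers posting in it). It assumes a single TCP game port (55901 is a placeholder for the MU ConnectServer port), a kernel with the SYNPROXY target and conntrack modules, and that the rules are printed (DRY_RUN=1) rather than applied unless you run it as root with DRY_RUN=0:

```shell
#!/bin/sh
# Added example, not code from the thread or from any provider in it: the
# SYNPROXY setup for one TCP game port. Assumptions: GAME_PORT is the port the
# MU ConnectServer listens on (55901 is a placeholder), the kernel has the
# SYNPROXY target and conntrack modules, and DRY_RUN=1 prints the commands
# instead of applying them (applying needs root).
GAME_PORT="${GAME_PORT:-55901}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# sysctl side. SYN cookies and timestamps are what SYNPROXY uses to encode
# the handshake state without keeping any per-SYN memory; tcp_loose=0 keeps
# conntrack from accepting a mid-stream packet it never saw a handshake for.
synproxy_sysctl() {
    run sysctl -w net.ipv4.tcp_syncookies=1
    run sysctl -w net.ipv4.tcp_timestamps=1
    run sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
}

# netfilter side. SYNs to the port skip conntrack in the raw table, so a
# spoofed SYN never allocates a connection entry; SYNPROXY answers the SYN
# itself and only opens the connection to the game server after the client's
# final ACK proves the source is real. Whatever is still INVALID after that is
# dropped, which is the "state INVALID" filter SplitIce mentions.
synproxy_rules() {
    port="$1"
    run iptables -t raw -A PREROUTING -p tcp --dport "$port" --syn -j CT --notrack
    run iptables -A INPUT -p tcp --dport "$port" -m conntrack --ctstate INVALID,UNTRACKED \
        -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
    run iptables -A INPUT -p tcp --dport "$port" -m conntrack --ctstate INVALID -j DROP
}

main() {
    synproxy_sysctl
    synproxy_rules "$GAME_PORT"
}

main "$@"
```

    The ordering matters: the raw-table --notrack rule must come before the SYNPROXY rule, and the INVALID drop must come after it, otherwise the proxied SYNs never reach the target.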

  • jh_aurologic Member, Patron Provider

    SYN over > 1 Mpps will kill any Linux kernel due to the high amount of IRQ interrupts. As already said, using iptables to mitigate DDoS is some type of unprofessionell and inefficient DDoS mitigation. It may work for some standard types, but it's not a solution to handle complex or large attacks properly.

  • matteob Barred
    edited May 2016

    @Kabeldamagement said:
    SYN over > 1 Mpps will kill any Linux kernel due to the high amount of IRQ interrupts.

    I understand that you're an expert, but can you please read the OP?

    In the last month I have already gone through almost 7 providers and none has managed to help me stop this wretched attack, which does not even exceed 10-30 Mbps but saturates my connections, and I have not found a way to stop it.

    @SplitIce said:
    That should be filtered with state INVALID.

    No, this will not match this type of SYN.

    By the way @merce, don't waste your money; for a 30 Mbps attack you can handle it well with my suggestion. If the attack increases you can consider more powerful solutions.

  • SplitIce Member, Host Rep

    Kabeldamagement said: unprofessionell

    unprofessional spelling of unprofessional?

    @Kabeldamagement Calm your farm, OK? OP has stated 10-30 Mbps, which is likely 100-300K PPS, 'just' within the range of iptables for mitigation. Advisable? No. Doable? Possibly, with enough technical know-how.

    Of course it's never recommended. But my point, if you read it, is that if you MUST use iptables, do not use the rule from @matteob. It's particularly bad.

  • jh_aurologic Member, Patron Provider

    @SplitIce said:

    Kabeldamagement said: unprofessionell

    unprofessional spelling of unprofessional?

    @Kabeldamagement Calm your farm, OK? OP has stated 10-30 Mbps, which is likely 100-300K PPS, 'just' within the range of iptables for mitigation. Advisable? No. Doable? Possibly, with enough technical know-how.

    Of course it's never recommended. But my point, if you read it, is that if you MUST use iptables, do not use the rule from @matteob. It's particularly bad.

    Sorry, just had my first coffee - unprofessionell is the German spelling of unprofessional ;)

  • RadWebHosting said: Thanks for reminding us of what the OP posted. We do not resell OVH, nor do we have any affiliation with that company. We provide 500Gbps DDoS protection from our Dallas, TX data center. :)

    Thanks for clarifying it, and sorry for making the assumption that I did - mistake on my part!

    So many hosts are reselling OVH now (including me) that providers advertising 500Gbps protection are almost certainly OVH.

  • Jarry Member

    Are those SYN flood packets with spoofed source addresses? If every SYN packet is spoofed, it is nearly impossible to tell valid traffic from malicious. And if every packet has a different source IP, even connection-rate limiting does not help.

    Actually, that's the single biggest problem: many ISPs do not perform outgoing traffic validation (source IP) before permitting it upstream...

  • matteob Barred

    @Jarry said:
    Are those SYN flood packets with spoofed source addresses? If every SYN packet is spoofed, it is nearly impossible to tell valid traffic from malicious.

    Not correct, there are lots of solutions for this. Nowadays a SYN flood can be mitigated more easily than in the past.

  • SplitIce Member, Host Rep

    Perhaps I can suggest that this be brought back on track for the OP; he is looking for a mitigation solution for a (seemingly) small SYN flood.

    He has already expressed problems with OVH (it is, however, likely that with an attack that small, software filtering could clean up the leak).

  • jh_aurologic Member, Patron Provider
    edited May 2016

    The easiest solution might be SYNPROXY, but it will not help against large-scale attacks; for 30 Mbit/s at the smallest possible packet size, it should be absolutely no problem with current hardware.

    What is interesting at this point is that OVH should have no problem mitigating a layer 4 attack like SYN floods. A large flow of SYNs could also be generated during layer 7 floods, which affects your performance and looks like a SYN flood, but those are legitimate layer 4 flows; the layer 7 traffic would be the illegitimate part ;-)

    Specialized anti-DDoS gear does the job in hardware (mostly FPGAs) or simply using netmap / DPDK / PF_RING. I have also seen a vendor (not OVH) that uses Tilera multicore CPUs, which does the job a bit better than typical x86 hardware. Stopping DDoS attacks in userspace without impacting performance can be done with netmap; Cloudflare runs that kind of setup and it seems to work really nicely at line rate (currently testing it with netmap and 40G NICs) :)

  • merce Member

    I think the attack actually comes from several VPSs on OVH, which is why it is not detected by the VAC.

    @matteob I have tried adding rules with the hex string as well, and although it DROPs several packets it still saturates the connection; in fact I have blocked several countries by IPv4 ranges and that has not helped either. Also my sysctl.conf already has all the settings you published.

    And when the attacker stops and starts again it sends a different type of packet from those in the photo; this photo is from when a connection comes in clean, the first SYN packet.

    When recording with tcpdump I have seen that of approximately 40000 packets about 39900 are reported as "dropped by the kernel", but all the same it saturates me and I lose the connection. And the server I have bought has at minimum 100 Mbps on the network card.

    Preferably I would like it to be blocked before it reaches the dedicated server, or for it not to hit directly. Before saturating, when iptables starts leaking requests it gives me a terrible lag.
