help finding a dedicated server with anti ddos, or how to stop this attack - Page 2

Comments

  • matteob Barred

    @merce said:

    If they saturate your uplink there is not much you can do; you need to search for a provider that blocks the attack before it reaches you.

    But if this is the case you did not reach 30Mbps, but more... You can check in /var/log/messages whether there are some error messages (like conntrack table full or similar).

    If not, you can be sure about uplink usage by installing vnstat and then keep it monitored with

    vnstat -l -i ethX

  • Jarry Member

    @matteob said:
    not correct, there are a lot of solutions to do this. Nowadays a SYN flood can be mitigated more easily than in the past.

    How's that? How can you recognize valid and invalid traffic, if all you have is syn-packet? It's something else if syn/ack reply returns as undeliverable, but that's not always the case...

  • matteob Barred
    edited May 2016

    @Jarry said:

    I shared a lot, but I can't share all our secrets. You can ask Coca-Cola for some ingredients but not how to prepare it :-)

  • wwwcom Member
    edited May 2016

    @merce said:
    In fact, I think the attack comes from several VPS on OVH; because of that it is not detected by the VAC.

    wait, why aren't you not just blocking the entire OVH ASN then?

    with CSF this is easy to do

    you don't have to let hosting static addresses into your server, they are not likely human visitors

    make sure ipset is enabled on your server and in csf

    (LF_IPSET="1" inside of csf.conf)

    make a list of ip ranges from ovh asn and put them into /etc/csf/ovh.deny

    not exhaustive but a start: http://bgp.he.net/AS16276#_prefixes

    then inside of csf.deny put this near the top

    Include /etc/csf/ovh.deny

    you will likely have to "punch holes" in the firewall to allow specific ovh IPs through that you want if any - this is done inside of csf.allow

    ps. make sure your VAC setting is on "permanent mitigation" mode
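
An added example, not part of the post above: one way to prepare the include file it describes, validating and merging a pasted prefix list and reporting which addresses need a csf.allow entry. The prefixes and addresses are constructed documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed input: RFC 5737 documentation ranges standing in for prefixes
# copied from an ASN listing. Two entries overlap and one line is malformed.
SAMPLE_PREFIXES = """\
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26   # already covered by the /24 above
192.0.2.0/24
not-a-prefix
"""
# Constructed: addresses that must keep access and belong in csf.allow.
SAMPLE_ALLOW = ["203.0.113.70", "192.0.2.9", "10.0.0.5"]


def parse_prefixes(text):
    """Return (networks, rejected_lines), skipping blanks and # comments."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(raw.strip())
    return nets, rejected


def build_deny(text, allow_ips):
    """Collapse prefixes and list the allow entries the deny list would hit."""
    nets, rejected = parse_prefixes(text)
    collapsed = []
    for version in (4, 6):  # collapse_addresses() refuses mixed IP versions
        same = [n for n in nets if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same))
    holes = [ip for ip in allow_ips
             if any(ipaddress.ip_address(ip) in n for n in collapsed)]
    return [str(n) for n in collapsed], holes, rejected


if __name__ == "__main__":
    deny, holes, rejected = build_deny(SAMPLE_PREFIXES, SAMPLE_ALLOW)
    print("\n".join(deny))                      # contents for /etc/csf/ovh.deny
    print("add to csf.allow:", holes)
    print("skipped malformed lines:", rejected)
```

A list like this only filters traffic whose source addresses are genuine; the replies that follow discuss spoofed sources, which a source-based deny list does not stop.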

  • Maounique Host Rep, Veteran
    edited May 2016

    wwwcom said: wait, why aren't you not just blocking the entire OVH ASN then?

    Because the IPs are spoofed.

  • merce Member

    It is a supposition, since the server of the competition lodges there also, like me.
    The VAC in permanent mitigation does not serve me for 2 reasons:
    1) On being activated it does not stop to connect to almost any user.
    2) At the start of the attack I set this mode of mitigation and the packages continued entering.

    Also I have a doubt about what you say to me: if the attack is a SYN flood with random spoofed IPs, would blocking OVH's ASN help me?

    I remember that my configuration goes thus: I need the dedicated one with filter DDoS for the front and to forward the clean traffic to several VPS with the game online that I have in OVH

  • wwwcom Member

    Oh I get what you are saying now.

    The real IP is inside OVH intranet, perhaps the VPS racks, so it never passes through VAC

    But they are spoofing foreign IP addresses.

    Crazy how OVH doesn't even inspect tcp/ip packets on the intranet to see if they have forged source addresses. Can't be too hard for a high end router to check.

  • wwwcom Member

    This is well beyond my skill level but late last year Google announced they had a patch for the regular linux listener to handle exponentially more SYN, on the order of 3.5M/sec

    https://lwn.net/Articles/659199/

    Not sure if that can help you, you've probably googled this to death at this point.

    If this level of an attack happened to me, I would not know what to do other than beg cloudflare for help.

  • merce Member

    A thousand thanks to all for your comments. I have now hired a dedicated server at www.psychz.net; they made me an offer for 99$ for something that I consider more than good (16GB RAM, 1TB Disk, Xeon E3, 20Gbps Mitigation, etc).

    And to my surprise, hours ago I received an email notification that my IP was under DDoS attack and the traffic would be leaked, and up to the moment not even one bad SYN packet has entered and my users have not suffered problems. I will wait approximately 5 more days and if everything goes well for me, I will do a review of this service.

  • Man I am sorry for what is happening to you but I'll tell you the most important lessons I learned when I was working for a Game Hosting Provider. It's not something that people usually suggest on forums so I'm prepared to receive a lot of dislikes.

    Give up. Plain and simple. Don't waste your time, patience, nights and money trying to defend from ddos attacks. We live in an era where we are no longer allowed to host game servers and VoIP services. A random kid can rent a network to ddos anyone with tons of Gbps for few € meanwhile you need to pay hundreds of € for a mitigation service and a solid hardware firewall.

    Unless your budget is high and you are willing to pay a lot for a solution, for every € that the dosser spends to attack you you have to spend 10, 20 even 30 times more. It's a losing battle.

    In conclusion, instead of wasting time, money, passion, skills and patience trying to create something that can disappear overnight because of a random kid, invest all your resources on something else. Projects based on gameservers and VoIP services are the most unstable things on the internet.

    I want to underline that this is just my personal point of view so please don't be offended.

    Thanked by 1 Maounique
  • SplitIce Member, Host Rep

    Giving up is a bit defeatist when there are services out there that take care of the problem for $10 or so dollars + any setup cost.

    Sure it will always cost more to defend, that's largely because you are actually paying for the bandwidth (attackers largely use compromised resources or insecure services).

  • merce Member

    the same result in psychz, I have sent two .pcap to help me, I hope they can

    @Katamaze Friend I understand your point of view, in fact I think in these situations, but my approach grew from games for me to do something else is collapse 2 years of effort and do not want to do it at least until they have exhausted every last resource.

    In my case the amount of Gbps is zero; it is an attack of the simplest kind but not detected, and it comes with considerable traffic but does not pass 5 Mbps.

    Seeing the dump that I realized I found shown many times this IP in GET requests that go through haproxy to the vps and make a whois, yes, it is ovh.

    I reported to abuse.

  • @merce said:
    I reported to abuse.

    Oh lol... 182.92.x.x...

    That's Aliyun Beijing...

    So bad. Good luck and hope Aliyun's abuse team can respond (if their mailbox is reachable)...

  • pbgben Member, Host Rep

    Another possibility, have your players register on a forum and then use that to whitelist those IPs in the firewall?

  • Maounique Host Rep, Veteran

    pbgben said: Another possibility, have your players register on a forum and then use that to whitelist those IPs in the firewall?

    Which will absolutely bypass the problem of spoofed IPs and dynamic ranges.

  • pbgben Member, Host Rep

    @Maounique said:

    pbgben said: Another possibility, have your players register on a forum and then use that to whitelist those IPs in the firewall?

    Which will absolutely bypass the problem of spoofed IPs and dynamic ranges.

    Indeed.

  • Katamaze Member
    edited May 2016

    @SplitIce said:
    Giving up is a bit defeatist when there are services out there that take care of the problem for $10 or so dollars + any setup cost.

    Sure it will always cost more to defend, that's largely because you are actually paying for the bandwidth (attackers largely use compromised resources or insecure services).

    Of course it was just my opinion. I do not want to go off-topic so I'll try to make it as short as possible. A game hosting provider born in 2006 sold tens of thousands of services to thousands of clients. One day someone decided that its existence on the internet had to come to an end. 50+ days of never-ending huge DDoS attacks on all servers. They tried to defend by upgrading their DDoS mitigation service and it was "hilarious". Protection 100 Gbps? Attack 100 + 1. Protection 150 Gbps? Attack 150 + 1 and so on. Luckily they already had a plan B (move to another market of IT) so they decided to speed up the process and say bye bye to this market that can depend so much on the mood of idiots with an internet connection. They fought hard even with the police but it was useless even when they found those responsible (all underage).

  • Zare Member, Host Rep

    Hi,

    Can you contact me on [email protected] - I will provide you a free server for you to test our protection.

    I would also need your pcaps so I can get them analyzed.

    Thanks,
    Harry
