Script Kiddies Get My Server - Page 2
Comments

  • MunMun Member

    have you checked out /etc/sysctl? It might lower the effect of the attack.

  • n0myn0my Member

    @GaNi said: I am being attacked with that speed and packets at the moment, whole KVM @ prometeus goes down :/ I got to know who the attacker is & tried to negotiate with him but he won't listen, also he seems to be attacking all the servers around him for fun.

    You should not negotiate with him. If he is banned, let him stay banned. You are paying for the server not him.

    Get his IP and ban him from server and also share his steam id.

  • MunMun Member

    I wouldn't mind his steam_id.

  • IshaqIshaq Member

    @Jack

    How is a dedicated 100Mbit line going to avoid 286Mbit/s?

  • IshaqIshaq Member

    @GaNi

    What's his 'name' anyway?

  • IshaqIshaq Member
    edited May 2013

    @Jack said: Gani gets attacked on 100Mbit port takes out just himself as long as the switch doesn't cap out.

    He'll most likely have to pay for dedicated 100Mbit, and that won't even fix his problem ;)

  • GaNiGaNi Member
    edited May 2013

    Sorry for the lag, he is http://steamcommunity.com/id/kobraxp

    I've tried to contact him in every possible way, but he has me blocked on steam. One of his friends passed me a message stating he won't quit attacking me.

    His IP Range: 5.13.0.0/16, ISP: RCS & RDS Residential, Romania (Blocked it on CSF)

    Jack, the attack max went up to 500mbit and stayed there. Seems he's using his home network with loic.

  • GaNiGaNi Member

    I may be incorrect, Prometeus gave me a log last week and IPs were indeed spoofed.
    Log: https://docs.google.com/file/d/1FYBx94JG1QDFJqem1jvS63Uu9ONfDVkfJ54hXi9o3s1Jalv7BJ9CcDFGOo21/edit?usp=sharing

  • IvanIvan Member

    500Mbit with a home network eh..

  • MunMun Member

    Do you have something running on port 80?

  • GaNiGaNi Member
    edited May 2013

    @jack

    It was pulled offline, I am not planning to go online again. Troubled prometeus enough already....

    @Mun
    yea, nginx. I provide players a link to download the game addons. The KVM has 3TB+, I wouldn't waste that. :)

  • prometeusprometeus Member, Host Rep

    DNS amplification and SYN floods are both used together in every attack.
    Even a dedi with 100m doesn't help since attacks grow quickly and if the IP isn't nulled the used bw will be a lot.
    A real DDoS mitigation is required...

  • GaNiGaNi Member

    @prometeus

    I've contacted over 10 mitigation services, most of them don't want to provide proxy/tunnel service and the rest of them are way over an "under-grad student's" budget.

  • MunMun Member

    Well, they are attacking port 80, I was going to say remove or ask Prometeus to block all port 80 traffic.

  • MunMun Member
    edited May 2013

    woops

  • GaNiGaNi Member
    edited May 2013

    @Mun said: woops

    So you did scroll all the way down right? Initial Port 80 connections were legit, then began the flood.

    @Jack said: SEFlow.it you tried them?

    that was my first option, since it was in Italy, but

    image

  • MunMun Member

    No, double posted.

  • MunMun Member

    My suggestion, buy another VPS, and throw all your website data on it. Make it go through cloudflare, and have Prometeus block all port 80 traffic.

  • GaNiGaNi Member
    edited May 2013

    @Mun said: My suggestion, buy another VPS, and throw all your website data on it. Make it go through cloudflare, and have Prometeus block all port 80 traffic.

    If you go through the log, towards end you'll see where they are attacking.

    @Jack
    I am not using Port 22 for SSH, in fact I've stopped using SSH. I use Console to manage server for now. My budget won't go beyond 20$.

  • taronyutaronyu Member

    There is another way, though it isn't legal. If he really causes you that much trouble just ddos his ip. I'm pretty sure he likes his own network more than yours.

  • GaNiGaNi Member
    edited May 2013

    @taronyu said: There is another way, though it isn't legal. If he really causes you that much trouble just ddos his ip. I'm pretty sure he likes his own network more than yours.

    As stated earlier, he himself hosts game servers on windows, and pretty much made many community members mad, and they did attack him too but that guy is behind dynamic IP. Not easy to track on.

  • IshaqIshaq Member
    edited May 2013

    Whoever this guy is he sure knows how to hide himself.. I traced his usernames and they all come back with 137.116.32.32

    Which seems to be:

    OrgName Microsoft Corp
    OrgId MSFT-Z
    Address One Microsoft Way
    City Redmond
    StateProv WA
    PostalCode 98052
    Country US

    So yes, however he's doing this he knows how to spoof.

  • MunMun Member

    Steam_ID please.

    Also a good half of that is port 80, start there and continue.

  • MunMun Member

    Steam_ID please.

    Also a good half of that is port 80, start there and continue.

  • MunMun Member

    Also congrats, you are getting hit by a DNS reflection attack, I have never had the honor to be hit by one.

  • GaNiGaNi Member
    edited May 2013

    @Ishaq

    I am sure he is not from the US, he is a Romanian. I was a Channel Admin @ Garena Client. Being an admin, I had banned many users for violating the rules back then, few took it seriously. Among those few, he was one, didn't know he would follow me up till here.

    @Mun
    you lag ;)

  • MunMun Member

    you lag ;)

    Actually, my internet is now faster and thus when I click post it goes so fast it knocks two in place.

  • MunMun Member

    @Zen said: If it is solely DNS reflection & not spoofed SYN then you can block the DNS reflection list or get Prometeus to do so - sure it's a couple thousand IP's but it's worth it as a whole.

    3.1 - 2.0 MB sessions coming from port 53, as well as a lot of smaller traffic from port 80.
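
Added example, not part of any post in this thread: Zen's distinction between DNS reflection and spoofed SYN traffic, applied to inbound flow records to decide which sources are worth putting on a block list. The records, the field layout and the 100,000-byte cut-off are constructed assumptions, not taken from the log GaNi linked.

```python
from collections import Counter

# Constructed inbound flow records (documentation address ranges):
# (proto, src_ip, src_port, dst_port, tcp_flags_seen, bytes)
FLOWS = [
    ("udp", "192.0.2.10",    53,    41822, "",     3_100_000),
    ("udp", "192.0.2.10",    53,    50211, "",     2_400_000),
    ("udp", "198.51.100.7",  53,    33001, "",     2_000_000),
    ("udp", "192.0.2.53",    53,    40000, "",     180),    # ordinary DNS reply
    ("tcp", "203.0.113.5",   40112, 80,    "S",    60),
    ("tcp", "203.0.113.99",  51234, 80,    "S",    60),
    ("tcp", "203.0.113.140", 1025,  80,    "S",    60),
    ("tcp", "198.51.100.20", 55000, 80,    "SAPF", 5_200),  # completed session
]

REFLECTION_MIN_BYTES = 100_000  # assumed cut-off; tune to your own baseline


def classify(flow, min_bytes=REFLECTION_MIN_BYTES):
    """Label one inbound flow as dns_reflection, syn_only or other."""
    proto, _src, sport, _dport, flags, nbytes = flow
    # Reflected answers arrive from UDP source port 53 and are far larger
    # than a normal reply. The source is the real resolver, so blocking works.
    if proto == "udp" and sport == 53 and nbytes >= min_bytes:
        return "dns_reflection"
    # Only a SYN was ever seen: the handshake never completed. These sources
    # are typically forged, so a per-IP block list does not help.
    if proto == "tcp" and flags == "S":
        return "syn_only"
    return "other"


def triage(flows, min_bytes=REFLECTION_MIN_BYTES):
    """Return reflectors ranked by bytes and the count of SYN-only sources."""
    reflector_bytes = Counter()
    syn_sources = set()
    for flow in flows:
        kind = classify(flow, min_bytes)
        if kind == "dns_reflection":
            reflector_bytes[flow[1]] += flow[5]
        elif kind == "syn_only":
            syn_sources.add(flow[1])
    return {"reflectors": reflector_bytes.most_common(),
            "syn_only_sources": len(syn_sources)}


if __name__ == "__main__":
    report = triage(FLOWS)
    for ip, nbytes in report["reflectors"]:
        print(f"block candidate {ip}: {nbytes / 1e6:.1f} MB from port 53")
    print("SYN-only sources (likely spoofed):", report["syn_only_sources"])
```
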

  • GaNiGaNi Member

    Would an i3D 20Euro server tank this attack?

    @Zen
    Would forward this to @prometeus.
