
Need advice regarding DRDoS
Myatu
28-08-2011, 14:45
If you look at the UDP packets captured by Wireshark, you'll find the e-mail addresses you need to contact the owners of the servers that have been hammering you.

Perhaps you can let them know of the issue, and maybe they can block outgoing traffic to your IP for the time being.

An iptables rule won't do much. The only thing you could possibly do with that is block UDP to port 80, where it's going, but it won't stop the traffic flow.

Getting a 1 Gbps server wouldn't matter if this person has access to several "drone" servers - surely they can match it, and if not, it's a simple matter of adding more "drones".

Also get in contact with OVH about this; they are in a better position to stop the traffic flow than you are - even with a Cisco firewall - by blocking these UDP port 80 dest packets. Send them the Wireshark output when you contact them.
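
The triage step described in this post (pulling the reflecting hosts out of the capture and sizing the flood), as an added example that is not code from this thread. It assumes the capture has been exported to plain lines of the form "time src_ip src_port dst_ip dst_port udp_len"; the sample lines are constructed, and the heuristic is that a source the victim never sent a packet to is returning unsolicited "replies", i.e. it is a reflector answering a spoofed query.

```python
# Added example, not code from the thread: triage a UDP capture summary for reflected
# (DRDoS) traffic. Assumes lines shaped "time src_ip src_port dst_ip dst_port udp_len".
from collections import defaultdict

VICTIM = "94.23.153.11"  # the server IP named in the thread

# Constructed sample: three game servers returning large query replies to UDP/80 on
# the victim, which it never requested, plus one legitimate player exchange.
SAMPLE_CAPTURE = """\
0.000 203.0.113.10 28960 94.23.153.11 80 1200
0.001 203.0.113.11 28960 94.23.153.11 80 1180
0.002 198.51.100.7 27015 94.23.153.11 80 1300
0.003 203.0.113.10 28960 94.23.153.11 80 1200
0.004 192.0.2.55 41234 94.23.153.11 27015 60
0.005 94.23.153.11 27015 192.0.2.55 41234 900
0.006 198.51.100.7 27015 94.23.153.11 80 1300
"""

def parse(text):
    """Return (time, src, sport, dst, dport, length) tuples; skip malformed lines."""
    rows = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 6:
            t, src, sport, dst, dport, length = parts
            rows.append((float(t), src, int(sport), dst, int(dport), int(length)))
    return rows

def find_reflectors(rows, victim=VICTIM):
    """Inbound sources the victim never sent to: their 'replies' are unsolicited, so
    they are reflectors answering a spoofed query. Ordered by bytes, largest first."""
    solicited = {(dst, dport) for _, src, _, dst, dport, _ in rows if src == victim}
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "ports": set()})
    for _, src, sport, dst, dport, length in rows:
        if dst == victim and (src, sport) not in solicited:
            stats[src]["packets"] += 1
            stats[src]["bytes"] += length
            stats[src]["ports"].add(f"{sport}->{dport}")
    return dict(sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True))

def inbound_mbps(rows, victim=VICTIM):
    """Average inbound rate over the capture window, in Mbit/s."""
    inbound = [r for r in rows if r[3] == victim]
    span = inbound[-1][0] - inbound[0][0] if len(inbound) > 1 else 0.0
    return sum(r[5] for r in inbound) * 8 / span / 1e6 if span else 0.0

if __name__ == "__main__":
    rows = parse(SAMPLE_CAPTURE)
    print(f"inbound: {inbound_mbps(rows):.2f} Mbit/s")
    for ip, s in find_reflectors(rows).items():  # hosts whose owners to contact
        print(f"{ip}: {s['packets']} pkts, {s['bytes']} bytes via {sorted(s['ports'])}")
```

The per-source list is what to hand to the reflectors' owners and to OVH; the legitimate player flow (bidirectional on the same ports) is left out automatically.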

Arran
26-08-2011, 22:48
Looking at some of the data, the game is Call of Duty; didn't look into which one though.

Whoever it was hasn't been at it for 2 days now; if it starts again I'll look into it further. I still can't believe people can spoof an IP; the internet is quite primitive if you can get away with that.

yonatan
26-08-2011, 15:37
Have you tried contacting the game server developers regarding your issue?

He might be exploiting a DoS vuln in the game software itself, which a little patch might block instantly. (That used to happen on Call of Duty servers and some other game servers.)

Also, have you played around with iptables yet?

Myatu
26-08-2011, 11:37
20 Mbps per source and 20 Mbps per destination. I actually thought it was still 50 Mbps when Oles posted it, but it has been reduced to 20 Mbps, as someone pointed out. See http://status.ovh.co.uk/?do=details&id=1449

Razakel
26-08-2011, 05:30
Quote Originally Posted by Myatu:
> I'm rather curious as to why you're receiving nearly 100 Mbps in UDP traffic, given that OVH has capped incoming traffic per server to 20 Mbps. Have you asked them to lift this cap, given you're running a game server, or is this something that hasn't even been implemented for your particular server?
Wasn't it 20 Mbps per IP?

Myatu
25-08-2011, 20:14
I'm rather curious as to why you're receiving nearly 100 Mbps in UDP traffic, given that OVH has capped incoming traffic per server to 20 Mbps. Have you asked them to lift this cap, given you're running a game server, or is this something that hasn't even been implemented for your particular server?

Arran
24-08-2011, 22:42
It isn't a one-off, and I know a lot of smart people read this forum, so here goes.

About 1 to 2 months ago our server was getting DRDoS'd on and off for about 1 to 2 weeks, and today it has started again, and I know it's not going to end for a long time, if ever. This person is content on keeping my game server down; it's a popular one that peaks at 254 players most days.

So last time it happened we were reading around looking for a solution and just hoping it would go away, and luckily it did, but now it's back and I am not going to sit around this time just hoping they'll grow up. It would be a great injustice to let some child ruin the enjoyment of so many people.

So I need some advice. So far I can see only two options out of this, both of which are expensive and can't guarantee resolution.

A) Moving from Kimsufi to OVH, getting professional usage and then getting the Cisco firewall. But surely the firewall just gets flooded the same way the server's NIC is being flooded? Spending all that just to find out a firewall is useless; I wouldn't be happy.

B) Get the cheapest 1 Gbps server available and hope he can't flood 1 Gbps.

Apart from waiting, are there any other options available?

Details about the attack type: It's a distributed reflected denial of service, and I know that because the data being sent are all packets that a game server would send to a player who wants to get info on a server, like server name, map name, player count, etc. Several different games have been used by the attacker.

Why is some kid able to fake my server's IP (94.23.153.11) and send out requests to these game servers using my IP, so I get flooded with 98 Mbps of traffic, and get away with it?

If any further info is needed, I will happily provide it.

Edit: Here's a Wireshark capture so you can see for yourselves: http://94.23.153.11/ddos/drdos25th.rar