
DDoS


Grunger

Question


  • Group:  Members
  • Topic Count:  6
  • Topics Per Day:  0.00
  • Content Count:  23
  • Reputation:   0
  • Joined:  11/18/11
  • Last Seen:  

Someone is DDoSing my server, I'm 100% sure of it. What can I do to prevent this? I've already opened a ticket with my host.


15 answers to this question



  • Group:  Members
  • Topic Count:  14
  • Topics Per Day:  0.00
  • Content Count:  407
  • Reputation:   159
  • Joined:  11/18/11
  • Last Seen:  

Do you use the DDoS Protection Settings in conf/packet_athena.conf? Because athena auto-detects DDoS attacks ...

Edited by Lilith


  • Group:  Members
  • Topic Count:  47
  • Topics Per Day:  0.01
  • Content Count:  633
  • Reputation:   78
  • Joined:  11/14/11
  • Last Seen:  

just log the IP and then block it



  • Group:  Members
  • Topic Count:  3
  • Topics Per Day:  0.00
  • Content Count:  707
  • Reputation:   168
  • Joined:  01/26/12
  • Last Seen:  

Hi Grunger,

I would recommend setting up CSF, APF, or IPTables.

Edited by Asura


  • Group:  Members
  • Topic Count:  6
  • Topics Per Day:  0.00
  • Content Count:  23
  • Reputation:   0
  • Joined:  11/18/11
  • Last Seen:  

Turns out it's a botnet. He DDoSes my server every few minutes, which halts it for about 40 seconds. packet_athena.conf is configured correctly. It's not just from one IP, it's from a ton. It's a UDP flood on port 5121.

I'm not too familiar with DDoS, can he just DDoS any open port?

Here is an example: http://pastebin.com/1NCDchwZ

Edited by Grunger


  • Group:  Members
  • Topic Count:  3
  • Topics Per Day:  0.00
  • Content Count:  707
  • Reputation:   168
  • Joined:  01/26/12
  • Last Seen:  

Hi Grunger,

It seems that he is sending randomly sized UDP packets to port 5121; what I would recommend is to install CSF or change your ports and block everything besides the ports you'd want to use.

CSF: http://configserver.com/cp/csf.html

Good luck.



  • Group:  Members
  • Topic Count:  6
  • Topics Per Day:  0.00
  • Content Count:  23
  • Reputation:   0
  • Joined:  11/18/11
  • Last Seen:  

Wouldn't he just target the unblocked port? He can find the port via clientinfo.xml or anything really.

Sorry if that's a dumb statement, I've never really used this type of software before.

Edit: I've edited the configuration file for csf and started the daemon. I don't have it set to allow ports 5900, 6900 or 5121, but I'm still able to connect while eAthena is running.

Edited by Grunger


  • Group:  Members
  • Topic Count:  3
  • Topics Per Day:  0.00
  • Content Count:  707
  • Reputation:   168
  • Joined:  01/26/12
  • Last Seen:  

Hi Grunger,

You can configure CSF to detect the packet spam and block those IPs. Be careful of how sensitive you make it, because it might start blocking normal players.



  • Group:  Members
  • Topic Count:  1
  • Topics Per Day:  0.00
  • Content Count:  17
  • Reputation:   0
  • Joined:  02/10/12
  • Last Seen:  

Usually contacting your host helps the most because they can set up a firewall as well, especially if you don't own the server. :P



  • Group:  Members
  • Topic Count:  3
  • Topics Per Day:  0.00
  • Content Count:  707
  • Reputation:   168
  • Joined:  01/26/12
  • Last Seen:  

Hi Grunger,

If you do follow Fuyuko's advice, I can only ask you to exercise precaution. A good handful of hosts will terminate your VPS because "being a DOS/DDOS target" violates their terms of service, so read your host's policy before telling your host.



  • Group:  Members
  • Topic Count:  6
  • Topics Per Day:  0.00
  • Content Count:  23
  • Reputation:   0
  • Joined:  11/18/11
  • Last Seen:  

I run a dedicated server and my host is aware. I've configured CSF and the attacks seemed to have stopped (for now). Thanks Asura!

Edit: Just got DDoS'd again. I added all of the IPs to the csf.deny and changed the ports so that it blocks all UDP ports except a few.

Edited by Grunger


  • Group:  Members
  • Topic Count:  3
  • Topics Per Day:  0.00
  • Content Count:  707
  • Reputation:   168
  • Joined:  01/26/12
  • Last Seen:  

Hi Grunger,

Make sure you set 'TESTING=0', else CSF will stop working after the first 5 minutes.



  • Group:  Members
  • Topic Count:  6
  • Topics Per Day:  0.00
  • Content Count:  23
  • Reputation:   0
  • Joined:  11/18/11
  • Last Seen:  

I did, and he is still DDoSing my server.

Edit: Here is my csf.conf: http://pastebin.com/DzADxhMi

Edit 2: Is it actually possible to stop this kind of attack?

[23:53:00] <R1CH> you can't block it on your server

[23:53:10] <R1CH> its maxing out your ethernet port on the switch, nothing you can do will stop it

Edited by Grunger


  • Group:  Members
  • Topic Count:  3
  • Topics Per Day:  0.00
  • Content Count:  707
  • Reputation:   168
  • Joined:  01/26/12
  • Last Seen:  

Hi Grunger,

You have not properly set the CSF to detect the flood...

# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
PORTFLOOD = ""



  • Group:  Members
  • Topic Count:  6
  • Topics Per Day:  0.00
  • Content Count:  23
  • Reputation:   0
  • Joined:  11/18/11
  • Last Seen:  

Should I add portflood for every single inbound tcp/udp port? That's what I've done and he is still DDoSing me. 25;tcp;50;5; etc. Should I use different timings?

Probably just going to end up switching to a host that offers DDoS protection. Oh well.

Edited by Grunger


  • Group:  Members
  • Topic Count:  3
  • Topics Per Day:  0.00
  • Content Count:  707
  • Reputation:   168
  • Joined:  01/26/12
  • Last Seen:  

Hi Grunger,

I just read <R1CH>'s message; he is correct about maxing out your port. Your server may be blocking the attacks/dropping the packets, but if the botnet is capable of sending enough packets/s, there's really nothing on your part that you can do. Not even the software firewall will stop that... the only solution to this problem is to have your host block the attack at the router level, or simply null-route your IP to save yourself bandwidth and wait it out.

True DDOS Protection against a botnet may require tunneling traffic; and it costs A LOT of money.

Edited by Asura
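Added example, not part of any post in this thread: a triage script for the situation the thread ends on, run over the text output of `tcpdump -nn -tt`. It reports how many sources hit the UDP port, how many a per-IP packet-rate threshold would catch, and whether the volume is close enough to the link speed that only upstream filtering helps. The capture is constructed, and the 100 Mbit/s link, the 50 packets/s per-IP threshold and the 0.8 cut-off are assumptions.

```python
import re
from collections import Counter

# tcpdump -nn -tt line: "<epoch> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE = re.compile(r"^(\d+\.\d+) IP (\d+(?:\.\d+){3})\.\d+ > "
                  r"\d+(?:\.\d+){3}\.(\d+): UDP, length (\d+)$")
HEADERS = 42  # Ethernet (14) + IPv4 (20) + UDP (8) bytes on top of each payload


def constructed_capture(sources=500, per_source=25):
    """Constructed sample: one second of a many-source flood on UDP 5121."""
    total, lines = sources * per_source, []
    for n in range(total):
        host = n % sources
        src = f"198.18.{host // 250}.{host % 250 + 1}"   # benchmark range
        size = 200 + (n * 37) % 1200                      # varying payloads
        lines.append(f"{1329000000 + n / total:.6f} IP {src}.{1024 + n} > "
                     f"203.0.113.10.5121: UDP, length {size}")
    return lines


def triage(lines, port, link_mbps, per_ip_pps):
    """Summarise UDP traffic to `port` and say where it has to be filtered."""
    per_src, wire_bytes, stamps = Counter(), 0, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or int(m.group(3)) != port:
            continue                      # other traffic or unparsable line
        stamps.append(float(m.group(1)))
        per_src[m.group(2)] += 1
        wire_bytes += int(m.group(4)) + HEADERS
    if not stamps:
        return None
    seconds = max(max(stamps) - min(stamps), 1.0)
    mbps = wire_bytes * 8 / seconds / 1e6
    return {
        "packets": len(stamps),
        "sources": len(per_src),
        "mbps": round(mbps, 1),
        # sources a per-IP packets/second threshold would actually catch
        "over_per_ip_limit": sum(c / seconds > per_ip_pps for c in per_src.values()),
        # assumed cut-off: past 80% of the link, host-side drops free no bandwidth
        "filter_at": "upstream" if mbps >= 0.8 * link_mbps else "host",
    }


if __name__ == "__main__":
    print(triage(constructed_capture(), port=5121, link_mbps=100, per_ip_pps=50))
```

On the constructed capture every source stays under the per-IP threshold while the aggregate fills most of the link, which is the case where deny lists and per-IP flood limits on the server change nothing.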
