Grunger Posted February 10, 2012
Someone is DDoSing my server, I'm 100% sure of it. What can I do to prevent this? I've already opened a ticket with my host.

Lilith Posted February 10, 2012 (edited)
Do you use the DDoS Protection Settings in conf/packet_athena.conf? Because Athena auto-detects DDoS attacks ...

JayPee Posted February 10, 2012
Just log the IP and then block it.

Asura Posted February 10, 2012 (edited)
Hi Grunger, I would recommend setting up CSF, APF, or IPTables.

Grunger Posted February 10, 2012 (edited)
Turns out it's a botnet. He DDoSes my server every few minutes, which halts it for about 40 seconds. packet_athena.conf is configured correctly. It's not just from one IP, it's from a ton. It's a UDP flood on port 5121. I'm not too familiar with DDoS, can he just DDoS any open port? Here is an example: http://pastebin.com/1NCDchwZ

Asura Posted February 10, 2012
Hi Grunger, It seems that he is sending randomly sized UDP packets to port 5121; what I would recommend is to install CSF or change your ports and block everything besides the ports you'd want to use.
CSF: http://configserver.com/cp/csf.html
Good luck.

Grunger Posted February 10, 2012 (edited)
Wouldn't he just target the unblocked port? He can find the port via clientinfo.xml or anything really. Sorry if that's a dumb statement, I've never really used this type of software before.
Edit: I've edited the configuration file for csf and started the daemon. I don't have it set to allow ports 5900, 6900 or 5121, but I'm still able to connect while eAthena is running.

Asura Posted February 10, 2012
Hi Grunger, You can configure CSF to detect the packet spam and block those IPs. Be careful how sensitive you make it, because it might start blocking normal players.

Fuyuko Posted February 10, 2012
Usually contacting your host helps the most, because they can set up a firewall as well, especially if you don't own the server.

Asura Posted February 10, 2012
Hi Grunger, If you do follow Fuyuko's advice, I can only ask you to exercise precaution. A good handful of hosts will terminate your VPS because "being a DOS/DDOS target" violates their terms of service, so read your host's policy before telling your host.

Grunger Posted February 10, 2012 (edited)
I run a dedicated server and my host is aware. I've configured CSF and the attacks seem to have stopped (for now). Thanks Asura!
Edit: Just got DDoS'd again. I added all of the IPs to csf.deny and changed the ports so that it blocks all UDP ports except a few.

Asura Posted February 10, 2012
Hi Grunger, Make sure you set 'TESTING=0', else CSF will stop working after the first 5 minutes.

Grunger Posted February 10, 2012 (edited)
I did, and he is still DDoSing my server.
Edit: Here is my csn.conf http://pastebin.com/DzADxhMi
Edit 2: Is it actually possible to stop this kind of attack?
[23:53:00] <R1CH> you can't block it on your server
[23:53:10] <R1CH> its maxing out your ethernet port on the switch, nothing you can do will stop it

Asura Posted February 10, 2012
Hi Grunger, You have not properly set the CSF to detect the flood...
    # Note: Run /etc/csf/csftest.pl to check whether this option will function on
    # this server
    PORTFLOOD = ""

Grunger Posted February 10, 2012 (edited)
Should I add portflood for every single inbound tcp/udp port? That's what I've done and he is still DDoSing me. 25;tcp;50;5; etc. Should I use different timings?
Probably just going to end up switching to a host that offers DDoS protection. Oh well.

Asura Posted February 10, 2012 (edited)
Hi Grunger, I just read <R1CH>'s message; he is correct about maxing out your port. Your server may be blocking the attacks/dropping the packets, but if the botnet is capable of sending enough packets/s, there's really nothing on your part that you can do. Not even the software firewall will stop that... the only solution to this problem is to have your host block the attack on a router level, or simply just null-route your IP to save yourself bandwidth and wait it out. True DDOS Protection against a botnet may require tunneling traffic, and it costs A LOT of money.

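Added example, not part of any post in this thread: a way to check the point R1CH and Asura make, by comparing the inbound rate from two /proc/net/dev snapshots against the link capacity to tell a flood the host firewall can still filter from one that fills the port. The snapshots are constructed sample data, and the interface name `eth0`, the 100 Mbit/s link speed and the 90% threshold are assumptions.

```python
# Constructed /proc/net/dev samples taken 10 seconds apart (not real captures).
HEADER = (
    "Inter-|   Receive                                                |  Transmit\n"
    " face |bytes    packets errs drop fifo frame compressed multicast|"
    "bytes    packets errs drop fifo colls carrier compressed\n"
)
SNAP_T0 = HEADER + "  eth0: 1000000000 2000000 0 0 0 0 0 0 500000000 900000 0 0 0 0 0 0\n"
SNAP_T1 = HEADER + "  eth0: 1120000000 2300000 0 150 0 0 0 0 500400000 900800 0 0 0 0 0 0\n"


def parse_rx(snapshot, iface):
    """Return (rx_bytes, rx_packets) for iface from /proc/net/dev text."""
    for line in snapshot.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip() == iface:
            fields = rest.split()
            return int(fields[0]), int(fields[1])
    raise KeyError(f"interface {iface!r} not found")


def inbound_rate(snap_a, snap_b, iface, seconds):
    """Return (Mbit/s, packets/s) received between two snapshots."""
    bytes_a, pkts_a = parse_rx(snap_a, iface)
    bytes_b, pkts_b = parse_rx(snap_b, iface)
    if bytes_b < bytes_a or pkts_b < pkts_a:
        raise ValueError("counters went backwards (reset or wrap); resample")
    mbps = (bytes_b - bytes_a) * 8 / seconds / 1_000_000
    pps = (pkts_b - pkts_a) / seconds
    return mbps, pps


def assess(mbps, link_mbps, threshold=0.9):
    """'upstream' if the link itself is near saturation, else 'host-firewall'."""
    # Packets dropped by iptables/CSF have already crossed the link, so once
    # the port is full only filtering or null-routing at the provider helps.
    return "upstream" if mbps / link_mbps >= threshold else "host-firewall"


if __name__ == "__main__":
    mbps, pps = inbound_rate(SNAP_T0, SNAP_T1, "eth0", 10)
    print(f"{mbps:.1f} Mbit/s, {pps:.0f} pps ->", assess(mbps, link_mbps=100))
```

On a live host, replace the two constants with the contents of /proc/net/dev read a known number of seconds apart.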