Server problem


poter21

Hi, I don't know if I can post it here, sorry.

My problem is that I have a server that has 300~400 users online, but I had a DDoS attack of 3~5 Gbps. I bought too many dedicated servers at Limestone, Gnax, Softlayer, VPS with Cisco. I installed all the free protection software and they can take the server down for 10 minutes regularly.

When I had Limestone they only blocked my IP for 2 days.

Now I have RoDocs; the server supports 1~2 Gbps but they can take the server down regularly.

I need to know if there is some solution for DDoS; I can't pay too much money (100$).

Regards.


Any news?

Hi Poter21,

I had recently replied to your question that you submitted to AH's client area; but I shall reply here as well just in case you did not see my reply. If you are having issues with a huge DDOS attack, I would recommend checking out Staminus and purchasing the SecurePort system for the amount of traffic you wish to be filtered.

You have asked if AsuraHosting can handle this type of attack, and I stated no. We handle up to 10Gbit/s of traffic which is equivalent to about 1.2Gbps; we use a 2 dedicated server array for our DDOS protected services. 1 dedicated server equipped with Snort & pfSense, placed in front of the other dedicated server to host our RO services; not an advanced scrubbing method like other big providers, but good enough to get the job done against reasonably sized TCP-based DDOS attacks and all UDP attacks.

What I would recommend is contacting LSN, and get 5 IPs. Bind each map, char, and login server with different IPs and set up custom ports which should be something like '12203,12204,12205'; and then hex your client to read a hidden clientinfo.xml.

For SYN protection; please contact me and I will provide you with the sysctl.conf which AsuraHosting uses for our dedicated servers; this will help a lot in deterring Spoofed Attacks. And for software, you should use CSF+LFD; with the proper PORTFLOOD, CT_LIMIT, CONNLIMIT, and SYNFLOOD values set. Again, you will need to contact me, and I can provide a personal service.

---

Unfortunately there isn't a cheap way to deter DDOS attacks, so the only way is to spend $200-$500 a month for a somewhat decent provider with protection. And RoDocs does not have DDOS protection; they rely on a 1Gbit port, no filtration, and their network technicians to manually mitigate. (PNAP datacenter, this is what they do.)

  • Upvote 1

OK, thanks for everything. Actually I have 900mb of UDP flood. How can I block ALL UDP connections?

Thanks Asura :)


Hi poter21,

I would recommend that you consult your provider and ask them to set ACLs on their network router to prevent UDP to all ports besides the ones that you truly need; this is the best method in preventing your port from being hogged by the attack.

On your server, you may use IPTables to block out all the attacks that you don't want. Here is a basic IPTables script for you:

#!/bin/sh
# Clear all settings
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT

# Allow unlimited traffic on the loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Set default policies
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP

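# Accept inbound packets that belong to existing connections; allow all outbound traffic.
# Inbound UDP matches no ACCEPT rule below, so unsolicited UDP is dropped by the default INPUT policy.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT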

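# AH_SYNFLOOD inspection chain: drop fragments and TCP packets with invalid flag
# combinations, accept the rest (no rate limiting is applied in this chain)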
/sbin/iptables -N AH_SYNFLOOD
/sbin/iptables -A AH_SYNFLOOD -f -j DROP
/sbin/iptables -A AH_SYNFLOOD -p tcp ! --syn -m state --state NEW -j DROP
/sbin/iptables -A AH_SYNFLOOD -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A AH_SYNFLOOD -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -A AH_SYNFLOOD -p tcp --tcp-flags ACK,FIN FIN -j DROP
/sbin/iptables -A AH_SYNFLOOD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/sbin/iptables -A AH_SYNFLOOD -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -A AH_SYNFLOOD -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -A AH_SYNFLOOD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -A AH_SYNFLOOD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A AH_SYNFLOOD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/sbin/iptables -A AH_SYNFLOOD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -A AH_SYNFLOOD -p tcp -j ACCEPT

# Allow incoming TCP port 22 (ssh) traffic
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j AH_SYNFLOOD

# Allow Ragnarok Online (TCP)
/sbin/iptables -A INPUT -p tcp --dport 6900 -m state --state NEW -j AH_SYNFLOOD
/sbin/iptables -A INPUT -p tcp --dport 6121 -m state --state NEW -j AH_SYNFLOOD
/sbin/iptables -A INPUT -p tcp --dport 5121 -m state --state NEW -j AH_SYNFLOOD

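# Allow MySQL (open to any source as written; add -s <trusted address> to the rule
# if only specific hosts need remote database access)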
/sbin/iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -j AH_SYNFLOOD

Please note that this is a static rule for generally blocking out basic attacks. It would be more recommended if you use a more dynamic and active firewall such as CSF or APF; these may proactively protect you from DOS attacks.

After installing CSF or APF (your choice); you need to adjust a lot of settings to enable/disable different functions. And then you should install (D)DOS Deflate; http://deflate.medialayer.com/

If you have done all this and still suffer from attacks; contact your host to fix their 'sysctl.conf'. A lot of spoofed attacks and martian packets can be dropped at the server level before they reach your VPS; so it'd be their responsibility to make sure that it's properly configured to do this.

Good luck with your issue!

  • Upvote 1
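
The script in the reply above blocks inbound UDP only implicitly, through the default DROP policy on INPUT. As an added example (not the poster's or AsuraHosting's script), the generator below makes the UDP drop explicit in the raw table, which is evaluated before connection tracking, so flood packets are discarded without creating conntrack entries; the resolver address 192.0.2.53 is a constructed placeholder and the TCP ports are the ones used in the thread.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset that drops inbound UDP in
# the raw table and accepts new TCP connections only on the listed ports.
# Usage: build_ruleset "<resolver IPs>" "<TCP ports>"
build_ruleset() {
    resolvers=$1
    tcp_ports=$2

    # Reject anything that is not a port number before emitting any rule.
    for port in $tcp_ports; do
        case $port in
            *[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "invalid port: $port" >&2; return 1
        fi
    done

    echo "*raw"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A PREROUTING -i lo -j ACCEPT"
    # DNS answers from the host's own resolvers are the only UDP let back in;
    # add further exceptions (NTP, for example) in the same way if needed.
    for ip in $resolvers; do
        echo "-A PREROUTING -s $ip -p udp --sport 53 -j ACCEPT"
    done
    # All other UDP is dropped before conntrack allocates an entry for it.
    echo "-A PREROUTING -p udp -j DROP"
    echo "COMMIT"

    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in $tcp_ports; do
        echo "-A INPUT -p tcp --dport $port --syn -m state --state NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Constructed sample input: documentation-range resolver, ports from the thread.
build_ruleset "192.0.2.53" "22 6900 6121 5121"
```

Pipe the output through `iptables-restore --test` to validate it before loading. Filtering on the host does not free a saturated uplink, so the provider-side ACL recommended in the reply is still needed.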