• Help with ddos? Any advice is appreciated!
    7 replies, posted
Hello everyone. I'd like to say thank you in advance for any advice or help. I have a dedicated with a few servers running for my community (mainly a PERP and a DarkRP), along with the webserver for my website and some future client test servers. Recently we made some SH users mad because we detected their hacks and still detected it when they tried to implement their workarounds. (All we do is first go to them and ask them to please disable their hacks and then rejoin.) So they went and cried on the SH forums (saw it myself, with my IP in the post title and all). Since then I have been having many DDoS issues. I have had them before, but since upgrading to a gigabit all has been fine and dandy. Well, now they are saturating the gigabit port, causing my provider to null route me. I have done much research but have only found expensive solutions. Figured I might as well post here because I really don't know what to do at this point and I could really use some solid advice. So my questions are: What are some good DDoS mitigation companies? One that isn't expensive would be great, but if there aren't any cheap ones any would do. What did you end up doing about your DDoS problems? (If you were ever in this pinch.) Is there anything I could do on my server to try to combat the DDoS? Once again, I can't thank you guys enough for any help or advice that you give. I am at a loss of things to do.
[url]www.peerblock.com[/url] Get the IPs, block them. As for getting the IPs, fairly sure you can use cmd.exe (on windows, terminal on *nix systems) and the command "netstat". Look for the addresses. There are other ways I'm sure, if anyone else knows a better way please do tell.
Contact your provider after you get those IPs as well.
[QUOTE=Gnomical;36776030][url]www.peerblock.com[/url] Get the IPs, block them. As for getting the IPs, fairly sure you can use cmd.exe (on windows, terminal on *nix systems) and the command "netstat". Look for the addresses. There are other ways I'm sure, if anyone else knows a better way please do tell.[/QUOTE] You can't stop a DDoS attack by blocking the offending IP addresses. The traffic from the DDoS is still reaching the machine, it's just the machine is set to reject such traffic. Rejecting bad traffic from a DDoS will actually cause more traffic, because the machine is actively sending back responses to the source that the packets were rejected. It also has a nasty side effect of eating up tons of CPU time, since many NICs aren't actually NICs, but just implement the hardware layer of the connection and rely on the host CPU to do packet processing in software. The best solution would be to do what your host is doing and null route the incoming bad traffic, or instruct your machine to silently drop it. It won't stop the DDoS, but it will make it more annoying for the skids running the attack to keep it up. Other than that, I suggest just waiting the attack out. They'll eventually become bored of attacking you and find something else to attack.
[QUOTE=bohb;36776371]You can't stop a DDoS attack by blocking the offending IP addresses. The traffic from the DDoS is still reaching the machine, it's just the machine is set to reject such traffic. Rejecting bad traffic from a DDoS will actually cause more traffic, because the machine is actively sending back responses to the source that the packets were rejected. It also has a nasty side effect of eating up tons of CPU time, since many NICs aren't actually NICs, but just implement the hardware layer of the connection and rely on the host CPU to do packet processing in software. The best solution would be to do what your host is doing and null route the incoming bad traffic, or instruct your machine to silently drop it. It won't stop the DDoS, but it will make it more annoying for the skids running the attack to keep it up. Other than that, I suggest just waiting the attack out. They'll eventually become bored of attacking you and find something else to attack.[/QUOTE] Since the attacks are saturating the entire port, it's simply overloaded. I can't go in to change anything via remote desktop, and the company's auto null route kicks in if the incoming is more than what my port can handle. Their response to me suggesting banning the IPs was that it's "impractical".
Wait the attacks out, and then when they've stopped contact your host and change your IP.
[QUOTE=Dankie;36809466]Wait the attacks out, and then when they've stopped contact your host and change your IP.[/QUOTE] Does changing the IP truly help? I think not. If it's people from a gmod server, he has a website, as he said he does, which means the new IP would be posted somewhere within reach of said DDoSers, so they could just get the new IP and start all over again. Personally, I believe it's a lot of work, though it may be worth it: look for the IPs in command prompt as said before, then call up the ISP and request the IPs to be blocked. Then use whois to find out the IPs' ISP and contact them through their abuse email and report the IPs for DDoSing. From what I have experienced, ISPs take DDoSing matters quite seriously.
Unless you have thousands of pounds, combating a DDoS attack is simply not possible. From experience, the only real option is to wait the attack out and hope that the attacker gets bored and eventually goes for another community. When access to your server is next possible I'd recommend setting up a firewall configuration; of course it's not going to be possible to block large-scale attacks, but small-scale ones can easily be prevented if your system is correctly configured. My servers typically run Linux (CentOS 5.x) with Config Server Firewall (it has built-in SYN-flood protection). DDoS Deflate is also a suitable option to consider. If you're running Windows, tweaking the maximum number of TCP connections, maximum number of incoming UDP/ICMP packets per second, and the maximum number of incoming TCP concurrent half-open connections could indeed do the trick. Good luck!
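Several replies above suggest reading the remote addresses out of netstat, and the last post mentions limiting half-open TCP connections. The script below is an added example (not posted by anyone in this thread) that parses Linux-style `netstat -ant` output, counts connections per remote IP, and flags sources with many connections stuck in SYN_RECV; the sample output is constructed, and, as the thread notes, this only helps with floods small enough that the box is still reachable.

```python
import re
from collections import Counter

# Constructed sample of Linux `netstat -ant` output (documentation IP ranges), not a real capture.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:27015      198.51.100.7:51234      SYN_RECV
tcp        0      0 203.0.113.10:27015      198.51.100.7:51235      SYN_RECV
tcp        0      0 203.0.113.10:27015      198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.45:40002        ESTABLISHED
tcp        0      0 203.0.113.10:27015      198.51.100.7:51237      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40003        TIME_WAIT
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

# One connection line: proto, recv-q, send-q, local, remote, optional state (UDP lines have none).
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s*(?P<state>\S+)?$"
)

def parse_netstat(text):
    """Yield (remote_ip, local_port, state) per connection; skip the header and listening sockets."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("remote") == "0.0.0.0:*":
            continue
        remote_ip = m.group("remote").rpartition(":")[0]   # rpartition keeps IPv6 addresses intact
        local_port = m.group("local").rpartition(":")[2]
        yield remote_ip, local_port, m.group("state") or ""

def connections_per_source(text):
    """Count connections per remote IP, overall and in the half-open SYN_RECV state."""
    total, half_open = Counter(), Counter()
    for ip, _, state in parse_netstat(text):
        total[ip] += 1
        if state == "SYN_RECV":
            half_open[ip] += 1
    return total, half_open

def flag_sources(text, half_open_threshold=3):
    """Return remote IPs whose half-open connection count reaches the threshold (sorted)."""
    _, half_open = connections_per_source(text)
    return sorted(ip for ip, n in half_open.items() if n >= half_open_threshold)

if __name__ == "__main__":
    total, half_open = connections_per_source(SAMPLE_NETSTAT)
    for ip, n in total.most_common():
        print(f"{ip:16} total={n:3} half_open={half_open[ip]:3}")
    print("flagged:", flag_sources(SAMPLE_NETSTAT))
```

Feed it real output with `netstat -ant | python3 this_script.py` after swapping the sample for `sys.stdin.read()`; the flagged list is what you would hand to the provider's abuse contact, not something to REJECT from the host, for the reason given earlier in the thread.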