• Multiple hits on multiple udp server ports on the firewall
    5 replies, posted
Hello, after deploying two Rust servers inside my infrastructure I have been seeing, from almost day one, multiple UDP hits on the configured server ports. I get UDP packets to port 28015 (standard server port) and 28115 (second server port). I get these hits at exactly the same time from all over the world, but mainly from eastern countries.

So a couple of days after the servers were up they went crazy ... lagging all around, players getting disconnected with "Disconnected: packet flooding: player tick". At the same time my 500 Megabyte MPLS internet connection went dead. I know opinions vary, but it felt a lot like a DDoS attack. I have some evidence of the event.

I found it weird after looking at the logs that both my servers received UDP packets at their respective UDP ports. Wouldn't a player trying to play connect only to one or the other server's port? Why both? So I thought that maybe an evil angry person with little s3x took my servers' information and used it in some sort of distributed denial of service.

So I decided to block countries in my IPS and blocked Russia, China, Brazil, and half a dozen more identified as the source of a large part of the connections. Since my player base was largely from other countries, and I only had to make sure I could talk to Facepunch servers, this seemed OK. The configuration still stands and I block over 11 million connections a day that look just like the ones below.

Now I have been thinking about this, and I wonder if this behavior, which made little sense at the beginning (I am talking about getting both UDP connections at different server ports), isn't just a mechanic of the game and how people get some information on the server browser screen or something. Does anyone know anything about this?

https://files.facepunch.com/forum/upload/395832/3758c01a-6eb1-4d1e-adc0-3715adf2a864/image.png
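An added example, not from the thread or from Facepunch, that separates the two patterns the post describes: one source touching both 28015 and 28115 within a few seconds (what a server-browser sweep looks like) versus many packets per second from many sources on one port (what the "packet flooding" disconnects suggest). The line format, sample addresses and thresholds are assumptions, not a Checkpoint export format.

```python
"""Classify UDP hits on the two Rust server ports from constructed log lines."""
from collections import defaultdict

SERVER_PORTS = {28015, 28115}

# Constructed sample: "epoch_seconds src_ip dst_port" per line (assumed format).
# Two sources sweep both ports; then 600 packets from 250 sources hit 28015
# in a single second.
SAMPLE_LOG = """\
1700000000 203.0.113.5 28015
1700000000 203.0.113.5 28115
1700000001 198.51.100.7 28015
1700000003 198.51.100.7 28115
""" + "\n".join(f"1700000010 192.0.2.{i % 250} 28015" for i in range(600))


def parse(log_text):
    """Return (timestamp, source, port) tuples for hits on the server ports."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        if int(port) in SERVER_PORTS:
            hits.append((int(ts), src, int(port)))
    return hits


def browser_sweeps(hits, window=5):
    """Sources whose first packets to both ports fall within `window` seconds."""
    first_seen = defaultdict(dict)
    for ts, src, port in hits:
        first_seen[src].setdefault(port, ts)
    return sorted(src for src, ports in first_seen.items()
                  if len(ports) == 2
                  and abs(ports[28015] - ports[28115]) <= window)


def flood_seconds(hits, pps=200, min_sources=50):
    """(second, port) buckets whose rate and source spread look like a flood."""
    per_sec = defaultdict(lambda: [0, set()])
    for ts, src, port in hits:
        bucket = per_sec[(ts, port)]
        bucket[0] += 1
        bucket[1].add(src)
    return sorted(key for key, (count, srcs) in per_sec.items()
                  if count >= pps and len(srcs) >= min_sources)
```

Running `parse` over a real export and feeding it to both functions gives one list to treat as ordinary browser queries and another to feed into rate limiting at the firewall.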
How do you think the server browser works? And DDOSes happen, that's unfortunately a fact of life on the Internet now.
I do not know how the server browser works. I guess I could actually Wireshark it and see for myself. I will do just that. At the time I did not remember. But the question still hangs: how are these Denial of Service attacks constructed? Do they emulate a lot of people trying to connect or browsing the server list? Any ideas?
DDoSes work by lots of "bots" trying to join or send data to a server at once, which will make it laggy for normal users.
What are you using to monitor traffic?
Checkpoint firewall.