Quick question - is everyone here hosting on NFO?
My server was knocked down as well, and judging by the amount of servers being hit, it's possible they're trying to take down NFO.
Spoke with their support, and they said that the size of the botnet was about 100k.
[b]EDIT:[/b] Oops, just saw some are using OVH and other. Ignore the NFO theory.
I bet I know who's behind it...
... [url]http://www.jbmod.com/[/url]
[sp]but yeah my IP hosted by NFO has been under attack for a few days now[/sp]
I'm using Intreppid.
Overclocked desktop GPU to 4.4ghz because of that SRCDS single-threaded bullshit.
Their support is awesome and servers are reliable.
20gbps ddos mitigation.
$500/mo though lol
[QUOTE=Inelegant;46795874]I'm using Intreppid.
Overclocked desktop GPU to 4.4ghz because of that SRCDS single-threaded bullshit.
Their support is awesome and servers are reliable.
20gbps ddos mitigation.
$500/mo though lol[/QUOTE]
I wouldn't pay $500/month for that.
Quickly browsing the Terms of Service revealed that they charge $100 per IP on ANY BLACKLISTING. It doesn't matter if you spam or not - if anyone even wants to blacklist it on a whim you pay $100 per IP.
They also charge $300/[B]hour[/B] ([URL="http://i.imgur.com/rDcvWQH.png"]click here[/URL] to view image). With the way it's phrased you could end up being charged $300/hour for anything extra, not just hardware upgrades,
i.e. administrative fees for dealing with DMCA, custom filter rules, hardware replacement due to failures etc.
In other words stay the hell away from them.
are you really being taken off by all those 40mbps attacks? or are they just listed anyway
[QUOTE=Inelegant;46795874]I'm using Intreppid.
Overclocked desktop GPU to 4.4ghz because of that SRCDS single-threaded bullshit.
Their support is awesome and servers are reliable.
20gbps ddos mitigation.
$500/mo though lol[/QUOTE]
You're bonkers!
My servers have been attacked since Christmas day. I get null-routed for eight hours and then the server comes back up and I'm null-routed again. *Sigh*
Also, with NFO.
Since Christmas my server keeps losing connection to Steam:
"Could not establish connection to Steam servers."
It stays like that for about an hour or so then comes right again only to be up for a few hours then it goes down again.
Is this some sort of attack?
(With Elpis so I can't see what's going on internally)
Commander, don't use Elpis man! They are the worst! I used to use them. Just open a support ticket and ask them if you're being DDoSed. I just got hit again last night and today. This is getting old.
[QUOTE=CatsBananas;46804517]Commander, don't use Elpis man! They are the worst! I used to use them.[/QUOTE]
I disagree.
What OS are you all hosted on? We were having some DDoS-like issues around the time of this post as well. I contacted NFO support and they applied some filtering up the line from our box. What's interesting is that they mentioned that this was a specific issue with Windows Firewall. Now when I check the firewall section in our control panel I see this:
[quote]
The firewall is disabled on your machine due to a serious Windows performance limitation which causes servers to collapse under certain types of DoS attacks, that we brought to the attention of Microsoft in 2013.
[/quote]
Ever since this change has been made we have had no more problems with this attack.
[QUOTE=Dgc2002;46804804]What OS are you all hosted on? We were having some DDoS-like issues around the time of this post as well. I contacted NFO support and they applied some filtering up the line from our box. What's interesting is that they mentioned that this was a specific issue with Windows Firewall. Now when I check the firewall section in our control panel I see this:
Ever since this change has been made we have had no more problems with this attack.[/QUOTE]
what did you ask them specifically
[QUOTE=nettsam;46804927]what did you ask them specifically[/QUOTE]
Paraphrased question:
[QUOTE=Me]
It seems that within the past few hours(maybe longer) our box has been crashing/going offline without recovering. Are there any known issues on NFO's end? I don't believe we have made any recent changes, however I would like to rule out anything related to your end before I get too deeply into troubleshooting this.
[/QUOTE]
Paraphrased reply:
[QUOTE=NFO]
Thanks for contacting us today. It appears that another customer on the machine is being hit with an attack that the Windows Firewall is having trouble coping with. I'll need to forward this to see if we can apply a filter on our router to block this, as well as disable the machine firewall so that other servers aren't affected by future attacks like this. Please allow some time for his response here.
[/QUOTE]
@Commander, Use NFO man.
One of the DarkRP servers I play on has been getting DDoSed for about 2 months now, and the owner cannot get the server back up.
Usually my servers only get hit, once a month maybe? This last week I've had like 7-8 DDoS attacks on my servers.
These attacks have made my ranking drop from the 100's to around 250 now...
Damn it.
I've noticed an increase in SSDP attacks to gameservers recently. They don't seem high pps or high throughput, but are high impact due to something I'm not going to mention publicly.
For anyone on Linux.
[code]
iptables -I INPUT -p udp -m multiport --port 1900 -j DROP
[/code]
If you're running on a vps which is routed not bridged with the host node (e.g. venet on openvz), your host will have to firewall it or there's a good possibility the whole node will get knocked offline. We're already firewalling it at Afterburst.
[code]
iptables -I INPUT -p udp -m multiport --port 1900 -j DROP
[/code]
Why port 1900? What does this exactly do?
[QUOTE=Flapadar;46814820]I've noticed an increase in SSDP attacks to gameservers recently. They don't seem high pps or high throughput, but are high impact due to something I'm not going to mention publicly.
For anyone on Linux.
[code]
iptables -I INPUT -p udp -m multiport --port 1900 -j DROP
[/code]
If you're running on a vps which is routed not bridged with the host node (e.g. venet on openvz), your host will have to firewall it or there's a good possibility the whole node will get knocked offline. We're already firewalling it at Afterburst.[/QUOTE]
Didn't know it was called SSDP, but found a matching dump of what I captured here: [url]http://blog.sucuri.net/2014/09/quick-analysis-of-a-ddos-attack-using-ssdp.html[/url]
Except mine didn't originate from port 1900, so that filter would be ineffective.
Used this instead:
[code]
iptables -I INPUT -m string --to 300 --algo bm --hex-string '|2055506e502f312e30|' -j DROP
[/code]
[QUOTE=frietje2008;46815394]iptables -I INPUT -p udp -m multiport --port 1900 -j DROP why port 1900?
what does this exactly do?[/QUOTE]
Port 1900 traffic is SSDP which I've seen being used in attacks more recently in the past few months. SSDP isn't needed on servers so there's absolutely no reason to receive traffic on that port, so dropping it is better than not dropping it.
[QUOTE=Blasteh;46815419]Didn't know it was called ssdp, but found a matching dump of what I captured here [url]http://blog.sucuri.net/2014/09/quick-analysis-of-a-ddos-attack-using-ssdp.html[/url]
Except mine didn't originate from port 1900, so that filter would be ineffective.
used this instead
[code]
iptables -I INPUT -m string --to 300 --algo bm --hex-string '|2055506e502f312e30|' -j DROP
[/code][/QUOTE]
If the traffic you received didn't originate on port 1900, it wasn't an SSDP attack. Also good luck using string matching, it's far from ideal.
k thx for the information
[QUOTE=Flapadar;46815420]Port 1900 traffic is SSDP which I've seen being used in attacks more recently in the past few months. SSDP isn't needed on servers so there's absolutely no reason to receive traffic on that port, so dropping it is better than not dropping it.
If the traffic you received didn't originate on port 1900, it wasn't an SSDP attack. Also good luck using string matching, it's far from ideal.[/QUOTE]
Create a filter for this then?
[code]
User Datagram Protocol, Src Port: 56138 (56138), Dst Port: 27045 (27045)
HTTP/1.1 200 OK
CACHE-CONTROL: max-age=1800
DATE: Tue, 13 Jan 1970 22:44:00 GMT
EXT:
LOCATION: http://192.168.1.1:52869/gatedesc.xml
SERVER: Linux, UPnP/1.0, Portable SDK for UPnP devices/1.6.6
X-User-Agent: redsonic
ST: uuid:uuid:20809696-105a-3721-e8b8-2089867120d7
USN: uuid:uuid:20809696-105a-3721-e8b8-2089867120d7
[/code]
Edit: looking through this dump, every source port between 10000 and 65535 is used, all aimed at the srcds port.
1900 is not anywhere, and the packet contents match what the website describes...
[QUOTE=Blasteh;46815444]Create a filter for this then?
[code]
User Datagram Protocol, Src Port: 56138 (56138), Dst Port: 27045 (27045)
HTTP/1.1 200 OK
CACHE-CONTROL: max-age=1800
DATE: Tue, 13 Jan 1970 22:44:00 GMT
EXT:
LOCATION: http://192.168.1.1:52869/gatedesc.xml
SERVER: Linux, UPnP/1.0, Portable SDK for UPnP devices/1.6.6
X-User-Agent: redsonic
ST: uuid:uuid:20809696-105a-3721-e8b8-2089867120d7
USN: uuid:uuid:20809696-105a-3721-e8b8-2089867120d7
[/code]
Edit: looking through this dump, every source port between 10000 and 65535 is used, all aimed at the srcds port.
1900 is not anywhere, and the packet contents match what the website describes...[/QUOTE]
u32 match HTTP/1.1 200 OK in a UDP packet at the specific location in the packet it starts at. More work but much faster. That's the first reference to SSDP/UPnP attacks that doesn't come from port 1900 I've ever seen. Very strange.
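As an added example (mine, not any poster's code), here is a small Python model of the three filters discussed in this thread, run over a constructed copy of Blasteh's dump and a constructed legitimate Source query, plus a builder for the fixed-offset u32 expression Flapadar suggests. The payload bytes, CRLF line endings and the sample source ports are assumptions.

```python
# Constructed SSDP reply copied from Blasteh's dump, as it would sit in a UDP payload (CRLF assumed).
SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"DATE: Tue, 13 Jan 1970 22:44:00 GMT\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:52869/gatedesc.xml\r\n"
    b"SERVER: Linux, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    b"X-User-Agent: redsonic\r\n"
    b"ST: uuid:uuid:20809696-105a-3721-e8b8-2089867120d7\r\n"
    b"USN: uuid:uuid:20809696-105a-3721-e8b8-2089867120d7\r\n\r\n"
)
# Constructed legitimate traffic: a Source engine connectionless query (0xFFFFFFFF header).
SRCDS_QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"

# (name, UDP source port, payload); all aimed at the srcds port 27045 seen in the dump.
SAMPLES = [
    ("ssdp_from_1900", 1900, SSDP_REPLY),
    ("ssdp_from_ephemeral", 56138, SSDP_REPLY),
    ("legit_query", 51234, SRCDS_QUERY),
]

def rule_port1900(sport, payload):
    """Flapadar's rule: drop UDP from source port 1900. Misses reflectors answering elsewhere."""
    return sport == 1900

def rule_string_upnp(sport, payload):
    """Blasteh's rule: -m string --hex-string '|2055506e502f312e30|' (' UPnP/1.0').
    The real --to 300 window counts from the IP header; approximated here on the payload."""
    return bytes.fromhex("2055506e502f312e30") in payload[:300]

def rule_u32_http200(sport, payload):
    """Flapadar's suggestion: a fixed-offset match on 'HTTP/1.1 200 OK' at payload start."""
    return payload.startswith(b"HTTP/1.1 200 OK")

def u32_expression(marker):
    """Build the iptables -m u32 --u32 expression matching `marker` at UDP payload offset 0:
    0>>22&0x3C is the IPv4 header length in bytes, @8 skips the UDP header, whole words compared."""
    words = [marker[i:i + 4] for i in range(0, len(marker) - len(marker) % 4, 4)]
    return " && ".join("0>>22&0x3C@%d=0x%s" % (8 + 4 * i, w.hex()) for i, w in enumerate(words))

def evaluate(samples=SAMPLES):
    """Return {sample: {rule: matched}} so the gap in the port-based filter is visible."""
    rules = (rule_port1900, rule_string_upnp, rule_u32_http200)
    return {name: {r.__name__: r(sport, pl) for r in rules} for name, sport, pl in samples}

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(name, verdicts)
    print("iptables -I INPUT -p udp -m u32 --u32 '%s' -j DROP" % u32_expression(b"HTTP/1.1 200 OK"))
```

On a real box the u32 rule should also carry the fragment check the iptables-extensions man page uses (`4&0x1FFF=0`), since the payload offsets only hold for the first fragment.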
[QUOTE=Flapadar;46815496]u32 match HTTP/1.1 200 OK in a UDP packet at the specific location in the packet it starts at. More work but much faster. That's the first reference to SSDP/UPnP attacks that doesn't come from port 1900 I've ever seen. Very strange.[/QUOTE]
Ah yes, that would work.
I still have the capture file if you're interested.. but they contain real IPs of compromised routers /shrug
[QUOTE=Blasteh;46815517]Ah yes, that would work.
I still have the capture file if you're interested.. but they contain real IPs of compromised routers /shrug[/QUOTE]
I'd be quite interested in seeing it (though I'd suggest against posting it publicly in case anyone decided to use said routers).
[QUOTE=Flapadar;46814820]
For anyone on Linux.
[code]
iptables -I INPUT -p udp -m multiport --port 1900 -j DROP
[/code]
[/QUOTE]
Surely on Linux and Windows people should be using a global deny/drop rule (catch-all) after specifically whitelisting allowed connections, or am I just going bonkers? This is standard security practice....
EDIT: I mean the firewall should be set to Implicit Drop/Deny basically.
[QUOTE=frosty802;46817250]Surely on Linux and Windows people should be using a global deny/drop rule (catch-all) after specifically whitelisting allowed connections, or am I just going bonkers? This is standard security practice....
EDIT: I mean the firewall should be set to Implicit Drop/Deny basically.[/QUOTE]
Generally people do that for the ports that are active on their server, not for which ports should be sending traffic to those ports. SSDP traffic will target the active port that you've specifically allowed traffic for, normally from port 1900 (not always, as above).
[QUOTE=frosty802;46817250]Surely on Linux and Windows people should be using a global deny/drop rule (catch-all) after specifically whitelisting allowed connections, or am I just going bonkers? This is standard security practice....
EDIT: I mean the firewall should be set to Implicit Drop/Deny basically.[/QUOTE]
In a perfect world everyone would have properly configured firewall rules, a nice IDPS, their webserver on a DMZ rather than the game server, all security patches would be applied on time, you wouldn't be able to flip over a worker's keyboard and find a sticky note with their past 7 passwords on it, etc. But the average gmod server owner won't know the first thing about best security practices.
[IMG]http://fs2.directupload.net/images/141230/li3383ub.png[/IMG]
[IMG]http://fs2.directupload.net/images/141230/b36wnrm6.png[/IMG]
[IMG]http://fs2.directupload.net/images/141230/b6mlnkm3.png[/IMG]
[IMG]http://fs2.directupload.net/images/141230/2uwmy9wj.png[/IMG]
[IMG]http://fs2.directupload.net/images/141230/k3ijg575.png[/IMG]
[IMG]http://fs2.directupload.net/images/141230/5ni73sb2.png[/IMG]
Switch to a DDoS-protected dedicated server, like we did. And for all others, banning this SteamID should be helpful.