(D)DoS Survival Checklist

Recently, a lot of servers have come under attack from some form of DoS or DDoS. I’ve decided to make this thread so you hosters know what to do in the event of an attack.
[release]
[h2]1. Pre-attack checklist[/h2]
Get DoS attack fixer and set it up as instructed; its use will be explained later.
Get Wireshark; it’s a packet and network monitoring tool.
Subscribe to any relevant mailing lists. You can always ask server hosters questions there and stay up to date with the latest protection.

[h2]2. Identify the Attack[/h2]
Are you being attacked with a DoS or DDoS?
Most people seem to confuse one with the other; it’s far more likely that you’re being attacked with a DoS rather than a DDoS.
A DoS involves preventing access to your server through a single person and means, by saturating your ports or using a Source exploit in order to prevent access to the server, the most common of which is the A2C_INFO or A2C_PRINT spam attack. DoS attack fixer blocks this. UDP flooding is also a viable DoS.
A DDoS would involve some form of botnet or group of people dedicated to attacking your server at once, far less likely due to the resource cost and the utter incompetence of most Garry’s Mod “hackers”. Laugh at whoever is attacking you for me.
One other form of attack is DRDoS, which can occur when the attacker ‘bounces’ traffic towards your server, often associated with ICMP attacks. Wireshark can easily filter for these attacks providing you filter by “ICMP”. These are typical of DDoSes also, and can easily be filtered.
An example of a DRDoS using source involves querying the master server of a game and bouncing the replies towards your victim continuously. The packet will probably look something like “<randomstring> TSource Engine Query”

[h2]3. Responding to the attack[/h2]
[ol]
[li]Don’t blame it on a DDoS, blame it on maintenance; it’s the easiest way to draw attention away from the attacker. Most attackers do it for attention or some other reason; a simple way to correct this is by telling your members that you’re the person taking the server down. Basically, you need to ignore the person attacking you and deal with what he’s doing, don’t even speak to him if you can prevent it.[/li]
[li]Take the server down if necessary.[/li]
[li]Use Wireshark to identify the attacker’s IP (if he’s that stupid), or the bad packets. If you’re running Linux, look up how to filter packets successfully. On Windows, you’ll need to block the IP using a rule.[/li]
[li]The DoS attack fixer will probably deal with most “skiddie” attacks.[/li]
[li]If the attack isn’t fixed by this stage, contact your server host or send a message to the relevant HLDS mailing list.[/li]
[/ol]
[h2]4. Your host’s response[/h2]
They have a few options:
If you’re with a good host they’ll offer you something called a Cisco Guard, which’ll basically mitigate the attack provided it doesn’t hit their tipping point, which is 1GB/s for most hosts (Limestone Networks, for example).
If your attack is severe enough they’ll probably Null Route you (most cheap hosts will do this), this’ll prevent you from hosting but it’ll also mitigate the attack to a virtual ‘black hole’. Basically useless to you, but it keeps the server host running.

[/release]

Probably unfinished, anything I should add?
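Editor’s added example for sections 2 and 3 of the OP (not part of the original post, DoS attack fixer or ServerSecure): a small Python script that takes a list of captured UDP packets and sorts them into the two things the OP tells you to look for, a single IP spamming “TSource Engine Query” (A2S_INFO) at the query port, and reflected A2S_INFO replies arriving from lots of other game servers (the DRDoS case), then spits out the iptables and netsh lines to block the offenders. The packets, the server port (27015), the rate thresholds and the IP addresses are all constructed assumptions for the example; in practice you would feed it packets exported from Wireshark or a pcap library. The Wireshark display filters are included as constants so you can paste them into the filter bar.

```python
"""Sort a packet list into query floods, reflected replies and noise.

Constructed for this thread, not code from the original post or any tool it
names. Assumes the game server listens on UDP 27015 and that the packets were
pulled from a capture you already saved; here they are built inline.
"""
from collections import defaultdict

SERVER_PORT = 27015
# Source engine A2S_INFO query: four 0xFF bytes, 'T', then "Source Engine Query\0".
A2S_INFO_QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"
# A server's reply to it starts with 0xFFFFFFFF followed by 'I'. A game server
# only receives these when someone is bouncing other servers' replies at it.
S2A_INFO_REPLY_PREFIX = b"\xff\xff\xff\xffI"

# Thresholds are assumptions for the example; tune them for your player count.
QUERIES_PER_SECOND_LIMIT = 20   # one IP hammering the query port
REFLECTOR_COUNT_LIMIT = 5       # distinct IPs sending us unsolicited replies

# Wireshark display filters for the same two things, plus the OP's ICMP one.
WIRESHARK_QUERY_FILTER = 'udp.port == 27015 && udp contains "TSource Engine Query"'
WIRESHARK_REFLECT_FILTER = "udp.dstport == 27015 && udp[8:5] == ff:ff:ff:ff:49"
WIRESHARK_ICMP_FILTER = "icmp"


def classify(payload):
    """Label one UDP payload: 'query', 'reply' or 'other'."""
    if payload.startswith(A2S_INFO_QUERY):
        return "query"
    if payload.startswith(S2A_INFO_REPLY_PREFIX):
        return "reply"
    return "other"


def analyse(packets):
    """packets: iterable of (timestamp_seconds, src_ip, dst_port, payload bytes).

    Returns {'flood_sources': [...], 'reflectors': [...]}. Reflectors are the
    servers whose replies are being bounced at you, not the attacker: he
    spoofed your address when querying them, so blocking them stops the
    traffic but does not identify him.
    """
    queries_per_bucket = defaultdict(int)   # (src_ip, whole second) -> count
    reply_senders = defaultdict(int)        # src_ip -> unsolicited replies seen
    for ts, src, dport, payload in packets:
        if dport != SERVER_PORT:
            continue
        kind = classify(payload)
        if kind == "query":
            queries_per_bucket[(src, int(ts))] += 1
        elif kind == "reply":
            reply_senders[src] += 1
    flood = sorted({ip for (ip, _), n in queries_per_bucket.items()
                    if n > QUERIES_PER_SECOND_LIMIT})
    reflectors = sorted(reply_senders) if len(reply_senders) >= REFLECTOR_COUNT_LIMIT else []
    return {"flood_sources": flood, "reflectors": reflectors}


def block_rules(ips):
    """Firewall lines for the IPs: iptables on Linux, netsh advfirewall on Windows."""
    rules = []
    for ip in ips:
        rules.append(f"iptables -I INPUT -s {ip} -p udp --dport {SERVER_PORT} -j DROP")
        rules.append(f'netsh advfirewall firewall add rule name="drop {ip}" '
                     f"dir=in action=block protocol=udp localport={SERVER_PORT} remoteip={ip}")
    return rules


def sample_capture():
    """Constructed packets (documentation ranges), not a real capture."""
    pkts = []
    # Skiddie query spam: 30 A2S_INFO queries from one address inside one second.
    for i in range(30):
        pkts.append((i / 30, "192.0.2.10", SERVER_PORT, A2S_INFO_QUERY))
    # A normal server browser: one query a second.
    for i in range(3):
        pkts.append((float(i), "198.51.100.5", SERVER_PORT, A2S_INFO_QUERY))
    # Reflected replies: six other game servers answering queries we never sent.
    for n in range(1, 7):
        for i in range(4):
            pkts.append((i * 0.25, f"203.0.113.{n}", SERVER_PORT,
                         S2A_INFO_REPLY_PREFIX + b"\x11Reflected\x00"))
    # Unrelated traffic to another port is ignored.
    pkts.append((0.5, "192.0.2.10", 80, b"GET / HTTP/1.0\r\n\r\n"))
    return pkts


if __name__ == "__main__":
    result = analyse(sample_capture())
    print(result)
    for line in block_rules(result["flood_sources"] + result["reflectors"]):
        print(line)
```

The split between “flood_sources” and “reflectors” is the point of the OP’s section 2: the first list is a single IP you can actually block, the second is a pile of innocent servers whose replies a spoofer pointed at you, which is why the reply threshold is on distinct senders rather than packet rate.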

DRDoS.

Added, thanks.

Useful OP.

1gbit DRDoS attacks from COD and Quake servers aren’t as easily filtered. You need a massive uplink and insane amounts of processing power to do it right. It is also not a Source Engine Query attack - that’s normally a DoS packet flood.

Example packet header:

Example packet contents:

I haven’t seen any simple query DoS attacks lately. And DAF doesn’t do much anymore these days, still good if you’re handling the “LOIC” kind of skid that found a query spam tool on hackforums.

serversecure2 is the better way to prevent query attacks.

Always gave the same result for me: “fuck this, I give up”.
Only real effective tool I found was a UDP tunnel with query cache, but that’s way harder to run decently.

I don’t even own a server and I found this incredibly useful.

ServerSecure is what you should be using.

Wireshark is okay but it’s useless to 99% of server owners as they won’t have a method to block the attacking IP or it will be a DDoS/DRDoS attack.

All ICMP should be blocked.

ICMP is worthless to a gameserver hoster and should be turned off.

95% of attacks are normally from shell booters which generally just send worthless repetitive data, “botnets” are also commonly just a bunch of these linked together.

No one even uses the A2C_PRINT attack anymore, that’s the only thing that DAF actually blocks.

No, No, No, No, No, No, No…

You are an idiot and this is letting them win in every way.

Blaming it on maintenance means that you aren’t strong enough to address a problem.

Taking down the server at all is simply letting them win, this is obviously the result they want so why the fuck would you even think about doing this?

Valve doesn’t care unless you attack servers which they are behind; the only time which they will actually try to fix vulnerabilities in their networking code is if it affects them. It’s fairly obvious they are susceptible to UDP spoofing and nothing has been done.

Cisco Guard would most likely just block a bunch of data which is actually legitimate. Besides that, putting your server under Cisco Guard (they do this at SoftLayer) entails 2-3 hours of downtime to put it on and the same to take it off. Not to mention that they will only allow you to use it for 24 hours at a time.

Getting null routed means your server is offline for quite a while. Your data center may insist that this is for your own good, but as you should already know, accepting downtime is losing the battle and this is the last thing you should ever do as a server hoster. Mentioning a DoS attack to your datacenter is normally something you NEVER want to do as they will commonly null route you on the spot.

Limestone Networks mentioned they have some sort of employee-made network filtering; this probably would automatically drop most shell booter traffic. They, like most datacenters, offer a “hardware” firewall; however, all of these are generally shit and are only worthwhile to big enterprises or webhosters as they do stuff like VPNs or TCP- and IP-based filtering.

[editline]18th June 2011[/editline]

ServerSecure2: Windows - Linux

It’s a server plugin though so you need to make a vdf for it.

Just a note to slayer’s post; don’t worry about telling OVH/kimsufi if you’re getting attacked; they don’t give a fuck. Though they’re no help either, they’ll offer you an entry level hardware firewall that only filters 100mbit.

[editline]19th June 2011[/editline]

At least you don’t get nullrouted though.