Recently, a lot of servers have come under attack from some form of DoS or DDoS. I’ve decided to make this thread so you hosters know what to do in the event of an attack.
[h2]1. Pre-attack checklist[/h2]
Get DoS attack fixer and set it up as instructed; its use is explained later.
Get wireshark, it’s a packet and network monitoring tool.
Subscribe to any relevant mailing lists. You can always ask server hosters questions there and stay up to date with the latest protection.
[h2]2. Identify the Attack[/h2]
Are you being attacked with a DoS or DDoS?
Most people seem to confuse one with the other; it’s far more likely that you’re being attacked with a DoS rather than a DDoS.
A DoS is a single person using a single means to prevent access to your server: either saturating your ports, or using a Source exploit, the most common of which is the A2C_INFO or A2C_PRINT spam attack. DoS attack fixer blocks this. UDP flooding is also a viable DoS.
A DDoS would involve some form of botnet or group of people dedicated to attacking your server at once. It is far less likely, due to the resource cost and the utter incompetence of most Garry’s Mod “hackers”. Laugh at whoever is attacking you for me.
One other form of attack is DRDoS, where the attacker ‘bounces’ traffic off a third party towards your server; it is often associated with ICMP attacks. Wireshark can easily filter for these provided you filter by “ICMP”. They are also typical of DDoSes, and can easily be filtered.
An example of a DRDoS using Source involves querying the master server of a game and bouncing the replies towards the victim continuously. The packet will probably look something like “<randomstring> TSource Engine Query”.
[h2]3. Responding to the attack[/h2]
[ol]
[li]Don’t blame it on a DDoS, blame it on maintenance; it’s the easiest way to draw attention away from the attacker. Most attackers do it for attention or some other reason, and the simple way to take that away is by telling your members that you’re the person taking the server down. Basically, you need to ignore the person attacking you and deal with what he’s doing; don’t even speak to him if you can avoid it.[/li]
[li]Take the server down if necessary.[/li]
[li]Use Wireshark to identify the attacker’s IP (if he’s that stupid), or the bad packets. If you’re running Linux, look up how to filter packets successfully. On Windows, you’ll need to block the IP using a firewall rule.[/li]
[li]The DoS attack fixer will probably deal with most “skiddie” attacks.[/li]
[li]If the attack isn’t fixed by this stage, contact your server host or send a message to the relevant HLDS mailing list.[/li]
[/ol]
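Added example, not part of the original post: a small script that does what steps 2 and 3 describe on a packet capture. It classifies packets (Source “TSource Engine Query” spam versus bounced ICMP), counts queries per source per second, decides whether the pattern looks like a single-source DoS or a multi-source DDoS, and renders the block rules for each offending IP. The capture is constructed inline (TEST-NET addresses) to stand in for a Wireshark export; the 20-queries-per-second threshold, the ICMP threshold and the game port 27015 are assumptions to tune for your own server.

```python
"""Detect A2S_INFO query spam in a capture and produce per-IP block rules.
Added example; the sample capture, thresholds and port are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Payload of a Source engine info query: 4 x 0xFF header, then this marker.
A2S_INFO_MARKER = b"TSource Engine Query"


@dataclass(frozen=True)
class Packet:
    ts: float       # capture timestamp in seconds
    src: str        # source IP as seen on the wire
    proto: str      # "udp" or "icmp"
    payload: bytes


def classify(pkt):
    """Label one packet: 'a2s_info' query spam, 'icmp' (bounced traffic) or 'other'."""
    if pkt.proto == "icmp":
        return "icmp"
    if pkt.proto == "udp" and A2S_INFO_MARKER in pkt.payload:
        return "a2s_info"
    return "other"


def query_rates(packets, window=1.0):
    """Per-source peak number of info queries seen in any one window (seconds)."""
    buckets = defaultdict(Counter)          # src -> {window index: count}
    for p in packets:
        if classify(p) == "a2s_info":
            buckets[p.src][int(p.ts // window)] += 1
    return {src: max(counts.values()) for src, counts in buckets.items()}


def find_attackers(packets, max_queries_per_sec=20):
    """Sources whose peak query rate exceeds the threshold (assumed value;
    a real server browser refresh is a handful of queries, not dozens)."""
    return sorted(src for src, peak in query_rates(packets).items()
                  if peak > max_queries_per_sec)


def attack_kind(packets, max_queries_per_sec=20, icmp_source_limit=5):
    """Rough call on what you are looking at, following the post's categories."""
    attackers = find_attackers(packets, max_queries_per_sec)
    icmp_sources = {p.src for p in packets if classify(p) == "icmp"}
    if len(attackers) == 1:
        return "DoS"            # one source hammering the query
    if len(attackers) > 1:
        return "DDoS"           # many sources hammering the query
    if len(icmp_sources) > icmp_source_limit:
        return "DRDoS"          # bounced ICMP from many hosts (assumed threshold)
    return "none"


def block_rules(attackers, port=27015):
    """Render a Linux (iptables) and a Windows (netsh) rule per attacker.
    27015 is the default Source game port (assumption; use your server's port)."""
    rules = []
    for ip in attackers:
        rules.append(f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP")
        rules.append(f'netsh advfirewall firewall add rule name="block {ip}" '
                     f"dir=in action=block protocol=udp localport={port} remoteip={ip}")
    return rules


def sample_capture():
    """Constructed sample standing in for a Wireshark export (not real traffic)."""
    query = b"\xff\xff\xff\xff" + A2S_INFO_MARKER + b"\x00"
    pkts = []
    # A legitimate server-browser client refreshing three times.
    for i in range(3):
        pkts.append(Packet(0.2 * i, "203.0.113.10", "udp", query))
    # One source sending 80 info queries over 1.6 s: 50 in the first second.
    for i in range(80):
        pkts.append(Packet(i / 50.0, "198.51.100.7", "udp", query))
    # Ordinary game traffic from a player (not a query packet).
    pkts.append(Packet(0.5, "203.0.113.22", "udp", b"\x01\x02player-move"))
    # A stray bounced ICMP reply.
    pkts.append(Packet(0.7, "192.0.2.3", "icmp", b""))
    return pkts


if __name__ == "__main__":
    cap = sample_capture()
    print("peak queries/sec per source:", query_rates(cap))
    print("looks like:", attack_kind(cap))
    for rule in block_rules(find_attackers(cap)):
        print(rule)
```

Run it against your own capture by building `Packet` objects from a tcpdump or Wireshark export; the decision logic is the part worth keeping, the thresholds are starting points.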
[h2]4. Your host’s response[/h2]
They have a few options:
If you’re with a good host they’ll offer you something called a Cisco Guard, which’ll basically mitigate the attack provided it doesn’t hit their tipping point, which is 1GB/s for most hosts (Limestone Networks, for example).
If your attack is severe enough they’ll probably null route you (most cheap hosts will do this). This stops you hosting, but it diverts the attack into a virtual ‘black hole’: basically useless to you, but it keeps the server host running.
Probably unfinished, anything I should add?