DAF no longer working?

DAF, the DoS Attack Fix, doesn’t seem to work anymore.

My dedicated server is being DDoS’d through some kind of orphaned/nonexistent process of srcds.exe. This is reported by Netlimiter, a firewall tool that displays all incoming and outgoing connections and lots of information. I am being hit at about 50 megabits/second by thousands of IPs, although most of them belong to only three class B IP subnets.

Can someone confirm that DAF doesn’t work anymore or otherwise suggest a fix? IP Range banning is a possibility but I’ve tried it a few times and usually screw up and have to hard reboot the server which takes a while.

http://k.min.us/ijCsLg.png

(User was banned for this post ("Wrong section" - mahalis))

There are different methods of "DDoS"ing a server, and a lot of them aren’t really DDoS’s by definition.

There’s all sorts of nasty things these kiddies can do to your server to take it down, DAF only solves the actual DDoS issue. I installed DAF on my server and it perfectly blocked all conventional DDoS attacks, but the server can still be exploited and brought down through other methods that aren’t actually DDoS.

I said DDoS way too many times in my post :frowning:

Actually, reading my post back again, I shouldn’t say it’s not an actual “DDoS” attack; it’s just that when people think of DDoS they usually think of a botnet or something similar to LOIC, which might not be the case, sorry if I wasn’t making sense.

It doesn’t matter if it’s LOIC or something, but it’s definitely some sort of botnet to have over 1000 IP addresses.

I just want to block it :expressionless: My Garry’s Mod servers are unplayable.

You can’t block it, that’s the point of a DoS.

wireshark?

A thousand IPs is a DDoS, not a DoS. And yes, you can block them. Depending on the size and strength, though, it can be difficult.

DAF is shit. Good luck accomplishing anything with it.

DAF only protects against a2c_print and bell characters in it.

I really don’t think it does a single other damn thing than waste hard drive space.

I smell devnull. You’re lucky you’re only getting 50mbit. We got hit by 950mbit (And managed to stay online)

I got 10 gbit. :X

Hi guys, this just started happening again today, being attacked at 50 megabits/second. Same IP ranges as last time. Anybody have any help?

OS: Windows Server 2003

wireshark!

Wireshark looks more like an in-depth packet analyzer than a bandwidth shaper/firewall. How would I use it to prevent a DDoS? Using other tools to block IP address ranges has only caused more harm than good.

Show us the packets from the attack.

No.     Time        Source                Destination           Protocol Info
 335940 11.219315   174.120.141.174       216.245.193.100       DNS      Standard query response

Frame 335940: 270 bytes on wire (2160 bits), 270 bytes captured (2160 bits)
    Arrival Time: Mar 19, 2011 23:23:04.469692000 Pacific Daylight Time
    Epoch Time: 1300602184.469692000 seconds
    [Time delta from previous captured frame: 0.000004000 seconds]
    [Time delta from previous displayed frame: 0.000004000 seconds]
    [Time since reference or first frame: 11.219315000 seconds]
    Frame Number: 335940
    Frame Length: 270 bytes (2160 bits)
    Capture Length: 270 bytes (2160 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:dns]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Cisco_31:94:00 (00:0c:ce:31:94:00), Dst: IntelCor_b8:59:a4 (00:1c:c0:b8:59:a4)
    Destination: IntelCor_b8:59:a4 (00:1c:c0:b8:59:a4)
        Address: IntelCor_b8:59:a4 (00:1c:c0:b8:59:a4)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Cisco_31:94:00 (00:0c:ce:31:94:00)
        Address: Cisco_31:94:00 (00:0c:ce:31:94:00)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 174.120.141.174 (174.120.141.174), Dst: 216.245.193.100 (216.245.193.100)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 256
    Identification: 0x1feb (8171)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 54
    Protocol: UDP (17)
    Header checksum: 0x8d81 [correct]
        [Good: True]
        [Bad: False]
    Source: 174.120.141.174 (174.120.141.174)
    Destination: 216.245.193.100 (216.245.193.100)
User Datagram Protocol, Src Port: domain (53), Dst Port: 27015 (27015)
    Source port: domain (53)
    Destination port: 27015 (27015)
    Length: 236
    Checksum: 0x0c94 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Domain Name System (response)
    Transaction ID: 0x000a
    Flags: 0x8100 (Standard query response, No error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 13
    Additional RRs: 0
    Queries
        <Root>: type ANY, class IN
            Name: <Root>
            Type: ANY (Request for all records)
            Class: IN (0x0001)
    Authoritative nameservers
        <Root>: type NS, class IN, ns K.ROOT-SERVERS.NET
            Name: <Root>
            Type: NS (Authoritative name server)
            Class: IN (0x0001)
            Time to live: 6 days
            Data length: 20
            Name server: K.ROOT-SERVERS.NET
        <Root>: type NS, class IN, ns L.ROOT-SERVERS.NET
            Name: <Root>
            Type: NS (Authoritative name server)
            Class: IN (0x0001)
            Time to live: 6 days
            Data length: 4
            Name server: L.ROOT-SERVERS.NET
        <Root>: type NS, class IN, ns M.ROOT-SERVERS.NET
            Name: <Root>
            Type: NS (Authoritative name server)
            Class: IN (0x0001)
            Time to live: 6 days
            Data length: 4
            Name server: M.ROOT-SERVERS.NET
        <Root>: type NS, class IN, ns A.ROOT-SERVERS.NET
            Name: <Root>
            Type: NS (Authoritative name server)
            Class: IN (0x0001)
            Time to live: 6 days
            Data length: 4
            Name server: A.ROOT-SERVERS.NET
        <Root>: type NS, class IN, ns B.ROOT-SERVERS.NET
            Name: <Root>
            Type: NS (Authoritative name server)
            Class: IN (0x0001)
            Time to live: 6 days
            Data length: 4
            Name server: B.ROOT-SERVERS.NET
        <Root>: type NS, class IN, ns C.ROOT-SERVERS.NET
            Name: <Root>
            Type: NS (Authoritative name server)
            Class: IN (0x0001)
            Time to live: 6 days
            Data length: 4
            Name server: C.ROOT-SERVERS.NET
        <Root>: type NS, class IN, ns D.ROOT-SERVERS.NET
            Name: <Root>
            Type: NS (Authoritative name server)
            Class: IN (0x0001)
            Time to live: 6 days
            Data length: 4
            Name server: D.ROOT-SERVERS.NET
        <Root>: type NS, class IN, ns E.ROOT-SERVERS.NET
            Name: <Root>
            Type: NS (Authoritative name server)
            Class: IN (0x0001)
            Time to live: 6 days
            Data length: 4
            Name server: E.ROOT-SERVERS.NET
        <Root>: type NS, class IN, ns F.ROOT-SERVERS.NET
            Name: <Root>
            Type: NS (Authoritative name server)
            Class: IN (0x0001)
            Time to live: 6 days
            Data length: 4
            Name server: F.ROOT-SERVERS.NET
        <Root>: type NS, class IN, ns G.ROOT-SERVERS.NET
            Name: <Root>
            Type: NS (Authoritative name server)
            Class: IN (0x0001)
            Time to live: 6 days
            Data length: 4
            Name server: G.ROOT-SERVERS.NET
        <Root>: type NS, class IN, ns H.ROOT-SERVERS.NET
            Name: <Root>
            Type: NS (Authoritative name server)
            Class: IN (0x0001)
            Time to live: 6 days
            Data length: 4
            Name server: H.ROOT-SERVERS.NET
        <Root>: type NS, class IN, ns I.ROOT-SERVERS.NET
            Name: <Root>
            Type: NS (Authoritative name server)
            Class: IN (0x0001)
            Time to live: 6 days
            Data length: 4
            Name server: I.ROOT-SERVERS.NET
        <Root>: type NS, class IN, ns J.ROOT-SERVERS.NET
            Name: <Root>
            Type: NS (Authoritative name server)
            Class: IN (0x0001)
            Time to live: 6 days
            Data length: 4
            Name server: J.ROOT-SERVERS.NET

Does this help? I’m getting attacked again and it’s frustrating that there is nothing I can do.

Another one if you’re curious:
http://pastebin.com/raw.php?i=2uWFSwwQ

Yes. Block source port 53 to 27015 for an easy fix.
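
The frame posted above is the signature of a DNS reflection/amplification flood rather than anything DAF handles: it is a DNS *response* (flags 0x8100, a root-zone ANY question, 13 NS records in the authority section, 228 bytes of UDP payload) arriving from source port 53 at the game port 27015. A srcds socket never sends DNS queries, so every such datagram is unsolicited and can be dropped at the edge, which is what the "source port 53 to 27015" advice amounts to. The script below is an added example, not code from the thread or from DAF: it decodes the DNS header and question, flags datagrams matching that pattern, and groups hits by /16 (the "class B" blocks mentioned in the first post). The sample packets, addresses and the `build_root_any_response` helper are constructed to mimic frame 335940; nothing here is read from a live capture, so it runs offline.

```python
"""Detect DNS reflection hits on a Source game port (added example, constructed data)."""
import struct
from collections import Counter
from ipaddress import ip_network

GAME_PORT = 27015        # srcds port seen as the destination in the capture
QTYPE_ANY = 255
QCLASS_IN = 1
ROOT_SERVER_LETTERS = "KLMABCDEFGHIJ"   # order of the NS records in frame 335940


def parse_dns_header(payload: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {"id": tid, "is_response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_first_question(payload: bytes):
    """Return (name, qtype, qclass) of the first question; the root name is '.'."""
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        if length == 0:          # end of name
            pos += 1
            break
        if length & 0xC0:        # compression pointers are not valid in a question
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return (".".join(labels) + "." if labels else "."), qtype, qclass


def is_reflected_dns(src_port: int, dst_port: int, payload: bytes, min_len: int = 200) -> bool:
    """True for an unsolicited DNS response hitting the game port: it comes from
    port 53, is a response (the game socket never asks), targets the root ANY
    record set, and is large enough to be worth a reflector's while."""
    if src_port != 53 or dst_port != GAME_PORT or len(payload) < min_len:
        return False
    try:
        hdr = parse_dns_header(payload)
        name, qtype, qclass = parse_first_question(payload)
    except ValueError:
        return False
    return (hdr["is_response"] and hdr["qdcount"] == 1
            and name == "." and qtype == QTYPE_ANY and qclass == QCLASS_IN)


def amplification_factor(response: bytes) -> float:
    """Payload-level amplification: a root ANY query is 17 bytes (header + question)."""
    return len(response) / 17


def build_root_any_response(tid: int = 0x000A) -> bytes:
    """Constructed test data shaped like frame 335940: root ANY question, 13 NS
    records in the authority section, name compression after the first (20-byte
    rdata, then 4-byte rdata), 228 bytes in total, matching the capture's UDP length 236."""
    flags = 0x8100                                   # QR=1, RD=1, RA=0, rcode 0
    body = struct.pack("!HHHHHH", tid, flags, 1, 0, len(ROOT_SERVER_LETTERS), 0)
    body += b"\x00" + struct.pack("!HH", QTYPE_ANY, QCLASS_IN)   # <Root>, ANY, IN
    ttl, suffix_offset = 6 * 24 * 3600, None
    for letter in ROOT_SERVER_LETTERS:
        if suffix_offset is None:
            rdata = b"\x01" + letter.encode() + b"\x0cROOT-SERVERS\x03NET\x00"
            # offset of the ROOT-SERVERS label: RR fixed part (11 bytes) + "\x01K" (2 bytes)
            suffix_offset = len(body) + 11 + 2
        else:
            rdata = b"\x01" + letter.encode() + struct.pack("!H", 0xC000 | suffix_offset)
        body += b"\x00" + struct.pack("!HHIH", 2, QCLASS_IN, ttl, len(rdata)) + rdata
    return body


A2S_INFO = b"\xff\xff\xff\xffTSource Engine Query\x00"   # a normal client probe

# Constructed sample traffic (documentation address ranges): three reflectors in one
# /16, one in another, plus two legitimate datagrams that must not be flagged.
SAMPLE_PACKETS = [
    ("198.51.100.7", 53, GAME_PORT, build_root_any_response(0x000A)),
    ("198.51.100.9", 53, GAME_PORT, build_root_any_response(0x000B)),
    ("198.51.100.200", 53, GAME_PORT, build_root_any_response(0x000C)),
    ("203.0.113.12", 53, GAME_PORT, build_root_any_response(0x000A)),
    ("192.0.2.44", 27005, GAME_PORT, A2S_INFO),                      # real player query
    ("192.0.2.53", 53, 51234, build_root_any_response(0x1234)),      # reply to a resolver socket
]


def summarize_sources(packets):
    """Count reflection hits per source IP and per /16 block."""
    by_ip, by_block = Counter(), Counter()
    for src_ip, src_port, dst_port, payload in packets:
        if is_reflected_dns(src_port, dst_port, payload):
            by_ip[src_ip] += 1
            by_block[str(ip_network(f"{src_ip}/16", strict=False))] += 1
    return by_ip, by_block


if __name__ == "__main__":
    _, blocks = summarize_sources(SAMPLE_PACKETS)
    for block, n in blocks.most_common():
        print(f"{block}: {n} reflected DNS responses")
```

The per-/16 summary is what makes a range block practical: the reflectors are open resolvers, not the attacker, so the durable fix is the port-pair rule (UDP source 53 to destination 27015) rather than banning individual addresses, and the grouped counts tell you whether a coarser rule is even needed.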

How would I do so exactly?

If you still haven’t figured it out add me on steam.