An idea against DDOS

07/05/2013 04:48 victorsalido#1
I had this idea a few days ago; I'm not sure if I'm wrong about everything or if this could be a good idea:

Custom Antiddos:

Player enters the website with his game account, goes to the control panel and clicks a button: LET ME PLAY.

This button (LET ME PLAY) will automatically get the IP from the web browser and add it to the database table SRO_VT_ACCOUNT._AllowedIP.

This query won't work as INSERT INTO; it will work as UPDATE with WHERE (when a guy registers a new account, the ID + IP are added to this table).

Then, with a virtual host with Linux (and iptables):
Script to make a text file with all the IPs from SRO_VT_ACCOUNT._AllowedIP.
iptables DENY ALL except IPs from that text file.
Make iptables redirect ALL to the host where the files are. So this should work as a 'proxy'.

And on the host where the server files are, you need to configure the firewall to deny all and just accept ports (normally 15779, 15881, 15884) from the Linux proxy host.

OR/AND:
Then, a little program as a launcher, with a simple 'iframe' to the website where we added that button (LET ME PLAY). So when a player logs in with user and password, his IP is updated in the AllowedIP table and the START button of the launcher appears.
(This won't be a problem for mBot or others, since after logging in at the launcher you can open the bot without problem (ports are open then).)

That means no more DDoS, maybe DoS (but that's not hard to block); let's say we add a max requests per IP (at iptables, of course).
Also, a procedure in SQL that is executed every 24h (it checks the last logout; if it happened 24 hours ago, then delete it from the AllowedIP table).
And also, only 1 IP per account is allowed in the _AllowedIP table (that means every account will have its own allowed IP [remember we are talking about iptables, so actually we are talking about ports, not about login in-game]).

(To prevent a program from creating random accounts, for example on infected PCs (with a trojan), we add a Captcha at account creation.)

Will this custom anti-DDoS also stop the exploits, for example on AgentServer? Of course not; that's just to prevent 'botnets' and things like that. So you will still need to fix those bugs anyway.

And my noob question: will the firewall (iptables) be able to do this, for example at the Transport Layer? (I think yes, but I'm not sure.)
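To make the "DENY ALL except IPs from that text file, redirect to the game host" step concrete, here is an added example (not from the thread): a POSIX sh script that reads the exported IP list and prints the iptables allowlist plus DNAT rules for the three ports named above, so the rule set can be reviewed before anyone applies it. The file format (one IPv4 per line), the GAME_HOST placeholder and the function names are assumptions; the rest of the thread explains why such a filter only helps against traffic the box can already absorb.

```shell
#!/bin/sh
# Added example, not the thread author's code. Renders (does not apply)
# iptables rules for the "proxy" host: drop all forwarded traffic except
# the allowlisted IPs, and DNAT their game-port connections to GAME_HOST.

GAME_PORTS="15779 15881 15884"          # ports named in the post
GAME_HOST="${GAME_HOST:-192.0.2.10}"    # placeholder back-end address (assumption)

# is_ipv4 <string>: accept only a dotted quad with octets 0-255, so a bad
# row exported from the database cannot end up as a malformed rule.
is_ipv4() {
    echo "$1" | awk -F. 'NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 } { exit 1 }'
}

# render_rules <ipfile>: print the rule set to stdout; return 1 if the
# exported list is unreadable (better no change than an empty allowlist
# that silently locks every player out).
render_rules() {
    ipfile="$1"
    [ -r "$ipfile" ] || return 1
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F PREROUTING"
    # return traffic from the game host must pass before the default DROP
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    sort -u "$ipfile" | while read -r ip; do        # sort -u drops duplicates
        is_ipv4 "$ip" || { echo "# skipped invalid entry: $ip"; continue; }
        for p in $GAME_PORTS; do
            echo "iptables -t nat -A PREROUTING -s $ip -p tcp --dport $p -j DNAT --to-destination $GAME_HOST:$p"
            echo "iptables -A FORWARD -s $ip -d $GAME_HOST -p tcp --dport $p -j ACCEPT"
        done
    done
}

# usage: sh allowlist.sh allowed_ips.txt > rules.sh   (review, then run as root)
if [ -n "${1:-}" ]; then
    render_rules "$1"
fi
```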
07/05/2013 05:59 MaximumDark#2
Hello,

It will not work to avoid DoS/DDoS; this will only avoid, in certain cases, an exploit.

The DoS/DDoS will happen in a Layer above Layer 7 (which is the layer you can control in your server), however all the traffic you receive in Layer 4 will still make your server crash and go down, during a DoS or DDoS attack.

Don't confuse software solutions in a regular server / pc, with any other solutions regarding this.

Also, what you have to understand is that a 'Linux proxy' is weak; it can barely handle 70~100 Kpps. Imagine a regular TCP attack of over 500 Kpps or over 1 Mpps? No way, a regular server / PC doesn't have enough I/O for this and it will be your bottleneck.

For small things, it works.

For the idiots paying booters/stressers against your IP, it won't work.

Also, don't forget that many users don't have a real IP; many ISPs are doing NAT or concentrating connections with different IPs for different purposes, like in the Philippines or Turkey, where a user has an IP for 'http/80' traffic and yet another IP for other ports such as FTP or games...

It will be really troublesome; while it works around 80-85% of the time, still many guys won't be able to play on your server, due to problems with their ISPs (Internet Service Providers).

The only way to avoid this is really letting those who know do this job for you, so you don't have to worry about anything regarding that :).

But anyways, good initiative :).
07/05/2013 06:30 victorsalido#3
Quote:
Originally Posted by MaximumDark View Post
Hello,

It will not work to avoid DoS/DDoS; this will only avoid, in certain cases, an exploit.

The DoS/DDoS will happen in a Layer above Layer 7 (which is the layer you can control in your server), however all the traffic you receive in Layer 4 will still make your server crash and go down, during a DoS or DDoS attack.

Don't confuse software solutions in a regular server / pc, with any other solutions regarding this.

Also, what you have to understand is that a 'Linux proxy' is weak; it can barely handle 70~100 Kpps. Imagine a regular TCP attack of over 500 Kpps or over 1 Mpps? No way, a regular server / PC doesn't have enough I/O for this and it will be your bottleneck.

For small things, it works.

For the idiots paying booters/stressers against your IP, it won't work.

Also, don't forget that many users don't have a real IP; many ISPs are doing NAT or concentrating connections with different IPs for different purposes, like in the Philippines or Turkey, where a user has an IP for 'http/80' traffic and yet another IP for other ports such as FTP or games...

It will be really troublesome; while it works around 80-85% of the time, still many guys won't be able to play on your server, due to problems with their ISPs (Internet Service Providers).

The only way to avoid this is really letting those who know do this job for you, so you don't have to worry about anything regarding that :).

But anyways, good initiative :).
Alright, seems like you know about this subject; I like to see replies like this one! Thank you ^^
Let's see what other people think about it :)
07/05/2013 06:44 MaximumDark#4
Quote:
Originally Posted by victorsalido View Post
Alright, seems like you know about this subject; I like to see replies like this one! Thank you ^^
Let's see what other people think about it :)
I just try to contribute; the idea is cool, but in practice it won't be effective (not at server / PC level).

It will only be effective, as I said, in small circumstances.

Probably other people who aren't skilled in this subject might say "Yes, cool", "It will work" and so on, but they must observe all the elements around what is proposed:

- Resource Usage (OS tied, Hardware tied).
- Processing Capability (OS tied, Hardware tied).
- Bottlenecks (Network Card, Network Connection, Datacenter Switch, Datacenter Router Thresholds and so on).
- External Issues (such as ISP Limitations, NAT and so on).

So it is much more complicated than it really seems.
07/05/2013 10:17 dimkacool#5
Idea is good against exploits, not against botnets.

And what about people with dynamic IP?
07/05/2013 10:31 Shane¸#6
Quote:
Originally Posted by dimkacool View Post
Idea is good against exploits, not against botnets.

And what about people with dynamic IP?
VPN.
And even dynamic IPs don't refresh until the PC, router or modem is restarted.
07/05/2013 12:49 pushipu#7
Why not pay someone who knows how to avoid DDoS, DoS and other script kiddie attacks? I mean DDoS protection.
Anyway, you have to get one extra dedicated server here to set all this up; why not spend this money on protection?
I was in the Silkroad server thing and I know that sometimes you can get this money in one day; why are people so greedy... Just spend a few bucks and stay cool.
07/05/2013 12:56 victorsalido#8
Quote:
Originally Posted by pushipu View Post
Why not pay someone who knows how to avoid DDoS, DoS and other script kiddie attacks? I mean DDoS protection.
Anyway, you have to get one extra dedicated server here to set all this up; why not spend this money on protection?
I was in the Silkroad server thing and I know that sometimes you can get this money in one day; why are people so greedy... Just spend a few bucks and stay cool.
Why can't we try to learn or find new ways? Why should we always depend on someone? It's not just about money.
07/05/2013 13:16 Nezekan#9
You can just attack the website, not to say you could still attack the firewall (it's called Denial of Service for a reason).
07/05/2013 14:11 victorsalido#10
Well, of course the website needs to be on another host; anyway, seems like I was wrong.. thanks for the replies :)
07/05/2013 15:38 PortalDark#11
Quote:
Originally Posted by victorsalido View Post
Well, of course the website needs to be on another host; anyway, seems like I was wrong.. thanks for the replies :)
Not to mention that getting a server's IP is quite simple.
I don't think someone will bother with the website if they can take down your server.
07/05/2013 16:05 Callum#12
Quote:
Originally Posted by PortalDark View Post
Not to mention that getting a server's IP is quite simple.
I don't think someone will bother with the website if they can take down your server.
Some people just do it to be pains in the ass though, like taking down the website so users can't access registration, so users then blame it on the owner, when really they're getting DDoSed.
07/05/2013 16:41 pushipu#13
Quote:
Originally Posted by victorsalido View Post
Why can't we try to learn or find new ways? Why should we always depend on someone? It's not just about money.
I understand your point, but in this case it's like Don Quixote and windmills.
With such problems you should search for professional solutions in my opinion :)
07/07/2013 04:13 Royalblades#14
Quote:
Originally Posted by pushipu View Post
I understand your point, but in this case it's like Don Quixote and windmills.
With such problems you should search for professional solutions in my opinion :)
I wonder if anyone else understood what you meant with Don Quixote.
07/07/2013 06:54 MaximumDark#15
Quote:
Originally Posted by Royalblades View Post
I wonder if anyone else understood what you meant with Don Quixote.
I did haha...