DDOS Help.

Old   #1
 
elite*gold: 0
Join Date: Jul 2010
Posts: 211
Received Thanks: 26
DDOS Help.

As some of you might know, I've already PMed a couple of you devs before to help me stop this attack.

I hope opening this thread will help me out and many more new servers that face such an attack.

So anyone who has some decent knowledge about this, share your knowledge with us.


Details from attack:

[Two attached images, not available]

Already tried this Syn flood protection.



Thanks!



exter16 is offline  
Old   #2
 
elite*gold: 0
Join Date: Aug 2017
Posts: 50
Received Thanks: 5
Did u try to reform it on the Settings?


iClasher is offline  
Old   #3
 
elite*gold: 0
Join Date: Jul 2010
Posts: 211
Received Thanks: 26
what do you mean ?

Quote:
Originally Posted by iClasher View Post
Did u try to reform it on the Settings?
exter16 is offline  
Old   #4
 
elite*gold: 0
Join Date: Oct 2012
Posts: 282
Received Thanks: 61
Quote:
Originally Posted by exter16 View Post
what do you mean ?
I think he asked you if you tried to format your computer.
But in my opinion this would not help either you have malware on your computer. Try to install a DDoS protection. This will withstand such an attack because the SYN requests that are sent come from one IP address.


airstreeeeks is offline  
Thanks
1 User
Old   #5

 
elite*gold: 140
Join Date: Mar 2012
Posts: 613
Received Thanks: 140
Well u can always ask mongreldogg. As far as I know he is very good at DDoS protection. If he will assist you
アルカード is offline  
Thanks
1 User
Old   #6
 
elite*gold: 0
Join Date: Jul 2010
Posts: 211
Received Thanks: 26
I've set up some security settings to see if it helps.
About malware... I don't think this is the case. Because if I'll close the gameserver.exe it stops...

Quote:
Originally Posted by airstreeeeks View Post
I think he asked you if you tried to format your computer.
But in my opinion this would not help either you have malware on your computer. Try to install a DDoS protection. This will withstand such an attack because the SYN requests that are sent come from one IP address.
Thanks, already sent him a PM, he didn't reply yet.

Quote:
Originally Posted by アルカード View Post
Well u can always ask mongreldogg. As far as I know he is very good at DDoS protection. If he will assist you
exter16 is offline  
Old   #7
 
elite*gold: 0
Join Date: Jul 2015
Posts: 205
Received Thanks: 220
I didn't respond to your email because I'm not really the person to ask about DDoS. But I see there the attempts to connect are across a wide range of ports. One of the first things you learn when coding secure programs and securing server access etc. is that any ports that aren't directly related to your use case are a no-no.

Second, if the remaining ports as/gs are open a DDoS attacker can STILL bring your system to its knees. This is a fundamental flaw in the way Windows TCP/IP protocols work. In Windows when a connection attempt is made, if your computer is available to the caller, your Windows will accept the connection, then determine if it is allowed or not on that port, and then disconnect it or "drop" it.

But that still leaves Windows having to "handle the connection", which is what DDoS attackers exploit. The only TRUE way to get around it would be to host your auth server on a Linux machine and to get really comfy and google up how to set up IP Tables to deter DDoS. OR pay shitloads of money for an Anti-DDoS server which most of the time fails to truly stop/divert real attackers.
SilentWisdom is offline  
Thanks
1 User
Old   #8
 
elite*gold: 0
Join Date: Jul 2010
Posts: 211
Received Thanks: 26
No problem, been doing research myself.
I've managed to set up how the server handles TCP requests. Normally every TCP request is put on hold by the server and uses server resources (CPU/RAM). If the attacker sends thousands of requests the server can't handle this, so it crashes the gameserver. So what I did now is setting up a way how to handle these requests. Now it should just request max for example 5-10 requests at once. If none of them goes through the handshake and is accepted, it automatically cancels/drops the requests after x sec/min. Hope it works fine now.

Btw I've only opened the required ports that are posted in the rappelz section. (compared this topic link with the newest epic 9.1 file ports)


It's just a security leak in the older Windows servers. That isn't enabled automatically.

These links explain more about how to enable the security if anyone is interested.
https://msdn.microsoft.com/en-us/library/ff648853.aspx
https://technet.microsoft.com/en-us/.../cc938202.aspx


Quote:
Originally Posted by SilentWisdom View Post
I didn't respond to your email because I'm not really the person to ask about DDoS. But I see there the attempts to connect are across a wide range of ports. One of the first things you learn when coding secure programs and securing server access etc. is that any ports that aren't directly related to your use case are a no-no.

Second, if the remaining ports as/gs are open a DDoS attacker can STILL bring your system to its knees. This is a fundamental flaw in the way Windows TCP/IP protocols work. In Windows when a connection attempt is made, if your computer is available to the caller, your Windows will accept the connection, then determine if it is allowed or not on that port, and then disconnect it or "drop" it.

But that still leaves Windows having to "handle the connection", which is what DDoS attackers exploit. The only TRUE way to get around it would be to host your auth server on a Linux machine and to get really comfy and google up how to set up IP Tables to deter DDoS. OR pay shitloads of money for an Anti-DDoS server which most of the time fails to truly stop/divert real attackers.
exter16 is offline  
Old   #9
 
elite*gold: 0
Join Date: Mar 2015
Posts: 8
Received Thanks: 1
seems like any dumbfags don t like the new tournament server cuz it takes the most of the community BECAUSE its is the best server around !

so sad ...
AutX is offline  
Old   #10

 
elite*gold: 140
Join Date: Mar 2012
Posts: 613
Received Thanks: 140
Well I can only assume 3 servers that would do this
アルカード is offline  
Old   #11
 
elite*gold: 0
Join Date: Jul 2010
Posts: 211
Received Thanks: 26
As you can see... more login attempts. I tried to limit the SQL connections to see if this would help.. but it doesn't. Keep getting 1000+ unlogined connections

[Attached image, not available]
exter16 is offline  
Old   #12
 
elite*gold: 30
Join Date: Mar 2012
Posts: 625
Received Thanks: 280
first: SYN flood protection isn't even close to a problem since SYN flood doesn't appear to even establish a connection (normally SYN flood doesn't respond with ACK to a server).

second: I see a lot of connections to a database server, and those are loopback connections. It may be caused by a Layer 7 attack, so it means someone is requesting data from some of your services, which causes your software to make that many database connections. It can be everything: game server, website, anything else that uses your MSSQL.

third: TIME_WAIT status of an opened socket means that the connection was established and both sides of the transfer didn't yet notify each other that the connection should be closed. It means: the amount of connections you see (moreover with a third party tool) is different from real, as soon as the Windows sockets API behaves that way: it usually won't notify a second side of the transfer to close a connection when it's closed by an application. Hardening the TCP stack makes sense but not in this case.

fourth: the message from an unlogined connection only means that there was a packet sent by a client which is an actual Rappelz client packet but out of order; the server doesn't allow them to clients who are not authenticated and notifies a console when it appears.

more info by PM so it needs advanced research
mongreldogg is offline  
Thanks
1 User
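
Added example (not part of the thread and not any poster's code): a small Python triage of Windows `netstat -ano` output that separates the cases post #12 distinguishes, half-open `SYN_RECEIVED` entries versus completed connections in `ESTABLISHED`/`TIME_WAIT`, and counts loopback client connections to the database port. The sample rows, the game port 4500 and the MSSQL default port 1433 are constructed assumptions.

```python
from collections import Counter

# Constructed sample of Windows `netstat -ano` TCP rows (documentation-range
# addresses; port 4500 stands in for the game server, 1433 is the MSSQL default).
SAMPLE = """\
  TCP    0.0.0.0:4500           0.0.0.0:0              LISTENING       2212
  TCP    192.0.2.10:4500        203.0.113.5:51001      ESTABLISHED     2212
  TCP    192.0.2.10:4500        203.0.113.5:51002      ESTABLISHED     2212
  TCP    192.0.2.10:4500        198.51.100.7:40000     SYN_RECEIVED    2212
  TCP    127.0.0.1:50010        127.0.0.1:1433         ESTABLISHED     2212
  TCP    127.0.0.1:50011        127.0.0.1:1433         ESTABLISHED     2212
  TCP    127.0.0.1:50012        127.0.0.1:1433         TIME_WAIT       0
  TCP    127.0.0.1:50013        127.0.0.1:1433         TIME_WAIT       0
  TCP    127.0.0.1:1433         127.0.0.1:50010        ESTABLISHED     1500
  TCP    [::1]:50020            [::1]:1433             TIME_WAIT       0
"""

LOOPBACK = ("127.", "[::1]")

def parse(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] != "TCP":
            continue  # skip headers, UDP rows and blank lines
        (lip, lport), (rip, rport) = f[1].rsplit(":", 1), f[2].rsplit(":", 1)
        yield lip, int(lport), rip, int(rport), f[3]

def triage(text, db_port=1433):
    """Summarise connection states, external peers and loopback DB clients."""
    states, remotes, db_clients = Counter(), Counter(), 0
    for lip, lport, rip, rport, state in parse(text):
        if state == "LISTENING":
            continue
        states[state] += 1
        if rip.startswith(LOOPBACK):
            # Count the client side only, so each loopback pair is counted once.
            if rport == db_port:
                db_clients += 1
        else:
            remotes[rip] += 1
    total = sum(states.values())
    return {
        "states": dict(states),
        "half_open_ratio": states["SYN_RECEIVED"] / total if total else 0.0,
        "loopback_db_clients": db_clients,
        "top_remotes": remotes.most_common(3),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A high `half_open_ratio` points at the TCP handshake itself; a low one together with many loopback database clients points at whichever local service is opening those database connections.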
Old   #13
 
elite*gold: 0
Join Date: Jul 2010
Posts: 211
Received Thanks: 26
Thanks for the info.
I'll do some more research.

Quote:
Originally Posted by mongreldogg View Post
first: SYN flood protection isn't even close to a problem since SYN flood doesn't appear to even establish a connection (normally SYN flood doesn't respond with ACK to a server).

second: I see a lot of connections to a database server, and those are loopback connections. It may be caused by a Layer 7 attack, so it means someone is requesting data from some of your services, which causes your software to make that many database connections. It can be everything: game server, website, anything else that uses your MSSQL.

third: TIME_WAIT status of an opened socket means that the connection was established and both sides of the transfer didn't yet notify each other that the connection should be closed. It means: the amount of connections you see (moreover with a third party tool) is different from real, as soon as the Windows sockets API behaves that way: it usually won't notify a second side of the transfer to close a connection when it's closed by an application. Hardening the TCP stack makes sense but not in this case.

fourth: the message from an unlogined connection only means that there was a packet sent by a client which is an actual Rappelz client packet but out of order; the server doesn't allow them to clients who are not authenticated and notifies a console when it appears.

more info by PM so it needs advanced research
exter16 is offline  
Old   #14
 
elite*gold: 0
Join Date: Feb 2014
Posts: 10
Received Thanks: 0
del
rz-crazyfun is offline  
Old   #15

 
elite*gold: 44
Join Date: Sep 2014
Posts: 104
Received Thanks: 162
The only way to fix this is by recording the attack with Wireshark and sending it to your datacenter; maybe they will edit the firewall for you. Or the old and simple solution is buying a DDoS filter from JavaPipe.


Ghost Informatics is offline  