DDOS Help.

[Exterminator-[Fury]]

As some of you might know, I've already pmed couple of you devs before. To assist me stop this attack.

I hope opening this thread will help me out and many more new servers, that face such an attack.

So anyone who has some decent knowledge about this. Share you knowledge with us.


Details from attack:





Already tried this Syn flood protection.

 Spoiler

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters

Set Value as
Value Name Data Type Set Value

SynAttackProtect REG_DWORD 2

Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack.

Also, You can set the below Values which are Recommended values.

Value Name Value (REG_DWORD)

TcpMaxPortsExhausted 1
IPEnableRouter 0
TcpMaxHalfOpen 500
TcpMaxHalfOpenRetried 400
TcpMaxConnectResponseRetransmissions 3
TcpMaxDataRetransmissions 2
KeepAliveTime 300000 (5 minutes)
NoNameReleaseOnDemand 1

Description of the above value :
TcpMaxPortsExhausted :Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.

IPEnableRouter = 0 : To disable all IP forwarding between interfaces

TcpMaxHalfOpen :To limit the total number of half-open connections allowed by the system at any given time

TcpMaxHalfOpenRetried :To fix the number of half-open connections allowed by the system at any given time

TcpMaxConnectResponseRetransmissions :To set any SYN/ACK handshake to time out at 3 seconds and drop the connection at nine (9) seconds

TcpMaxDataRetransmissions :Specifies the number of times that TCP
retransmits an individual data segment (not connection request segments) before aborting the connection.

NoNameReleaseOnDemand :Specifies to not release the NetBIOS name of a computer when it receives a name-release request.

Thanks!

[iClasher]

Did u try to reform it on the Settings?

[Exterminator-[Fury]]

what do you mean ?

Quote:

Originally Posted by iClasher

Did u try to reform it on the Settings?

[airstreeeeks]

Quote:

Originally Posted by exter16

what do you mean ?

I think he asked you if you tried to format your computer.
but in my opinion this would not help either you have maleware on your computer. Try to install a ddos protetction. this will widthstand such an attack because the syn requests that are sent come from one ip adress.

[アルカード]

Well u can always ask mongreldogg.as far know he is very good at ddos protection.If he will assist you

[Exterminator-[Fury]]

I've setup some security settings to see if it helps.
About malware... i don't think this is the case. Because if i'll close the gameserver.exe it stops...

Quote:

Originally Posted by airstreeeeks

I think he asked you if you tried to format your computer.
but in my opinion this would not help either you have maleware on your computer. Try to install a ddos protetction. this will widthstand such an attack because the syn requests that are sent come from one ip adress.

Thanks, already send him a pm he didn't reply yet.

Quote:

Originally Posted by アルカード

Well u can always ask mongreldogg.as far know he is very good at ddos protection.If he will assist you

[SilentWisdom]

I didn't respond to your email because I'm not really the person to ask about DDoS. But I see there the attempts to connect are across a wide range of ports. One of the first things you learn when coding secure programs and securing server access etc.. is that any ports that aren't directly related to your use case is a no no.

Second if the remaining ports as/gs are open a DDoS attacker can STILL bring your system to it's knees. This is a fundamental flaw in the way Windows TCP/IP protocols work. In windows when a connection attempt is made, if your computer is available to the caller, your windows will accept the connection then determine if it allowed or not on that port and then disconnect it or "drop"

But that still leaves windows having to "handle the connection" which is what DDoS attackers exploit. The only TRUE way to get around it would be to host your auth server on a Linux machine and to get really comfy and google up how to set up IP Tables to detur DDoS. OR pay shitloads of money for a Anti-DDoS server which most of the time fails to truly stop/divert real attackers.

[Exterminator-[Fury]]

No problem, been doing research myself.
I've managed to setup the server how to handle tcp reqeusts.. Normally every tcp reqeust is putting on hold by the server and uses server resources cpu/ram. If the attacker send thousands of reqeusts the server can't handle this so it crashes the gameserver. So what i did now is setting up a way how to handle these reqeusts. Now it should just request max for example 5-10 reqeusts at once. If non of them goes through the handshake and being accepted. It automaticly cancels/drops the reqeusts after x sec/min. Hope it works fine now.

Btw i've only opened the reqeuired ports that are posted in the rappelz section. (compared this topic link with the newest epic 9.1 file ports)


It's just a security leak in the older windows servers. That isn't enabled automaticlly.

This links explains more how to enable the security if anyone is interested.

Quote:

Originally Posted by SilentWisdom

I didn't respond to your email because I'm not really the person to ask about DDoS. But I see there the attempts to connect are across a wide range of ports. One of the first things you learn when coding secure programs and securing server access etc.. is that any ports that aren't directly related to your use case is a no no.

Second if the remaining ports as/gs are open a DDoS attacker can STILL bring your system to it's knees. This is a fundamental flaw in the way Windows TCP/IP protocols work. In windows when a connection attempt is made, if your computer is available to the caller, your windows will accept the connection then determine if it allowed or not on that port and then disconnect it or "drop"

But that still leaves windows having to "handle the connection" which is what DDoS attackers exploit. The only TRUE way to get around it would be to host your auth server on a Linux machine and to get really comfy and google up how to set up IP Tables to detur DDoS. OR pay shitloads of money for a Anti-DDoS server which most of the time fails to truly stop/divert real attackers.

[AutX]

seems like any dumbfags don t like the new tournament server cuz it takes the most of the community BECAUSE its is the best server around !

so sad ...

[アルカード]

Well i can only assume 3 server that would do this

[Exterminator-[Fury]]

As you can see... more login attempts. I tried to limit the sql connections to see if this would help.. but it doesn't keep getting 1000+ unlogined connections

[mongreldogg]

first: SYN flood protection isnt even close to a problem since SYN flood doesnt appear to even establish a connection (normally SYN flood doesnt respond with ACK to a server).

second: i see a lot of connections to a database server, and those are loopback connections. it may be caused by Layer 7 attack so it means someone requesting data from some of your services that causes your software to make that much database connections. it can be everything, game server, website, anything else that uses your mssql.

third: TIME_WAIT status of an opened socket means that connection was established and both sides of transfer didnt yet notify each other that connection should be closed. it means: amount of connections you see (moreover with a third party tool) is different from real, as soon as windows sockets API behaves that way: it usually won't notify a second side of transfer to close a connection when its closed by an application. hardening TCP stack makes sense but not in this case.

fourth: message from unlogined connection only means that there was a packet sent by a client which is an actual Rappelz client packet but out of order, server doesnt allow them to clients who are not authenticated and notifies a console when it appears.

more info by PM so it needs advanced research

[Exterminator-[Fury]]

Thanks for the info.
I'll do some more research.

Quote:

Originally Posted by mongreldogg

first: SYN flood protection isnt even close to a problem since SYN flood doesnt appear to even establish a connection (normally SYN flood doesnt respond with ACK to a server).

second: i see a lot of connections to a database server, and those are loopback connections. it may be caused by Layer 7 attack so it means someone requesting data from some of your services that causes your software to make that much database connections. it can be everything, game server, website, anything else that uses your mssql.

third: TIME_WAIT status of an opened socket means that connection was established and both sides of transfer didnt yet notify each other that connection should be closed. it means: amount of connections you see (moreover with a third party tool) is different from real, as soon as windows sockets API behaves that way: it usually won't notify a second side of transfer to close a connection when its closed by an application. hardening TCP stack makes sense but not in this case.

fourth: message from unlogined connection only means that there was a packet sent by a client which is an actual Rappelz client packet but out of order, server doesnt allow them to clients who are not authenticated and notifies a console when it appears.

more info by PM so it needs advanced research

[rz-crazyfun]

del

[Ghost Informatics]

The only way to fix this is by record the attack by wireshark and send it to your datacenter maybe they will edit the firewall for you or the old and simple solution is buying a DDos filter from JavaPipe.