Are there any sysadmins here who know how to deal with ddos attacks properly? I can even offer pay. Situation is that I launched my java app (gameserver) on linux debian and configured iptables to allow only specific ips. Basically I made only 1 port open for loginserver and if player logins into loginserver it adds his ip to iptables so hes able to proceed to gamesever. However I am still receiving massive up to 900MB/s attacks for example: http://prntscr.com/q3dwe8

It appears that even if I left only one port open, I still can't defend against ddos attacks. I made some captures with tcpdump and analyzed them on wireshark but to be honest I cant really tell what I'm looking at.

I am using OVH which is supposed to be ddos protected but maybe I messed up during iptables configuration, I'm not sure.

Can anyone help?

  • 0
    What type of rejection are you using for unauthorized IPs?
  • 0

    This is a layer7 attack as far as I know.

    I'm using iptables, the script is here


    It goes from top to the bottom, first I allow whitelist ips and at the bottom I block all of the rest with -A INPUT -j DROP

    Basically only port 2106 is open for everybody and only specific ips can access port 80 or port 7779, everything else is closed
  • 0
    Hmm, the open ports are the obvious targets then.
    Take a look at the tcpdump again. Are there many different attackers or just a few?
  • 0
    @PrivateGER I was told this:

    You can't stop this effectively without either a ton of work of some higher-end equipment. Your ISP can, however. Contact them and have this handled upstream.

    Is there no other way?
  • 2
    @zemaitis The last thing you can do is detect flooding IPs and drop them completely.

    The rest is hardware or provider based. Maybe you could also contact OVH, since there's obviously a problem with their DDOS protection.
  • 3
    Even dropping the requests requires cpu time and more importantly bandwidth. ddos has to be stopped before it reaches the last instance. Your ISP should deal with it, you probably don't want to spend the money to do it yourself
  • 0
    @Kimmax This pretty much. Or maybe an nginx reverse proxy with rate limiting or something?

    Also wondering if/how CSF would be able to help here...
  • 0
    @linuxxx you can rent a stresser botnet for 5 usd a month and try out layer7 attacks in your demo environment to test it
  • 0
    @zemaitis I can't do that legally :)
  • 0
    @zemaitis @linuxxx you're just moving the problem to the next machine. Don't deal with this problem yourself, that's your ISP's job. Netcup covers you for at least 5 Gbit/s included in your packet and they are cheap already. If your ISP really doesn't want to filter this for you, you should look to move to one that does. This is basic support everyone should have
  • 0
    @linuxxx yes you can if you want to, just get an agremeent from multiple isps and create your own botnet if you are so much limited by your principles. How else security engineers perform penetration tests? You need real world situations to fix real world problems. Hell some doctors even risked their lives and tested diseases on themselves just to prove that their created medicine works. And here you are years later afraid of iLLeGaL stuff. Just grow a pair mate. Again if you are too limited by your own principles there are other ways
  • 0
    @zemaitis My contract with my VPS provider (and my dedicated servers) says different!
  • 1
    @linuxxx wow now youre just acting childish or trolling
  • 1
    @zemaitis Why'd you say that?

    My contracts with my vps provider and two dedicated ones say that I am not allowed in any way to cause conditions where their network, which is used by other customers as well, gets 'stressed', even if its for testing.
    I think they even literally say that you're not allowed to do/test any kind of ddos attack against your vps/server you rent from them.
  • 1
    @zemaitis They both do have quite high levels of ddos protection, though. I've been on networks where other servers were receiving heavy ddos attacks while my server(s) where perfectly reachable.
Add Comment