VPS with ddos protection ?

Hello,

I run a public TeamSpeak3 server. 20~30 days ago some guy offered a cracked TS3 license; we ignored him, and a few days later he started DDoSing our server daily for a few hours.

We were hosted @ OVH; their anti-DDoS works fine but lacks configuration options.
TS3 is a UDP-based server, so legit users get filtered too and get 40% packet loss when the mitigation is active. We asked OVH for anti-DDoS pro or any way to configure the mitigation; the reply was simply take it or leave it, that's what we got...

We moved to a RamNode DDoS-filtered IP. As usual RamNode never failed me: the support is great and very helpful, they set up a profiled filter for voice servers with a little tweak to suit our needs.

No packet loss under attack, only some disconnects; still, it's understandable and way better than OVH.

But sometimes the attack is larger than 10Gbps (RamNode limit) and our IP gets nullrouted.

So what can I do in this situation? Some VPS service with a decent/configurable DDoS filter?

Thanks

Comments

  • Urm,

    Try to find,

    Someone hosted with voxility or i have never tried them but claim to have 120 Gbps ddos protection.

    ddosdeflect.com [Note i've never tried them]

    If someone comes to mind i'll let you know.

  • tr1cky Member
    edited September 2014

    Is it really greater than 10gbps or is RamNode failing to filter enough? They still nullroute you if more than some 100k pps pass through. That is easily achievable with e.g. small spoofed UDP attacks. The last time I tested these attacks with RamNode, they failed to set a proper filter. Due to the nature of these, they are very hard to filter.
    ddosdeflect uses voxility for their Romanian servers, Voxility is the greatest I found so far regarding DDoS protection for UDP services.
    If you want even better protection with Voxility, get something with x4b.net in Romania, they use javapipe and javapipe has additional filtering inside of Voxility's dc.

    Edit: Wasn't RamNode filtering bigger attacks for GreenValueHost? I thought they do that for every client?

  • Shivam Member
    edited September 2014

    Yeah, forgot to mention javapipe, but their costs are pretty high for their proxies. Doubt it would be within his budget.

  • perennate Member, Host Rep

    tr1cky said: Is it really greater than 10gbps or is RamNode failing to filter enough? They still nullroute you if more than some 100k pps pass through. That is easily achievable with e.g. small spoofed UDP attacks. The last time I tested these attacks with RamNode, they failed to set a proper filter. Due to the nature of these, they are very hard to filter. ddosdeflect uses voxility for their Romanian servers, Voxility is the greatest I found so far regarding DDoS protection for UDP services. If you want even better protection with Voxility, get something with x4b.net in Romania, they use javapipe and javapipe has additional filtering inside of Voxility's dc.

    Usually RamNode wouldn't null route for DDoS-filtered IP, it'd get null routed on Staminus/cnserver I think.

  • Actually RamNode was great, the DDoS filter is good, but they can't offer more than 10Gbps :/

    Like perennate said, it's on the Staminus/cnserver side.

    The IP was nullrouted due to the magnitude of the attack:

    15.37 Gbps 4,062,074 pps

    That's what the support said, and I asked if they have anything better to offer, but with no luck :/

  • BuyVM use Staminus and have up to 20Gb/s 8Kpp/s protection.

  • ^ See if the guys at BuyVM can do any better.

  • Actually I got an offer in a PM from BuyVM. They were already on my list but have no EU location; they said they will have EU in October, so I will check it when it's available.

  • BuyVM are really good but they also use Staminus so their mitigation capability would be limited to 10-20 Gbps. Looks like you need OVH's PRO anti-DDoS from an OVH reseller where you can ask them for specific firewall rules. mycustomhosting.net would be a good choice. You may contact @MCHPhil for details

  • I was hosted @ OVH and asked them for help, and whether I could get anti-DDoS pro or a profiled DDoS filter for an extra fee. They simply replied:

    There is a single offer protection.

    As I said what you want will not be possible.

    And mycustomhosting.net seems CA only; I need an EU-based service.

    Thanks

  • @catalystium said:

    Thanks just sent them a msg :)

  • How is the guy getting your TeamSpeak IP address when you move to a new server?

  • Ahmed Member
    edited September 2014

    TS3 has a global list of servers, plus he said he was paid to DDoS, even though our server is the first Iraqi free public server and used to be ranked in the top 100 global TS3 servers on gametracker before this issue started, so it's not that hard to get the IP :P

  • SplitIce Member, Host Rep

    OVH's DDoS protection is best categorized as "basic" when compared to either Voxility IPS or offerings by many other companies.

    While voluminous, it misses many floods (Professional Use options can be used to firewall in such a case). It's not possible to configure any settings with their mitigation, and currently it isn't able to mitigate UDP attacks perfectly (false positives).

    UDP attacks on UDP-based services are often the most difficult to mitigate. I don't believe our larger offerings have any issues with TS3 (we have handled many attacks against such services). Our Romanian offering is usually the best choice if in doubt, as maximum configuration is available regarding the filters.

  • If soyoustart's game range is out yet, they have filters for teamspeak that might help.

  • @SplitIce said:

    Most of the attacks now on RamNode are on port 22, not the voice/TS3 ports; sometimes it's just TCP, so basically he's doing whatever just to affect the server.

    Our user base is limited to a few IP ranges/countries and the attacks are 85% from China, and we've got no users from there, so a CC filter would be great.

    I heard bad things about soyoustart :P like old hardware and bad support. Do you have any experience with them?

  • @Ahmed said:
    I heard bad things about soyoustart :P like old hardware and bad support. Do you have any experience with them?

    Nothing but praise so far; nothing like KS range as far as support.

  • SplitIce Member, Host Rep

    @Ahmed SYS = OVH without any configuration ability (i.e. no Pro options or hardware changes). It's hit and miss.

    If it's just a TCP attack, it should be easily dropped and should not affect UDP services. At least not with any well designed filter using dynamic rules. Usually when an attack is detected the detector will build a specific based on the attack pattern recognized. A mitigation solution using static rules might be the problem, in which case it should be adjusted.

    Furthermore, if it's just UDP being used, drop TCP and be done with it (if you have a network level ACL capability). It however won't help if the attack changes type or if spoofing is then used.

    Dropping all CN traffic is a little more complex, as blocking CN is usually 1,500 - 4,000 range rules (which is more than you really want in a firewall, and more than the usual limits). Of course in software like iptables, ipset would solve this; however, the hardware firewalls provided by the likes of OVH & Voxility do not have this capability and are usually limited to 100 or so rules. Furthermore, spoofing easily bypasses this, so it's a bit moot.
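
Added example, not part of any post in this thread: a sketch of the ipset approach mentioned in the reply above, where the country ranges load into one `hash:net` set matched by a single iptables rule, combined with the "drop TCP if only UDP is used" suggestion. The set name, admin address, sample ranges and the TS3 default voice port 9987/udp are assumptions; the script only prints commands, and as the reply notes, spoofed sources bypass source-based blocking.

```shell
#!/bin/sh
# Added example (not from the thread). Prints commands only; applies nothing.
# Assumed names: set "cn_block", admin host 203.0.113.10, voice port 9987/udp.

# Read CIDR ranges on stdin, emit an `ipset restore` file on stdout.
# Comments, blanks, duplicates and lines that are not shaped like an
# IPv4 CIDR are dropped (shape check only; ipset validates octets on load).
gen_ipset_restore() (
    set_name=$1
    printf 'create %s hash:net family inet maxelem 65536\n' "$set_name"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' |
        sort -u |
        sed "s|^|add $set_name |"
)

# Emit the iptables rules. The rule count stays at five however many
# ranges the set holds, which is what a ~100-rule hardware ACL cannot do.
gen_filter_rules() (
    set_name=$1 admin_cidr=$2 voice_port=$3
    cat <<EOF
iptables -A INPUT -m set --match-set $set_name src -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport $voice_port -j ACCEPT
iptables -A INPUT -p tcp -s $admin_cidr --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -j DROP
EOF
)

# Constructed sample list (RFC 5737 documentation ranges, not real data).
sample_list() {
    cat <<'EOF'
# constructed sample
192.0.2.0/24
198.51.100.0/25   # trailing comment
192.0.2.0/24
not-a-cidr
10.0.0.0/33
EOF
}

# Review the output, then load with: ipset -exist restore < cn_block.ipset
sample_list | gen_ipset_restore cn_block
gen_filter_rules cn_block 203.0.113.10/32 9987
```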

  • @SplitIce said:

    It's just a 120 user server, and for the SYS cheapest server available for our location I can only see the CA location, no EU o.O Also the cheapest is 44$/mo with Xeon W3520 and 16GB RAM.

    I think it's overkill for TS3, which barely reaches 150mb RAM and 3% CPU usage on a 2 core VPS...

    That's the main problem I guess: the attack is just random, whatever he feels like...
    From my own humble tcpdump/wireshark analysis...
    sometimes it's SSDP, sometimes it's TCP, sometimes just ICMP or just a UDP flood or a mix...

    I think he's just a script kid smashing buttons on some stresser/booter page...

  • Nick_A Member, Top Host, Host Rep

    @tr1cky said:
    Is it really greater than 10gbps or is RamNode failing to filter enough?

    Edit: Wasn't RamNode filtering bigger attacks for GreenValueHost? I thought they do that for every client?

    It was over 10Gbps, and we don't filter anything special for GVH.

  • SplitIce Member, Host Rep
    edited September 2014

    SSDP is relatively new at at least one stresser (ipstresser), but fortunately it's easily blocked at the hardware level.

    Additionally I am yet to see SSDP exceed 400mbps. You might be able to solve that in software (iptables). Most vulnerable device lists are currently pretty small. :)

    However the stresser likely includes other UDP methods like Chargen, NTP, DNS and even non-amp UDP. So you are just playing whack-a-mole.

  • @Nick_A said:

    always +1 for you guys only if you can get more 10Gbps :D

    @SplitIce said:

    Indeed :/ I can't understand why anyone would bother so much to damage a totally free and open service like our voice server...
