SYN Flood; 1GBit -- Quick fix?

eastonch Member
edited September 2012 in General

Dear LET Users;

I'm on this one box and it's being absolutely crippled by a 1 Gbit flood. I'm not a network specialist, and I don't know my way around iptables; any chance somebody can give me a buzz on what I should be doing to kill this off? There's a pool of IPs that would take me a month to write down the entirety of.

Seems to be aiming at 25565 and it's on eth1: http://screensnapr.com/v/NCkkRM.png

(Before you ask, this is a MC server node ;)) Clearly a HackForum target.

Comments

  • Jacob Member
    edited September 2012

    :-) 1Gbit of pure SYN would rip iptables to shreds. You need some serious bandwidth behind this or a hardware firewall (no Cisco Guard crap, or if you did you would need more than 1 Gbit modules).

    80K PPS is not much so it is not a big attack, but still consuming quite a lot of bandwidth.

  • lele0108 Member
    edited September 2012

    Whoever is hosting Minecraft on your node has some script kiddies on his back.

    ~ Jimmy VortexUnit. Who likes poptart.cats?
  • Jacob Member
    edited September 2012

    What is the uplink (1Gbit, 10Gbit, etc.) on this server? And install tcpdump and do "tcpdump -n"; that should show some more information.

    @eastonch said: SYN+ACK Flood :( http://screensnapr.com/v/cIpLSR.png

  • Shut the node down. It's a client's dedi. There's no way it's even usable. It's 1Gbit strict uplink.

  • 80k pps is nowhere near 1gbps SYN flood. As Jacob said, more information is required, however if the application can not withstand it, I do not think that you would be able to do anything, except maybe nullrouting the IPs, unless it is coming from multiple spoofed sources.

    Disclosure: I work for Query Foundry LLC.
    I own DA International Group Ltd.
  • Zen Member
    edited September 2012

    With virtualization? Not much, with hardware? Something can be done. But a minecraft server wouldn't warrant it.

    Also, give us a feel of how big this attack is - so do a tcpdump like @Jacob said.

    I work for Nodisto.

  • We've just put the node down. Bash was a slug.

  • You do realize that a tcpdump of this thing is gonna eat ~130 MB every second, right?

    -- BOFH

  • @eastonch said: We've just put the node down. Bash was a slug.

    Nullroute the IP, it is a minecraft server getting hit. Unless yours is the server. At this rate nothing you can do.

  • @Spencer it's a dedi server, like mentioned, one client owns the node. We're just overseeing this; had to shut it down, can't nullroute if it's a spoofed pool of IPs, or a large botnet having a larger than 1Gbit attack on us; not sure to be honest, feels like a Stresser from HF.

  • @eastonch said: @Spencer it's a dedi server, like mentioned, one client owns the node. We're just overseeing this; had to shut it down, can't nullroute if it's a spoofed pool of IPs, or a large botnet having a larger than 1Gbit attack on us; not sure to be honest, feels like a Stresser from HF

    Nothing you can do just wait it out.

  • n0my Member
    edited September 2012

    I don't know if this will help but you can try this, it helped a little for me in the past.

    http://floodmon.sourceforge.net/

  • 87k p/s of SYN is probably like what 30mbit?

    That looks more like a DNS amp flood.

    Try to see if the provider will drop some of the dest or source ports.

    Who is your provider btw?

  • Have you enabled SYN COOKIES?

    The Original Daniel.

  • SYN cookies were enabled; and it was an 86K PPS and 970MBIT consistent connection, all from "SYN_RECEIVE" and "ACK(SOMETHING)" from netstat -a :)

  • @eastonch It's quite possible you were getting a spoofed SYN flood and a UDP flood at the same time then.

  • @Jack It could be a SYN flood with larger packets ;)

    Disclosure: I work for Query Foundry LLC.
    I own DA International Group Ltd.
  • Jack Member
    edited September 2012

    @Alex_LiquidHost said: It could be a SYN flood with larger packets ;)

    I've never seen a S-SYN flood with 930mbit though.

  • @Jack said: I've never seen a S-SYN flood with 930mbit though.

    It is just not as efficient as small-packet-sized S-SYN floods, however it exists.

    Disclosure: I work for Query Foundry LLC.
    I own DA International Group Ltd.
  • @Alex_LiquidHost said: It is just not as efficient as small-packet-sized S-SYN floods, however it exists.

    I know it exists but I doubt it would happen.
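Added example (not from any poster in this thread): a small parser for the `tcpdump -n` output Jacob asks for, plus the packets-per-second vs. bandwidth arithmetic behind the "80k pps is nowhere near 1gbps" and "SYN flood with larger packets" exchange. The sample capture, the documentation-range addresses and the 64-byte minimal-SYN assumption are all constructed here.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` output (documentation-range IPs, not from the thread).
# The trailing "length" is the TCP payload length; a plain SYN carries none.
SAMPLE = """\
12:00:00.000001 IP 203.0.113.10.40001 > 198.51.100.5.25565: Flags [S], seq 1, win 512, length 0
12:00:00.000013 IP 203.0.113.11.40002 > 198.51.100.5.25565: Flags [S], seq 1, win 512, length 0
12:00:00.000027 IP 203.0.113.12.40003 > 198.51.100.5.25565: Flags [S], seq 1, win 512, length 1400
12:00:00.000040 IP 198.51.100.5.25565 > 203.0.113.10.40001: Flags [S.], seq 9, ack 2, win 29200, length 0
12:00:00.000055 IP 192.0.2.7.54321 > 198.51.100.5.25565: Flags [P.], seq 1:51, ack 1, win 229, length 50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*length (?P<length>\d+)"
)

def parse_tcpdump(text):
    """Parse tcpdump -n TCP lines into dicts; non-matching lines (UDP, ARP, ...) are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["dport"], d["length"] = int(d["dport"]), int(d["length"])
            out.append(d)
    return out

def syn_summary(records, dport):
    """Count SYN-only ('S') and SYN-ACK ('S.') packets to dport, distinct SYN sources,
    and payload bytes carried by those SYNs (non-zero means padded SYNs)."""
    flags, srcs, payload = Counter(), set(), 0
    for r in records:
        if r["dport"] != dport:
            continue
        flags[r["flags"]] += 1
        if r["flags"] == "S":
            srcs.add(r["src"])
            payload += r["length"]
    return {"syn": flags["S"], "synack": flags["S."], "sources": len(srcs), "syn_payload": payload}

def bytes_per_packet(mbps, pps):
    """Average on-wire bytes per packet implied by a bandwidth (Mbit/s) and packet rate."""
    return mbps * 1e6 / 8 / pps

def classify(mbps, pps):
    """Assumption: a minimal SYN is ~64 bytes on the wire, so 1 Gbit/s at 86k pps (~1410 B
    per packet) cannot be a plain SYN flood; it is padded SYNs, UDP/amplification, or a mix."""
    bpp = bytes_per_packet(mbps, pps)
    if bpp <= 100:
        return "small-packet SYN flood"
    return "large packets (~%d B each): padded SYNs, UDP/amplification, or mixed" % round(bpp)
```

Run it against a real capture with `tcpdump -n -c 20000 tcp port 25565 > cap.txt` and feed the file to `parse_tcpdump`; capping the packet count matters at these rates, as BOFH notes above.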

  • @Jacob said: (no Cisco Guard crap, or if you did you would need more than 1 Gbit modules).

    Can you elaborate, please? What's bad about Cisco Guard?

  • @pechspilz said: Can you elaborate, please? What's bad about Cisco Guard?

    Well, SingleHop told me Cisco Guard is absolutely worthless for gameservers and even if you try it, there's a very good chance it'll drop a lot of legit traffic.

  • @winston SingleHop uses Cisco Guard though? So did they lose you as a client?

  • @pechspilz said: Can you elaborate, please? What's bad about Cisco Guard?

    They are not that bad. They are not bad at all. Just not effective against DDoS. And they are not targeted to actually protect you from DDoS. DDoS mitigation appliances and normal firewalls have different target user groups. If you want DDoS protection, get RioRey, Fortinet, etc.

    Disclosure: I work for Query Foundry LLC.
    I own DA International Group Ltd.
  • @Alex_LiquidHost said: They are not that bad. They are not bad at all. Just not effective against DDoS. And they are not targeted to actually protect you from DDoS. DDoS mitigation appliances and normal firewalls have different target user groups. If you want DDoS protection, get RioRey, Fortinet, etc.

    +1

    I work for Nodisto.
