SYN Flood; 1GBit -- Quick fix?

eastonch Member
edited September 2012 in General

Dear LET Users;

I'm on this one box and it's being absolutely crippled by a 1 Gbit flood. I'm not a network specialist, and I don't know my way around iptables; any chance somebody can give me a buzz on what I should be doing to kill this off? There's a pool of IPs that would take me a month to write down the entirety of.

Seems to be aiming at 25565 and it's on eth1: http://screensnapr.com/v/NCkkRM.png

(Before you ask, this is a MC server node ;)) Clearly a HackForum target.

Comments

  • Jacob Member
    edited September 2012

    :-) 1Gbit of pure SYN would rip iptables to shreds. You need some serious bandwidth behind this or a hardware firewall (no Cisco Guard crap, or if you did you would need more than 1 Gbit modules).

    80K PPS is not much, so it is not a big attack, but it is still consuming quite a lot of bandwidth.

  • lele0108 Member
    edited September 2012

    Whoever is hosting Minecraft on your node has some script kiddies on his back.

  • Jacob Member
    edited September 2012

    What is the uplink (1Gbit, 10Gbit, etc.) on this server? Install tcpdump and do "tcpdump -n"; that should show some more information.

  • Shut the node down. It's a client's dedi. There's no way it's even usable. It's a 1Gbit strict uplink.

  • AlexBarakov Patron Provider, Veteran

    80k pps is nowhere near a 1gbps SYN flood. As Jacob said, more information is required; however, if the application cannot withstand it, I do not think that you would be able to do anything, except maybe nullrouting the IPs, unless it is coming from multiple spoofed sources.

  • We've just put the node down. Bash was a slug.

  • You do realize that a tcpdump of this thing is gonna eat ~130 MB every second, right?

  • @eastonch said: We've just put the node down. Bash was a slug.

    Nullroute the IP; it is a Minecraft server getting hit. Unless yours is the server. At this rate there's nothing you can do.

  • @Spencer it's a dedi server, like mentioned; one client owns the node. We're just overseeing this; had to shut it down. Can't nullroute if it's a spoofed pool of IPs, or a large botnet having a larger than 1Gbit attack on us; not sure to be honest, feels like a stresser from HF.

  • @eastonch said: @Spencer it's a dedi server, like mentioned; one client owns the node. We're just overseeing this; had to shut it down. Can't nullroute if it's a spoofed pool of IPs, or a large botnet having a larger than 1Gbit attack on us; not sure to be honest, feels like a stresser from HF.

    Nothing you can do; just wait it out.

  • n0my Member
    edited September 2012

    I don't know if this will help, but you can try this; it helped a little for me in the past.

    http://floodmon.sourceforge.net/

  • Have you enabled SYN COOKIES?

  • SYN cookies were enabled; and it was an 86K PPS and 970 Mbit consistent connection, all from "SYN_RECEIVE" and "ACK(SOMETHING)" in netstat -a :)
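As an added example (not code from the thread or from any poster): a small POSIX shell triage script tying together the netstat, tcpdump and SYN-cookie points raised in the posts above. It assumes port 25565 and eth1 from the original post; the netstat dump it parses is constructed, and the root-only commands are left as comments so the script runs as-is on any box.

```shell
#!/bin/sh
# Added example, not from the thread. Triage helpers for a suspected SYN flood
# against a Minecraft port (25565 is assumed, as in the original post).
# The parsing functions are pure and are exercised here on a constructed
# `netstat -ant` dump; the live commands that need root are at the bottom.

# Constructed sample (not real traffic): a few half-open SYN_RECV entries on
# 25565 from two sources, plus unrelated established sessions.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:25565          198.51.100.7:40211      SYN_RECV
tcp        0      0 10.0.0.5:25565          198.51.100.7:40212      SYN_RECV
tcp        0      0 10.0.0.5:25565          203.0.113.9:51000       SYN_RECV
tcp        0      0 10.0.0.5:25565          192.0.2.44:33001        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:55555        ESTABLISHED
tcp        0      0 10.0.0.5:25565          203.0.113.9:51001       SYN_RECV'

# Number of half-open (SYN_RECV) connections to local port $1; netstat on stdin.
# netstat -ant columns: Proto Recv-Q Send-Q Local Foreign State -> $4, $5, $6.
count_syn_recv() {
  awk -v port="$1" '$6 == "SYN_RECV" && $4 ~ (":" port "$") { n++ } END { print n + 0 }'
}

# Number of distinct remote IPs sitting in SYN_RECV on port $1. A large count
# with one or two entries each is the spoofed-source pattern the thread talks
# about, where nullrouting individual IPs does nothing.
distinct_syn_sources() {
  awk -v port="$1" '$6 == "SYN_RECV" && $4 ~ (":" port "$") {
         sub(/:[0-9]+$/, "", $5); seen[$5] = 1 }
       END { n = 0; for (ip in seen) n++; print n }'
}

# "count ip" lines for SYN_RECV sources on port $1, busiest first.
top_syn_sources() {
  awk -v port="$1" '$6 == "SYN_RECV" && $4 ~ (":" port "$") {
         sub(/:[0-9]+$/, "", $5); c[$5]++ }
       END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Current kernel SYN-cookie setting (1 = on), or "unknown" off Linux.
syncookies_status() {
  if [ -r /proc/sys/net/ipv4/tcp_syncookies ]; then
    cat /proc/sys/net/ipv4/tcp_syncookies
  else
    echo unknown
  fi
}

# Run the parsers over the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | count_syn_recv 25565        # 4
printf '%s\n' "$SAMPLE_NETSTAT" | distinct_syn_sources 25565   # 2
printf '%s\n' "$SAMPLE_NETSTAT" | top_syn_sources 25565
echo "tcp_syncookies=$(syncookies_status)"

# Live commands (root; shown as comments so the script stays runnable offline):
#   sysctl -w net.ipv4.tcp_syncookies=1          # answer with cookies once the backlog fills
#   sysctl -w net.ipv4.tcp_max_syn_backlog=4096  # bigger backlog before cookies kick in
#   sysctl -w net.ipv4.tcp_synack_retries=2      # expire half-open entries sooner
#   # Capture only SYN-without-ACK to the port, and stop after 2000 packets, so the
#   # capture does not itself eat ~130 MB/s of disk as noted in the thread:
#   tcpdump -ni eth1 -c 2000 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25565'
#   # Per-source SYN rate limit. Only useful if sources are real; spoofed
#   # sources sidestep it and iptables still has to look at every packet.
#   iptables -I INPUT -p tcp --dport 25565 --syn -m hashlimit --hashlimit-name mcsyn \
#     --hashlimit-mode srcip --hashlimit-above 30/second -j DROP
```

SYN cookies only stop the listen backlog from filling; they do nothing about a saturated 1 Gbit link, which is consistent with the box dying even with cookies on. The hashlimit rule keys on source IP, so a spoofed pool (many sources with one or two half-open entries each, which is what a high distinct_syn_sources count against a flat top_syn_sources list would show) walks straight past it, and at that point the advice in the thread, upstream filtering or waiting it out, is the realistic option.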

  • AlexBarakov Patron Provider, Veteran

    @Jack
    It could be a SYN flood with larger packets ;)

  • AlexBarakov Patron Provider, Veteran

    @Jack said: I've never seen a S-SYN flood with 930mbit though.

    It is just not as efficient as small-packet ssyn floods; however, it exists.

  • @Jacob said: (no cisco guard crap, Or if you did you would need more then 1 Gbit modules).

    Can you elaborate, please? What's bad about Cisco Guard?

  • @pechspilz said: Can you elaborate, please? What's bad about Cisco Guard?

    Well, SingleHop told me Cisco Guard is absolutely worthless for game servers, and even if you try it, there's a very good chance it'll drop a lot of legit traffic.

  • AlexBarakov Patron Provider, Veteran

    @pechspilz said: Can you elaborate, please? What's bad about Cisco Guard?

    They are not that bad. They are not bad at all. Just not effective against DDoS. And they are not targeted to actually protect you from DDoS. DDoS mitigation appliances and normal firewalls have different target user groups. If you want DDoS protection, get RioRey, Fortinet, etc.
