SYN Flood; 1GBit -- Quick fix?
Dear LET users,
I'm on this one box and it's being absolutely crippled by a 1 Gbit flood. I'm not a network specialist, and I don't know my way around iptables; any chance somebody can give me a buzz on what I should be doing to kill this off? There's a pool of IPs that would take me a month to write down the entirety of.
Seems to be aiming at 25565 and it's on eth1: http://screensnapr.com/v/NCkkRM.png
(Before you ask, this is a MC server node.) Clearly a HackForum target.
Comments
:-) 1 Gbit of pure SYN would rip iptables to shreds. You need some serious bandwidth behind this or a hardware firewall (no Cisco Guard crap, or if you did you would need more than 1 Gbit modules).
80K PPS is not much, so it is not a big attack, but it is still consuming quite a lot of bandwidth.
Whoever is hosting Minecraft on your node has some script kiddies on his back.
SYN+ACK Flood http://screensnapr.com/v/cIpLSR.png
What is the uplink (1 Gbit, 10 Gbit, etc.) on this server? Install tcpdump and do "tcpdump -n"; that should show some more information.
Shut the node down. It's a client's dedi. There's no way it's even usable. It's a 1 Gbit strict uplink.
80k pps is nowhere near a 1 Gbps SYN flood. As Jacob said, more information is required; however, if the application cannot withstand it, I do not think that you would be able to do anything, except maybe nullrouting the IPs, unless it is coming from multiple spoofed sources.
We've just put the node down. Bash was a slug.
You do realize that a tcpdump of this thing is gonna eat ~130 MB every second, right?
Nullroute the IP, it is a minecraft server getting hit. Unless yours is the server. At this rate nothing you can do.
@Spencer it's a dedi server, like mentioned; one client owns the node. We're just overseeing this; had to shut it down. Can't nullroute if it's a spoofed pool of IPs, or a large botnet having a larger-than-1 Gbit attack on us; not sure to be honest, feels like a stresser from HF.
Nothing you can do; just wait it out.
I don't know if this will help, but you can try this; it helped a little for me in the past.
http://floodmon.sourceforge.net/
Have you enabled SYN COOKIES?
SYN cookies were enabled; and it was 86K PPS and a 970 Mbit consistent connection, all from "SYN_RECEIVE" and "ACK(SOMETHING)" in netstat -a.
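Taken together, the last few posts amount to a host-side triage procedure: count half-open (SYN_RECV) sockets on the attacked port, see whether they come from a few real sources or a huge spoofed pool, confirm SYN cookies are on, take a bounded tcpdump instead of an unbounded one, and rate-limit new SYNs in iptables. The script below is an added example, not code from the thread or from the box in question; it assumes a Linux host with netstat, sysctl and iptables, reuses the port (25565) and interface (eth1) from the OP, and runs against a constructed netstat sample with RFC 5737 documentation addresses. As the replies above point out, none of this restores service once the uplink itself is saturated; it is for telling a spoofed flood from a nullroutable handful of sources, and for riding out smaller ones.

```shell
#!/bin/sh
# Added example (not from the thread): host-side SYN flood triage on Linux.
# Assumptions: netstat -ant output format, /proc/sys for sysctl state, iptables
# with the limit match. Port 25565 and eth1 come from the original post.

# Constructed sample of `netstat -ant` output (hypothetical, RFC 5737 addresses;
# not captured from the box in the thread).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25565           0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:25565      198.51.100.7:51234      SYN_RECV
tcp        0      0 203.0.113.10:25565      198.51.100.8:51235      SYN_RECV
tcp        0      0 203.0.113.10:25565      192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:22         192.0.2.9:55555         ESTABLISHED
tcp        0      0 203.0.113.10:25565      198.51.100.9:51236      SYN_RECV'

# count_state PORT STATE: number of TCP sockets on local PORT in STATE, reading
# `netstat -ant` lines from stdin. Live use: netstat -ant | count_state 25565 SYN_RECV
count_state() {
  awk -v port="$1" -v state="$2" \
    '$1 == "tcp" && $4 ~ (":" port "$") && $6 == state { n++ } END { print n + 0 }'
}

# top_sources PORT N: the N peer addresses holding the most half-open connections
# to PORT, as "count ip" lines. A few hosts with large counts can be nullrouted;
# thousands of addresses with one SYN each means spoofing or a botnet.
top_sources() {
  awk -v port="$1" \
    '$1 == "tcp" && $4 ~ (":" port "$") && $6 == "SYN_RECV" { sub(/:[0-9]+$/, "", $5); print $5 }' \
    | sort | uniq -c | sort -rn | head -n "$2"
}

# syn_cookies_enabled: succeeds if net.ipv4.tcp_syncookies is 1 (reads /proc, no root needed)
syn_cookies_enabled() {
  [ "$(cat /proc/sys/net/ipv4/tcp_syncookies 2>/dev/null)" = 1 ]
}

# mitigation_commands PORT IFACE: print (not run) the host-side steps; pipe to
# `sh` as root to apply. Per-source limits (hashlimit) are pointless against
# spoofed sources, and conntrack-based rules fill the conntrack table under a
# flood, so the SYN limit below is an aggregate limit on plain --syn packets.
mitigation_commands() {
  port=$1; iface=$2
  cat <<EOF
# bounded capture: 2000 SYNs at a 96-byte snaplen, so the dump cannot grow at line rate
tcpdump -n -i $iface -s 96 -c 2000 'tcp[tcpflags] & tcp-syn != 0 and dst port $port'
# kernel: SYN cookies on, larger SYN backlog, fewer SYN-ACK retransmits
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_synack_retries=2
# netfilter: cap new SYNs to $port at 200/s with a burst of 400, drop the rest
iptables -N SYNLIMIT 2>/dev/null
iptables -F SYNLIMIT
iptables -A SYNLIMIT -m limit --limit 200/second --limit-burst 400 -j RETURN
iptables -A SYNLIMIT -j DROP
iptables -I INPUT -i $iface -p tcp --dport $port --syn -j SYNLIMIT
EOF
}

# Demo on the constructed sample
printf '%s\n' "$SAMPLE_NETSTAT" | count_state 25565 SYN_RECV
printf '%s\n' "$SAMPLE_NETSTAT" | top_sources 25565 3
if syn_cookies_enabled; then echo "SYN cookies: on"; else echo "SYN cookies: off or not Linux"; fi
mitigation_commands 25565 eth1
```

The limit numbers are placeholders to be tuned to the server's real connection rate; the point of the structure is that the limit chain drops the excess before the kernel allocates a half-open socket, while SYN cookies keep the backlog from being the thing that gives out.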
@Jack
It could be a SYN flood with larger packets.
It is just not as efficient as small-packet SYN floods; however, it exists.
Can you elaborate, please? What's bad about Cisco Guard?
Well, SingleHop told me Cisco Guard is absolutely worthless for game servers, and even if you try it, there's a very good chance it'll drop a lot of legit traffic.
They are not that bad. They are not bad at all. Just not effective against DDoS. And they are not targeted to actually protect you from DDoS. DDoS mitigation appliances and normal firewalls have different target user groups. If you want DDoS protection, get RioRey, Fortinet, etc.