DDOS Attack on CS 1.6 Server VPS [OVH GAME]
amsaalamsaal Member
edited August 2019 in Help

It's been on and off; I've been getting DDoSed on my CS 1.6 server, but this one lags all players to above 700 ms ping and then they time out and we have to reconnect. For now it just lags, so I lose my traffic, and this then causes issues with the ranking system on www.gametracker.com. Here is some info I caught:

amsaal@cs:~$ netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head -3
62 127.0.0.1
6 92.96.x.x
1 servers)

What does this "62 127.0.0.1" actually say?

I need advice on how to mitigate this one. When I get traffic at 32/32 I get attacked; when it's reduced to 16/32 the attack stops.

Thanks.
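For the question above about the netstat pipeline, here is an added example (not from the thread) that reproduces what the one-liner counts on constructed `netstat -ntu` output, and counts remote peers properly. Column 5 of `netstat -ntu` is the foreign address, so a line whose foreign address is 127.0.0.1 is a socket whose peer is the same machine (one local process talking to another), not traffic from the Internet; the odd "servers)" entry is the last word of the header line "Active Internet connections (w/o servers)", which `awk` counts like any other line; and `cut -d: -f1` turns any IPv6 peer such as `::1` into an empty string. The sample addresses and counts below are made up.

```python
# Added example (not from the thread): what the OP's netstat one-liner
# really counts, and a version that only counts remote peers.
from collections import Counter

# Constructed `netstat -ntu` output; hosts, ports and counts are made up.
NETSTAT_OUTPUT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          127.0.0.1:41022         ESTABLISHED
tcp        0      0 127.0.0.1:41022         127.0.0.1:3306          ESTABLISHED
tcp        0      0 203.0.113.10:27015      92.96.0.1:50214         ESTABLISHED
udp        0      0 203.0.113.10:27015      92.96.0.1:27005         ESTABLISHED
tcp6       0      0 ::1:6010                ::1:48122               ESTABLISHED
"""


def naive_count(text):
    """Mirror `awk '{print $5}' | cut -d: -f1 | sort | uniq -c`: every line,
    including the two header lines, contributes a "host", and an IPv6 peer
    collapses to '' because cut stops at the first colon."""
    return Counter(line.split()[4].split(":")[0]
                   for line in text.splitlines() if line.split())


def foreign_hosts(text, skip_loopback=True):
    """Count remote peers: skip header lines, split on the last colon so IPv6
    survives, and optionally drop loopback peers, which are local processes
    talking to each other rather than anything arriving from outside."""
    counts = Counter()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        host, _, _port = fields[4].rpartition(":")
        if skip_loopback and host in ("127.0.0.1", "::1"):
            continue
        counts[host] += 1
    return counts


if __name__ == "__main__":
    print("naive:  ", naive_count(NETSTAT_OUTPUT).most_common())
    print("remote: ", foreign_hosts(NETSTAT_OUTPUT).most_common())
```

On the real box, `ss -ntuH` (no header) piped through the same kind of loopback filter gives the same answer without the stray "servers)" line.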


Comments

  • Buy from any reseller of OVH anti-DDoS game protection; they have built-in filters for the source protocol (CS 1.6).

  • I am using an OVH game VPS.

  • stefemanstefeman Member
    edited August 2019

    There is no OVH Game VPS.. It has to be from some reseller host. Which host is it?

    Enable Game Firewall and Select "CS 1.6", "GoldSRC", "Half Life 2: Source", or "Other" profile

  • It's already enabled on the IP. Host: omgserv VPS game 3

  • MikeAMikeA Member, Patron Provider
    edited August 2019

    Probably just another attack that gets past the filters or causes legit traffic to get blocked. Only thing you can do is talk to OVH or ask your host to talk to OVH, but it's very unlikely anyone that isn't OVH can help you because waiting for OVH VAC team to fix game filters/bypasses is like waiting for a sloth to cross a highway.

    Thanked by: amsaal, corbpie
  • stefemanstefeman Member
    edited August 2019

    Then record tcpdump of the attack.

    When the attack is ongoing, type:

    tcpdump -s 0 -w dump.pcap

    Then after few seconds press Ctrl + C

    Post the tcpdump file or link of it here and we'll help you.

    It's likely a bypass attack and not a volumetric one, so you need to record the source port and destination port, then block according to those at the network level. If that can't be done, you need to open the dump file with Wireshark, search for the attack packets, find the hex value of each packet and block it with netfilter/iptables.

    For example:

    iptables -A PREROUTING -t raw -p udp --dport 27015:27030 -m string --algo kmp --hex-string '|545333494e495431|' -j DROP

    where 545333494e495431 is the hex string.

    Then apply your iptables/netfilter rules and it should get dropped and not lag the server.

    If the attack is large, you need a decent CPU power for this. Usually bypass attacks have low bandwidth.

    Thanked by: amsaal, uptime
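The procedure in the post above (capture with tcpdump, find the repeating attack packets, derive ports or payload bytes, drop them with a netfilter string match) as an added, runnable example that is not part of the thread. It builds a small pcap in memory rather than reading `dump.pcap`, so it runs offline; the server IP 203.0.113.10, the flooding host 198.51.100.7, the player IPs and all packet counts are made up. What is real is the packet format: GoldSrc/Source out-of-band packets begin with four 0xff bytes, and "TSource Engine Query" plus a NUL byte is the A2S_INFO request that server browsers and GameTracker send. For comparison, the hex string in the post, 545333494e495431, is ASCII "TS3INIT1".

```python
"""Added example (not from the thread): summarise a capture of a suspected
GoldSrc bypass flood and render the kind of iptables rules the post describes.
All addresses, ports and counts below are constructed for the demo."""
import struct
from collections import Counter

ETH_IPV4, IP_UDP = 0x0800, 17
A2S_INFO = b"\xff\xff\xff\xffTSource Engine Query\x00"   # real A2S_INFO request
GETCHALLENGE = b"\xff\xff\xff\xffgetchallenge steam\n"   # start of a GoldSrc connect


def udp_frame(src, dst, sport, dport, payload):
    """Ethernet + IPv4 + UDP with zeroed checksums (fine for offline parsing)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IP_UDP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + udp


def build_pcap(frames):
    """Classic little-endian pcap, link type 1 (Ethernet), one record per frame."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return bytes(out)


def sample_capture():
    """Constructed capture: one host hammering A2S_INFO from rotating source
    ports, plus three ordinary players starting a handshake (made-up IPs)."""
    server = "203.0.113.10"
    frames = [(1000, udp_frame("198.51.100.7", server, 1024 + i, 27015, A2S_INFO))
              for i in range(200)]
    for i, player in enumerate(("192.0.2.11", "192.0.2.12", "192.0.2.13")):
        frames.append((1000 + i, udp_frame(player, server, 27005, 27015, GETCHALLENGE)))
    return build_pcap(frames)


def parse_pcap(data):
    """Yield (src, dst, sport, dport, payload) for every IPv4/UDP record."""
    magic = struct.unpack_from("<I", data)[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from(end + "IIII", data, off)[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != IP_UDP:
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        u = 14 + ihl
        sport, dport, ulen = struct.unpack_from("!HHH", frame, u)
        yield src, dst, sport, dport, frame[u + 8:u + ulen]


def summarise(data, prefix_len=8):
    """Counts by source IP, destination port and first prefix_len payload bytes.
    A bypass flood shows up as one source or one payload prefix dwarfing the
    rest; one or two packets per player is what normal traffic looks like."""
    by_src, by_dport, by_prefix = Counter(), Counter(), Counter()
    for src, _dst, _sport, dport, payload in parse_pcap(data):
        by_src[src] += 1
        by_dport[dport] += 1
        by_prefix[payload[:prefix_len]] += 1
    return by_src, by_dport, by_prefix


def string_drop_rule(prefix, ports="27015:27030"):
    """Same shape as the rule in the post: unconditional drop on a payload match.
    Only safe when the matched bytes are unique to the attack traffic."""
    return ("iptables -A PREROUTING -t raw -p udp --dport %s -m string --algo kmp "
            "--hex-string '|%s|' -j DROP" % (ports, prefix.hex()))


def rate_limit_rule(prefix, rate="20/s", ports="27015:27030", name="goldsrc"):
    """Per-source rate limit instead: legitimate queries (GameTracker, the
    server browser) keep working; only sources above `rate` are dropped."""
    return ("iptables -A PREROUTING -t raw -p udp --dport %s -m string --algo kmp "
            "--hex-string '|%s|' -m hashlimit --hashlimit-above %s "
            "--hashlimit-mode srcip --hashlimit-name %s -j DROP"
            % (ports, prefix.hex(), rate, name))


if __name__ == "__main__":
    by_src, by_dport, by_prefix = summarise(sample_capture())
    print("top sources:", by_src.most_common(3))
    print("top prefixes:", [(p.hex(), n) for p, n in by_prefix.most_common(2)])
    top = by_prefix.most_common(1)[0][0]
    print(string_drop_rule(top))
    print(rate_limit_rule(top))
```

Two cautions when applying this to a real dump: the most common prefix in a CS 1.6 flood is often a packet legitimate clients also send (A2S_INFO, getchallenge), so an unconditional `-m string ... -j DROP` on it would also cut off GameTracker and the server browser, which is why the second rule limits per source instead; and, as the post notes, string matching costs CPU per packet, so keep the rule in the `raw` table and restrict it to the game port range.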
  • pikepike Veteran
    edited August 2019

    Try phpfriends or fastpipe.io; both use Arbor Peakflow, like the one OVH uses for GAME protection, but compared with OVH they have reactive support which is able to add rules to fit your needs.

    Thanked by: amsaal
  • Can you maybe throw the output of `conntrack -E` on pastebin?

  • @amsaal said:
    It's been on and off; I've been getting DDoSed on my CS 1.6 server, but this one lags all players to above 700 ms ping and then they time out and we have to reconnect. For now it just lags, so I lose my traffic, and this then causes issues with the ranking system on www.gametracker.com. Here is some info I caught:

    amsaal@cs:~$ netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head -3
    62 127.0.0.1
    6 92.96.x.x
    1 servers)

    What does this "62 127.0.0.1" actually say?

    I need advice on how to mitigate this one. When I get traffic at 32/32 I get attacked; when it's reduced to 16/32 the attack stops.

    Thanks.

    Disable dproto or ReUnion.

  • @dedimark said:

    @amsaal said:
    It's been on and off; I've been getting DDoSed on my CS 1.6 server, but this one lags all players to above 700 ms ping and then they time out and we have to reconnect. For now it just lags, so I lose my traffic, and this then causes issues with the ranking system on www.gametracker.com. Here is some info I caught:

    amsaal@cs:~$ netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head -3
    62 127.0.0.1
    6 92.96.x.x
    1 servers)

    What does this "62 127.0.0.1" actually say?

    I need advice on how to mitigate this one. When I get traffic at 32/32 I get attacked; when it's reduced to 16/32 the attack stops.

    Thanks.

    Disable dproto or ReUnion.

    Then many players won't be able to join. The DDoS attack is not on just one port; it's an attack on the whole thing.

  • @pike said:
    Try phpfriends or fastpipe.io; both use Arbor Peakflow, like the one OVH uses for GAME protection, but compared with OVH they have reactive support which is able to add rules to fit your needs.

    I tried fastpipe.io, but when a DDoS happens gametracker.com loses the connection for about 1 hour. That 1 hour is important, as I lose my ranking.

  • Nobody can help you here if you cannot provide recording of the attack.

    Thanked by: amsaal
  • @stefeman said:
    Nobody can help you here if you cannot provide recording of the attack.

    There is no point in providing attack dumps now; there is no attack ongoing.

    Thanked by: Clouvider
  • pikepike Veteran
    edited August 2019

    @amsaal said:

    @pike said:
    Try phpfriends or fastpipe.io; both use Arbor Peakflow, like the one OVH uses for GAME protection, but compared with OVH they have reactive support which is able to add rules to fit your needs.

    I tried fastpipe.io, but when a DDoS happens gametracker.com loses the connection for about 1 hour. That 1 hour is important, as I lose my ranking.

    Did you contact their support about that? Maybe they can whitelist gametracker.
    @combahton_it

  • @pike said:

    @amsaal said:

    @pike said:
    Try phpfriends or fastpipe.io; both use Arbor Peakflow, like the one OVH uses for GAME protection, but compared with OVH they have reactive support which is able to add rules to fit your needs.

    I tried fastpipe.io, but when a DDoS happens gametracker.com loses the connection for about 1 hour. That 1 hour is important, as I lose my ranking.

    Did you contact their support about that? Maybe they can whitelist gametracker.
    @combahton_it

    Yes, I can try this and give them another try!!

  • Found the DDoSer's IP address, now filing an abuse report

    https://pastebin.com/NLb5LHgJ

    How do I block this method? I also took a tcpdump.

  • stefemanstefeman Member
    edited August 2019

    That pastebin log is useless. just link the raw .pcap file to us.

    As for that specific IP, it's probably a port scanner or, at worst, one of your players xD

    If you really want to block that specific IP, just drop it with iptables/netfilter.

  • @FoxelVox said:
    Can you maybe throw the output of `conntrack -E` on pastebin?

    root@cs:/home/amsaal# conntrack -E
    bash: conntrack: command not found

  • amsaalamsaal Member
    edited August 2019

    @stefeman said:
    That pastebin log is useless. just link the raw .pcap file to us.

    As for that specific IP, it's probably a port scanner or, at worst, one of your players xD

    If you really want to block that specific IP, just drop it with iptables/netfilter.

    https://mega.nz/#!4DAS2AgQ!DOjwM5O0X5lpBtZ9o_vTOBbXIt2g-GB5Yutg5NOUKwo [filename: capture-ovh] 14 MB size

  • stefemanstefeman Member
    edited August 2019

    @amsaal said:

    @stefeman said:
    That pastebin log is useless. just link the raw .pcap file to us.

    As for that specific IP, it's probably a port scanner or, at worst, one of your players xD

    If you really want to block that specific IP, just drop it with iptables/netfilter.

    https://mega.nz/#!4DAS2AgQ [filename: capture-ovh] 14 MB size

    The file link lacks the decryption key, and 14 MB is rather small; I was expecting a larger size. Are you sure the attack was ongoing during your recording?

    Could you repost the proper link.

  • Updated my post, please kindly check again!!

  • stefemanstefeman Member
    edited August 2019

    @amsaal said:
    Updated my post, please kindly check again!!

    45.55.50.29 is hosted at DigitalOcean and it's downloading your files via the Steam client during map change/connect. It's probably a player using a VPN and not an attacker.

    I fail to see any attack in this log. Besides, there are exactly 100k packets. Did you cut the contents? I would expect several hundred megabytes of file size after a few seconds of recording if there was an attack going on.

    Your server responds in almost equal amounts according to that dump. If there was an attack it would be an almost one-sided flood towards your server IP.

  • @stefeman said:
    45.55.50.29 is hosted at DigitalOcean and it's downloading your files via the Steam client during map change/connect. It's probably a player using a VPN and not an attacker.

    We do not host files :) nor does anyone download, okay?

    After blocking, the attack stopped. I just added it to the firewall on the VPS and there's no more attack.

  • MikeAMikeA Member, Patron Provider

    @stefeman Maybe his host is receiving other attacks or something and causing packet loss on the host system, or the OVH protection is just the problem causing the disconnects.

  • If it's just downloading files, why do you see so many connections from that IP then?

    I do not host files, and we have a fast download setup; a single IP cannot try with so many connections, you know.

  • stefemanstefeman Member
    edited August 2019

    @MikeA said:
    @stefeman Maybe his host is receiving other attacks or something and causing packet loss on the host system, or the OVH protection is just the problem causing the disconnects.

    Yeah, because this is how a bypass attack should look on the server's end.

    1.4 million packets in 11 seconds.

    Thanked by: amsaal
  • stefemanstefeman Member
    edited August 2019

    @amsaal said:
    If it's just downloading files, why do you see so many connections from that IP then?

    I do not host files, and we have a fast download setup; a single IP cannot try with so many connections, you know.

    Then just block that IP if it floods your HTTP server where you store the maps, skins and sounds (which is called FastDL). Or even better, separate those servers from each other.

    Might as well look into your web server settings too. Are you sure this is not CPU-based lag? Is the server overloaded? You might want to type "top" in your SSH console and check CPU steal, CPU and RAM usage.

  • How do you assume it's downloading a map or skin? Can you judge it that way, are you sure?

    FYI: I just have a server with no files that need to be downloaded; it's a plain public server.

    And I blocked the IP and the attack stopped. Anyway, I have forwarded this evidence to the hosting; they will look at it and respond to me by tomorrow. So let's hope they find a method, or whatever it may be, to see and block it.

  • stefemanstefeman Member
    edited August 2019

    Because it attempts to access http://xxx.xxx.xxx.xxx/cstrike/ using multiple user agents, which is what the game client will do if something goes wrong.

    You also have an insane amount of custom files that get downloaded on first join, so I'm not surprised about the amount of connections xD

  • amsaalamsaal Member
    edited August 2019

    @stefeman said:
    Because it attempts to access http://xxx.xxx.xxx.xxx/cstrike/ using multiple user agents, which is what the game client will do if something goes wrong.

    You also have an insane amount of custom files that get downloaded on first join, so I'm not surprised about the amount of connections xD

    He is checking whether the web works after attacking :P He knows that I have /cstrike, but whoever he is, I am aware of it.

    That many connections from a single IP is flooding port 80, which is causing this lag/spikes temporarily; after it stops there's no more lag/spikes. Anyway, I'm thinking of moving to nginx as it provides some kind of blocking; let's see.
