    got DDoSed - what to do now?

    trexos Member
    edited October 2015 in General

    Hi folks,

    I'm running a small teamspeak server for my friends on a WeLoveServer VPS. Everything was good until today. The VPS got suspended and the IP was nullrouted. I asked them about the reason and they told me it was due to DDoS. They attached the following list:
    http://pastebin.com/PLi0iNRR

    I never had problems with DDoS so I don't really get much information from that list. But it looks like it was a UDP flood? I checked a few IPs and they are mainly from Germany (where my user base comes from).

    What should I do now? Maybe ask for more information like strength of the attack?

    Thank you :)

    OnePoundWebHosting.co.uk | UK XEN VPS from £2 | See their special offers starting from 12£/year here

    Comments

    • trexos said: What should I do now?

      Look for a new provider that has a decent DDoS protection service included with a good filtering on UDP and Teamspeak protocols.

      me | I'm running a large amount of OpenNIC's uncensored, open and democratic alternative Tier2 DNS resolvers. Now with Anycast! | We also provide a lot of locations and providers on our Looking Glass

    • Why do teamspeak servers get attacked so often? Is it because people get banned from game servers and this is their revenge?

    • netomx Member, Moderator

      Because kids with their dad's CC

      Thanked by 1Francisco
    • It happens, you can run months without it, or get one in your first week after booting your TS.

      Get a DDOS Protected IP or DDOS Protected VPS.

    • ceibaNet Member, Provider

      teamspeak servers are DDoS sponges, most will eventually get attacked. Give it a week and if it happens again you should consider switching providers to one with better DDoS protection.

      Thanked by 1Francisco

      laceibanetsociety // 24/7 English/Spanish Support // VPS, Resellers, Dedicated Servers NJ and Honduras Locations available

    • I've run my ts3 off my 2.99 kimsufi machine for 2 years and never had a problem. It's quite a large public one. OVH's DDoS protection works well.

      Thanked by 1netomx
    • Sorry, I couldn't resist the temptation to post this.

      Thanked by 3Francisco ehab rokok

      [Disclosure: I work for a public institution, any comments made reflect myself and my personal views only.]

    • Get that 1€/m seflow flexcloud VPS with OVH DDoS protection and you'll be fine: http://seflow.net/2/index.php/en/services/flexcloud/flexpricing

      Thanked by 2netomx sin

      tsdns.io - free, redundant, DDoS-protected TSDNS

    • rm_ Member

      etcSudoers said: Why do teamspeak servers get attacked so often? Is it because people get banned from game servers and this is their revenge?

      For example, in many MMOs there are competitive events between clans which happen on a set schedule and require voice-based coordination between 20-30 people or more. If you are able to take down an enemy clan's TS server, I suppose that's exactly the same as jamming all of the enemy radio comms on a battlefield. Not sure if that's what happened in this case, of course.

    • I just moved a group over to Discord which is completely free. Still relatively early in development, but it works very well. Great web app in addition to native apps for Windows (does not work on XP or Vista), Mac, iOS, and Android.

    • thanks for all your answers!

      Well, it was just a small ts and I only banned one person and I'm pretty sure that he isn't able to do something like that. Maybe they found the IP in the server browser and thought that it would be funny to kick 30 persons out. Who knows. Anyway, I moved my ts server to one of my online.net boxes now. I heard that the DDoS protection from online.net isn't that good, but the box was nearly free so let's see. Is there a tab in online.net's interface where I can see current mitigation or other information about the DDoS protection? Do I receive notifications?

      @tr1cky 1€ sounds quite good, but I don't expect it to happen again. So let's see. Seflow is that well known Italian hoster, isn't it? So safe to go?

      @DH22 I still want to use teamspeak. Although there are way better alternatives out there (like Discord). But still, I'm not interested in forcing my friends to use another client.

    • trexos said: @tr1cky 1€ sounds quite good, but I don't expect it to happen again. So let's see. Seflow is that well known Italian hoster, isn't it? So safe to go?

      SeFlow has average support and a bad network in Italy, but for FlexCloud and their France location they use OVH and that works pretty good.

      Thanked by 1trexos

    • Drop the load balancers and call Prolexic.

      True wisdom comes to each of us when we realize how little we understand about life, ourselves, and the world around us.

    • trexos said: Do I receive notifications?

      Yes, in your panel: https://console.online.net/en/network/ddos

      Thanked by 1trexos

      OpenVz Node + KernelCare uptime - 1275 Days :)

    • There's nothing special in the logs they've provided you, only a few IPs, no payloads, nothing to calculate the number of packets per second and bandwidth that were used in this "attack".

      www.urdn.com.ua - KVM/Qemu hosting in Sweden.
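
Added example (not part of the post above, and not any provider's tooling): the two figures the previous comment says cannot be derived from a bare IP list, packets per second and bandwidth, fall out directly once the provider supplies flow records with packet and byte counters. The record layout and sample values are constructed for illustration, and UDP 9987 is assumed as the TeamSpeak 3 voice port.

```python
from collections import defaultdict

# Constructed sample flow records (NOT the thread's pastebin data).
# Columns: epoch_second, src_ip, proto, dst_port, packets, bytes
SAMPLE_FLOWS = """\
1443780000,192.0.2.10,udp,9987,50,6000
1443780000,192.0.2.11,udp,9987,40000,2400000
1443780000,198.51.100.7,udp,9987,60000,3600000
1443780001,192.0.2.11,udp,9987,45000,2700000
1443780001,198.51.100.7,udp,9987,70000,4200000
1443780001,203.0.113.5,tcp,22,12,1800
1443780002,203.0.113.9,udp,9987,30000,1800000
"""

def summarize(text, proto="udp", dst_port=9987):
    """Aggregate per-second packet/byte counts for one service.

    Returns None when no record matches, so an empty or irrelevant
    log is not mistaken for evidence of an attack.
    """
    pkts = defaultdict(int)        # packets per one-second bucket
    octets = defaultdict(int)      # bytes per one-second bucket
    per_source = defaultdict(int)  # packets per source address
    for line in text.strip().splitlines():
        ts, src, p, port, n_pkts, n_bytes = line.split(",")
        if p != proto or int(port) != dst_port:
            continue
        pkts[int(ts)] += int(n_pkts)
        octets[int(ts)] += int(n_bytes)
        per_source[src] += int(n_pkts)
    if not pkts:
        return None
    total = sum(per_source.values())
    top_src, top_pkts = max(per_source.items(), key=lambda kv: kv[1])
    return {
        "peak_pps": max(pkts.values()),
        # Peak byte rate in any one second, converted to Mbit/s.
        "peak_mbps": round(max(octets.values()) * 8 / 1e6, 2),
        "sources": len(per_source),
        "top_source": top_src,
        "top_source_share": round(top_pkts / total, 3),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

A log that yields only a handful of sources and no counters, as described in the comment above, gives this kind of summary nothing to work with, which is the reason to ask the provider for flow data.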

    • saibal Member
      edited October 2015

      I would doubt if it was actually a DDoS attack. WLS suspended my VPS (UK) due to a DDoS attack once and the logs they provided had only three events with the IPs belonging to Microsoft Corp. As others have mentioned earlier, look for a new provider.

    • saibal said: the IPs belonging to Microsoft Corp

      You know MS owns Azure cloud, and is used for attacks?

      Taking a hiatus.

    • @netomx said:
      Because kids with their dad's CC

      and dad's CC + Blackhat = bye bye website

      Thanked by 1netomx
    • matteob Member, Host Rep

      @tr1cky said:

      Hi,
      sorry for off topic, but why bad network? Are years that we not had outages and we use only premium provider like Level3 and NTT

      Matteo Berlonghi - SeFlow s.n.c.

      SeFlow.Net - Affordable DDoS Protected Services. SeFlow Secure Network 20+ IXP connected with Default DDoS Protection. - Are you searching remote proxy or network infrastructure protection? Email Contact: [email protected]

    • tr1cky Member
      edited October 2015

      @matteob said:

      That was my experience with you when I had service in your Italy location.
      Maybe it changed, but your cogent network back then was pretty bad.
      I'm also very interested on why you lie about your network in France.
      You don't have any own filtering appliances there as you said, it's OVH-only.
      When I told you to enable seguard in France you simply enabled OVHs permanent mitigation.

      Thanked by 1Jonchun

    • matteob Member, Host Rep

      @tr1cky said:

      cogent? We not had cogent in our bgp. @tr1cky are you sure you're talking about right provider?

      http://bgp.he.net/AS49367

      You see cogent? We use only premium provider :-)

      As Strasbourg Protection we not lie, we always said that we're in colo in OVH, we use ovh protection for bigger attack and our l7 appliances for intelligent attacks.

      @tr1cky based on your words i really suspect you're confusing us with another provider...

      Matteo Berlonghi - SeFlow s.n.c.

    • matteob said: cogent? We not had cogent in our bgp. @tr1cky are you sure you're talking about right provider?

      You used cogent in the past.

      matteob said: As Strasbourg Protection we not lie, we always said that we're in colo in OVH, we use ovh protection for bigger attack and our l7 appliances for intelligent attacks.

      I told you to enable seguard permanently and you enabled OVH VAC permanently.
      It's also very interesting that a TCP ACK attack can take a flexcloud server down just as it can take down any OVH server.

    • matteob said: cogent? We not had cogent in our bgp

      What a load of bs. Wayback Machine of bgp.he.net: https://web.archive.org/web/20120306125337/http://bgp.he.net/AS49367#_peers

      2nd on the list Cogent Communications

    • matteob Member, Host Rep

      @Razza said:

      Peer is different than Transit

      Transit = you receive full or partial internet route

      Peer = you receive route of isp's customers.

      We peer with cogent on MIX for cogent customers, but we not had transit with them

      Matteo Berlonghi - SeFlow s.n.c.

    • @matteob an older version of seflow site: https://web.archive.org/web/20120618092513/http://www.seflow.net/infrastruttura/network.php The connectivity is provided by three independent carriers: Atrato-IP, CogentCo and KPNQWest. Down the page a bit there is a graph for traffic usage on a 10Gbit link with cogent.
      It looks like seflow had transit with cogent at one time.

    • matteob Member, Host Rep
      edited October 2015

      @Razza said:

      was 4 years ago and we launched ddos protection 2 years ago and cloud platform last year.... times not coincide :-)

      Matteo Berlonghi - SeFlow s.n.c.

    • William Member, Provider
      edited October 2015

      matteob said: We peer with cogent on MIX for cogent customers, but we not had transit with them

      Cogent peering does not show up on bgp.he.net - Only transit.

    • TACServers Member, Provider
      edited October 2015

      @tr1cky @matteob @razza Dec 19, 2013 is when seflow stopped using Cogent. It was one of two connections, added Sept 19, 2009. Seflow's ASN was initially connected June 18th 2009, via AS5602, KPNQwest Italia, and you added cogent 3 months later. Want to keep going on this @matteob?

    • matteob Member, Host Rep

      @TACServers said:

      i not said "i never used cogent", we used it, but when @tr1cky joined to us we already ceased to use that carrier. You understand now why i said that is impossible that we have "bad cogent network" as @tr1cky said?

      @William you should consult bgp.he better, it show some peers and cogent is inside peer tab. Please not write if you not know how work that tool to not create more misunderstandings

      Matteo Berlonghi - SeFlow s.n.c.

    • TACServers Member, Provider

      @matteob - You did say you never used cogent... "cogent? We not had cogent in our bgp."

      End of conversation from me.

    • matteob Member, Host Rep
      edited October 2015

      @TACServers said:
      We not had cogent in our bgp."

      Please use all words... i mean:

      We not had cogent in our bgp when tricky was our customer ... is different :-)

      Matteo Berlonghi - SeFlow s.n.c.

    • @matteob said:

      You had cogent when I was your customer. I have multiple identities.

    • matteob Member, Host Rep

      @tr1cky said:
      ... I have multiple identities.

      ok i understand why you feel bad with us. There are no reason to comment more that.

      Sorry, but our customer base is different..

      Matteo Berlonghi - SeFlow s.n.c.

    • /me can see someone covering his face with blanket & stopping lying.

      I don't have any relation/affiliation with any LET Host, All of my comments are my own
      Simple bash script to clean compromised wordpress site [cPanel/WHM specified]

    • TACServers Member, Provider

      @matteob - I will use all your words.

      "you should consult bgp.he better, it show some peers and cogent is inside peer tab. Please not write if you not know how work that tool to not create more misunderstandings"

      No... It was listed as your transit provider.

      https://web.archive.org/web/20101013061631/http://bgp.he.net/AS49367

      "We peer with cogent on MIX for cogent customers, but we not had transit with them"

      Yes, you had transit with them.

      Your story changes... You never had Cogent, Now you didn't have them when someone was your customer. Embrace your history, and run with it. I could care less someone uses cogent, I do have an issue with a company that is supposed to be entrusted with client data that cannot get their facts straight, retracts words, and is running around doing some damage control because they don't want to admit to something from years ago.

      I am really done now.

      https://stat.ripe.net/widget/asn-neighbours-history#w.resource=AS49367&w.starttime=2000-08-01&w.endtime=2015-10-02T12:00

      Thanks,

      Steve W.

      Thanked by 1ATHK
    • William Member, Provider
      edited October 2015

      matteob said: @William you should consult bgp.he better, it show some peers and cogent is inside peer tab. Please not write if you not know how work that tool to not create more misunderstandings

      I know exactly how bgp.he.net works - I am in IRC with the developers. It does not show Cogent peering as HE has no direct route to it then - It only shows it if you have more than their peering table (notably, after testing i found out the easiest way to get a peer to show up there is to have a path to HE via Telia shorter than 2 ASNs, excluding prepends).

      And as reference - An ISP i know has Cogent peering on VIX, DECIX and AMSIX and it does not show up in bgp.he.net as there is no further route to the other Tier1s that HE collects the data from.

    • matteob Member, Host Rep

      @TACServers said:

      ok now you completed the mission to try to discredit a competitor. You should focus your energies to improve your service

      @William said:

      Ok i not know what carrier & peering i use, sorry i will assume you to compensate my ignorance.

      Ok now all are happy, good work :-)

      Matteo Berlonghi - SeFlow s.n.c.

    • Couldn't resist:

    • Corey Member, Provider

      I've had a public teamspeak server for YEARS and never been ddosed. I guess it depends on the type of people you attract to your server.

      Thanked by 2netomx ATHK
      BitAccel - OpenVZ VPS / IRC,VPN,Anything Legal & Unrivaled Support!