Delimiter DDoS / Shutting Down Server

johoja

Hey Guys,

I have a dedicated server at delimiter / dual e5420/16gb ram/1tb hd/10tb transfer

The problem i have though is for some reason i keep getting shutdown for hours at a time - right now at 12 hours - and i'm not running anything public on my server no game server, no teamspeak etc.

Do you guys have any alternatives in the same price range ( i have the black friday deal which I believe is 20$ a month)

Wolf

Short:
no. They are by far the cheapest.

@MarkTurner <-- get in touch with him.

stallion

Have you tried to contact support? Contact @MarkTurner here. He usually is quick to solve problems.

GCat

@MarkTurner

MarkTurner

What are you running on the server?

GM2015

I've got the same server with no issues I know of.

johoja said:

MarkTurner

GM2015 said: I've got the same server with no issues I know of.

If he is being null routed, he is attracting incoming DOS/DDOS. Once we know what he is actually running then we can take it from there.

My money is on: Teamspeak / Gameservers / Plex

Francisco

MarkTurner said: Plex

Wat

MarkTurner

Francisco said: Wat

We have had a lot of DDOS against Plex servers. Both incidents we had last week were aimed at two unrelated customers with Plex servers.

Francisco

@MarkTurner said:

That doesn't even make sense. Why would someone attack someones Plex server? Of all things to target...

It's like the people that attack porn sites. WHY?

Francisco

MarkTurner

Francisco said: That doesn't even make sense. Why would someone attack someones Plex server? Of all things to target...

I think for fun, they know people are using them to watch some films and it causes disruption.

Best thing is to whitelist IPs/IP ranges to 32400 then when the port scans happen Plex is not detected.

Its like Teamspeak or gameservers - why DDOS them? Sour grapes?

Wolf

@Francisco

johoja

I am running Plex. I wasn't aware that plex was also targeted - i'll have to setup a whitelist for IPs then, Still waiting for it to come back up - will have to wait until then.

@MarkTurner does the null route get lifted automatically after the ddos subsides ?

MarkTurner

johoja said: I am running Plex.

Lock down port 32400 to the IPs you use and you won't get a 'drive-by' DDOS

linuxthefish

MarkTurner said: We have had a lot of DDOS against Plex servers. Both incidents we had last week were aimed at two unrelated customers with Plex servers.

Someone trying to get delimiter clients in trouble?

MarkTurner

linuxthefish said: Someone trying to get delimiter clients in trouble?

I think just a new sport, I see it on other brands too.

joshb

Any idea what country the Plex DDos IP's came from mainly?

ATHK

I'd be pissed... Watching a movie then BAM some.knob is DDoSing you..

mike0000

@joshb said:
Any idea what country the Plex DDos IP's came from mainly?

The IPs doing the ddosing likely come from all over, the IPs port scanning to find your plex server are probably from China. Blocking Chinese IPs usually fixes most security issues.

joshb

Ok, since I have no one outside of the USA, I simply allowed only US ip blocks to access to my Plex server in Iptables.

Francisco

@joshb said:
Ok, since I have no one outside of the USA, I simply allowed only US ip blocks to access to my Plex server in Iptables.

Use ipset, you're completely mudering your network performance with that big of an ACL.

Francisco

hawc

Yea, as every connection to your server is having to be checked against that incredibly long list of IPs that are blocked.

johoja

I've been using ufw to allow a few block of IPs but with plex it's hard as you can be on your phone at a hotel etc and you have to keep allowing IPs.

Do you guys think using ipset to block China would do the trick? They never sent me the logs so not sure where the attack / poet scan came from

Nekki

johoja said: I've been using ufw to allow a few block of IPs but with plex it's hard as you can be on your phone at a hotel etc and you have to keep allowing IPs.

Buy a couple of LES, setup VPN's, only allow those through, job done.

mike0000

@Nekki said:
Buy a couple of LES, setup VPN's, only allow those through, job done.

I was chatting with @MarkTurner about a way to effectively whitelist folks, especially in a multi-user situation. His suggestion was have a webpage up that people need to login to which automatically updates the ACL to allow that /32. Rather than doing IP ranges at the country/ASN level, you just need to visit server.com/plex and punch in a user/pass to unblock the /32 you're on.

Kris

https://www.rfxn.com/projects/advanced-policy-firewall/

Run install.sh, it will give you the active ports to open and configure, leave Plex's port out*. Set them in conf.apf.

Make sure to use the monokern flag if you're on OVZ, etc.

Then use the below to refresh your IP set daily for global allowed. While you're at it, block ISPs you don't like with global deny.

/etc/apf/conf.apf :

##
# Global Trust
##
# This is an implementation of the trust rules (allow/deny_hosts) but
# on a global perspective. You can define below remote addresses from
# which the glob_allow/deny.rules files should be downloaded from on
# a daily basis. The files can be maintained in a static fashion by
# leaving USE_RGT=0, ideal for a host serving the files.
USE_RGT="0"

GA_URL="yourhost.com/glob_allow.rules"
GA_URL_PROT="http"

GD_URL="yourhost.com/glob_deny.rules"
GD_URL_PROT="http"

*EDIT: Make sure not to add your Plex ports in the conf.apf, so only your global trust IPs can access it.

ManofServer

Time to buy up that Netflix subscription you've been evading!

theroyalstudent

@ManofServer said:
Time to buy up that Netflix subscription you've been evading!

NETFLIX AND CHILL

tehdan

I guess the children who do this sort of stuff view it as target practice...

Sounds like a perfect job for port knocking. I'd best get it set up before they start DDOSing my home range...

yhuza

can someone offers me dedicated 20usd, my budget is 15usd to 20usd only

Wolf

@MarkTurner