New on LowEndTalk? Please Register and read our Community Rules.
got DDoSed - what to do now?
Hi folks,
I'm running a small teamspeak server for my friends on a WeLoveServer VPS. Everything was good until today. The VPS got suspended and the IP was nullrouted. I asked them about the reason and they told me it was due to DDoS. They attached the following list:
http://pastebin.com/PLi0iNRR
I never had problems with DDoS so I don't really get much information from that list. But it looks like it was a UDP flood? I checked a few IPs and they are mainly from Germany (where my user base comes from).
What should I do now? Maybe ask for more information like strength of the attack?
Thank you
Comments
Look for a new provider that has a decent DDoS protection service included with a good filtering on UDP and Teamspeak protocols.
Why do teamspeak servers get attacked so often? Is it because people get banned from game servers and this is their revenge?
Because kids with their dad's CC
It happens, you can run months without it, or get one in your first week after booting your TS.
Get a DDOS Protected IP or DDOS Protected VPS.
teamspeak servers are DDoS sponges, most will eventually get attacked. Give it a week and if it happens again you should consider switching providers to one with better DDoS protection.
I've run my ts3 off my 2.99 kimsufi machine for 2 years and never had a problem. It's quite a large public one. OVH's DDoS protection works well.
Sorry, I couldn't resist the temptation to post this.
Get that 1€/m seflow flexcloud VPS with OVH DDoS protection and you'll be fine: http://seflow.net/2/index.php/en/services/flexcloud/flexpricing
For example, in many MMOs there are competitive events between clans which happen on a set schedule and require voice-based coordination between 20-30 people or more. If you are able to take down an enemy clan's TS server, I suppose that's exactly the same as jamming all of the enemy radio comms on a battlefield. Not sure if that's what happened in this case, of course.
I just moved a group over to Discord which is completely free. Still relatively early in development, but it works very well. Great web app in addition to native apps for Windows (does not work on XP or Vista), Mac, iOS, and Android.
thanks for all your answers!
Well, it was just a small ts and I only banned one person and I'm pretty sure that he isn't able to do something like that. Maybe they found the IP in the server browser and thought that it would be funny to kick 30 persons out. Who knows. Anyway, I moved my ts server to one of my online.net boxes now. I heard that the DDoS protection from online.net isn't that good, but the box was nearly free so let's see. Is there a tab in online.net's interface where I can see current mitigation or other information about the DDoS protection? Do I receive notifications?
@tr1cky 1€ sounds quite good, but I don't expect it to happen again. So let's see. Seflow is that well known Italian hoster, isn't it? So safe to go?
@DH22 I still want to use teamspeak. Although there are way better alternatives out there (like Discord). But still, I'm not interested in forcing my friends to use another client.
SeFlow has average support and a bad network in Italy, but for FlexCloud and their France location they use OVH and that works pretty well.
Drop the load balancers and call Prolexic.
Yes, in your panel: https://console.online.net/en/network/ddos
There's nothing special in the logs they've provided you, only a few IPs, no payloads, nothing to calculate the number of packets per second and the bandwidth that were used in this "attack".
I would doubt if it was actually a DDoS attack. WLS suspended my VPS (UK) due to a DDoS attack once and the logs they provided had only three events with the IPs belonging to Microsoft Corp. As others have mentioned earlier, look for a new provider.
You know MS owns Azure cloud, and is used for attacks?
and dad's CC + Blackhat = bye bye website
Hi,
Sorry for the off-topic, but why bad network? It has been years since we had outages, and we use only premium providers like Level3 and NTT.
That was my experience with you when I had service in your Italy location.
Maybe it changed, but your cogent network back then was pretty bad.
I'm also very interested in why you lie about your network in France.
You don't have any filtering appliances of your own there as you said, it's OVH-only.
When I told you to enable seguard in France you simply enabled OVH's permanent mitigation.
cogent? We not had cogent in our bgp. @tr1cky are you sure you're talking about right provider?
http://bgp.he.net/AS49367
Do you see cogent? We use only premium providers :-)
As for the Strasbourg protection, we do not lie; we always said that we're in colo in OVH, we use OVH protection for bigger attacks and our L7 appliances for intelligent attacks.
@tr1cky based on your words I really suspect you're confusing us with another provider...
You used cogent in the past.
I told you to enable seguard permanently and you enabled OVH VAC permanently.
It's also very interesting that a TCP ACK attack can take a flexcloud server down just as it can take down any OVH server.
What a load of BS. Wayback Machine of bgp.he.net: https://web.archive.org/web/20120306125337/http://bgp.he.net/AS49367#_peers
2nd on the list Cogent Communications
Peer is different than Transit.
Transit = you receive full or partial internet routes.
Peer = you receive the routes of the ISP's customers.
We peer with cogent on MIX for cogent customers, but we did not have transit with them.
@matteob an older version of the seflow site: https://web.archive.org/web/20120618092513/http://www.seflow.net/infrastruttura/network.php "The connectivity is provided by three independent carriers: Atrato-IP, CogentCo and KPNQWest." Down the page a bit there is a graph for traffic usage on a 10Gbit link with cogent.
It looks like seflow had transit with cogent at one time.
That was 4 years ago, and we launched DDoS protection 2 years ago and the cloud platform last year.... the times do not coincide :-)
Cogent peering does not show up on bgp.he.net - Only transit.
@tr1cky @matteob @razza Dec 19, 2013 is when seflow stopped using Cogent. It was one of two connections, added Sept 19, 2009. Seflow's ASN was initially connected June 18th 2009, via AS5602, KPNQwest Italia, and you added cogent 3 months later. Want to keep going on this @matteob?
I did not say "I never used cogent"; we used it, but when @tr1cky joined us we had already ceased to use that carrier. Do you understand now why I said that it is impossible that we have a "bad cogent network", as @tr1cky said?
@William you should consult bgp.he more carefully; it shows some peers, and cogent is inside the peer tab. Please do not write if you do not know how that tool works, so as not to create more misunderstandings.
@matteob - You did say you never used cogent... "cogent? We not had cogent in our bgp."
End of conversation from me.