got DDoSed - what to do now?

trexos Member
edited October 2015 in General

Hi folks,

I'm running a small teamspeak server for my friends on a WeLoveServer VPS. Everything was good until today. The VPS got suspended and the IP was nullrouted. I asked them about the reason and they told me it was due to DDoS. They attached the following list:
http://pastebin.com/PLi0iNRR

I never had problems with DDoS so I don't really get much information from that list. But it looks like it was a UDP flood? I checked a few IPs and they are mainly from Germany (where my user base comes from).

What should I do now? Maybe ask for more information like strength of the attack?

Thank you :)


Comments

  • trexos said: What should I do now?

    Look for a new provider that has a decent DDoS protection service included with a good filtering on UDP and Teamspeak protocols.

  • Why do teamspeak servers get attacked so often? Is it because people get banned from game servers and this is their revenge?

  • netomx Moderator, Veteran

    Because kids with their dad's CC

    Thanked by 1Francisco
  • Neoon Community Contributor, Veteran

    It happens, you can run months without it, or get one in your first week after booting your TS.

    Get a DDOS Protected IP or DDOS Protected VPS.

  • teamspeak servers are DDoS sponges, most will eventually get attacked. Give it a week and if it happens again you should consider switching providers to one with better DDoS protection.

    Thanked by 1Francisco
  • I've run my ts3 off my 2.99 kimsufi machine for 2 years and never had a problem. It's quite a large public one. OVH's DDoS protection works well.

    Thanked by 1netomx
  • Sorry, I couldn't resist the temptation to post this.

    Thanked by 3Francisco ehab rokok
  • Get that 1€/m seflow flexcloud VPS with OVH DDoS protection and you'll be fine: http://seflow.net/2/index.php/en/services/flexcloud/flexpricing

    Thanked by 2netomx sin
  • rm_ IPv6 Advocate, Veteran

    etcSudoers said: Why do teamspeak servers get attacked so often? Is it because people get banned from game servers and this is their revenge?

    For example, in many MMOs there are competitive events between clans which happen on a set schedule and require voice-based coordination between 20-30 people or more. If you are able to take down an enemy clan's TS server, I suppose that's exactly the same as jamming all of the enemy radio comms on a battlefield. Not sure if that's what happened in this case, of course.

  • I just moved a group over to Discord which is completely free. Still relatively early in development, but it works very well. Great web app in addition to native apps for Windows (does not work on XP or Vista), Mac, iOS, and Android.

  • thanks for all your answers!

    Well, it was just a small ts and I only banned one person and I'm pretty sure that he isn't able to do something like that. Maybe they found the IP in the server browser and thought that it would be funny to kick 30 persons out. Who knows. Anyway, I moved my ts server to one of my online.net boxes now. I heard that the DDoS protection from online.net isn't that good, but the box was nearly free so let's see. Is there a tab in online.net's interface where I can see current mitigation or other information about the DDoS protection? Do I receive notifications?

    @tr1cky 1€ sounds quite good, but I don't expect it to happen again. So let's see. Seflow is that well known Italian hoster, isn't it? So safe to go?

    @DH22 I still want to use teamspeak. Although there are way better alternatives out there (like Discord). But still, I'm not interested in forcing my friends to use another client.

  • trexos said: @tr1cky 1€ sounds quite good, but I don't expect it to happen again. So let's see. Seflow is that well known Italian hoster, isn't it? So safe to go?

    SeFlow has average support and a bad network in Italy, but for FlexCloud and their France location they use OVH and that works pretty good.

    Thanked by 1trexos
  • Drop the load balancers and call Prolexic.

  • trexos said: Do I receive notifications?

    Yes In your panel https://console.online.net/en/network/ddos

    Thanked by 1trexos
  • There's nothing special in the logs they've provided you, only a few IPs, no payloads, nothing to calculate the number of packets per second and bandwidth that were used in this "attack".
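
The figures an attack report needs in order to answer the "strength of the attack" question, as an added example that is not part of the thread: peak packets per second, peak bandwidth, distinct sources and protocol share, computed from flow records. The record layout, the ports (9987/udp and 10011/tcp, TeamSpeak's defaults) and every sample value are constructed assumptions; the provider's list is not reproduced here.

```python
import csv
import io
from collections import defaultdict

# Constructed sample records (not the thread's pastebin data). Assumed layout:
# epoch_second,src_ip,proto,dst_port,packets,bytes
SAMPLE_FLOWS = """\
1444500000,192.0.2.10,udp,9987,40000,2400000
1444500000,192.0.2.11,udp,9987,35000,2100000
1444500000,198.51.100.7,tcp,10011,20,1800
1444500001,192.0.2.10,udp,9987,60000,3600000
1444500001,192.0.2.12,udp,9987,50000,3000000
1444500001,203.0.113.5,udp,9987,50,6000
1444500002,192.0.2.11,udp,9987,10000,600000
"""


def summarize(flow_csv):
    """Aggregate flow records into the figures an attack report should state."""
    per_second = defaultdict(lambda: [0, 0])  # second -> [packets, bytes]
    per_proto = defaultdict(int)              # protocol -> packets
    per_source = defaultdict(int)             # source IP -> packets
    for row in csv.reader(io.StringIO(flow_csv)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, src, proto, _dport, pkts, nbytes = row
        pkts, nbytes = int(pkts), int(nbytes)
        per_second[int(ts)][0] += pkts
        per_second[int(ts)][1] += nbytes
        per_proto[proto] += pkts
        per_source[src] += pkts
    total = sum(per_proto.values())
    top = sorted(per_source.items(), key=lambda kv: kv[1], reverse=True)[:3]
    return {
        "peak_pps": max(p for p, _ in per_second.values()),
        "peak_bps": max(b for _, b in per_second.values()) * 8,
        "sources": len(per_source),
        "udp_share": per_proto["udp"] / total,
        "top_sources": top,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS)
    print(f"peak: {report['peak_pps']} pps, {report['peak_bps'] / 1e6:.1f} Mbit/s")
    print(f"sources: {report['sources']}, UDP share: {report['udp_share']:.2%}")
    for ip, pkts in report["top_sources"]:
        print(f"  {ip}: {pkts} packets")
```

A list of source IPs alone gives none of these numbers, which is why the packet and byte counters per interval are the fields to ask the provider for.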

  • saibal Member
    edited October 2015

    I would doubt if it was actually a DDoS attack. WLS suspended my VPS (UK) due to a DDoS attack once and the logs they provided had only three events with the IPs belonging to Microsoft Corp. As others have mentioned earlier, look for a new provider.

  • saibal said: the IPs belonging to Microsoft Corp

    You know MS owns Azure cloud, and is used for attacks?

  • @netomx said:
    Because kids with their dad's CC

    and dad's CC + Blackhat = bye bye website

    Thanked by 1netomx
  • @tr1cky said:

    Hi,
    sorry for the off topic, but why bad network? It has been years since we had outages, and we use only premium providers like Level3 and NTT

  • tr1cky Member
    edited October 2015

    @matteob said:

    That was my experience with you when I had service in your Italy location.
    Maybe it changed, but your cogent network back then was pretty bad.
    I'm also very interested in why you lie about your network in France.
    You don't have any own filtering appliances there as you said, it's OVH-only.
    When I told you to enable seguard in France you simply enabled OVH's permanent mitigation.

    Thanked by 1Jonchun
  • @tr1cky said:

    cogent? We not had cogent in our bgp. @tr1cky are you sure you're talking about right provider?

    http://bgp.he.net/AS49367

    You see cogent? We use only premium provider :-)

    As Strasbourg Protection we not lie, we always said that we're in colo in OVH, we use ovh protection for bigger attack and our l7 appliances for intelligent attacks.

    @tr1cky based on your words i really suspect you're confusing us with another provider...

  • matteob said: cogent? We not had cogent in our bgp. @tr1cky are you sure you're talking about right provider?

    You used cogent in the past.

    matteob said: As Strasbourg Protection we not lie, we always said that we're in colo in OVH, we use ovh protection for bigger attack and our l7 appliances for intelligent attacks.

    I told you to enable seguard permanently and you enabled OVH VAC permanently.
    It's also very interesting that a TCP ACK attack can take a flexcloud server down just as it can take down any OVH server.

  • matteob said: cogent? We not had cogent in our bgp

    What a load of bs wayback machine of bgp.he.net: https://web.archive.org/web/20120306125337/http://bgp.he.net/AS49367#_peers

    2nd on the list Cogent Communications

  • @Razza said:

    Peer is different than Transit

    Transit = you receive full or partial internet route

    Peer = you receive route of isp's customers.

    We peer with cogent on MIX for cogent customers, but we not had transit with them

  • @matteob an older version of seflow site https://web.archive.org/web/20120618092513/http://www.seflow.net/infrastruttura/network.php "The connectivity is provided by three independent carriers: Atrato-IP, CogentCo and KPNQWest." Down the page a bit there is a graph for traffic usage on a 10Gbit link with cogent.
    It looks like seflow had transit with cogent at one time

  • matteob Barred
    edited October 2015

    @Razza said:

    was 4 years ago and we launched ddos protection 2 years ago and cloud platform last year.... times not coincide :-)

  • William Member
    edited October 2015

    matteob said: We peer with cogent on MIX for cogent customers, but we not had transit with them

    Cogent peering does not show up on bgp.he.net - Only transit.

  • TACServers Member
    edited October 2015

    @tr1cky @matteob @razza Dec 19, 2013 is when seflow stopped using Cogent. It was one of two connections, added Sept 19, 2009. Seflow's ASN was initially connected June 18th 2009, Via AS5602, KPNQwest Italia, and you added cogent 3 months later. Want to keep going on this @matteob?

  • @TACServers said:

    i not said "i never used cogent", we used it, but when @tr1cky joined to us we already ceased to use that carrier. You understand now why i said that is impossible that we have "bad cogent network" as @tr1cky said?

    @William you should consult bgp.he better, it show some peers and cogent is inside peer tab. Please not write if you not know how work that tool to not create more misunderstandings

  • @matteob - You did say you never used cogent... "cogent? We not had cogent in our bgp."

    End of conversation from me.
