HELP ATTACK DDOS SERVERS CS 1.6

Hello good evening, greetings from Argentina.
I need help. With this pandemic we decided to build several Counter-Strike 1.6 servers on a dedicated machine for the same servers. With the passage of time people were entering to the point that they lived full. The problem is that now we are doing DDOS attacks: somehow they saturate the internet connection to the point of not being able to use it at all. This lasts a few minutes and returns to normal. The server is hosted on a Windows server and we are seeing if we can transfer it to Linux / Ubuntu.

Comments

  • have you tried turning it off and back on again

    Thanked by 2TimboJones eingress
  • georgedatacenter Member, Patron Provider

    @Gstrigl said:
    Hello good evening, greetings from Argentina.
    I need help. With this pandemic we decided to build several Counter-Strike 1.6 servers on a dedicated machine for the same servers. With the passage of time people were entering to the point that they lived full. The problem is that now we are doing DDOS attacks: somehow they saturate the internet connection to the point of not being able to use it at all. This lasts a few minutes and returns to normal. The server is hosted on a Windows server and we are seeing if we can transfer it to Linux / Ubuntu.

    Where is your server located?

  • stefeman Member
    edited January 2021

    Don't host on Windows lol.. There's very little you can do when you get attacked when on Windows.

    This goes against all best practices on Linux but keeps it super simple for you.

    Install "tcpdump" and "screen" on your Linux.

    apt-get install tcpdump screen sudo -y
    or
    yum install -y tcpdump screen sudo

    if that fails, try

    apt-get update -y
    or
    yum update -y

    Find out what your network interface name is with either the "ip addr" or "ifconfig" command.

    Mark down whatever it says near your IP address. Usually eth0, eth1, venet0:1, ens3, or something else.

    Create a new file called capture.sh on your root user.

    nano capture.sh

    Copy the contents of: https://pastebin.com/raw/2aBsf5sn

    Paste it with right click in PuTTY.

    Change the "eth0" on top line to match whatever interface name it said on your IP.

    Click Ctrl + O and Enter to save

    sudo chmod 777 capture.sh

    screen -S capture

    ./capture.sh

    Once you see the packet count running, you can close the PuTTY window from "X" and it stays running.

    Now once an attack comes, it creates .pcap file on your /root/ folder.

    If you want your host to help you with the attack, share this .pcap file with your host.

    If you want us to help you with the attack, share this .pcap file with us.

    If you ever restart the server, you must type: ./capture.sh command again to launch the autocapture script.

    Side notes:

    If you get spammed with .pcap files on your /root/ directory even when there's no attack, simply:

    Restart the server with sudo reboot (since it's easier than killing the screen session).

    Change the capture.sh code with nano capture.sh and edit the line:

    if [ $pkt -gt 80000 ]; then

    Change "80000" to a higher number.

    Click Ctrl + O and Enter to save

    Run ./capture.sh again.

    If you don't get any .pcap files on your /root/ directory even when there's an attack, simply:

    Restart the server with sudo reboot (since it's easier than killing the screen session).

    Change the capture.sh code with nano capture.sh and edit the line:

    if [ $pkt -gt 80000 ]; then

    Change "80000" to a lower number.

    Click Ctrl + O and Enter to save

    Run ./capture.sh again.

    In case the pastebin link goes down, here's the full code:

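    interface=eth0
    # Folder where the .pcap files are written.
    dumpdir=/root/
    while true; do
      # Column 2 after "iface:" in /proc/net/dev is the received-packet counter.
      pkt_old=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')
      sleep 1
      pkt_new=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')
      pkt=$(( pkt_new - pkt_old ))
      # printf instead of "echo -ne" so the script also works when run by plain sh.
      printf '\r%s packets/s\033[0K' "$pkt"
      if [ $pkt -gt 80000 ]; then
        printf '\n%s Under Attack. Capturing Packets...\n' "$(date)"
        # Capture 30000 full-size packets on the monitored interface, then stop.
        sudo tcpdump -n -s0 -c 30000 -i "$interface" -w "$dumpdir/dump.$(date +"%Y%m%d-%H%M%S").pcap"
        echo "$(date) Packets Captured."
        # Wait 5 minutes before re-arming, then signal any leftover tcpdump.
        sleep 300 && pkill -HUP -f /usr/sbin/tcpdump
      else
        sleep 1
      fi
    done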
    
    Thanked by 3alexgold vovler ferri
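
A first pass over one of the resulting .pcap files, as an added example that is not part of the post above: it ranks source address, source port, destination port or payload length by packet count from `tcpdump -n -r` text output. `count_by` and `sample_lines` are hypothetical names, and the sample lines are constructed with documentation addresses.

```shell
#!/usr/bin/env bash
# Added example: rank one field of `tcpdump -n` text output by packet count.
# count_by and sample_lines are hypothetical names, not from the thread.

# usage: tcpdump -n -r /root/dump.<timestamp>.pcap | count_by src|sport|dport|len
count_by() {
  awk -v key="$1" '
    $2 == "IP" && $4 == ">" {
      n = split($3, s, "."); m = split($5, d, ".")
      sub(/:$/, "", d[m])                          # destination field ends with ":"
      v["src"]   = s[1] "." s[2] "." s[3] "." s[4]
      v["sport"] = (n == 5) ? s[5] : "-"           # ICMP lines carry no port
      v["dport"] = (m == 5) ? d[5] : "-"
      v["len"]   = ($(NF-1) == "length") ? $NF : "-"
      c[v[key]]++
    }
    END { for (k in c) print c[k], k }' | sort -k1,1nr -k2,2
}

# Constructed sample in `tcpdump -n` format (not a real capture).
sample_lines() {
cat <<'EOF'
12:00:00.000001 IP 203.0.113.5.40001 > 198.51.100.10.27015: UDP, length 25
12:00:00.000002 IP 203.0.113.6.40002 > 198.51.100.10.27015: UDP, length 25
12:00:00.000003 IP 203.0.113.5.40003 > 198.51.100.10.27015: UDP, length 25
12:00:00.000004 IP 203.0.113.7.40004 > 198.51.100.10.27016: UDP, length 25
12:00:00.000005 IP 192.0.2.44.27005 > 198.51.100.10.27015: UDP, length 61
12:00:00.000006 IP 203.0.113.5.40005 > 198.51.100.10.27015: UDP, length 25
12:00:00.000007 IP 198.51.100.10.27015 > 192.0.2.44.27005: UDP, length 180
12:00:00.000008 IP 192.0.2.9 > 198.51.100.10: ICMP echo request, id 1, seq 1, length 64
EOF
}

# Demo on the sample: top three values per field, as "count value".
for k in src dport len; do
  echo "== $k"
  sample_lines | count_by "$k" | head -n 3
done
```

A length or destination port that dominates across many different sources is usually a better thing to show the host than a list of individual IP addresses.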
  • SplitIce Member, Host Rep

    We operate with a PoP in Brazil if it helps. You can check for expected latency against lg.x4b.net.

  • Try running task manager on the Windows server and sort by bandwidth usage to confirm it's the game server.

    Is it possible custom map downloads are swamping the connection when the map changes? I think you can configure it to use a separate webserver for the downloads, so you could offload those to another provider.

    If it is truly an attack, you could run Wireshark to try to identify the traffic and figure out a firewall rule. Or have a webpage players go to whitelist their IP.

  • Yes you should transfer it to Linux, unlike Windows it's invulnerable to ddos attacks.

  • risharde Patron Provider, Veteran

    @marvel said:
    Yes you should transfer it to Linux, unlike Windows it's invulnerable to ddos attacks.

    Are you sure???

  • stefeman Member
    edited January 2021

    @risharde said:

    @marvel said:
    Yes you should transfer it to Linux, unlike Windows it's invulnerable to ddos attacks.

    Are you sure???

    With correct settings, scaling, and resources, yes.

    Unlike Windows, Linux has quite powerful tools on the networking and kernel side and is easier to customize for any task. If you are going to run a third-party packet filtering software in usermode on Windows, you are gonna suffer. Besides, netsh advfirewall is just cancer.

  • On Windows you could download Wireshark and analyse the IP addresses to see if there is any common pattern or country to block.

    If the connections are persistent/established you can check them via netstat.

    If you see a common pattern then block all the attacker IPs via Windows Firewall.

  • I'm confused. Should the word "attack" in the title be "defend" or "prevent" ?
