Quote:
Originally Posted by cadiz
According to Rogean the abuse is from UDP traffic so it seems that simply rate limiting the traffic should be sufficient to block this, with sane thresholds on bitrate and packet size that would constitute and classify abuse appropriately.
Given that the server runs Windows you don't have kernel level packet filtering functionality available, so you'd want a solution available at the switch level or before it arrives at the server.
Most co-location facility carriers provide this functionality; however, you could easily use the same approach with a cheaply built Unix-based machine between drop-->server to rate limit and meter UDP connections.
My 2 copper pieces, this sort of thing is my career outside of Norrath, it pains me dearly to see such an awesome project suffer from a few nerdragers and I'd be more than happy to donate my time and experience to help get us back on track if needed. Rogean, you know how to get in contact with me
Or just shove a Cisco ASA in front of the server, set a max embryonic connection limit of, say, 1000, and then configure an IPS module to also drop packets from obvious attackers.
Someone mentioned that the problem with this kind of solution is the bandwidth being eaten up at the router.
/shrug
We've killed many DDoS attempts at our datacenter doing just what I outlined...
~phin
<edit>
it should be noted that I have no idea if limiting the half opened connections would also affect EQ clients. It certainly doesn't harm web traffic from my experience...
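The quoted post suggests a Unix box in front of the server that meters UDP per source against thresholds on sustained rate and datagram size. The following is an added illustration of that classification logic (not code from this thread or from the project): a per-source token bucket run over a constructed packet trace, with the threshold values and source addresses being assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumed values for illustration, not numbers from the thread.
RATE_BPS = 20_000      # sustained bytes per second allowed per source
BURST_BYTES = 40_000   # how far a source may run ahead of the sustained rate
MAX_DATAGRAM = 512     # largest datagram a legitimate client is expected to send

@dataclass
class Bucket:
    tokens: float = BURST_BYTES
    last_ms: int = 0

class UdpMeter:
    """Token bucket per source address: refill at RATE_BPS, capped at BURST_BYTES."""
    def __init__(self, rate=RATE_BPS, burst=BURST_BYTES, max_size=MAX_DATAGRAM):
        self.rate, self.burst, self.max_size = rate, burst, max_size
        self.buckets = defaultdict(lambda: Bucket(tokens=burst))
        self.stats = defaultdict(lambda: [0, 0])  # src -> [passed, dropped]

    def admit(self, src, ts_ms, size):
        """Return True if the datagram is forwarded, False if it is dropped."""
        b = self.buckets[src]
        # Refill in proportion to elapsed time; integer ms keeps the arithmetic exact.
        b.tokens = min(self.burst, b.tokens + (ts_ms - b.last_ms) * self.rate / 1000)
        b.last_ms = ts_ms
        ok = size <= self.max_size and b.tokens >= size
        if ok:
            b.tokens -= size
        self.stats[src][0 if ok else 1] += 1
        return ok

def meter_trace(packets, meter=None):
    """Run (src, ts_ms, size) records through a meter; return {src: (passed, dropped)}."""
    meter = meter or UdpMeter()
    for src, ts_ms, size in packets:
        meter.admit(src, ts_ms, size)
    return {src: tuple(v) for src, v in meter.stats.items()}

def abusive_sources(stats, min_dropped=100):
    """Sources worth escalating to a longer upstream block: many drops, mostly drops."""
    return {s for s, (p, d) in stats.items() if d >= min_dropped and d > p}

# Constructed trace (not real traffic): a normal client, a flood, and an oversize sender.
TRACE = (
    [("10.0.0.5", i * 100, 100) for i in range(100)]      # 1 kB/s, within profile
    + [("203.0.113.9", i, 500) for i in range(1000)]      # 500 kB/s flood for 1 s
    + [("198.51.100.7", i * 10, 1400) for i in range(5)]  # oversize datagrams
)

if __name__ == "__main__":
    stats = meter_trace(TRACE)
    for src, (passed, dropped) in stats.items():
        print(f"{src:14} passed={passed:4} dropped={dropped:4}")
    print("escalate:", sorted(abusive_sources(stats)))
```

The in-profile client is never throttled, the flood is cut to roughly the sustained rate after its initial burst, and only the flood source crosses the escalation threshold.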