|
|
#11
07-19-2013, 09:43 AM
|
||||
|
Quote:
On a serious note...I am tech savvy as a mofo. I was the editor of the school newspaper in high school so I know the Apple IIe inside and out. And I once programmed a game where you shoot exclamation marks at equal signs in QBasic. If you need my l33t haxxor skills lmk. | |||
|
|
||||
|
#12
07-19-2013, 10:45 AM
|
|||
|
There are only two ways to mitigate a DDOS. Expensive hardware (both on the network and server side) and well written firewall rules.
If I had to guess I would say that the firewall rules are already fine and this is purely a matter of money. P99 is already hosted by a company that offers DDOS mitigation. However, as with all things, you get what you pay for. It's likely that if the P99 staff payed out another $5k-$10k a month the attack would be fully mitigated. What we have right now is the best performance we can get with the resources available. It would be interesting to see a packet capture from the server side though if any sensitive information could be stripped. | ||
|
Last edited by azxten; 07-19-2013 at 10:47 AM..
|
|
||
|
#14
07-19-2013, 11:03 AM
|
||||
|
Quote:
but in all seriousness, ty to the people who PM'd. I sent Rogean a note regarding this we'll see where if goes (if anywhere). | |||
|
|
||||
|
#15
07-19-2013, 11:13 AM
|
|||
|
Its pretty simple really. There is some volume of traffic directed at the server. Some percentage of this is malicious DDOS attack traffic.
Can that malicious traffic be differentiated from legitimate traffic? If yes, then it can be filtered out. However, filtering takes CPU cycles and more complex rules typically require more cycles. Where do we do the filtering? Options are on the server ($) or on an upstream router ($$) or security appliance ($$$). Doing it on your own server is cheap but its also a bit too late because now the server is handling the packet filtering thus overloading itself. Doing it on an upstream router is more expensive because XYZ data center has to maintain the rules for you but moves the load off the server. Doing it on a security appliance is most expensive because they cost to buy but is most effective due to being purpose built. If no, then all of that traffic needs to hit the server and the server needs to keep up. ($$$$) This typically means bringing in a load balancer and shifting to a multi-server architecture which typically means the server software will require adjustments to run properly since this is all custom code. ($$$$$) I'm guessing the server is at the point where the attack is being mitigated on an upstream router/security appliance but its dynamic enough in nature that it can still cause outages until the firewall adjusts to the new sources. | ||
|
Last edited by azxten; 07-19-2013 at 11:15 AM..
|
|
||
|
#16
07-19-2013, 11:20 AM
|
|||
|
Is this ICMP or what?
I know the server is being DDoS'd but we know nothing of the nature of the attack. Going jihad on Kegz and pissing him off (if its not him) is just going to add more problems. | ||
|
|
|||
|
#17
07-19-2013, 11:28 AM
|
|||
|
I'd be interested to see a packet capture as well or hear something from staff.
Considering the amount of trouble this has caused I imagine this is something more custom built which mimics legitimate traffic. Login server login attempts or something like that. Then I would guess there is a firewall rule which watches for X packets per Y time to the server which is considered abnormal and blacklists the IP for some period of time. So, every time there is a lag spike its when the attack starts from a new collection of IPs which must be allowed access for a period of time to determine if they are malicious or not. This is all just a rough guess but hopefully it provides some insight into how these things work for those who are curious. | ||
|
|
|||
|
#18
07-19-2013, 11:59 AM
|
|||
|
No clue what is really going on here but if I had to guess, I'd say just plain UDP flooding.
UDP is connectionless, meaning it's one way from the sender to the P99 server. This allows the source IP to be spoofed, thus a single host can pretend to be sending from a few thousand different IP's making blocking very hard. Most good ISP's will have spoof protection turned on, but it only takes a handful of zombied hosts that don't have the protection on to overwhelm the server. I would assume that the EQ client uses some UDP connections back to the server, which the port they are spoofing on. You can;t block that port, because it is how the legit clients work. This is all just a wild guess, but probably pretty close. -Chris | ||
|
|
|||
|
#19
07-19-2013, 12:07 PM
|
|||
|
There are two potential effects:
A) There is a socket connection and the server is requested to perform some sort of task (i.e. login) This taxes the servers process resources. B) Its mostly dropped trash traffic (ICMP flood etc.) and overwhelms network equipment. Scenario B is mitigated by over-provisioning bandwidth usually. Scenario A is much more difficult to respond to unless a solution is developed to trust connections sources and therefore drop packets before they reach the server. Regardless, to fix the problem by throwing money at it is unlikely to be very efficient or effective. Now one potential theory I had (im a receptionist at an IT firm too) is that they may be abusing socket connections to the webserver (spam HTTP requests) as it seems the website goes down (colocated/same box/same VM) with the game server. If someone would be able to confirm or refute this, i would be willing to pony up a little cash to help get the website/forums hosted on a separate instance to mitigate that vulnerability. | ||
|
|
|||
 |
|
|
Linear Mode
