Project 1999

#21  07-27-2013, 04:24 PM
Splorf22
Planar Protector
Join Date: Mar 2011
Posts: 3,237

Anycast will not work for P1999 because we cannot replicate our service across multiple data centers (that would result in 10 copies of the server). Turp, the problem with your diagram is that somehow your router is magically detecting which traffic is 'bad' and sending it elsewhere, and unfortunately that is not possible.

I think Rogean could actually do a lot more against these attacks than he has, probably because he has a job and such. Some interesting things:
  • Why not keep a list of IPs that send each packet and cross-reference against the list of IPs that are logged in? It would not surprise me at all if this is one guy, or one IP is sending a hugely different set of packets than anyone else. Probably they have only found one vulnerability and are just hammering on it, so you should see 1 IP with 95% "requesttrackinginfo" packets or something when no one else has more than 20%.
  • Detecting a DOS attack should be fairly easy (just have a ping process or monitor cpu load or whatnot) and at that point enable profiling to see which part of the code they are attacking (if they are overloading the CPU, not the network)
  • Search the logs for AON transactions and try to trace them back to their source to find which ones were duped and which characters acquired the duped ones.

The corollary to all of this is that I'm making the assumption they are sending Everquest packets because they have found some vulnerability in the server code. If they are just flooding the datacenter with DNS packets or whatnot, there is nothing Rogean can do other than pay for more bandwidth.
Last edited by Splorf22; 07-27-2013 at 04:29 PM..
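Added example (not from the thread, and not P1999's code): the check Splorf22 describes in the first bullet, written as a small Python script. It builds each source IP's opcode mix from a packet log, flags any IP whose traffic is dominated by one opcode that nobody else sends in volume, and cross-references senders against the login list. The log lines, the opcodes other than "requesttrackinginfo", the addresses and the login list are all constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed packet log (not from the thread): one "<src_ip> <opcode>" line per
# packet. 192.0.2.77 sends 95% of its packets as one opcode; nobody else tops 20%.
PACKET_LOG = """\
10.0.0.5 zonechange
10.0.0.5 clientupdate
10.0.0.5 clientupdate
10.0.0.5 spawnappearance
10.0.0.5 clientupdate
10.0.0.5 requesttrackinginfo
10.0.0.6 clientupdate
10.0.0.6 clientupdate
10.0.0.6 zonechange
10.0.0.6 spawnappearance
""" + "\n".join(["192.0.2.77 requesttrackinginfo"] * 95
                + ["192.0.2.77 clientupdate"] * 5)

LOGGED_IN = {"10.0.0.5", "10.0.0.6"}  # constructed: IPs with a login session


def opcode_share(log):
    """Map each source IP to {opcode: fraction of that IP's packets}."""
    counts = defaultdict(Counter)
    for line in log.splitlines():
        if line.strip():
            ip, opcode = line.split()
            counts[ip][opcode] += 1
    return {ip: {op: n / sum(c.values()) for op, n in c.items()}
            for ip, c in counts.items()}


def suspicious_sources(log, logged_in, threshold=0.8, baseline=0.2):
    """(ip, opcode, share, has_session) for each IP whose traffic is at least
    `threshold` one opcode while no other IP exceeds `baseline` for it."""
    shares = opcode_share(log)
    findings = []
    for ip, ops in shares.items():
        for opcode, share in ops.items():
            others = max((shares[o].get(opcode, 0.0) for o in shares if o != ip),
                         default=0.0)
            if share >= threshold and others <= baseline:
                findings.append((ip, opcode, round(share, 2), ip in logged_in))
    return findings


def unauthenticated_sources(log, logged_in):
    """IPs sending game packets without a login session."""
    return set(opcode_share(log)) - set(logged_in)
```

On the constructed log, `suspicious_sources` reports only 192.0.2.77 hammering "requesttrackinginfo" at 95% with no login session, which is the pattern the post predicts.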
#22  07-27-2013, 04:26 PM
Rogean
¯\_(ツ)_/¯
Join Date: Oct 2009
Location: Massachusetts
Posts: 5,393

Quote:
Originally Posted by kingsBlend
How do you not know just a little bit on Network Security?
It's not a lack of knowledge. It's a lack of time and resources.

I have a full time job that gets increasingly busy in the summer. I have commitments all this weekend. I have a trip coming up that I leave for very soon that will put me away for a week. The timing of all of this shit happening is the worst it could possibly be.

Look up DNS Amplification attack, and you guys will see just how little there is that I can do about it myself. No amount of equipment I put on my side of our data center drop will help line saturation. It's up to our data center. I'm seeing what they are willing to do, as well as their upstream providers (Level3).

We used to have DDoS protection. It's one of the reasons that we moved to the data center we're at now. But then they decommissioned the device and decided to not replace it, so now we're stuck in the data center without mitigation. If there's nothing they can do to stop this then we're looking at literally a month or two for us to find and move to a data center that can.
__________________
Sean "Rogean" Norton
Project 1999 Co-Manager

Project 1999 Setup Guide
#23  07-27-2013, 04:34 PM
captincrust
Aviak
Join Date: Sep 2012
Posts: 74

As far as I know, this is the most common and effective response to combating DDoS attacks. Often your internet service provider will do this sort of stuff as well, since it clogs up their network to a degree. I think this is the best option.

There may be something to be done with the login server. EQEmu has been getting pummeled simultaneously and I suspect there is some bug being exploited with the login server. Various eqemu cheat sites (i.e. RedGuides) have alluded to this very recently.
#24  07-27-2013, 04:46 PM
Glorindale
Sarnak
Join Date: May 2010
Posts: 209

Quote:
Originally Posted by Rogean
It's not a lack of knowledge. It's a lack of time and resources.

I have a full time job that gets increasingly busy in the summer. I have commitments all this weekend. I have a trip coming up that I leave for very soon that will put me away for a week. The timing of all of this shit happening is the worst it could possibly be.

Look up DNS Amplification attack, and you guys will see just how little there is that I can do about it myself. No amount of equipment I put on my side of our data center drop will help line saturation. It's up to our data center. I'm seeing what they are willing to do, as well as their upstream providers (Level3).

We used to have DDoS protection. It's one of the reasons that we moved to the data center we're at now. But then they decommissioned the device and decided to not replace it, so now we're stuck in the data center without mitigation. If there's nothing they can do to stop this then we're looking at literally a month or two for us to find and move to a data center that can.
Ah. Now all of you conspiracy theorists can put your "duping" conspiracies to rest. This attack isn't exploiting the game. It is exploiting the TCP/IP stack.

Rogean, it sounds like this attack is affecting other hosted customers at your ISP? If so maybe they will actually do something about it.
#25  07-27-2013, 04:47 PM
kingsBlend
Sarnak
Join Date: Sep 2010
Posts: 238

I'm sure there are plenty of network security specialists here, which given the right information, could easily put a stop to it.
#26  07-27-2013, 04:52 PM
Rogean
¯\_(ツ)_/¯
Join Date: Oct 2009
Location: Massachusetts
Posts: 5,393

Quote:
Originally Posted by kingsBlend
I'm sure there are plenty of network security specialists here, which given the right information, could easily put a stop to it.
Again, it's not a lack of information. We already know how to stop it. It's up to the data center if they want to help or not.

And no, other customers are not getting affected. The attack would need to be over 10 GBit for that to occur.
Last edited by Rogean; 07-27-2013 at 04:54 PM..
#27  07-27-2013, 04:53 PM
Agatha
Banned
Join Date: Mar 2013
Location: Elf Simulator
Posts: 1,957

Quote:
Originally Posted by kingsBlend
I'm sure there are plenty of network security specialists here, which given the right information, could easily put a stop to it.
As a network security specialist myself, I can't recommend just offering anyone with their hands up saying they are a network security specialist and just offering their services a position. As I would tell my client, that is not a very secure thing to do.

On the other hand, I am a computer security specialist that has worked in many job sectors, defense and private alike. Get at me, Rogean; I can help you out.

Edit: Take an IP address that is sending a verified DDoS attack, gain root, recover the bot from that computer, debug, see where it connects, join as a zombie, see what login commands the owner is using, use them to gain control of his net and add it to mine, I mean destroy it.
Last edited by Agatha; 07-27-2013 at 04:59 PM..
#28  07-27-2013, 04:54 PM
Glorindale
Sarnak
Join Date: May 2010
Posts: 209

Quote:
Originally Posted by kingsBlend
I'm sure there are plenty of network security specialists here, which given the right information, could easily put a stop to it.
If it is line saturation like Rogean says there isn't anything he can do about it since that is the ISP's equipment. It isn't just about knowledge. He can ask them to do something about it but it is ultimately up to them which course of action to take. If this is affecting their other customers as well they might be willing to do something. Or they might have to put pressure on their upstream provider. However, Rogean cannot force them to do anything and certainly has no influence with his ISP's provider.

My experience with problems like this is they are not really worried about it unless you are a large customer or if it affects many customers. However, it sounds like it is only affecting project1999's link to the ISPs network.

Even if Rogean installed a tricked out firewall with IPS capabilities it wouldn't matter, because the attacker is sending so much traffic it is saturating his pipe. If Rogean paid for a bigger pipe it would likely get saturated too; it would just take that many more DNS responses to do it.
Last edited by Glorindale; 07-27-2013 at 05:00 PM..
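Added example (not from the thread, and not P1999's code) that puts Rogean's and Glorindale's point into a small Python check: reflected DNS responses are easy to tell apart from real answers at the border, because no matching outbound query was ever sent, but once their inbound rate alone exceeds the access link, a filter on the server side of the drop discards packets that have already consumed the pipe. The flow-record format, the server, resolver and reflector addresses, the 3000-byte response size and the 100 Mbit link are all constructed assumptions.

```python
# Constructed one-second flow sample (not from the thread):
# (src_ip, src_port, dst_ip, dst_port, bytes, direction as seen from our server).
SERVER = "198.51.100.10"                                     # assumed server address
FLOWS = [
    (SERVER, 40001, "203.0.113.53", 53, 70, "out"),          # our own DNS query
    ("203.0.113.53", 53, SERVER, 40001, 400, "in"),          # its legitimate answer
]
# 5000 reflected 3000-byte responses from open resolvers that were sent queries
# with our address forged as the source; we never asked them anything.
FLOWS += [(f"203.0.113.{i % 254 + 1}", 53, SERVER, 1024 + i, 3000, "in")
          for i in range(5000)]


def classify_dns(flows):
    """Split inbound port-53 bytes into solicited (a matching outbound query
    exists in the same sample) and unsolicited (reflected) totals."""
    expected = {(dst, dport, src, sport)
                for src, sport, dst, dport, _, d in flows if d == "out"}
    solicited = unsolicited = 0
    for src, sport, dst, dport, size, d in flows:
        if d != "in" or sport != 53:
            continue
        if (src, sport, dst, dport) in expected:
            solicited += size
        else:
            unsolicited += size
    return solicited, unsolicited


def link_saturated(bytes_per_second, link_mbit):
    """True when this inbound rate alone exceeds the access link."""
    return bytes_per_second * 8 / 1_000_000 > link_mbit


def assess(flows, link_mbit=100):
    """How much of the inbound DNS is reflection, and would dropping it on the
    server side of the link help? Not once the link itself is full."""
    solicited, unsolicited = classify_dns(flows)
    saturated = link_saturated(unsolicited, link_mbit)
    return {"solicited_bytes": solicited,
            "unsolicited_bytes": unsolicited,
            "unsolicited_mbit": unsolicited * 8 / 1_000_000,
            "link_saturated": saturated,
            "host_side_filter_helps": not saturated}
```

With the constructed sample the reflected traffic is 120 Mbit/s against a 100 Mbit link, so the server-side filter would correctly identify every reflected packet and still not help; the drop has to happen upstream, which is the data center's call.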
#29  07-27-2013, 04:55 PM
Rogean
¯\_(ツ)_/¯
Join Date: Oct 2009
Location: Massachusetts
Posts: 5,393

Quote:
Originally Posted by Glorindale
It is exploiting the TCP/IP stack.
DNS is UDP Traffic, not TCP.
#30  07-27-2013, 04:59 PM
SamwiseRed
Planar Protector
Join Date: Dec 2011
Location: Tatooine
Posts: 10,186

Rogean, any chance of throwing up a new temporary red for us to play on? It would be cool to see how well it does. Just a thought, no idea if it would be possible to set up a server in less than an hour or so, but it would be pretty fun. Fresh PvP servers are the best.