Server Down

[maultar]

I talked briefly with Rogean on the new temp server tonight. He said he is too busy to talk on here and go through the posts. But did say yes donations will help and this "should" all be resolved in 5 days. Later told me to donate 300 I loled. I'm good for 20 but not 300. Once I figure out how to donate that is I can't find that thread anymore.

[choklo]

This is good news if this is true. Donations will help keep the server up. If we give a paltry $10 each, this should really help. 10 bucks is a pizza, a movie, a couple of beers. What it buys us is priceless, really. Name another place you get classic EQ with damn good devs.
The thing is, you have to actually DONATE. Click on the paypal logo on the home page and donate 10 or even 5 bucks. Talk is cheap people.

If you don't have a paypal account, make one, it's easy. Go to the website and spend 2 minutes making an account. You just need a credit card.

[Elissa]

Just donated 25$...

[cadiz]

Quote:

Originally Posted by Theiron [You must be logged in to view images. Log in or Register.]

I'm in the business and f5 hardware is very expensive. Maybe not for a $100M company but for personal use it is.

My curiosity comes when I ask is the server itself just on the public network with a public IP or does it have some sort of firewall in front of it? Based on the attacks and what not I'm going to assume it's completely open with a public IP.

Problem being that you'll need a some decent hardware to put in front of it to protect it and maintain the 400+ users it gets on a regular basis.

According to Rogean the abuse is from UDP traffic so it seems that simply rate limiting the traffic should be sufficient to block this, with sane thresholds on bitrate and packet size that would constitute and classify abuse appropriately.

Given that the server runs Windows you don't have kernel level packet filtering functionality available so you'd want a solution available at the switch level or before it arrives to the server.

Most co-location facility carriers provide this functionality, however you could easily use the same approach with a cheaply built unix based machine between drop-->server to rate limit and meter UDP connections.

My 2 copper pieces, this sort of thing is my career outside of Norrath, it pains me dearly to see such an awesome project suffer from a few nerdragers and I'd be more than happy to donate my time and experience to help get us back on track if needed. Rogean, you know how to get in contact with me [You must be logged in to view images. Log in or Register.]

[Aoemek]

Quote:

Originally Posted by Blink [You must be logged in to view images. Log in or Register.]

Wouldn't it be funny if Rogean were faking the ddos to get more people to donate money?

It reminds me of the Pat Robertson south park episode where he gets people to donate money to build a spaceship to spread christianity.

holy shit I was thinking of literally this exact same thing earlier today.. the southpark episode and everything haha

i doubt this to be the case though these seem like good people

[Phineas]

Quote:

Originally Posted by cadiz [You must be logged in to view images. Log in or Register.]

According to Rogean the abuse is from UDP traffic so it seems that simply rate limiting the traffic should be sufficient to block this, with sane thresholds on bitrate and packet size that would constitute and classify abuse appropriately.

Given that the server runs Windows you don't have kernel level packet filtering functionality available so you'd want a solution available at the switch level or before it arrives to the server.

Most co-location facility carriers provide this functionality, however you could easily use the same approach with a cheaply built unix based machine between drop-->server to rate limit and meter UDP connections.

My 2 copper pieces, this sort of thing is my career outside of Norrath, it pains me dearly to see such an awesome project suffer from a few nerdragers and I'd be more than happy to donate my time and experience to help get us back on track if needed. Rogean, you know how to get in contact with me [You must be logged in to view images. Log in or Register.]

Or just shove a Cisco ASA in front of the server, set a max embryonic conneciton limit of say 1000, and then configure an IPS module to also drop packets from obvious attackers.

Someone mentioned that the problem with this kind of solution is the bandwidth being eaten up at the router.

/shrug

We've killed many ddos attempts at our datacenter doing just what I outlined...

~phin

<edit>
it should be noted that I have no idea if limiting the half opened connections would also affect EQ clients. It certainly doesn't harm web traffic from my experience...

[Pyratess]

LOL so I started a toon on the PEQ server to pass the time... got into the tutorial... and EVERYONE (save one) in the zone was from P99 trying to alleviate withdrawal [You must be logged in to view images. Log in or Register.] We had a good laugh about how easy the PEQ server is and how we all miss slaving away over our levelz and moneyz and lootz [You must be logged in to view images. Log in or Register.]

[ooantipostoo]

Quote:

Originally Posted by cadiz [You must be logged in to view images. Log in or Register.]

Given that the server runs Windows you don't have kernel level packet filtering functionality available so you'd want a solution available at the switch level or before it arrives to the server.

)

D-dos attacks can and will affect any operating system given it be wondows Linux or so forth.

[Eastwood]

yeah PEQ is silly,

I started last night and a P1999 friend who used to box insanely on PEQ has power leveled me to 34 in 24 hours of not even close to non stop play.

The useful thing is im playing a class i've been curious about in EQ and I'll probably use PEQ to practice the lambent armor quests, buying the spells around norath, and other time wasting things that I can have polished when time is a little more valueable on P1999.

[cadiz]

Quote:

Originally Posted by Phineas [You must be logged in to view images. Log in or Register.]

Or just shove a Cisco ASA in front of the server, set a max embryonic conneciton limit of say 1000, and then configure an IPS module to also drop packets from obvious attackers.

Someone mentioned that the problem with this kind of solution is the bandwidth being eaten up at the router.

/shrug

We've killed many ddos attempts at our datacenter doing just what I outlined...

~phin

<edit>
it should be noted that I have no idea if limiting the half opened connections would also affect EQ clients. It certainly doesn't harm web traffic from my experience...

That's a solid solution too. The ASA's are really nice improvement upon the PIX, unfortunately they come with a hefty price tag. For SYN proxy functionality and just general usage I've found OpenBSD with pf achieves the same thing for free minus all the contextual stuff. You'll actually find this embedded in most off the shelf firewall/proxy solutions due to its flexible license. I used this quite a bit in my consulting days.

Unfortunately not everyone can operate at Layer 8 (politics and $$). We use ASA's and ACE's at work as well and are quite happy with them, but for smaller shops or the budget constrained some good old pf is hard to beat, combine that with carp/pfsync and you've got some nice redundancy [You must be logged in to view images. Log in or Register.]