A call to (nerdy) arms - Page 2

azxten · #1 07-19-2013, 11:13 AM

Its pretty simple really. There is some volume of traffic directed at the server. Some percentage of this is malicious DDOS attack traffic.

Can that malicious traffic be differentiated from legitimate traffic?

If yes, then it can be filtered out. However, filtering takes CPU cycles and more complex rules typically require more cycles.

Where do we do the filtering? Options are on the server ($) or on an upstream router ($$) or security appliance ($$$). Doing it on your own server is cheap but its also a bit too late because now the server is handling the packet filtering thus overloading itself. Doing it on an upstream router is more expensive because XYZ data center has to maintain the rules for you but moves the load off the server. Doing it on a security appliance is most expensive because they cost to buy but is most effective due to being purpose built.

If no, then all of that traffic needs to hit the server and the server needs to keep up. ($$$$)

This typically means bringing in a load balancer and shifting to a multi-server architecture which typically means the server software will require adjustments to run properly since this is all custom code. ($$$$$)

I'm guessing the server is at the point where the attack is being mitigated on an upstream router/security appliance but its dynamic enough in nature that it can still cause outages until the firewall adjusts to the new sources.

spoils · #2 07-19-2013, 01:51 AM

Yea ***** don't u know dem shitz?

Lopretni · #3 07-19-2013, 02:07 AM

Maximius, can you gather anything from the image Tiggles posted in another thread?
https://www.project1999.org/forums/s...9&postcount=54

azxten · #4 07-19-2013, 10:45 AM

There are only two ways to mitigate a DDOS. Expensive hardware (both on the network and server side) and well written firewall rules.

If I had to guess I would say that the firewall rules are already fine and this is purely a matter of money. P99 is already hosted by a company that offers DDOS mitigation. However, as with all things, you get what you pay for. It's likely that if the P99 staff payed out another $5k-$10k a month the attack would be fully mitigated.

What we have right now is the best performance we can get with the resources available.

It would be interesting to see a packet capture from the server side though if any sensitive information could be stripped.

Nirgon · #5 07-19-2013, 10:54 AM

Donate button to save your beloved project

Time to have a bake sale or some shit

Need to know if having a bake sale and hitting the donate button is considered RMT first

Nirgon · #6 07-19-2013, 11:20 AM

Is this ICMP or what?

I know the server is being DDoS'd but we know nothing of the nature of the attack.

Going jihad on Kegz and pissing him off (if its not him) is just going to add more problems.

azxten · #7 07-19-2013, 11:28 AM

I'd be interested to see a packet capture as well or hear something from staff.

Considering the amount of trouble this has caused I imagine this is something more custom built which mimics legitimate traffic. Login server login attempts or something like that.

Then I would guess there is a firewall rule which watches for X packets per Y time to the server which is considered abnormal and blacklists the IP for some period of time.

So, every time there is a lag spike its when the attack starts from a new collection of IPs which must be allowed access for a period of time to determine if they are malicious or not.

This is all just a rough guess but hopefully it provides some insight into how these things work for those who are curious.

rickjames · #8 07-19-2013, 12:07 PM

There are two potential effects:

A) There is a socket connection and the server is requested to perform some sort of task (i.e. login) This taxes the servers process resources.

B) Its mostly dropped trash traffic (ICMP flood etc.) and overwhelms network equipment.

Scenario B is mitigated by over-provisioning bandwidth usually. Scenario A is much more difficult to respond to unless a solution is developed to trust connections sources and therefore drop packets before they reach the server.

Regardless, to fix the problem by throwing money at it is unlikely to be very efficient or effective.

Now one potential theory I had (im a receptionist at an IT firm too) is that they may be abusing socket connections to the webserver (spam HTTP requests) as it seems the website goes down (colocated/same box/same VM) with the game server. If someone would be able to confirm or refute this, i would be willing to pony up a little cash to help get the website/forums hosted on a separate instance to mitigate that vulnerability.

MaximiusM · #9 07-19-2013, 01:10 PM

Quote:

Originally Posted by rickjames [You must be logged in to view images. Log in or Register.]

Now one potential theory I had (im a receptionist at an IT firm too) is that they may be abusing socket connections to the webserver (spam HTTP requests) as it seems the website goes down (colocated/same box/same VM) with the game server. If someone would be able to confirm or refute this, i would be willing to pony up a little cash to help get the website/forums hosted on a separate instance to mitigate that vulnerability.

you've essentially come to the same conclusion as me, fellow internet receptionist. PM'ing with details.

August · #10 07-19-2013, 05:48 PM

If I can help in any way let me know. I have a background in cryptography and filter analysis and have been in software for 7 years.

More importantly, if you need to find out how to do something, I can find that out almost assuredly. I'm not an expert in cyber security, however.