Project 1999

  #1  
07-27-2013, 03:22 PM
Gaffin Deeppockets
Banned
Join Date: Apr 2013
Posts: 285

The more you morans talk about it the more it's gonna happen.
  #2  
07-27-2013, 04:10 PM
Glorindale
Sarnak
Join Date: May 2010
Posts: 209

Quote:
Originally Posted by Gaffin Deeppockets
The more you morans talk about it the more it's gonna happen.
What the hell are morans and do they have anything to do with IP rangers? ;-)

So it will just go away if we stop talking about it? Wow..why didn't think of that?
  #3  
07-27-2013, 04:17 PM
kingsBlend
Sarnak
Join Date: Sep 2010
Posts: 238

What I don't understand is.. Rogean, you are the man. You know your shit when it comes to servers and networking, you proved it to us. How do you not know just a little bit on Network Security?
  #4  
07-27-2013, 04:26 PM
Rogean
¯\_(ツ)_/¯
Join Date: Oct 2009
Location: Massachusetts
Posts: 5,390

Quote:
Originally Posted by kingsBlend
How do you not know just a little bit on Network Security?
It's not a lack of knowledge. It's a lack of time and resources.

I have a full time job that gets increasingly busy in the summer. I have commitments all this weekend. I have a trip coming up that I leave for very soon that will put me away for a week. The timing of all of this shit happening is the worst it could possibly be.

Look up DNS Amplification attack, and you guys will see just how little there is that I can do about it myself. No amount of equipment I put on my side of our data center drop will help line saturation. It's up to our data center. I'm seeing what they are willing to do, as well as their upstream providers (Level3).

We used to have DDoS protection. It's one of the reasons that we moved to the data center we're at now. But then they decommissioned the device and decided to not replace it, so now we're stuck in the data center without mitigation. If there's nothing they can do to stop this then we're looking at literally a month or two for us to find and move to a data center that can.
__________________
Sean "Rogean" Norton
Project 1999 Co-Manager

Project 1999 Setup Guide
  #5  
07-27-2013, 04:34 PM
captincrust
Aviak
Join Date: Sep 2012
Posts: 74

As far as I know, this is the most common and effective response to combating DDoS attacks. Often your internet service provider will do this sort of stuff as well since it clogs up their network to a degree. I think this is the best option.

There may be something to be done with the login server - EQEmu has been getting pummeled simultaneously and I suspect there is some bug being exploited with the login server. Various eqemu cheat sites (ie: RedGuides) have alluded to this very recently.
  #6  
07-27-2013, 04:46 PM
Glorindale
Sarnak
Join Date: May 2010
Posts: 209

Quote:
Originally Posted by Rogean
It's not a lack of knowledge. It's a lack of time and resources.

I have a full time job that gets increasingly busy in the summer. I have commitments all this weekend. I have a trip coming up that I leave for very soon that will put me away for a week. The timing of all of this shit happening is the worst it could possibly be.

Look up DNS Amplification attack, and you guys will see just how little there is that I can do about it myself. No amount of equipment I put on my side of our data center drop will help line saturation. It's up to our data center. I'm seeing what they are willing to do, as well as their upstream providers (Level3).

We used to have DDoS protection. It's one of the reasons that we moved to the data center we're at now. But then they decommissioned the device and decided to not replace it, so now we're stuck in the data center without mitigation. If there's nothing they can do to stop this then we're looking at literally a month or two for us to find and move to a data center that can.
Ah. Now all of you conspiracy theorists can put their "duping" conspiracies to rest. This attack isn't exploiting the game. It is exploiting the TCP/IP stack.

Rogean, it sounds like this attack is affecting other hosted customers at your ISP? If so maybe they will actually do something about it.
  #7  
07-27-2013, 04:55 PM
Rogean
¯\_(ツ)_/¯
Join Date: Oct 2009
Location: Massachusetts
Posts: 5,390

Quote:
Originally Posted by Glorindale
It is exploiting the TCP/IP stack.
DNS is UDP Traffic, not TCP.
__________________
Sean "Rogean" Norton
Project 1999 Co-Manager

Project 1999 Setup Guide
  #8  
07-27-2013, 05:03 PM
Glorindale
Sarnak
Join Date: May 2010
Posts: 209

Quote:
Originally Posted by Rogean
DNS is UDP Traffic, not TCP.
UDP is part of the TCP/IP stack. Sorry to play gotcha but you started it.
  #9  
07-28-2013, 11:42 AM
Pringles
Planar Protector
Join Date: Nov 2010
Posts: 1,982

Quote:
Originally Posted by Rogean
It's not a lack of knowledge. It's a lack of time and resources.

I have a full time job that gets increasingly busy in the summer. I have commitments all this weekend. I have a trip coming up that I leave for very soon that will put me away for a week. The timing of all of this shit happening is the worst it could possibly be.

Look up DNS Amplification attack, and you guys will see just how little there is that I can do about it myself. No amount of equipment I put on my side of our data center drop will help line saturation. It's up to our data center. I'm seeing what they are willing to do, as well as their upstream providers (Level3).

We used to have DDoS protection. It's one of the reasons that we moved to the data center we're at now. But then they decommissioned the device and decided to not replace it, so now we're stuck in the data center without mitigation. If there's nothing they can do to stop this then we're looking at literally a month or two for us to find and move to a data center that can.

I am just speculating here since I don't know the scope of the attack, only what you noted about DNS amplification attack, but what about firewalling all DNS related traffic on the p99 boxen, and have us use our own DNS resolution for the server (Windows hosts file). Would that at all help? I wouldn't mind making host entries to resolve p99 DNS so that you can shut it off.
  #10  
07-28-2013, 12:49 PM
Glorindale
Sarnak
Join Date: May 2010
Posts: 209

Quote:
Originally Posted by Pringles
I am just speculating here since I don't know the scope of the attack, only what you noted about DNS amplification attack, but what about firewalling all DNS related traffic on the p99 boxen, and have us use our own DNS resolution for the server (Windows hosts file). Would that at all help? I wouldn't mind making host entries to resolve p99 DNS so that you can shut it off.
I think the only thing that would mitigate the problem is a device that sits on the ISP's side of Rogean's drop (or somewhere in the path of their connection to the rest of the world). That device would need to be able to track DNS name resolution requests so that when the name resolution responses are returned it could then match them up with the requests and block any responses that don't have matching requests (thus blocking the responses to the spoofed requests). Unfortunately doing that on Rogean's side of the drop wouldn't prevent his drop from being saturated which is what he described was the problem.

I think if his ISP isn't willing to help he has no choice but to move to one that would be willing to help if this happens again.

Boiled down....Rogean really cannot do anything himself to prevent this.
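
The request/response matching that post #10 describes, sketched as an added example (not code from the thread or from any product): a filter records each outbound DNS query and passes an inbound response only if it answers one. The class name, the 5-second timeout and the documentation-range addresses are assumptions, and the packets are constructed.

```python
import struct

QUERY_TTL = 5.0  # seconds an outstanding query stays valid (assumed value)

def dns_header(payload):
    """Return (txid, is_response) from the 12-byte DNS header, or None if truncated."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)  # QR bit set means response

class DnsResponseFilter:
    """Tracks outbound queries; passes only responses that answer one of them."""

    def __init__(self, ttl=QUERY_TTL):
        self.ttl = ttl
        self.pending = {}  # (client_ip, client_port, resolver_ip, txid) -> expiry

    def outbound(self, src_ip, src_port, dst_ip, payload, now):
        hdr = dns_header(payload)
        if hdr and not hdr[1]:
            self.pending[(src_ip, src_port, dst_ip, hdr[0])] = now + self.ttl

    def inbound(self, src_ip, dst_ip, dst_port, payload, now):
        """Return 'pass' or 'drop' for a UDP packet arriving from source port 53."""
        hdr = dns_header(payload)
        if hdr is None or not hdr[1]:
            return "drop"  # malformed, or a query sent to a host that runs no resolver
        expiry = self.pending.pop((dst_ip, dst_port, src_ip, hdr[0]), None)
        return "pass" if expiry is not None and now <= expiry else "drop"

def make_dns(txid, response):
    """Constructed 12-byte DNS header (no question section) for the demo."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

def demo():
    f = DnsResponseFilter()
    server, resolver, reflector = "192.0.2.10", "198.51.100.53", "203.0.113.7"
    f.outbound(server, 40000, resolver, make_dns(0x1234, False), now=0.0)
    return [
        f.inbound(resolver, server, 40000, make_dns(0x1234, True), now=0.1),   # solicited
        f.inbound(resolver, server, 40000, make_dns(0x1234, True), now=0.2),   # replayed
        f.inbound(reflector, server, 40000, make_dns(0x9999, True), now=0.3),  # never asked
    ]

if __name__ == "__main__":
    print(demo())
```

A production filter would also purge expired entries from the pending table, and it only relieves the link if it runs upstream of the saturated drop.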