WinGate Forums

[regacct2]

Hello everyone. I've got a basic question about NetPatrol's capabilities.

I've got a server that's being DDOS attacked and I'm trying to stop it. The big problem is that there are 100s of source hosts and the amount of traffic hitting my NIC is more than my NIC can handle, so it tanks my connection till the attack ends.

What I'm looking for is software that can keep track of how many IP addresses are currently talking to a certain IP address (I have 10 on this server) and if it goes over that amount, just drop all traffic from that IP address.

The hope is, because the DDOS comes in in a wave - 10 people start attacking, 20 more in a bit, 30 more, and so on - that when the 1st 20 join, the server will shut the IP down, then the 1st 20 will stop, 20 more will join on, the next 20 will drop, and the traffic will never peek over an amount my NIC can handle.

Because this is more of a Bandwidth flood than a DDOS, I can't really do anything else software wise, and my server host can't do much network side to stop it. Also, the attack is on a CounterStrike game server, and they attack port 27015 on UDP, so it's not session based.

Any thoughts would be great.

Thanks everyone.

[adrien]

Hi

unless you get a full 3-way TCP handshake you can't trust the source IP in the packet, so trying to use that information in a DDOS attack is basically pointless, the source addresses are probably spoofed, and if you start recording or blocking them, you'll probably be blocking something else like google or something.

Is there anything else about the packets being sent in that would allow you to identify / filter them - e.g. payload?

Regards

Adrien

[regacct2]

Thanks for the reply. I'm trying to figure out if there's anything specific, but I've found nothing yet.

But, on that note, I'm not trying to block the individual IPs. What I'm hoping for is, if the number of IP addresses coming in peaks over a certain number, I will just block the entire local IP address. What this will hopefully achieve is, even though it drops one of my IP address (It's a game server so a couple people in game will be disconnected), it will hopefully stop the attack right away, before it affects the entire box. Then the firewall can unblock the IP address alter.

I'm still looking for something within the packets though. If that's the case, I'll try to block it on that basis.

[adrien]

Hi

if they are attempting a denial of service, then you turning off the service actually makes their attack more effective.

Since the protocol is over UDP, it will always be susceptible to denial of service which you can basically do nothing about, since there's no validation done on the source IP, it can be spoofed. So counting a set of spoofed source IPs I don't know will get you anywhere.

If the source IPs are re-used often then you can filter on it if you notice, but there are close to 4 Billion possible sources. Collecting information about those quickly consumes a large amount of memory if the source IP is randomly generated by the attacker.

There's no way to run the service in TCP mode instead? Then you can do things like SYN cookies to ignore DOS like that, and attackers have to use an IP they have access to instead of spoofing. Being able to spoof source address allows an attacker to greatly increase effectiveness of their attack without needing access to a lot of computers to attack you with.

[regacct2]

I'll explain better maybe.

These are game servers. I have one physical box with 10 external IP addresses, and 10 game server, 1 on each IP. The game itself if UDP, nothing I can do about that. When the attack comes in, it looks like 100s of IPs (whether they are spoofed or not). When the attack happens, it is only directed at one of the IP addresses, but, because of the massive amount of data, it consumes the bandwidth on the entire NIC, thus taking down all 10 game servers.

So, if I could tack how many IP addresses are coming into one IP address (I don't care if they're legit or not), and shut off that one IP address to stop the attack, I actually will keep up 9 game servers and lose 1, instead of losing all 10.

I do realize that due to the UDP protocol, there's not much I can do about the individuals. But, I am 100% willing to take one IP address off line for a short time in order to keep 90% of my servers running.

Does that clarify what I'm wondering about better? Sorry, I'm not trying to be rude. Just thought I would explain differently as I think you're thinking I would like to avoid taking my IP down. I don't. In fact, I'm quite sure that taking it down is the only way I will be able to stop the attack from affecting everything.

[adrien]

Hi

in the end, even if you shut off the IP, the incoming packets may still be enough to saturate your link. Is the server responding to these packets which is what is contributing to the link saturation?

I guess they're just hitting one of your IPs because that's what they know to hit. Is the stuff they are hitting you with valid in any way (e.g. does it make the game server respond, or do nothing?).

If the game server is not currently responding, then shutting off the IP may make it worse, since the OS will then send ICMP packets back saying the port isn't open.

If you were to just block all incoming packets with that destination IP, then you'd prevent any response packets, but you wouldn't necessarily make them stop, so then it just becomes a matter of who has more bandwidth - them or you. You may need to work with your ISP to choke it before it comes down your pipe and saturates your link.

Regards

Adrien

[adrien]

Hi

did you block ping to the server? I see some reports that that helps.

Regards

Adrien

[regacct2]

Again everyone, thanks for reading and responding to this, it's very much appreciated.

I have blocked all pinging. The guys who are attacking it used to play with us, so they don't need to ping it to see if it's up - they know it's up before they attack it. Of course, I have no proof they are doing it so nothing can be done on that end.

And I apologize, I used the wrong terminology in my last response. I don't want to shut off the IP, I want to drop the packets. Our host provider does have network security setup right now which, when a certain bandwidth on the entire link hits a certain amount, it will apply filters, and the filters are quite effective. Unfortunately, they only partially filter, and when they do filter, they end up filtering the game data as well, since the attack is on the same UDP port 27015 as the game is running on. Plus, their filters take hours to remove themselves, even though the attack is over in 10 minutes - but they say that's normal :/ What I normally do is, if I'm online, I log into the host's remote site, and put a full block on the individual IP address, which applies a deny rule of some sort on the edge switches (protecting the hosting network as well).

What I've found over time, which is why I think the dropping rules on the server might work, is that if I don't filter the connection, the attack usually lasts about 15 minutes. If I block the whole IP, and thus the server stops responding to the attackers, I can usually lift the IP block within 3-5 minutes and the attack is over. I honestly have no idea how the attacking hosts know that the server is down, but it seems like they do. And, from doing some Wireshark analysis, it seems like the IP addresses slowly join over the time of the attack (I don't think they are all joined on at the same time), which is what leads me to believe that dropping the packets really soon will cause the initial attackers to stop, before the subsequent attackers join on.

Again, I'm just looking for ideas as I honestly don't think there's any real good way for me to mitigate for this type of attack.