
(NEW ATTACKS) Banned player lagging my server


ReFlexPoison
☠☠☠
Join Date: Jul 2011
Location: ☠☠☠
Old 04-04-2012 , 02:41   Re: (NEW ATTACKS) Banned player lagging my server
Reply With Quote #51

Quote:
Originally Posted by TheAvengers2 View Post
I don't know about that. If you're on a 100mbps connection or weaker, then you'll have people saturating the whole line with relative ease. I'm on a 1gbps line and even that doesn't hold up well. Every so often, I'll get some DDoS attacks which saturate the whole 1gbps link. I can't even imagine the peak strength of one of these attacks. And no, there's no firewall or software which can prevent these sorts of attacks. You'll have to hope your host will kindly mitigate it for you or you're out of luck.
Okay, after seeing all of this, why doesn't Valve do something? Do they not care? Just weird that server hosting has to have so much 3rd party security that isn't even 100% valid to work 100% of the time. I mean honestly, either one, Valve is too lazy (which I doubt), two, they don't care (I hope not), or three, there is no patch. (seems plausible)
(Valve has created some of the most unique gaming code ever, just curious on why they don't protect it more than they do atm)

- End rant
ReFlexPoison is offline
TheAvengers2
BANNED
Join Date: Jul 2011
Old 04-04-2012 , 02:51   Re: (NEW ATTACKS) Banned player lagging my server
Reply With Quote #52

Valve can't do anything about DDoS attacks. That's more of an issue for governments and hosting companies. They can, however, put an end to the low-bandwidth, CPU-intensive attacks which utilize exploits and flawed security in srcds. These attacks are much easier for the average joe to implement and just as equally destructive. Based on Valve's track record though, maybe it's a good thing they aren't pushing updates all the time. They tend to create as many problems as they fix.

Last edited by TheAvengers2; 04-04-2012 at 03:05.
TheAvengers2 is offline
pillepallus
Senior Member
Join Date: Oct 2011
Old 04-04-2012 , 10:39   Re: (NEW ATTACKS) Banned player lagging my server
Reply With Quote #53

Meanwhile I'm using 2 firewalls (configuration is like dmz-environment) so it's easier to block some attacks because cpu-workload issues during attacks and logging has failed. I needed much time to configure. I tried to solve exact same attacks on Windows too. Windows will lag and crash all the time during attacks.
All the time I try to attack myself. Fact is only 2% of all internet users can perform massive attacks.
My first firewall will limit new connections (without logging to reduce workload) to only some new connections each minute. Rest dropped. Second firewall (on gameserver) seems to be doing nothing since I did that. I have many many rules more but after implementation of new connection limits on an external firewall with powerful quad-core (only for that) the workload of the second firewall on gameserver is now about 10-15% maximum during some attacks.

If u like u can test to attack me (tests are very important). Yesterday I've installed another gameserver only for hacking. 46.4.230.86:27015. All firewalls are off atm, only logging is activated. Start spamming! Limit new connections is disabled too on external firewall. I monitor now the usage of all. Do ur best!
pillepallus is offline
ReFlexPoison
☠☠☠
Join Date: Jul 2011
Location: ☠☠☠
Old 04-04-2012 , 12:19   Re: (NEW ATTACKS) Banned player lagging my server
Reply With Quote #54

When a player is using attacks like stated from above posts, can it affect other things on your PC? Paranoia question here. Is it just crashing your server or is it doing other things? (Don't really know how to rephrase that question to make it make more sense)
ReFlexPoison is offline
Doodil
Senior Member
Join Date: Mar 2012
Old 04-04-2012 , 12:36   Re: (NEW ATTACKS) Banned player lagging my server
Reply With Quote #55

You mean DDoS? Crashes the server at most, you can think of it as spamming the server with false requests. The server tries to answer every request, but the person starting the attack spams so many of those requests (+ doesn't even wait for the response of the server, but just spams more and more) that the server will eventually go down (unless the attack is so weak that the server can handle all the requests).

The worst thing to happen would be that the server goes down (no one could play/join) and you'd have to restart it, but other than that nothing.
Doodil is offline
jackliu92
Senior Member
Join Date: Aug 2006
Old 04-04-2012 , 13:45   Re: (NEW ATTACKS) Banned player lagging my server
Reply With Quote #56

Quote:
Originally Posted by pillepallus View Post
Meanwhile I'm using 2 firewalls (configuration is like dmz-environment) so it's easier to block some attacks because cpu-workload issues during attacks and logging has failed. I needed much time to configure. I tried to solve exact same attacks on Windows too. Windows will lag and crash all the time during attacks.
All the time I try to attack myself. Fact is only 2% of all internet users can perform massive attacks.
My first firewall will limit new connections (without logging to reduce workload) to only some new connections each minute. Rest dropped. Second firewall (on gameserver) seems to be doing nothing since I did that. I have many many rules more but after implementation of new connection limits on an external firewall with powerful quad-core (only for that) the workload of the second firewall on gameserver is now about 10-15% maximum during some attacks.

If u like u can test to attack me (tests are very important). Yesterday I've installed another gameserver only for hacking. 46.4.230.86:27015. All firewalls are off atm, only logging is activated. Start spamming! Limit new connections is disabled too on external firewall. I monitor now the usage of all. Do ur best!
Haha, it is not a good idea to ask people to do a test like this. Unless we have the permission from your host, our ISP, and from other different security systems, otherwise we may get into trouble for launching a DDOS attack on your server. (like you don't expect an attacker using his home/company IP to launch the attack).

Also, what are the two firewalls u are using? And how did u configure a dmz-environment? Like what type of server do you have?

Quote:
Originally Posted by Doodil View Post
You mean DDoS? Crashes the server at most, you can think of it as spamming the server with false requests. The server tries to answer every request, but the person starting the attack spams so many of those requests (+ doesn't even wait for the response of the server, but just spams more and more) that the server will eventually go down (unless the attack is so weak that the server can handle all the requests).

The worst thing to happen would be that the server goes down (no one could play/join) and you'd have to restart it, but other than that nothing.

The easiest way to get people to understand this is to describe DDOS like:
If you get phone calls from advertisements, telephone marketing 1 second per call from different numbers, will you be overwhelmed? [Unplug your phone? what about calls from your friends? your boss? etc. (like disconnect your server from the internet??)] [Keep plugged will make you overwhelmed even if u just pick-up, hang-up [like firewall drops the packages] immediately <--- this is how DDOS gonna be like on server side. (unless you are telling me you are able to handle all these phone calls, lol)]

Last edited by jackliu92; 04-04-2012 at 13:59.
jackliu92 is offline
pillepallus
Senior Member
Join Date: Oct 2011
Old 04-04-2012 , 15:18   Re: (NEW ATTACKS) Banned player lagging my server
Reply With Quote #57

Quote:
Originally Posted by jackliu92 View Post
Haha, it is not a good idea to ask people to do a test like this. Unless we have the permission from your host, our ISP, and from other different security systems, otherwise we may get into trouble for launching a DDOS attack on your server. (like you don't expect an attacker using his home/company IP to launch the attack).

Also, what are the two firewalls u are using? And how did u configure a dmz-environment? Like what type of server do you have?
Heheh it's the best way to get attacks... only so I know my firewalls are working. And btw... I have like 500 IP addresses so I can move into another range and network... My external firewall is a Securepoint UTM device (I'm a security consultant therefore I have real firewalls), the other external firewall is just iptables (at work we have some more...). Local firewall on my game servers is always iptables. I'm always using Debian or Ubuntu derivatives.

Normally I'm using both firewalls with iptables for my LANs (2 LANs between gameserver and "internet", so 3 firewalls but one will only forward). But for some attacks (less than 3%) the firewall can't handle all requests. So I need to switch to Securepoint to get a log.... iptables won't log in some cases during massive flood. But Securepoint will crash too for some attacks...

My ISP won't block ur attack, this IP range is requested for that... but some ISPs in other backbones will block.... lol
pillepallus is offline
pillepallus
Senior Member
Join Date: Oct 2011
Old 04-04-2012 , 15:22   Re: (NEW ATTACKS) Banned player lagging my server
Reply With Quote #58

Quote:
Originally Posted by jackliu92 View Post
The easiest way to get people to understand this is to describe DDOS like:
If you get phone calls from advertisements, telephone marketing 1 second per call from different numbers, will you be overwhelmed? [Unplug your phone? what about calls from your friends? your boss? etc. (like disconnect your server from the internet??)] [Keep plugged will make you overwhelmed even if u just pick-up, hang-up [like firewall drops the packages] immediately <--- this is how DDOS gonna be like on server side. (unless you are telling me you are able to handle all these phone calls, lol)]
LOL (nice idea)
pillepallus is offline
jackliu92
Senior Member
Join Date: Aug 2006
Old 04-04-2012 , 19:22   Re: (NEW ATTACKS) Banned player lagging my server
Reply With Quote #59

Quote:
Originally Posted by pillepallus View Post
Heheh it's the best way to get attacks... only so I know my firewalls are working. And btw... I have like 500 IP addresses so I can move into another range and network... My external firewall is a Securepoint UTM device (I'm a security consultant therefore I have real firewalls), the other external firewall is just iptables (at work we have some more...). Local firewall on my game servers is always iptables. I'm always using Debian or Ubuntu derivatives.

Normally I'm using both firewalls with iptables for my LANs (2 LANs between gameserver and "internet", so 3 firewalls but one will only forward). But for some attacks (less than 3%) the firewall can't handle all requests. So I need to switch to Securepoint to get a log.... iptables won't log in some cases during massive flood. But Securepoint will crash too for some attacks...

My ISP won't block ur attack, this IP range is requested for that... but some ISPs in other backbones will block.... lol
I know you want to test, but launching DDOS is against the law, you can get arrested for doing this. Unless the attacker knows what he is doing.

Who is your ISP? And how much do you pay for? I am just wondering, maybe I'll switch some day...xD
jackliu92 is offline
recon0
Veteran Member
Join Date: Sep 2007
Location: US
Old 04-05-2012 , 17:42   Re: (NEW ATTACKS) Banned player lagging my server
Reply With Quote #60

Quote:
Originally Posted by ReFlexPoison View Post
Okay, after seeing all of this, why doesn't Valve do something? Do they not care? Just weird that server hosting has to have so much 3rd party security that isn't even 100% valid to work 100% of the time. I mean honestly, either one, Valve is too lazy (which I doubt), two, they don't care (I hope not), or three, there is no patch. (seems plausible)
(Valve has created some of the most unique gaming code ever, just curious on why they don't protect it more than they do atm)

- End rant
Valve is too busy delaying episode 3 to fix their net code, and based on their inaction, they don't care, so there is no patch ;)


A few random comments on the last batch of replies:

1. Hosts that aren't completely clueless will be able to deal with dDoS attacks by blocking the attack further upstream in their network, which is usually at their core routers. If it's beyond the host's ability to deal with the problem (attacks on this scale are rare), their upstream providers will be required to deal with it since the host has an SLA with them.

2. All DoS and dDoS attacks are against Federal law (a felony depending on the circumstances) in the US; however, getting the FBI to investigate is next to impossible unless you hire a lawyer; in other words, the illegality of it is almost irrelevant for server admins who are trying to deal with the attacks.

3. dDoS attacks, especially large ones, will get the attention of upstream providers who can actually do something about it. In most other cases (e.g. a small dDoS or DoS), NoCs will not give you the time of day without a court order.

4. Most attacks against Source servers are low bandwidth exploits of vulnerabilities in the engine's net code. Because of the connectionless nature of UDP, falsifying the source IP is trivial, so the odds of tracing it without a court order are extremely low. Additionally, since some of these attacks use legitimate packets, they are difficult to block.

5. For most server admins, dealing with a DoS attack works something like this:

Can I block it with a firewall?

--- Yes, problem solved. If the source IP isn't spoofed, send a brief letter with the relevant logs to the abuse department listed by ARIN for the IP block responsible for the attack so they can take action.

--- No, what are my options?

----- IPs are spoofed, so you can't easily trace it, and blocking by IP is obviously out of the question.

----- Pursue some kind of technical solution to block / mitigate the attack. This is usually your best bet.

----- Beg your host to work with their upstream providers to track down the source of the falsified IPs. Since falsifying IP headers (which contain the source IP) is against the AUP/TOS of every major ISP and upper tier provider, you could get lucky and convince someone at a NoC to track it down.

----- Get a lawyer and a court order (AFAIK it's called Doe subpoena in the discovery phase) to track the attacker down and shut off the attack. This will take a long time and be expensive while your server remains under attack and is basically unusable. (You'll spend hours upon hours on the phone with NoCs telling them about the court order you have and demanding that they trace the packets through their network.)

Last edited by recon0; 04-05-2012 at 22:10.
recon0 is offline
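
An added example, not written by anyone in this thread: a simulation of the new-connection limiting pillepallus describes, set against recon0's point 4 that spoofed UDP sources rule out blocking by IP. The addresses, timestamps, rates and function names are constructed assumptions, not captured traffic or any firewall's API.

```python
class TokenBucket:
    """Refill `rate` tokens per second up to `burst`; one token per new connection."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True


def accept(packets, per_ip=None, total=None):
    """Return the (ts, src) packets let through. Limits are (rate, burst) or None."""
    by_ip = {}
    shared = TokenBucket(*total) if total else None
    passed = []
    for ts, src in sorted(packets):
        # Per-source limit: only useful when the source address is genuine.
        if per_ip and not by_ip.setdefault(src, TokenBucket(*per_ip)).allow(ts):
            continue
        # Global limit on new connections, regardless of claimed source.
        if shared and not shared.allow(ts):
            continue
        passed.append((ts, src))
    return passed


def count(passed, players):
    """Split accepted packets into (flood, legitimate) counts."""
    legit = sum(1 for _, src in passed if src in players)
    return len(passed) - legit, legit


# Constructed sample traffic: five players (one connects mid-flood) and
# 1000 connection attempts in 0.5 s starting at t=5.
TIMES = (0.0, 1.0, 2.0, 5.23775, 8.0)
PLAYERS = {f"203.0.113.{n}": t for n, t in zip(range(10, 15), TIMES)}
LEGIT = [(t, ip) for ip, t in PLAYERS.items()]
ONE_SOURCE = [(5.0 + i / 2000, "198.51.100.7") for i in range(1000)]
SPOOFED = [(5.0 + i / 2000, f"10.0.{i // 250}.{i % 250 + 1}") for i in range(1000)]

if __name__ == "__main__":
    limits = (("per-IP 1/s", {"per_ip": (1.0, 2)}), ("global 20/s", {"total": (20.0, 10)}))
    for name, flood in (("one source", ONE_SOURCE), ("spoofed", SPOOFED)):
        for label, kw in limits:
            print(name, label, count(accept(LEGIT + flood, **kw), PLAYERS))
```

The per-IP limit stops the single-source flood but passes every spoofed packet, while the global limit caps the spoofed flood at the cost of dropping the player who connects during it, which is the trade-off in jackliu92's phone analogy.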