traffic network (flood attack) -
guesto - 17.10.2012
Hi,
For some days my game server has been lagging. I checked my network traffic.
You can see an abnormal amount (+8 Mbps); the result in the game is lag/lost connections. I asked my host to check the logs/monitoring but he said "I don't find anything in the logs/monitoring; you need to contact the editors of the game to see if they can give you the reasons, and if there can be logs activated for all the connections."
- it is possible of allowed simultaneous connections to connect in the game
- it is possible to know all the possible connections by IP
- If it is possible to log all the connections for the game.
Is it possible he doesn't find anything in the logs? Is 8 Mbps only a DoS? That is little, so why does my server lag/lose connection?
Thanks.
Re: traffic network (flood attack) -
Lightning[SV] - 17.10.2012
If it's a Linux server, use tcpdump to capture some packets. You will need to run it continuously or set up a cron job so you get packet samples throughout the day. Then you can look at your graph, find the corresponding packet samples and see what the traffic spikes are.
Re: traffic network (flood attack) -
kaisersouse - 18.10.2012
I sustained the same sort of "attack" last week when a couple of players got mad that someone kept using super-nos to ram them. Exact same looking spike, less than 10mbit, would cause people to lag out of the game.
It lasted all of 15 minutes, and stopped the instant I added their IP ranges to the firewall.
A "safer" alternative to tcpdump (which will FILL your hard drive w/ a huge log if you don't use it right) is 'iptraf'. On most RHEL distros you can just run 'yum install iptraf' and it will install. Gives better real-time monitoring, with more options regarding what to look for, etc.
Re: traffic network (flood attack) -
ombre - 18.10.2012
Can an attack of 10 Mbit take down a server?
Re: traffic network (flood attack) -
guesto - 18.10.2012
You ban their IPs with iptables? What is the attack type? UDP flooding? On the port of the game?
Re: traffic network (flood attack) -
guesto - 23.10.2012
Nobody can help? The server lags or loses connection for 2-3 min.
I tested it, but it doesn't work: iptables -A INPUT -p udp --dport 7777 -m limit --limit 10/s --limit-burst 20 -j DROP
Re: traffic network (flood attack) -
Lightning[SV] - 23.10.2012
Well you need to re-read the iptables manual. That rule will drop 10 packets every second to the samp server. Remember each player will be sending a lot of packets to the server per second.
For rate limiting you are better off looking at the ipt_recent module as this can be used to rate limit per ip address. You can also match specific packets with the u32 module.
I noticed an up spike on my server recently caused by a player list query flood. I solved it with rules matching the attack.
You really need to capture some of the packets first, then you can write appropriate rate limiting rules, or even a simple IP block if it's only caused by a single IP.
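The capture-first workflow recommended in this thread, as an added example that is not from any poster here: a size-bounded tcpdump capture (in the comments), then a per-source packet count over its text output that prints candidate block rules for review. The function names, the eth0 interface, the capture path, the threshold of 20 and all sample lines are assumptions or constructed data.

```shell
#!/bin/sh
# Added example; function names, interface, paths and threshold are assumptions.
# Bounded capture (ring of 10 files of about 50 MB each, headers only):
#   tcpdump -i eth0 -nn -s 96 -C 50 -W 10 -w /var/tmp/game.pcap udp dst port 7777
# Read a capture file back as text and feed it to the functions below:
#   tcpdump -nn -r <capture file> | block_rules 7777 <threshold>

# Constructed sample of `tcpdump -nn` text output: one noisy source, two
# players, and one reply from the server that must not be counted.
sample_capture() {
    awk 'BEGIN {
        for (i = 0; i < 40; i++)
            printf "12:00:01.%06d IP 203.0.113.5.%d > 198.51.100.10.7777: UDP, length 11\n", i, 40000 + i
        for (i = 0; i < 6; i++)
            printf "12:00:01.%06d IP 192.0.2.%d.%d > 198.51.100.10.7777: UDP, length 38\n", i, 20 + i % 2, 51000 + i % 2
        print "12:00:01.000100 IP 198.51.100.10.7777 > 192.0.2.20.51000: UDP, length 60"
    }'
}

# Count IPv4 packets per source address sent to port $1 (tcpdump text on stdin).
# Output: "<count> <source ip>", busiest source first.
top_sources() {
    awk -v port="$1" '
        $2 == "IP" && $5 ~ ("\\." port ":$") {
            src = $3
            sub(/\.[0-9]+$/, "", src)   # strip the source port
            n[src]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# Print, without running them, one DROP rule per source that sent more than
# $2 packets to port $1 in the sample on stdin.
block_rules() {
    top_sources "$1" | awk -v port="$1" -v max="$2" '
        $1 > max { printf "iptables -I INPUT -s %s -p udp --dport %s -j DROP\n", $2, port }'
}

# Demonstration on the constructed sample.
sample_capture | block_rules 7777 20
```

UDP source addresses can be forged, so compare the printed rules with the capture before applying any of them.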
Re: Re: traffic network (flood attack) -
guesto - 23.10.2012
Quote:
Originally Posted by Lightning[SV]
Well you need to re-read the iptables manual. That rule will drop 10 packets every second to the samp server.
Is it too much? Do you have an idea to limit the greater part of the attack? Because everybody says "use iptables, you need to read..." but nobody helps with good rules...