How my samp server is being taken down
#1

He simply connects up to 280 different IPs on my VPS per second and takes it down nice and easy. I'm currently using OVH and they don't give a... about this; they don't even answer the ticket.

In 2 hours almost a million IPs were connected to my server. Blocking these IPs in samp.ban or a firewall like iptables/csf etc. doesn't have any effect at all; it takes down the VPS just the same, and they are probably spoofed (fake): he can have tons of IPs from the USA, Brazil or whatever range he wants.

Here's the link for 2 hours of attack (server_log.txt pasted on pawn) if someone wants to see it:
mediafire.com/download/dgv6sdmbv7olw9k/999thousand.pwn


My server has been online for almost 3 years and it has not had any peace for MONTHS now. I'm sad about letting years of work go, but I can't find anything I can do because of the jealousy of others. Not many people are suffering from this attack... If someone has a good host that has protection against UDP spoofing and efficient packet filtering and can recommend it to me, I'd appreciate it, because OVH does not give a... about this.


Please don't ban me for posting this or delete the topic; this attack might start to happen to any samp server at any time. We need to find a solution.
#2

No one is going to ban you, I have seen more people post idiotic threads and yet haven't been warned or banned.

What SA:MP version are you using?

OVH.com isn't for customers hosting game servers, it's for business owners and highly experienced users (well, you can use it, but you get my point). They have resellers that may be a better choice for you. I personally don't like OVH's firewall and the fact I can't really customize it that much; that's why I decided to get the Network Firewall (Cisco ASA) for all my servers, which gives me more customization.

I wouldn't be downloading the script; you should just post the attack logs on pastebin instead.
#3

I'm using 0.3.7. 280 different IPs' UDP requests on the machine per second, I think it would take down anything, not just samp.
#4

Quote:
Originally Posted by Xandelee
I'm using 0.3.7, 280 different ips udp requests on the machine i think it would take down anything not just samp.
Can you please provide me network logs? I seriously don't want to download any files.
#5

If you have a Cisco 5505 on your network, I think with the right configuration you might be able to hold off spoofing. If you are interested in trying to solve my problem, I can host with you for one or 2 days (if for free); if you can solve the problem, I'll host with you permanently. But if you are not interested, thank you anyway...
#6

Here's a small server log sample; for tcpdump logs you'd need to download.
Just remember that any firewall or software inside the machine that hosts my server is useless against this, including samp minconectlimit, samp ban etc.
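An added example, not code from any poster in this thread: a Python summary of the `[connection] <ip>:<port> requests connection cookie.` lines from a server_log.txt like the poster's, reporting per-second request counts, distinct sources, /8 spread and sources never seen again, so a flood can be documented for a hosting provider. The threshold value and the sample lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Line format taken from the server_log.txt sample posted in the thread.
COOKIE_RE = re.compile(r"^\[(\d{2}/\d{2}/\d{4} [\d:]{8})\] \[connection\] "
                       r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ requests connection cookie\.$")

def parse(lines):
    """Yield (datetime, ip) per cookie-request line; skip anything else."""
    for line in lines:
        m = COOKIE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S"), m.group(2)

def flood_report(lines, max_sources_per_sec=20):
    """Summarise each one-second window; the default threshold is hypothetical."""
    per_sec, seen = defaultdict(list), Counter()
    for ts, ip in parse(lines):
        per_sec[ts].append(ip)
        seen[ip] += 1
    report = []
    for ts in sorted(per_sec):
        distinct = set(per_sec[ts])
        report.append({
            "second": ts.strftime("%H:%M:%S"),
            "requests": len(per_sec[ts]),
            "distinct_sources": len(distinct),
            # Randomly chosen source addresses spread over many /8 networks.
            "distinct_slash8": len({ip.split(".")[0] for ip in distinct}),
            # Share of this window's sources seen only once in the whole log.
            "one_shot_ratio": sum(seen[ip] == 1 for ip in distinct) / len(distinct),
            "flood": len(distinct) > max_sources_per_sec,
        })
    return report

# Constructed sample (not the poster's log): quiet second, 40 one-off sources, a returning source.
SAMPLE_LOG = [
    "[01/01/2020 12:00:00] [connection] 198.51.100.7:5001 requests connection cookie.",
    "[01/01/2020 12:00:00] [connection] 203.0.113.9:5002 requests connection cookie.",
    "[01/01/2020 12:00:00] unrelated line that the parser skips",
] + [
    f"[01/01/2020 12:00:01] [connection] {11 + 5 * i}.0.2.{i + 1}:{1024 + i} requests connection cookie."
    for i in range(40)
] + ["[01/01/2020 12:00:02] [connection] 198.51.100.7:5003 requests connection cookie."]

if __name__ == "__main__":
    print(*flood_report(SAMPLE_LOG), sep="\n")
```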
#7

You could simply require online registration before being allowed on the server, this means you're dropping every connection that comes that isn't registered which prevents a lot of bad traffic.

Another solution is finding a provider which offers you the ability to customize your DDoS filters or simply go with OVH's SYS Game Servers Dedicated Servers brand offered at http://www.soyoustart.com/ie/innovat.../game-servers/ which has custom UDP filters designed for SA-MP and other games.
#8

Quote:
Originally Posted by Jake187
You could simply require online registration before being allowed on the server, this means you're dropping every connection that comes that isn't registered which prevents a lot of bad traffic.

Another solution is finding a provider which offers you the ability to customize your DDoS filters or simply go with OVH's SYS Game Servers Dedicated Servers brand offered at http://www.soyoustart.com/ie/innovat.../game-servers/ which has custom UDP filters designed for SA-MP and other games.
Why would my server need to do this and lose lots of players if a lot of servers are not being taken down by this? And you can DROP everything in iptables or other software on the machine and you would still be taken down. Something physical in front is needed to do this, like Cisco, but it's expensive and would still not solve the problem correctly that way.

For days OVH hasn't answered my ticket. They didn't even say "buy the samp OVH game server so we can fix this"; they don't even answer. I can't trust and risk my money on a company like that.
#9

Quote:
Originally Posted by Xandelee
Why would my server need to do this and lose lots of players if a lot of servers are not being taken down by this? And you can DROP everything in iptables or other software on the machine and you would still be taken down. Something physical in front is needed to do this, like Cisco, but it's expensive and would still not solve the problem correctly that way.

For days OVH hasn't answered my ticket. They didn't even say "buy the samp OVH game server so we can fix this"; they don't even answer. I can't trust and risk my money on a company like that.
Dropping connections would stop attacks, actually. I am not sure where you heard or learned that an attack can still have an effect if dropped, but you're wrong. Why do you think the attack stops when you nullroute an IP? It's because you're dropping the connections; the only way this could happen is if you're rejecting the connection, which still sends a response.

Also, the best way to get ahold of OVH is by phone; I wouldn't bother with tickets if you need a quick response. Also, OVH's default protection doesn't include special UDP filters; it's a default UDP filter which offers basic protection. As stated, their SYS game server range has custom filters made for the game itself. OVH has shitty support and it's very well known, but you get what you pay for. It is a good solution, though, that I would recommend trying; either that or you're going to keep spending money on trying to solve the problem yourself.

Another solution, as I gave you, is to go with a company that lets you customize your protection and filters. There are a few companies out there that offer DDoS protection and do such things; an example is reliablesite.net
#10

Dropping connections via samp or a firewall doesn't stop the attack. I didn't hear it, I've seen it.
What hosting do you use? Do you use this OVH game server and not have any problems?
reliablesite doesn't say anything about letting you customize the DDoS filter, and they also said they don't guarantee protection against the attack I'm having.