[Tutorial] Methods to protect against DDoS attacks
#1

Hey everyone,
So I know a lot of people complain on here about DDoS attacks and how to prevent them and stop them and so forth. I want to be the first to tell you guys there's no permanent way to solve a DDoS attack.

The way a DDoS attack works is by flooding your server's connection and, depending on your capability, making the network unstable and inaccessible.

Normally when it comes to servers hosting SA-MP servers, they will flood the UDP port, and most people on here make the mistake of thinking that a script stopping a certain amount of connections per IP will solve that problem, when in fact they're wrong. Any experienced attacker with an experienced booter can flood your game server without any direct connections towards the game server, but instead through the open port such as 7777.

The SA-MP server client by default has protection against a connection flood as far as I know, as of 0.3e, and a script won't do you much good if the person knows exactly what they're doing.

Now when that doesn't work and they can't take down the UDP port due to, let's say, protection, most advanced attackers will start to attack the DNS open ports, or the HTTP open ports, or the FTP open ports, pretty much anything that's accessible to the public.

So what are good methods to protect against such attacks?
First thing you need to realize is this is a game of bandwidth. The person with the most bandwidth capability is the one who is going to stay standing. So the first thing you need is to be hosted on a dedicated server with DDoS protection which has a large network capability.

A good cheap example is OVH, which provides dedicated servers with a DDoS protection detection system. To keep the costs low, OVH will not protect you all the time, but instead when you are attacked and the system notices the attack they will filter the IP being attacked through a firewall and mitigation system. So you might notice for the first minute that the attack will not be filtered right away, until the system notices the attack and filters it.

OVH also provides IP addresses with no monthly fee, just a $2.00 charge, which is very useful for limiting certain port access.

Another good host is blacklotus.net, which is way more expensive but has guaranteed protection, and you're always protected no matter what, so you will not be left in the dark for a minute.

You can find other places which provide DDoS protection, but I always suggest contacting support and asking questions like: how large is the network capability, how much protection am I guaranteed if I buy a certain server, how does the protection work, do you protect UDP ports that are game servers, and so forth.

You can also invest in firewalls for protection, but it's going to cost you an arm and a leg to do so, and most attacks towards SA-MP servers never exceed 10 Gbit.

Method 2 - Limit Access
So as I explained earlier, ports that are accessible to the public are the ones mostly attacked by the attackers, so any way to limit public access to ports is the best way to prevent brute force attacks and DDoS attacks.

So what are good ways to limit port access? I personally suggest you buy a hidden IP which nobody knows about, and make this your default IP for SSH / FTP / DNS / SMTP / control panels etc. And then you block (drop) these ports from being accessed on a public IP such as your game server's; even block the HTTP port and use a dedicated IP for websites.

Nobody will be able to find these ports if they are being dropped, and they will assume it's a dead port.

Now another thing to do is switch the port numbers: SSH, switch it; FTP, switch it; any control panels like Webmin or other things, switch them to something different, so that somebody would have to port scan to actually find them, and if they are limited to your IP only, they won't be able to find them.

Another great thing to do, if you are the only one accessing certain things, is to limit the port access to your IP only. Now let's say your IP is dynamic like mine. What I do on my Linux server with Webmin is leave my Webmin port open to the public on a hidden IP but limited to my hostname only, so that I can access it whenever and switch the firewall access for the ports to my new IP address.

I have PR-RP under one dedicated server, with the website on a dedicated IP where the only port access is 80 for that IP; I have the game server under a dedicated IP which only allows access to 7777; then I have my hidden IP which is used for my control panels and DNS, POP3, FTP and SSH. On my hidden (default) IP I have my cPanel WHM blocked to my IP only and the SSH blocked to my IP only. This won't really help with attacks, but it's a good security measure to take; dropping all the ports besides the ones needed on the publicly known IP addresses is a good way to stop most attacks.

I suggest you look on ****** for how to figure out which ports are open and used on your server, and start to limit the access to them to prevent and solve most attacks.

I would also block any incoming or outgoing ICMP towards your IPs besides your hidden (default) IP.

Method 3 - Use the advantage of IPTables

Small scale attacks normally can be handled by your server without any effect on it. I could write a few whole paragraphs on how this works, but this site explains it pretty well:
http://linoxide.com/firewall/block-c...acks-iptables/

Another program to check out is CSF http://configserver.com/cp/csf.html

But all of these will not stop the attack permanently; these are only methods to help prevent them, and at the end of the day, as I said, it's a game of bandwidth. I hope I helped you guys with this tutorial, good luck!
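The per-IP port split from Method 2 (game IP only UDP 7777, web IP only TCP 80, hidden IP for admin services reachable from the operator's own address, ICMP only on the hidden IP) and the small-flood handling from Method 3, as an added example that is not from the original post or from any host or tool it names. It is a POSIX shell script that generates the iptables rule set and prints it for review; all addresses, the moved SSH port and the Webmin port are placeholders I chose.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the per-IP iptables INPUT
# rules the tutorial describes. Every address and port below is a placeholder.
GAME_IP="203.0.113.10"     # publicly known IP: only the SA-MP port
WEB_IP="203.0.113.11"      # publicly known IP: only HTTP
HIDDEN_IP="203.0.113.12"   # unpublished IP for SSH / control panel
ADMIN_IP="198.51.100.5"    # operator's own address, the only one allowed in
SSH_PORT=2222              # SSH moved off 22, as the post suggests
WEBMIN_PORT=10000          # Webmin on the hidden IP, admin address only

# Prints the rules instead of applying them so they can be reviewed first.
# Order matters: the per-source hashlimit on UDP 7777 sits before the
# conntrack shortcut, so a source that already has a UDP "connection" entry is
# still rate-limited; packets above 200/s from one source are dropped cheaply
# rather than handed to the game server. Policy DROP covers every other port
# on every IP, which is the "drop everything but what is needed" advice.
build_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d $GAME_IP -p udp --dport 7777 -m hashlimit --hashlimit-name samp --hashlimit-mode srcip --hashlimit-above 200/second -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -d $GAME_IP -p udp --dport 7777 -j ACCEPT
iptables -A INPUT -d $WEB_IP -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -d $HIDDEN_IP -s $ADMIN_IP -p tcp -m multiport --dports $SSH_PORT,$WEBMIN_PORT -j ACCEPT
iptables -A INPUT -d $HIDDEN_IP -p icmp -j ACCEPT
EOF
}

# Counts the ACCEPT rules aimed at one address: a quick check that each public
# IP exposes exactly the services intended before the rules go live.
accept_rules_for() {
    build_rules | grep -c -- "-d $1 .*-j ACCEPT"
}

# Pass "apply" to load the rules (needs root); anything else just prints them.
if [ "$1" = "apply" ]; then
    build_rules | sh
else
    build_rules
fi
```

Run it once without arguments and read the output; the ICMP rule on the hidden IP is the only one, so pings to the game and web IPs are dropped as the post recommends.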
#2

Interesting.
#3

Another method: Don't get people to hate you. However, most attacks are out of jealousy...
#4

Quote:
Originally Posted by Abagail
Another method: Don't get people to hate you. However, most attacks are out of jealousy...
-true

Could follow this method
#5

Tutorial is okay, gives the basics, but there are tons more things to do. For the most part, if all you have running on the box is an SA-MP server, all you have to worry about is making sure your host can handle layer 4 floods. However, if you run multiple services, you have to make sure, for example, that a layer 7 flood against your web server isn't going to occupy all of your resources. This is where separating your services onto different servers really comes in handy.

A proper setup to protect against DDoS attacks, and being able to identify attacks takes experience and tons of knowledge.
#6

Quote:
Originally Posted by rymax99
Tutorial is okay, gives the basics, but there are tons more things to do. For the most part, if all you have running on the box is an SA-MP server, all you have to worry about is making sure your host can handle layer 4 floods. However, if you run multiple services, you have to make sure, for example, that a layer 7 flood against your web server isn't going to occupy all of your resources. This is where separating your services onto different servers really comes in handy.

A proper setup to protect against DDoS attacks, and being able to identify attacks takes experience and tons of knowledge.
Most web applications have settings to provide basic overuse protection from floods, including CSF, so I don't know what you're going on about as far as how a flood would take all your resources if your web server is on a resource limit as it is.

But as I said, this is a game of bandwidth; just because you're hosted on different servers doesn't mean you're more protected. As long as something is available to the public there will always be a way to overload it, and it will become a game of bandwidth.

A proper setup would take time to learn, yeah, but I am not trying to show advanced ways, only basics. But as stated, as long as you're under a large network with DDoS protection, all you really need is one server for everything, and just use a dedicated IP for each service. It's a waste of money to use more than one server, and a waste of resources if you're already under a large protection network and have custom IPs for each service. And you could talk to support and set up filters for each dedicated IP address which would fit each service's special needs, making it just as equal to having a different server to host it as far as protection goes. It might even be better because you can afford better protection and more resources.

By limiting access to each IP, talking to support for custom filters for each IP and each service (such as explaining to them that one is for the web and another is for my game server), and even assigning certain CPU cores to each service, resources will never ever be an issue. This will allow you to use all your resources, have easier access to all systems, have easier monitoring of all systems and easier handling if set up right, save money, have more resources available to you and have the same protection and quality. So I don't understand why you would separate each service onto different servers when it's quite pointless and a waste in about 99 percent of all cases, as long as you do as I said.

This is SA-MP; if you're hosting only a few game servers and maybe a few websites, there is no point in wasting money on more than one server when you could likely afford the protection needed for them, have an overall easier experience setting things up, and set it up so that floods don't take the resources that you're so concerned about.
#7

Almost nothing can stop DDoSing. I added an anti-DDoS script; it didn't work. I applied this formula; it didn't work.

So, I'll go with my opinion.
#8

Look, guide you wrote right now I think is right, I'm really with you regarding IP "occult" is the best method for me, hide all the approaches that exist in my storage, but in addition there are several network programs that work and actually protect the welder then to not have No storage company, the program will do everything, downing server thfump it's like a knock, just a different port, basically when doing DDOS is basically a poster on the server and the server really can not deal with it then collapses.
#9

Quote:
Originally Posted by Jankingston
Almost nothing can stop DDoSing. I added an anti-DDoS script; it didn't work. I applied this formula; it didn't work.

So, I'll go with my opinion.
You might want to read about what DDoS is. Most people have no idea how it works.

The server's network interface gets spammed with invalid requests. It keeps trying to process them and to respond to the sender, but this takes pretty long compared to the high amount of incoming new requests. So at some point the server can't process any new requests, and you lose the connection to it.

So what's the most logical step? Make the network interface ignore those invalid requests. Dropping spammed packets is much faster than processing them. Suddenly, the amount of incoming data seems pretty small. "Personal" DoS attacks won't have a big bandwidth, and the server won't have much trouble blocking 1 Mbps of incoming spam packets. This will stop any effects of the attack.

It just gets problematic if the attack bandwidth gets bigger than the downstream of the server. In that case it's not the network interface that causes trouble, but the network connection itself; there's just too much incoming data. A firewall can't help you in that case; it doesn't matter how many packets are dropped if the connection is still at maximum load. The common (and probably the only working) way to stop such attacks is to increase your own bandwidth, so the attack can't push it to full load. That's what most "DDoS protection services" do: they give you some kind of proxy server with a very strong internet connection that filters spammed packets and just forwards the good ones to your server.

Another type of that would be to cluster the server (that's what the big websites do). The server is redundant on several machines with independent internet connections, and some manager distributes the users to all machines. Once a single machine gets attacked and becomes unreachable, the manager disables it and users are simply redirected to the other machines. As the number of independent machines practically isn't limited, this is the only way that could protect even against the biggest attacks. But unfortunately, this isn't applicable for SA-MP.