Help ddos My Server NFO
#1

Can anyone help me configure my firewall?

my vps is hosted at: https://www.nfoservers.com

I am getting ddos attacks as you can see:

http://prntscr.com/5c7dfs

I need someone to help me configure the NFO firewall.
Firewall photo: http://prntscr.com/5c7doy
#2

Instead of selectively blocking traffic like a blacklist, selectively allow traffic like a whitelist. You only need to allow UDP packets on port 7777. Drop everything else. Assuming that localhost and SSH traffic is allowed by default, you only need two rules:

Rule #1: Allow UDP traffic on port 7777
Rule #2: Drop any traffic on any port
#3

How can I block all traffic?
#4

Why don't you ask your host?
#5

Quote:
Originally Posted by Vince
View Post
Instead of selectively blocking traffic like a blacklist, selectively allow traffic like a whitelist. You only need to allow UDP packets on port 7777. Drop everything else. Assuming that localhost and SSH traffic is allowed by default, you only need two rules:

Rule #1: Allow UDP traffic on port 7777
Rule #2: Drop any traffic on any port
From my experience, a couple of firewall rules won't solve it, unless it's a very small attack.
Most likely, what will happen is the VPS will end up shutting down due to overload of resources checking all the packets coming in...
The best thing to do is move to a provider that offers you DDoS protection by default. In most cases this is too expensive or doesn't work well for game servers because they use the UDP protocol, which is harder to block.
I'm not sure of the market offers right now, but I would try some game provider like verygames, or maybe OVH, which claims to have a great anti-DDoS system, but I haven't tested it yet.

Good luck with that, bro.
#6

The OVH firewall is good, but that one is not better.
#7

I think a dedi is out of his budget, based on him running what will most probably be a 1-2 GB RAM VPS, which would be a similar price to a rented server as opposed to a dedicated server.
#8

Quote:
Originally Posted by Vince
View Post
Instead of selectively blocking traffic like a blacklist, selectively allow traffic like a whitelist. You only need to allow UDP packets on port 7777. Drop everything else. Assuming that localhost and SSH traffic is allowed by default, you only need two rules:

Rule #1: Allow UDP traffic on port 7777
Rule #2: Drop any traffic on any port
SA-MP traffic is not just on port 7777. Clients get a unique port assigned on connection; you can't efficiently connect multiple remote clients to the same port (without further effort). So, if I'm not completely wrong, blocking everything but the server port would mean players can still query the server and attempt to connect to it, but they could never join the server.
The server doesn't listen on ports that weren't sent to a player anyway, so just blocking everything won't change a thing; the DDoS just needs to target a port that isn't blocked. They usually don't target any ports except the server port (7777) anyway, afaik.

What you'll need is a connection limiter script (bash) that automatically reacts to excessive traffic from a single client and drops its packets. This will reduce the effect of a DDoS, as the attack just spams the connection then but does not block the server, because the packets never reach it. Depending on the server's performance and the connection speed, this can completely nullify the effects of a common small-scale DDoS.
#9

NFO has good DDoS protection; this shouldn't be an issue. They also have very fast support (yes, imo; they respond within 1-2 minutes no matter the time), so I'm pretty sure it could be fixed and sorted within minutes if you submit a help ticket. Otherwise, you can try messing around with the firewall as Vince stated a few posts above.

They do try to stop attacks though, but rules should help as well. You can contact them for more information regarding attack protection. And the title sounds like you want someone to DDoS your server; I'd suggest changing it before more attacks come... (just joking ;p)
#10

You're better off with a VPS from OVH. They have VAC, which notifies you if there's a strange delay or oversent packets.
#11

Any script to avoid DDoS?
#12

Holy shit you're overpaying. But you can't really "stop" a DDoS attack.
#13

Which NFO location are you using?
#14

Quote:
Originally Posted by Mark_Weston
View Post
Holy shit you're overpaying. But you can't really "stop" a DDoS attack.
Considering it's XEN virtualization, dedicated resources, on under-loaded hardware, backed by an SLA, and hosted in an Internap DC, I don't think he's overpaying.
#15

Which NFO location are you using?
Atlanta
#16

Quote:
Originally Posted by JessyChaos
View Post
Which NFO location are you using?
Atlanta
http://www.geoiptool.com/es/?ip=162.248.89.185
#17

Quote:
Originally Posted by JessyChaos
View Post
Which NFO location are you using?
Atlanta
Ask NFO what's the size of the attacks.
#18

Quote:
Originally Posted by Mauzen
View Post
SA-MP traffic is not just on port 7777. Clients get a unique port assigned on connection; you can't efficiently connect multiple remote clients to the same port (without further effort). So, if I'm not completely wrong, blocking everything but the server port would mean players can still query the server and attempt to connect to it, but they could never join the server.
The server doesn't listen on ports that weren't sent to a player anyway, so just blocking everything won't change a thing; the DDoS just needs to target a port that isn't blocked. They usually don't target any ports except the server port (7777) anyway, afaik.
Well, this model (albeit slightly modified) is currently in place on my VPS and it works fine. These are the iptables rules:
Code:
num   pkts bytes target     prot opt in     out     source               destination
1     423K  113M ACCEPT     all  --  lo     any     anywhere             anywhere
2     151M   14G ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    2489K 5650M ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:7777
4       40 83522 ACCEPT     udp  --  eth0   any     anywhere             anywhere             udp dpt:7778
5     1098 65262 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
6      240 10492 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
7     182K   11M ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
8      229  9296 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:mysql
9    2630K 5785M DROP       all  --  any    any     anywhere             anywhere
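The ruleset in the listing above, written out as an added example (not code posted in the thread): a POSIX shell script that generates the iptables commands in the order the listing shows, checks the two invariants that keep you from locking yourself out (the conntrack rule is present and the catch-all DROP is last), and only applies them when APPLY=1. SAMP_PORT, QUERY_PORT, ALLOWED_TCP, APPLY and the function names are assumptions; the defaults only open SSH on TCP, so add 80/443/3306 to ALLOWED_TCP if you run those services as the listing does.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the whitelist ruleset from the
# iptables listing above as commands. Assumed knobs: SAMP_PORT (game port),
# QUERY_PORT (the 7778 rule in the listing), ALLOWED_TCP (extra TCP ports).
SAMP_PORT="${SAMP_PORT:-7777}"
QUERY_PORT="${QUERY_PORT:-7778}"
ALLOWED_TCP="${ALLOWED_TCP:-22}"   # SSH only by default; "22 80 443 3306" mirrors the listing

# Print the rules in the order they must appear. Order matters: loopback and
# conntrack first (so replies to connections the host itself opened, and your
# live SSH session, keep flowing), explicit allows next, catch-all DROP last.
whitelist_rules() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport $SAMP_PORT -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport $QUERY_PORT -j ACCEPT"
    for port in $ALLOWED_TCP; do
        echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -j DROP"
}

# Sanity check before applying: DROP must be the final rule and the conntrack
# rule must exist, otherwise established sessions (including SSH) get cut.
check_rules() {
    rules=$(whitelist_rules)
    last=$(printf '%s\n' "$rules" | tail -n 1)
    case "$last" in *"-j DROP") ;; *) return 1 ;; esac
    printf '%s\n' "$rules" | grep -q -- '--ctstate RELATED,ESTABLISHED' || return 1
    return 0
}

# Dry run by default (prints the commands); APPLY=1 executes them as root.
apply_whitelist() {
    check_rules || { echo "refusing to apply: bad rule order" >&2; return 1; }
    if [ "${APPLY:-0}" = "1" ]; then
        whitelist_rules | sh -e
    else
        whitelist_rules
    fi
}
```

Run it once without APPLY to review the commands, then `APPLY=1 sh whitelist.sh` as root; rules added this way do not survive a reboot unless you persist them with your distribution's iptables-save mechanism.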
#19

How can I add these iptables rules?
#20

Yes, but you should contact your host before doing anything!