DDos Prevention
(27 posts, started )
I'm soon to be launching a new community within LFS. I will be running all my own servers from my co-located dedicated server in Germany. Now I have various iptables rules set and have blocked as many proxies as I can find. I have also been assured by my service provider that the router/hardware firewall should detect any sort of attack and somehow block it. Now my question is this... I'm connected to a 1Gbps backbone; will the bandwidth be able to handle any such attack if it does happen? As a new community, building a good reputation is important, so I can't afford for my servers to be going down due to idiocy.

Here's a quick speedtest from an Ubuntu container running on my host dedi server.

http://www.speedtest.net/my-result/2909887497
Quote from hayward: Now I have various iptables rules set and have blocked as many proxies as I can find.

If you're going down that route, keep an eye on, or parse and update from, the Tor exit node list.

Quote from hayward: Now my question is this... I'm connected to a 1Gbps backbone; will the bandwidth be able to handle any such attack if it does happen?

Depends.

If a DoS attack is simply trying to max out your connection, then 1Gbps may not be enough, depending on who you piss off, how good your provider's solution is (without knowing what they have set up, that's unanswerable), how many uplinks they have, what size they are and how well they communicate with their upstream providers. There have been DDoS attacks in the range of hundreds of Gbps this year.

If a DoS attack is more targeted (i.e. intelligent), and not simply about brute force maxing your connection, then it again depends on what your provider has in place and what sort of attack it is. There are many "attacks" that will simply look like normal traffic, but result in tying up resources so that your server can't respond to legitimate requests - but leave your connection at a relatively low level of usage.

If you're looking for advice: unless you're going to lose money, don't worry about it - there are more important things in life.
Thanks for the help TAA, I will take it all into consideration. My second question is: does LFS Dedi support listening on IPv6 addresses? If so, I can see that making it a little more difficult for them to send an attack; AFAIK all LFS servers use IPv4. I will also be using non-default ports for both InSim and the actual server itself, so they will need to dig a bit further. Making many obstacles may just deter the hackers.
LFS is IPv6-unaware at this point. On a Linux server you'll want to make sure that SYN cookies are enabled and maybe increase the backlog size a bit. Some clever iptables rules allow you to limit the rate of new connections from one IP, which might help against less sophisticated DoS attacks. However, it all comes down to how big a gun the attacker brings...
Quote from hayward: so I can't afford for my servers to be going down due to idiocy.

Forget it, it's not going to work. Only one company has a properly working anti-DDoS infrastructure at the moment and that is OVH. Everything else is a fail. (Sadly.) Kids have too many options to f* around. If you don't believe me, continue; you will discover.

Speedtest is unimpressive, by the way. Anti-DDoS is not about having more bandwidth, it's about having mitigation bandwidth.
Quote from cargame.nl: Forget it, it's not going to work. Only one company has a properly working anti-DDoS infrastructure at the moment and that is OVH. Everything else is a fail. (Sadly.) Kids have too many options to f* around. If you don't believe me, continue; you will discover.

Speedtest is unimpressive, by the way. Anti-DDoS is not about having more bandwidth, it's about having mitigation bandwidth.

Thanks for the heads up
Well, you can explain it like that, yes.

I'm saying it a little bit in this way because I spoke to people in the last few weeks who do not believe me or are still doing it 'their own way'... without success. If you don't listen to good advice then it's OK, but then don't complain either, is my logic.

Anyway, good luck with the new project.
Quote from cargame.nl: Well, you can explain it like that, yes.

I'm saying it a little bit in this way because I spoke to people in the last few weeks who do not believe me or are still doing it 'their own way'... without success. If you don't listen to good advice then it's OK, but then don't complain either, is my logic.

Anyway, good luck with the new project.

I understand your frustration and tbh I've heard good things about the DDoS protection that OVH provide. I would use them, but the provider I'm using currently is owned by a family member and I pretty much pay next to nothing for space in his rack; that's why I've tried tackling the problem myself. But thanks for the advice.
Hi,

I cannot advise you on how to stop DDoS attacks, as this seems to be an ongoing subject and at an ISP level I am not qualified enough, but at local LAN/WAN level I have some good experience and knowledge.

Never EVER use the speed test that you used as a "true" reflection of your actual speed, because you're using a website that depends on Java, Flash, etc., so processor power, memory, etc. come into it; use the one below. This is public domain, but not a lot of people use this to check, or Google for BT Wholesale, but I work for a company that works with an ISP and this is what we use to determine what speed they get. You can only get a real, true reflection of your speed with a BT/Openreach engineer with his laptop directly plugged into your line.

http://speedtest.btwholesale.com/

Fordie
Quote from Fordman: Hi,

I cannot advise you on how to stop DDoS attacks, as this seems to be an ongoing subject and at an ISP level I am not qualified enough, but at local LAN/WAN level I have some good experience and knowledge.

Never EVER use the speed test that you used as a "true" reflection of your actual speed, because you're using a website that depends on Java, Flash, etc., so processor power, memory, etc. come into it; use the one below. This is public domain, but not a lot of people use this to check, or Google for BT Wholesale, but I work for a company that works with an ISP and this is what we use to determine what speed they get. You can only get a real, true reflection of your speed with a BT/Openreach engineer with his laptop directly plugged into your line.

http://speedtest.btwholesale.com/

Fordie

Good link, thanks for the info.
Quote from Chriship: Good link, thanks for the info.

NP Chris

I have loads of them that, unless you know what you're Googling for, you won't know how to find... I love having a BT engineer as a friend... as they say, every little helps.
Another tip... from a BT line, plug in a phone (no filter, if you have broadband) and ring 17070.

This will give you the engineer's menu, tell you the line number (if the box does not have a number on it, like I have seen) and also get some line tests done without the need to ring the 0800 number, go through Option 1, 2, 3, 15, 27, etc. etc. and end up speaking to somebody in another country.

Regards

Fordie
Quote from hayward: I will also be using non-default ports for both InSim and the actual server itself, so they will need to dig a bit further.

Hmm. Surely you will be blocking the InSim ports in your firewall though? So which ports you run the InSim applications on won't really matter.

Unless the InSim applications are connecting remotely. But then you'd probably want to whitelist the remote IPs, so it still won't matter.
Indeed, but depending on the skill level of these so-called "hackers", an IP can sort of be spoofed, in which case port blocking is still kinda effective as a way of adding an extra obstacle.

You can't really spoof an IP effectively, because if you do, HTTP responses will go to that IP rather than yours. As such, it'd probably not be the best use of your time. (They can be faked, but they can't receive the intended data.)

This is a risk still as it's a well established way of conducting DDoS (Distributed Denial of Service) attacks.
Actually, that's how one of the attacks is executed: by sending forged packets to servers with much larger capacities (misconfigured DNS servers) that proceed to flood a target with packets. It ends up meaning a person with not a lot of bandwidth can amplify and create a much larger attack on a server.

It's fun times!
It's as fun as being raped and stabbed.
Indeed. I'd take a strap-on up my arse any day while taking a knife to my balls afterwards for great pleasure.
If possible I'm going to be detecting multiple connections; if more than 2, you will be IP banned. If you want more than 2 people to play in our servers from the same IP then you will have to request to be added to the whitelist.
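Added example (my own, not code from this thread or from LFS): a POSIX shell script that applies MadCatX's advice earlier in the thread (SYN cookies, a larger SYN backlog, iptables limits on new connections per source) together with the more-than-two-connections-per-IP policy and whitelist from the post above. It assumes the LFS default port 63392, a constructed whitelist range 203.0.113.0/24 and iptables as the host firewall; the connlimit rule drops excess connections rather than permanently banning the address.

```shell
#!/bin/sh
# Added example, not from the thread. Hardens a Linux LFS host against simple
# TCP connection floods. Assumptions: LFS listening on port 63392 (assumed
# default), a constructed whitelist range, iptables firewall.
# Run "APPLY=1 sh harden.sh" as root to apply; set IPT=echo / SYSCTL=echo to
# preview the commands instead.
LFS_PORT="${LFS_PORT:-63392}"               # assumed LFS default port
WHITELIST="${WHITELIST:-203.0.113.0/24}"    # constructed: trusted friends/LAN
PER_IP_LIMIT="${PER_IP_LIMIT:-2}"           # "more than 2 per IP" policy
SYSCTL="${SYSCTL:-sysctl}"                  # set to "echo" for a dry run
IPT="${IPT:-iptables}"                      # set to "echo" for a dry run

# Kernel side: SYN cookies keep the listen queue usable during a SYN flood,
# and a larger backlog gives headroom before cookies are needed at all.
apply_sysctl() {
    "$SYSCTL" -w net.ipv4.tcp_syncookies=1
    "$SYSCTL" -w net.ipv4.tcp_max_syn_backlog=4096
    "$SYSCTL" -w net.core.somaxconn=1024
}

# Firewall side: a dedicated chain for TCP traffic to the LFS port.
# Whitelisted sources skip the limits; every other address is capped at
# PER_IP_LIMIT concurrent connections and a modest rate of new SYNs.
# (UDP game traffic is left alone: a legitimate client sends it at a high rate.)
apply_rules() {
    "$IPT" -N LFS_GUARD 2>/dev/null || true   # chain may already exist
    "$IPT" -F LFS_GUARD                       # start from a clean chain
    "$IPT" -A LFS_GUARD -s "$WHITELIST" -j RETURN
    "$IPT" -A LFS_GUARD -p tcp -m connlimit \
        --connlimit-above "$PER_IP_LIMIT" --connlimit-mask 32 -j DROP
    "$IPT" -A LFS_GUARD -p tcp --syn -m hashlimit --hashlimit-name lfs_syn \
        --hashlimit-mode srcip --hashlimit-above 10/sec --hashlimit-burst 20 \
        -j DROP
    "$IPT" -A LFS_GUARD -j RETURN
    "$IPT" -I INPUT -p tcp --dport "$LFS_PORT" -j LFS_GUARD
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_sysctl
    apply_rules
fi
```

Run the dry run first and read the emitted rules; on a real host, check the counters with `iptables -L LFS_GUARD -v -n` to see whether the limits are being hit by legitimate players before tightening them.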
Okay, just spent the last hour trying to bring down my own server with 0% luck. All I will say is null routing at ISP level is the solution to it.
Quote from MadCatX: SYN cookies are enabled

If you missed it, there was an interesting post on the full-disclosure mailing list a few days ago about exploiting SYN cookies for blind TCP connections (http://www.jakoblell.com/blog/ ... poofing-with-syn-cookies/). If it could be combined with something like the ACK-GET (which I believe is still doable - http://www.thice.nl/creating-ack-get-packets-with-scapy/) you've got a powerful combination if you have an exploitable service that's locked down.

Edit: To anyone misunderstanding - I'm not poo-poo-ing the idea of SYN cookies. It's a very good idea to enable that feature if your OS supports it; it's a sensible guard against flooding, but just be aware that, like all things, it's not a magic bullet.
I've enabled SYN cookies already.
Are your servers public now?

Fordie
#24 - Jakg
Remember a DDoS attack can come on bandwidth (which you've got covered, it seems) but also on CPU etc. - you can send malformed packets that require very little network traffic but will eat the CPU when it tries to process them.
Quote from Jakg: Remember a DDoS attack can come on bandwidth (which you've got covered, it seems) but also on CPU etc. - you can send malformed packets that require very little network traffic but will eat the CPU when it tries to process them.

Well, I've put as many security measures into place as I can; let's just hope it keeps them out.

BTW, I noticed you're in East Anglia. Whereabouts? I live in Lowestoft.