DDoS Protection too strict?
(4 posts, started )
Hi, I'm getting a quite considerable amount of these notifications while messing with my InSim app (on LFS hosting).
Quote from server activity:
Nov 10 09:28:53 [RC] : [DDoS Protection] Host network attack detected.
Nov 10 09:28:53 [RC] : [DDoS Protection] Lock-down mode is now enabled!


Is there a way to know what exactly triggers them?
Is there a debug log of some sorts for LFS-hosted servers?
(the reply is maybe a bit too detailed, but hey, now you'll know how it works :) )

I have built a flood detection / protection mechanism that works in hardware on our switch. When a packet flood is detected, it will start dropping packets that exceed the rate limit, so the game server will never be overwhelmed. BUT, it also then adds all client IP addresses to a whitelist that has no rate limit, ensuring that connected clients can continue to play without any issue. InSim connections are however not included in this whitelist. Maybe I should.

Currently the policer rule is this:

policer gameserver-policer {
    if-exceeding {
        bandwidth-limit 5m;
        burst-size-limit 25k;
    }
    then discard;
}

This is applied only to incoming traffic, so the 5 Mbit of incoming traffic is really never reached under normal circumstances.
The burst size is what's triggering the anti-ddos in your case, as probably you're sending a lot of packets to the game server in a very short time span.

As a test, I have raised the burst value to 50k. Please do your thing and let's see if your tests still trigger the protection. I'll be keeping an eye on this.
Ok so it's just what I thought - it's based on bandwidth and not specific/corrupt InSim packets.
I'll try to record my InSim behavior - what packets are being sent at which rates (bytes/s). Maybe it will give a better understanding of where the bottleneck is.
Thanks for the explanation!
I found the culprit... it was... me! :D
It was a bug that sent a delete command (BFN) for all unused buttons in each GUI refresh.
This is what the traffic looks like:
Quote from bandwidth report file:
Running for: 00:13:30.1300717
Sent packets:
ISP_ISI: 0.00 packets/s, 0.05 bytes/s
ISP_TINY: 0.04 packets/s, 0.15 bytes/s
ISP_MTC: 0.01 packets/s, 0.42 bytes/s
ISP_BTN: 3.31 packets/s, 261.51 bytes/s
ISP_BFN: 393.37 packets/s, 3146.97 bytes/s


P.S. After the policer adjustment the DDoS message did not appear again :) I'll keep monitoring the bandwidth in the future
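As an added illustration (this is not code from the thread, from LFS or from the hosting provider), the following Python models the policer quoted earlier in the thread as a token bucket and pushes a constructed trace of the "BFN for every unused button on each GUI refresh" pattern through it, then summarises the same trace in the shape of the bandwidth report above. The payload sizes, the 42-byte per-packet header overhead, the button counts and the assumption that the policer counts whole frames are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed sizes for the simulation. IS_BFN is an 8-byte InSim packet; the
# 70-byte IS_BTN payload and the 42-byte per-packet header overhead
# (Ethernet + IPv4 + UDP) are assumptions made for this example, as is the
# assumption that the policer counts whole frames.
ISP_BFN_PAYLOAD = 8
ISP_BTN_PAYLOAD = 70
HEADER_OVERHEAD = 42


class TokenBucketPolicer:
    """Model of a single-rate policer of the kind quoted in the thread:
    bandwidth-limit refills the bucket, burst-size-limit caps it,
    and a packet that does not fit is discarded."""

    def __init__(self, bandwidth_bps, burst_bytes):
        self.rate = bandwidth_bps / 8.0      # tokens are bytes per second
        self.capacity = float(burst_bytes)
        self.tokens = float(burst_bytes)     # bucket starts full
        self.last_t = 0.0
        self.forwarded = 0
        self.discarded = 0

    def offer(self, t, wire_bytes):
        """Offer one packet at time t; return True if it is forwarded."""
        self.tokens = min(self.capacity,
                          self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if wire_bytes <= self.tokens:
            self.tokens -= wire_bytes
            self.forwarded += 1
            return True
        self.discarded += 1
        return False


def gui_refresh_trace(refreshes, unused_buttons, interval):
    """Constructed InSim trace reproducing the bug described in the thread:
    every GUI refresh sends a few IS_BTN packets and then one IS_BFN per
    unused button, all within the same instant."""
    trace = []
    for i in range(refreshes):
        t = i * interval
        trace += [(t, "ISP_BTN", ISP_BTN_PAYLOAD)] * 10
        trace += [(t, "ISP_BFN", ISP_BFN_PAYLOAD)] * unused_buttons
    return trace


def run_policer(trace, bandwidth_bps, burst_bytes):
    """Return (forwarded, discarded) after pushing the trace through the policer."""
    policer = TokenBucketPolicer(bandwidth_bps, burst_bytes)
    for t, _ptype, payload in trace:
        policer.offer(t, payload + HEADER_OVERHEAD)
    return policer.forwarded, policer.discarded


def rate_report(trace, duration_s):
    """Per-packet-type averages in the same shape as the bandwidth report
    quoted in the thread: {type: (packets/s, payload bytes/s)}."""
    packets = defaultdict(int)
    payload_bytes = defaultdict(int)
    for _t, ptype, payload in trace:
        packets[ptype] += 1
        payload_bytes[ptype] += payload
    return {p: (packets[p] / duration_s, payload_bytes[p] / duration_s)
            for p in packets}


if __name__ == "__main__":
    trace = gui_refresh_trace(refreshes=3, unused_buttons=600, interval=1.0)
    for ptype, (pps, bps) in rate_report(trace, 3.0).items():
        print(f"{ptype}: {pps:.2f} packets/s, {bps:.2f} bytes/s")
    for burst in (25_000, 50_000):
        fwd, drop = run_policer(trace, 5_000_000, burst)
        print(f"burst-size-limit {burst}: forwarded={fwd} discarded={drop}")
```

The report averages come out at a few kilobytes per second, nowhere near the 5 Mbit bandwidth limit, yet with `burst-size-limit 25k` the policer discards 123 of the 600 BFN packets in every refresh because they all arrive in the same instant, and with `50k` it discards none. That is the gap between an averaged bandwidth report and a burst-sized policer: to see the trigger in your own logging, record the timestamp of each packet (or bytes per refresh) rather than only the per-second averages.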
