Deleted

edited June 2021 in Technical

This problem has been solved. Deleted in order to no bash the hosting provider.

Comments

  • First hosting attempt was ExtraVM but the DDoS went straight through the filters apparently.

    Perhaps it's an attack from internal network?

  • It is not sadly.

    According to tcpdumps there numerous and numerous of IPs from various ranges all over ipv4 network. Its spoofed UDP.

  • You need a hardware firewall to block attack traffic.
    It initially blocks all IP.

    Then, have the players register on your website.
    IP of registered players are added to the firewall allowlist via NETCONF API.

    ServerFactory aff best VPS; HostBrr aff best storage.

  • YmpkerYmpker OGContent Writer

    Now, I am in no way an expert regarding this, but wouldn't perhaps running the gameservers on one of the popular gameserver hosts (Nitrado, G-Portal, Gameservers.com, ZAP-Hosting..) be an option, too? Perhaps even cheaper than a dedi depending on how many concurrent players are needed (CS 1.6 5v5, so 10 slots per server?). Aren't these Gameserver companies (at least the "good ones" quite experienced in providing an infrastructure resilient to the likes of DDoS and other attacks on gameservers?).

  • edited June 2021

    Were trying OVH game VPS again with EvolutionHosting. This time I'll make sure that this dude has correct firewall profile enabled.

    Their support has approved this attempt, so we'll see.

    Thanked by (1)Ympker
  • YmpkerYmpker OGContent Writer

    @stefeman said:
    Were trying OVH game VPS again with EvolutionHosting. This time I'll make sure that this dude has correct firewall profile enabled.

    Their support has approved this attempt, so we'll see.

    Keep us updated. Good luck!

  • @stefeman said:
    It is not sadly.

    According to tcpdumps there numerous and numerous of IPs from various ranges all over ipv4 network. Its spoofed UDP.

    iirc OVH internal traffic bypasses their firewall. Could be wrong tho

  • sanvit said:

    stefeman said:
    It is not sadly.

    According to tcpdumps there numerous and numerous of IPs from various ranges all over ipv4 network. Its spoofed UDP.

    iirc OVH internal traffic bypasses their firewall. Could be wrong tho

    According to OVH website, it's probably true. Not sure if game anti-ddos works differently though.

    The Network Firewall is not taken into account within the OVH network, so the rules set up do not affect the connections in this internal network.

  • I use and recommend nfoservers.com for this, although I have never had to deal with serious attacks.

  • Everything works great and all, only if Evolution-Host would close SSH port from OVH IP Firewall rules.. It would be foolproof.

    Unfortunately what they did was:

    Apply goldsrc filter on UDP 27015 and 27016 - all good
    Block other UDP ports - all good

    Sadly enough, it seems to be impossible to get the support block TCP ports from OVH IP Firewall.

    They finally responded and blocked all TCP ports.. Except SSH 22 which was left wide open, and of course the attacker abused it entire sunday xD

    Other than that, OVH Game filter for Goldsrc is the solution. Seems like this person Im helping had HL2: Source profile on ExtraVM and thats why all attacks went through back then.

    Thanked by (1)mikho
  • edited June 2021

    He has nothing else to try on, so hes attacking the SSH port like the world is ending before it gets blocked.

    I really pity the customers of EvolutionHost.. Don't get me wrong.. Its a great host, but this dude launched full on 1Gbps attack into the VPS that lasted for most of the sunday and entire sunday - monday night and still continues, and we have 2 or 3 tickets about this issue now asking him to block the SSH port from OVH IP Firewall, but no.. theres no response from the host due to weekend, and the attack continues even now and the VPS is happily eating everything, cause the port remains open despite our requests to close it down on network level.

    Now, I can only imagine how laggy it is for every other person in that USA OVH Game Node cause of this. I'm sure the host has at least 30 tickets cause of that ongoing attack from other customers.

    Now only thing we miss is that the dude takes his anger out of us, and suspends the CS 1.6 server "cause we're getting too much attacks that affects other customers", when in fact everything can be prevented by just closing/restricting the SSH port lol.

  • mikhomikho AdministratorOG

    @stefeman said:
    He has nothing else to try on, so hes attacking the SSH port like the world is ending before it gets blocked.

    I really pity the customers of EvolutionHost.. Don't get me wrong.. Its a great host, but this dude launched full on 1Gbps attack into the VPS that lasted for most of the sunday and entire sunday - monday night and still continues, and we have 2 or 3 tickets about this issue now asking him to block the SSH port from OVH IP Firewall, but no.. theres no response from the host due to weekend, and the attack continues even now and the VPS is happily eating everything, cause the port remains open despite our requests to close it down on network level.

    Now, I can only imagine how laggy it is for every other person in that USA OVH Game Node cause of this. I'm sure the host has at least 30 tickets cause of that ongoing attack from other customers.

    Now only thing we miss is that the dude takes his anger out of us, and suspends the CS 1.6 server "cause we're getting too much attacks that affects other customers", when in fact everything can be prevented by just closing/restricting the SSH port lol.

    iptables and only allow specific IPs on port 22 is not an option?
    if you Drop from every other IP, perhaps the attacker thinks you blocked the ssh port as well on the OVH firewall?

    “Technology is best when it brings people together.” – Matt Mullenweg

  • edited June 2021

    @mikho said:

    @stefeman said:
    He has nothing else to try on, so hes attacking the SSH port like the world is ending before it gets blocked.

    I really pity the customers of EvolutionHost.. Don't get me wrong.. Its a great host, but this dude launched full on 1Gbps attack into the VPS that lasted for most of the sunday and entire sunday - monday night and still continues, and we have 2 or 3 tickets about this issue now asking him to block the SSH port from OVH IP Firewall, but no.. theres no response from the host due to weekend, and the attack continues even now and the VPS is happily eating everything, cause the port remains open despite our requests to close it down on network level.

    Now, I can only imagine how laggy it is for every other person in that USA OVH Game Node cause of this. I'm sure the host has at least 30 tickets cause of that ongoing attack from other customers.

    Now only thing we miss is that the dude takes his anger out of us, and suspends the CS 1.6 server "cause we're getting too much attacks that affects other customers", when in fact everything can be prevented by just closing/restricting the SSH port lol.

    iptables and only allow specific IPs on port 22 is not an option?
    if you Drop from every other IP, perhaps the attacker thinks you blocked the ssh port as well on the OVH firewall?

    No. the damage is already done if it reaches the server even if there is no service running as its the only TCP port that actually reaches the server. They also finally closed that TCP 22 port from the network as well, and the VPS and the server is now fine.

    Thanked by (1)mikho
Sign In or Register to comment.