DDoS attacks

TheLaughingMan
New to forums
Posts: 10
https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
Joined: Thu Oct 11, 2012 10:08 am

DDoS attacks

Post by TheLaughingMan »

So at least one person has the audacity to tell me they are ddos'ing me and I notice it at times. Is there a good program to monitor traffic so I can see where it is coming from and block it via the firewall? I want something that can monitor constantly even when I am away.
kraze
Former staff
Posts: 4362
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: DDoS attacks

Post by kraze »

Wireshark would probably be your best bet. You would be able to analyse traffic and block it via the firewall on your VDS.

Alternatively using the firewall option we provide in the control panel might be a better bet, it allows for easier rule making and managing.
@Kraze^NFo> Juski has a very valid point
@Juski> Got my new signature, thanks!
@Kraze^NFo> Out of context!
@Juski> Doesn't matter!
@Juski> You said I had a valid point! You can't take it back now! It's out there!
TheLaughingMan
New to forums
Posts: 10
Joined: Thu Oct 11, 2012 10:08 am

Re: DDoS attacks

Post by TheLaughingMan »

Know of a way to show it graphically? Like see which connections are using the most bandwidth?
kraze
Former staff
Posts: 4362
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: DDoS attacks

Post by kraze »

Wireshark may have a way of determining that but in most cases, no. Most attacks are also DDoSes so they are using 100s of different IPs and it's not possible to look at which IP is sending the most as they're all probably sending a good bit.

If you are seeing just a normal DoS then you can block that single IP which should be enough.

I would suggest taking a look at the firewall tab in your VDS. We include some good information on that page that can help get you going. You can also ask any additional questions here in this thread.
TheLaughingMan
New to forums
Posts: 10
Joined: Thu Oct 11, 2012 10:08 am

Re: DDoS attacks

Post by TheLaughingMan »

Well it isn't a VDS so there is no firewall tab. Do you think I should just find a way to stop all connections that don't go to RDP or my gameservers?
kraze
Former staff
Posts: 4362
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: DDoS attacks

Post by kraze »

TheLaughingMan wrote: Well it isn't a VDS so there is no firewall tab. Do you think I should just find a way to stop all connections that don't go to RDP or my gameservers?
In theory that is easy but when it comes time to actually do it, it's not so easy. With a full server there will be a lot of connections going back and forth, not to mention background programs and programs you may be completely unaware of that are communicating.

Your best bet would be to first identify that you are being attacked.
TheLaughingMan
New to forums
Posts: 10
Joined: Thu Oct 11, 2012 10:08 am

Re: DDoS attacks

Post by TheLaughingMan »

I'll have Wireshark run when I am away to log traffic and go from there.
TheLaughingMan
New to forums
Posts: 10
Joined: Thu Oct 11, 2012 10:08 am

Re: DDoS attacks

Post by TheLaughingMan »

It seems like something is still going on. I used over 100GB of BW in a day which seems high for 2 DayZ servers. Wireshark fails because it can't handle the load. Any other ideas on software, even if it is paidware? Also it seems I was hit again:
[Image]
soja
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: DDoS attacks

Post by soja »

Your best bet is to catch it when it happens; unfortunately I don't think there is any program that will do what you want. I suggested something that will do a tcpdump (Linux) when bandwidth goes over a threshold, but nothing like that exists yet. I've had to deal with these for months and in my experience if you can't catch it when it happens, you're out of luck.

Also, that small spike likely wasn't enough to cause much of the 100GB you saw in a day. The graph you showed logs all traffic to and from your server, so it's a good bet your servers did push that much bandwidth. I get surprised on my dedi all the time, I think we're averaging around 213GB/day :P
Not a NFO employee
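
The idea in the post above, a packet capture that starts only when inbound bandwidth crosses a threshold, sketched as an added example (not code from any poster or from NFO). It assumes a Linux host with `/proc/net/dev` and `tcpdump` installed; the interface name, the 150 Mbit/s threshold, the sample counters and the output file name are illustrative assumptions. Call `monitor()` as root to run it.

```python
import subprocess
import time

SAMPLE = """Inter-|   Receive                          |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes packets
  eth0: 987654321 800000 0 0 0 0 0 0 123456789 700000 0 0 0 0 0 0
"""  # constructed sample of /proc/net/dev, for offline testing only

def rx_bytes(proc_net_dev, iface):
    """Return the received-bytes counter for iface from /proc/net/dev text."""
    for line in proc_net_dev.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip() == iface:
            return int(rest.split()[0])
    raise KeyError(iface)

def mbit_per_s(prev, cur, seconds):
    """Inbound rate between two counter readings; 0.0 if the counter reset."""
    return 0.0 if cur < prev else (cur - prev) * 8 / seconds / 1_000_000

class Trigger:
    """Fire after `need` consecutive samples over threshold, then hold off."""
    def __init__(self, threshold_mbit, need=3, cooldown=60):
        self.threshold, self.need, self.cooldown = threshold_mbit, need, cooldown
        self.hits = self.quiet = 0

    def update(self, rate):
        if self.quiet > 0:          # a capture was started recently
            self.quiet -= 1
            return False
        self.hits = self.hits + 1 if rate >= self.threshold else 0
        if self.hits < self.need:   # ignore short bursts
            return False
        self.hits, self.quiet = 0, self.cooldown
        return True

def capture_cmd(iface, packets=20000):
    """tcpdump argv: no DNS lookups, headers only, stop after `packets`."""
    out = time.strftime("spike-%Y%m%d-%H%M%S.pcap")  # hypothetical file name
    return ["tcpdump", "-n", "-i", iface, "-s", "96", "-c", str(packets), "-w", out]

def monitor(iface="eth0", threshold_mbit=150.0, interval=1.0):  # assumed values
    trig, prev = Trigger(threshold_mbit), None
    while True:
        with open("/proc/net/dev") as f:
            cur = rx_bytes(f.read(), iface)
        if prev is not None and trig.update(mbit_per_s(prev, cur, interval)):
            subprocess.Popen(capture_cmd(iface))  # needs root to capture
        prev = cur
        time.sleep(interval)
```

Capping the capture with `-c` and a short snap length keeps the file small enough to open afterwards, and the cooldown stops a long flood from spawning a new capture every few seconds.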
TheLaughingMan
New to forums
Posts: 10
Joined: Thu Oct 11, 2012 10:08 am

Re: DDoS attacks

Post by TheLaughingMan »

Yeah I know the spike didn't cause it, but it does cause connection issues.
soja
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: DDoS attacks

Post by soja »

Does the CPU usage on the server go up? From the thread contents I gather you're on an unmanaged vds, so this will be hard to check. 200Mbit typically isn't enough to cause a brute force connection drop. Are there any known dayz attacks that you can block? (I don't have much experience with dayz, but I have seen "tools" to crash servers)
Edge100x
Founder
Posts: 12947
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: DDoS attacks

Post by Edge100x »

That graph suggests that you started to be hit by an attack but our automated system saw the spike in traffic and filtered it for you.

100 GB a day sounds about right for a couple of busy servers. That would be ~3000 GB a month, so well under the amount included with a dedi.
.=QUACK=.Major.Pain
This is my homepage
Posts: 1573
Joined: Sun Jun 26, 2011 8:03 am

Re: DDoS attacks

Post by .=QUACK=.Major.Pain »

We also had issues with one of our dedi dayz servers.
The datacenter terminated our server claiming our server was causing issues with a Shaw customer by downloading something from them for a long period of time.

Told them they were nuts and that there were only dayz server running.
No one is downloading anything.

Been also reading that hackers are injecting new files into Wasteland servers which is another variation of Operation Arrowhead. Watch your files for anything new.
Visit gspreviews.com And Rate & Review Your Old & Current GSP's
Find Your GSP Coupons at gspreviews.com/coupons/