Server being attacked

[dawnofviolence]

hi i run about 5 css servers off my vds and i keep getting attacked by some form of ddos. What can i do to get these peoples ips to take more drastic measures? any programs to pull ips off the console or anything?

[Edge100x]

If this is an unmanaged VDS, you could use Wireshark or http://www.winpcap.org/windump to take a look at the inbound traffic and see what IPs are attacking you. You could then ban these IPs in-game, if it is an application-specific (and not overall machine) DoS.

If this is an Orangebox server, you might also find the plugins mentioned here to be helpful: http://wiki.alliedmods.net/SRCDS_Hardening

[rlm850]

That's a long list of unneeded stuff

You can use the following

1) DAF (DoS Attack Fix): Stops a majority of attacks. Runs as it's own plugin with a vdf
http://www.sourceop.com/modules.php?nam ... tit&lid=38

2) zBlock (4.5): One of the anticheat tools just about every match server is required to have. Stops a numerous amount of attacks, including DoS. Runs as it's own plugin with a vdf
http://zblock.mgamez.eu/

and last but not least...
3) rcon_lock or Ironwall: Both basically the same thing, but ironwall is a little more packed with features. This will disable the use of attacks through console. They are also logged with ironwall. With rcon_lock, this locks your rcon password, and if a hacker tries to change it, it will change itself back. Runs as an addon for eventscripts
http://addons.eventscripts.com/addons/view/ironwall
http://addons.eventscripts.com/addons/view/rcon_lock

[Detox]

DoS attack fixer will not fix a DDoS attack, all DoS attack fixer does is block packets with curtain extension from entering srcds port and causing a crash. The point of DDoS is not to attack srcds its self but the server itself. If it is a DDoS and not a DoS it is close to impossible to trace the ip back to the source of the attack, but it is possible and quite easy to get the ips attacking and block them threw a firewall using like John said wire shark or commviewer. Hope that helps you out .

[dawnofviolence]

ok but what makes this server different from my buddies he goes threw a different company and his servers cant be ddosed dosed or anything of that nature. Is that just a company thing? he has a dedicated box so would that be the difference.

[Edge100x]

ok but what makes this server different from my buddies he goes threw a different company and his servers cant be ddosed dosed or anything of that nature.

That's not the case. Some providers have very large pipes and expensive anti-DDoS equipment that can filter specific types attacks, but there are other types of attacks that simply can't be filtered.

What sort of data did Wireshark / tcpdump provide you? I mentioned this before because it is an important step in nailing down what will need to be done to block the attacks.

[dawnofviolence]

its a bot net sending packets to my game servers ip causing it to lag up and then crash once the packet amount is raised. Its about 500+ ips

[Edge100x]

If it's not overloading our line, you might be able to filter those on your end according to some shared criteria, such as packet length or source port. If it's overloading our line, or you can't find any criteria to use, you'd need to contact us directly about this to talk about it further.

[dawnofviolence]

k when i get off work ill be sure to give you guys an email with what is happening