DDos Attack Prevention
-
- New to forums
- Posts: 10
- https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
- Joined: Sat Feb 11, 2012 6:10 pm
DDos Attack Prevention
OK, so John transferred me here -.- He told me he would advise me on how to determine the type of attack in order to be able to block it or to help us block it on my behalf. This will involve troubleshooting it with utilities such as wireshark/windump, process monitor, or the application and its logs itself.
Re: DDos Attack Prevention
Do you have a firewall installed on your server?
Question, do you plan on hosting websites or game servers on this machine?
Either way I am sure NFo/Internap has some type of security option that can help against DDOS attacks.
Generally speaking you can't really stop all DDOS attacks.


Re: DDos Attack Prevention
I host a small 2D PvP game run through a system by Byond.com called Dream Maker and hosted through Dream Daemon. Currently I have hackers DDoSing my game and NFO can't do anything about it, because they have no clue about what is happening. The hackers are flooding my game with thousands of fake players, causing HUGE lag surges and blocking my players from playing my game. I'm extremely pissed off about it and I have NO clue what the hell to do. I have to stop them; they are ruining my game.
Re: DDos Attack Prevention
If this keeps up, the only thing I can think of is transferring servers or server companies, because no one can keep them out.
Re: DDos Attack Prevention
This can happen to any providers.
I'd probably suggest looking for which ports they are spamming.
Also do you have any anti DDOS scripts installed?


Re: DDos Attack Prevention
I'd suggest giving this a try (if you are using windows):
http://wipfw.sourceforge.net/
http://wipfw.sourceforge.net/doc.html


Re: DDos Attack Prevention
It doesn't work; it won't let me install it.
Re: DDos Attack Prevention
linkinparksf wrote: it doesn't work it won't let me install it
What server do you run?
Win 2003?


Re: DDos Attack Prevention
2008 server
Re: DDos Attack Prevention
And Windows 7 on my laptop, and it failed there too.
Re: DDos Attack Prevention
To clarify, what is happening against linkinparksf is not a DDoS, but an application-specific/OS-specific DoS of some sort. It is not large enough to make a blip in bandwidth graphs and I have not been able to capture it on this end. This does not mean that it can't be filtered; likely, the opposite is true. But, linkinparksf, through his unmanaged single-core VDS, needs to collect further information on what is happening, for us to understand the attack and suggest a course of action. Fundamentally, this is a software question, and one that other customers can benefit from the answer to, which is why I advised him to post here.
The first step here will be to run Wireshark or windump while the attack is in progress, looking for anything that stands out. For instance:
* Many connections from a single IP
* Packets that are all the same size
* Many ICMP messages
* Packets sent to an invalid port
* Anything that does not fit in with the normal game traffic flows
With an application-specific attack, it does not usually require much traffic to take the target service down, typically because the attack exploits a weakness in the code that causes all CPU or memory resources to be exhausted (something that should also be visible through the task manager). Generally these types of attacks use specially-crafted identical packets that come either from a large set of spoofed IPs or from a single attacking IP.
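One way to run that first pass over a text capture, as an added example that is not part of the original thread: it tallies the signs listed above (connection attempts per source, packet sizes, ICMP, off-port traffic) from windump/tcpdump `-n` output. The server address, game port 5000 and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Assumptions for this sketch: the server's address and the game's listening port.
SERVER_IP = "198.51.100.10"
GAME_PORT = 5000

# Matches windump/tcpdump "-n" text lines; the port suffix is absent for ICMP.
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)")

def summarize(lines):
    """Tally the indicators from the checklist for traffic sent to the server."""
    syns, sizes, off_port, icmp = Counter(), Counter(), Counter(), 0
    for line in lines:
        m = LINE.search(line)
        if not m or m["dst"] != SERVER_IP:
            continue  # skip unparsed lines and the server's own replies
        rest = m["rest"]
        length = re.search(r"length (\d+)", rest)
        if length:
            sizes[int(length.group(1))] += 1   # identical sizes pile up here
        if rest.startswith("ICMP"):
            icmp += 1
        elif m["dport"] and int(m["dport"]) != GAME_PORT:
            off_port[int(m["dport"])] += 1     # traffic to a port nothing serves
        elif "Flags [S]" in rest:
            syns[m["src"]] += 1                # new TCP connection attempts
    return {"syns": syns, "sizes": sizes, "off_port": off_port, "icmp": icmp}

# Constructed sample capture (documentation address ranges, not real traffic).
SAMPLE = """\
12:00:01.100000 IP 203.0.113.5.51000 > 198.51.100.10.5000: Flags [S], seq 1, win 8192, length 0
12:00:01.110000 IP 203.0.113.5.51001 > 198.51.100.10.5000: Flags [S], seq 1, win 8192, length 0
12:00:01.120000 IP 203.0.113.5.51002 > 198.51.100.10.5000: Flags [S], seq 1, win 8192, length 0
12:00:01.200000 IP 192.0.2.44.40000 > 198.51.100.10.5000: Flags [P.], seq 1:49, ack 1, win 256, length 48
12:00:01.300000 IP 192.0.2.77 > 198.51.100.10: ICMP echo request, id 1, seq 1, length 64
12:00:01.400000 IP 192.0.2.80.53000 > 198.51.100.10.9999: UDP, length 512
12:00:01.410000 IP 198.51.100.10.5000 > 192.0.2.44.40000: Flags [.], ack 49, win 256, length 0
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print("Connection attempts by source:", report["syns"].most_common(5))
    print("Most common packet sizes:", report["sizes"].most_common(5))
    print("ICMP packets:", report["icmp"])
    print("Packets to other ports:", report["off_port"].most_common(5))
```

A source or packet size that dominates the tallies during the attack, but not in a capture taken during normal play, is the candidate to filter on.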
Re: DDos Attack Prevention
So John, I've got further questions for you. There are black highlighted items, packets I guess you call them. What are they? There are several black ones, all from the same IP.
Re: DDos Attack Prevention
If those lines are labelled with things like "length", "source", and "dest", then those are the packets that you are looking for.
Re: DDos Attack Prevention
Yeah, I get that, but normally when people log in it's red; these are black.
Re: DDos Attack Prevention
I'm not very familiar with the color-coding in Wireshark, but that likely means that something about the properties on the packets is different.