Hi,
A bit of background info: A CS:S server that I run was recently DDoS'd (or DoS'd) and it was quite persistent. It seemed to be targeting only one of the IPs I hold, but eating up a lot of bandwidth for it. I tried adding some plugins such as the daf plugin and the querycache extension, and also disabling the server service on the dedicated box, but still no luck. Is there any way to perhaps prevent this in the future, or limit the potential for this to happen? Maybe even get more information about the DDoS as it is happening?
Thanks for any replies.
Server DDOS
Re: Server DDOS
Contact NFo and ask for them to try to mitigate the attack.
Usually they should be able to do that by contacting Internap.
Usually this only has to be done if the attack persists for a long time and that keeps crashing your server/servers.


Re: Server DDOS
IcEWoLF wrote:
Contact NFo and ask for them to try to mitigate the attack.
Usually they should be able to do that by contacting Internap.
Usually this only has to be done if the attack persists for a long time and that keeps crashing your server/servers.

I did contact them before making this thread. I was told to make a thread on the forum where I would get more information about the attacks. All the information about daf, querycache, etc. was found on this forum, but I was assuming I was going to be told more.

Re: Server DDOS
Is this an unmanaged or managed machine? Also, which OS are you running on it?
TimeX
Re: Server DDOS
MrSpartan has an unmanaged Windows dedicated server that I can't pull traffic from, which is why I asked him to post here. His attack was low-level, in the <10 Mbps range.
MrSpartan, please download either Wireshark or Windump (I prefer the latter myself, but it is command-line-based). The next time that there is an attack, run the utility and have it capture some traffic. In that output, look for anything that stands out. For instance:
* Many connections from a single IP
* Packets that are all the same size
* Many ICMP messages
* Packets sent to an invalid port
* Anything that does not fit in with the normal game traffic flows
With an application-specific attack as you appear to be seeing, it does not usually require much traffic to take the target service down, typically because the attack exploits a weakness in the code that causes all CPU or memory resources to be exhausted (something that should also be visible through the task manager). Generally these types of attacks use specially-crafted identical packets that come either from a large set of spoofed IPs or from a single attacking IP.
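The checks listed above can be scripted rather than eyeballed in Wireshark. The following is an added example, not code from the thread or from NFo: a small pure-Python analyzer that reads a classic pcap file (what `windump -w` or Wireshark "Save as pcap" writes), tallies packets per source IP, packets per frame size, ICMP volume and packets aimed at ports the server does not listen on, and flags each of the patterns from the post. The server address `192.0.2.100`, the game port 27015, the flag thresholds, and the embedded sample capture (ten ordinary players plus a 300-packet identical-query flood from one IP, spoofed ICMP echoes, and packets to an unused port) are all constructed assumptions for the demo, not real attack data.

```python
import socket
import struct
from collections import Counter, namedtuple

# Assumed values for the demo (not from the thread): the server's address and
# the single UDP port it listens on. Substitute your own when running on a capture.
SERVER_IP = "192.0.2.100"
GAME_PORT = 27015

Packet = namedtuple("Packet", "src dst proto dport size")


def parse_pcap(data):
    """Yield a Packet per IPv4 frame in a classic libpcap file with Ethernet link type."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (DLT 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # skip non-IPv4 frames
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        dport = None
        if proto in (6, 17) and len(ip) >= ihl + 4:  # TCP or UDP: read dst port
            dport = struct.unpack_from("!H", ip, ihl + 2)[0]
        yield Packet(socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
                     proto, dport, orig_len)


def analyze(packets, server_ip, listen_ports):
    """Tally the signals from the post: per-source and per-size counts, ICMP
    volume, and packets sent to ports the server does not use."""
    rep = {"total": 0, "sources": Counter(), "sizes": Counter(), "icmp": 0, "off_port": 0}
    for p in packets:
        rep["total"] += 1
        rep["sources"][p.src] += 1
        rep["sizes"][p.size] += 1
        if p.proto == 1:
            rep["icmp"] += 1
        elif p.dst == server_ip and p.dport is not None and p.dport not in listen_ports:
            rep["off_port"] += 1
    return rep


def flag_anomalies(rep):
    """Apply simple thresholds (assumed here, not from the thread) to the tallies."""
    flags = []
    total = rep["total"]
    if total == 0:
        return flags
    src, n = rep["sources"].most_common(1)[0]
    if n / total > 0.25:
        flags.append(f"{n}/{total} packets from a single IP {src}")
    size, n = rep["sizes"].most_common(1)[0]
    if n / total > 0.5:
        flags.append(f"{n}/{total} packets are exactly {size} bytes")
    if rep["icmp"] / total > 0.05:
        flags.append(f"{rep['icmp']} ICMP messages")
    if rep["off_port"]:
        flags.append(f"{rep['off_port']} packets to ports the server does not listen on")
    return flags


def _frame(src, dst, proto, dport, payload):
    """Build one Ethernet/IPv4 frame carrying UDP or an ICMP echo request (checksums left 0)."""
    if proto == 17:
        l4 = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)
    else:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload


def build_sample_pcap():
    """Constructed capture for the demo: ordinary game traffic plus the patterns the post lists."""
    frames = []
    for i in range(40):  # ten legitimate clients, varied packet sizes
        frames.append(_frame(f"192.0.2.{i % 10 + 1}", SERVER_IP, 17, GAME_PORT, b"G" * (30 + i * 37 % 150)))
    a2s_info = b"\xff\xff\xff\xffTSource Engine Query\x00"  # 25-byte server query
    for _ in range(300):  # identical query packets, one source
        frames.append(_frame("198.51.100.7", SERVER_IP, 17, GAME_PORT, a2s_info))
    for i in range(20):  # ICMP echo requests from spoofed addresses
        frames.append(_frame(f"203.0.113.{i + 1}", SERVER_IP, 1, None, b"\x00" * 32))
    for _ in range(15):  # packets to a port nothing listens on
        frames.append(_frame("198.51.100.9", SERVER_IP, 17, 1, b"\x00" * 10))
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records


def run_sample():
    rep = analyze(parse_pcap(build_sample_pcap()), SERVER_IP, {GAME_PORT})
    return rep, flag_anomalies(rep)


if __name__ == "__main__":
    report, found = run_sample()
    for line in found:
        print("FLAG:", line)
```

To use it on a real capture, replace `build_sample_pcap()` with the bytes of a file written by Windump (`windump -i 1 -s 0 -w attack.pcap`) or Wireshark, and set `SERVER_IP` and the listening port set to your box. Since the game traffic is UDP there are no "connections" as such; the per-source counter stands in for the "many connections from a single IP" check, and the per-size counter catches the identical crafted packets the post describes.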
Re: Server DDOS
Edge100x wrote:
MrSpartan has an unmanaged Windows dedicated server that I can't pull traffic from, which is why I asked him to post here. His attack was low-level, in the <10 Mbps range.
MrSpartan, please download either Wireshark or Windump (I prefer the latter myself, but it is command-line-based). The next time that there is an attack, run the utility and have it capture some traffic. In that output, look for anything that stands out. For instance:
* Many connections from a single IP
* Packets that are all the same size
* Many ICMP messages
* Packets sent to an invalid port
* Anything that does not fit in with the normal game traffic flows
With an application-specific attack as you appear to be seeing, it does not usually require much traffic to take the target service down, typically because the attack exploits a weakness in the code that causes all CPU or memory resources to be exhausted (something that should also be visible through the task manager). Generally these types of attacks use specially-crafted identical packets that come either from a large set of spoofed IPs or from a single attacking IP.

Thanks for the info. I actually used Wireshark a while back but was quite confused by it. I'll check back in on it when this happens to see if I can spot anything unusual, including what you stated to look for.
Thank you!