How do I stop a DDOS attack?

Belhassen

ʙᴇʟʜᴀssᴇɴ
Jul 29, 2016
How Do I Protect My TeamSpeak Server From DDoS Attacks?
I'm getting attacked by DDOS on my TS3 server.
My server version is 3.0.13.6 on Linux.
Do you have any general advice on how I can deal with DDoS attacks? I use Ubuntu 16.04, AWS Amazon.
 

root012

Member
Oct 26, 2015
Hello, the only way is to buy a VPS with DDoS protection. If you have a VPS without DDoS protection, it is not possible to protect it without additional hardware.
Try www.digital-hosting.biz. They have good DDoS protection for TS3, OVH GAME cheap VPS :) Good luck.
 

Belhassen

Hello, the only way is to buy a VPS with DDoS protection. If you have a VPS without DDoS protection, it is not possible to protect it without additional hardware.
Try www.digital-hosting.biz. They have good DDoS protection for TS3, OVH GAME cheap VPS :) Good luck.



Thank you for your reply, but what I want to know is whether there is a way to find out who is DDoSing me?
 

MwZ

Active Member
Dec 27, 2016
How Do I Protect My TeamSpeak Server From DDoS Attacks?
I'm getting attacked by DDOS on my TS3 server.
My server version is 3.0.13.6 on Linux.
Do you have any general advice on how I can deal with DDoS attacks? I use Ubuntu 16.04, AWS Amazon.

It depends how much you want to pay, because you cannot stop a DDoS Attack by yourself, it requires special DDoS Mitigation gear to "mitigate" or in other words, "reduce the impact" of this attack as much as possible to keep your stuff working at minimum impact/issues. Cheap solutions will help, but they aren't the final solution, unless you really want to pay for a better/serious company, providing you with better technologies or support services...

Back to the subject, you can stop small DoS attacks, with iptables or CSF, but this is also not a final solution...
 

root012

Hmm, if you have vRack you can create your own firewall with an additional server :D It is quite expensive. But if you have no money, the solution is OVH game.
 

ikfes

Member
Apr 15, 2016
Run tcpdump during the attack, save it as a pcap file, and open it with Wireshark.
From there you can investigate which port is being attacked, who is attacking, and what kind of attack it is.
The easiest (and most CPU-intensive) way is to block the attack by hex if the packets are all the same.

For example one of my rules:

iptables -A PREROUTING -t raw -p udp --dport 9987 -m string --hex-string '|fa163eb402096ac8|' --algo kmp -j DROP

You can see that I had no other choice but to block by hex, since the attack is coming to port 9987. If it was coming to port 5555, for example, I could just drop all traffic related to that port and not worry about the hex filtering taking my CPU core up to 80%. An even better way is to block the attack at the network level using the control panel of your hosting provider.
 

FarisDev

L oryh brx
Contributor
Jun 9, 2016
@ikfes Can you please make a tutorial on how to run tcpdump and save it as pcap? I do not know how. I searched on Google, no results.
 

MwZ

Run tcpdump during the attack, save it as a pcap file, and open it with Wireshark.
From there you can investigate which port is being attacked, who is attacking, and what kind of attack it is.
The easiest (and most CPU-intensive) way is to block the attack by hex if the packets are all the same.

For example one of my rules:

iptables -A PREROUTING -t raw -p udp --dport 9987 -m string --hex-string '|fa163eb402096ac8|' --algo kmp -j DROP

You can see that I had no other choice but to block by hex, since the attack is coming to port 9987. If it was coming to port 5555, for example, I could just drop all traffic related to that port and not worry about the hex filtering taking my CPU core up to 80%. An even better way is to block the attack at the network level using the control panel of your hosting provider.

This is not necessary to be done with modern protection systems...
 

ikfes

This is not necessary to be done with modern protection systems...

Correct, if you have OVH game, for example, there are only a few attacks that bypass the anti-DDoS and make it to your network interface card.
So if you have extraVM or c38.host for example, you don't even need iptables for the most part.
 

ikfes

@ikfes Can you please make a tutorial on how to run tcpdump and save it as pcap? I do not know how. I searched on Google, no results.

tcpdump -s 0 -i eth0 -w dump.pcap

Then open dump.pcap with Wireshark on your local computer to see what's in there.

You might want to correct your network interface card above. Run ifconfig to find the exact name and replace eth0 with that. It could be something like venet0:0, for example, if you have an OpenVZ server.
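
One way to do the investigation described in this thread (which port is hit, which sources send the most, whether the packets share the same leading bytes) without Wireshark, as an added example that is not part of any post: a standard-library Python reader for a classic pcap such as dump.pcap. The sample capture, its addresses and payload bytes are constructed, and all function names are hypothetical.

```python
import struct
from collections import Counter

def udp_packets(pcap: bytes):
    """Yield (src_ip, dst_port, payload) per IPv4/UDP packet in a classic Ethernet pcap."""
    e = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])  # writer byte order
    if e is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(e + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                  # not IPv4, or not UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]     # skip the IPv4 header (IHL words)
        if len(udp) >= 8:
            yield ".".join(map(str, frame[26:30])), struct.unpack("!H", udp[2:4])[0], udp[8:]

def summarize(pcap: bytes, prefix_len: int = 8):
    """Count packets per source IP, destination port and (port, leading payload bytes)."""
    srcs, ports, prefixes = Counter(), Counter(), Counter()
    for src, dport, payload in udp_packets(pcap):
        srcs[src] += 1
        ports[dport] += 1
        prefixes[(dport, payload[:prefix_len].hex())] += 1
    return srcs, ports, prefixes

def drop_rule(prefixes: Counter, min_share: float = 0.5):
    """Return a rule in the form used in the post if one payload prefix dominates, else None."""
    for (dport, hexstr), n in prefixes.most_common(1):
        if hexstr and n / sum(prefixes.values()) >= min_share:
            return (f"iptables -A PREROUTING -t raw -p udp --dport {dport} "
                    f"-m string --hex-string '|{hexstr}|' --algo kmp -j DROP")
    return None

def _record(src: bytes, dport: int, payload: bytes) -> bytes:
    """Constructed test data: one Ethernet/IPv4/UDP frame (zero checksums) as a pcap record."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, bytes([192, 0, 2, 10]))
    eth = bytes(12) + b"\x08\x00" + ip + udp
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth

FLOOD = bytes.fromhex("deadbeef00112233")             # constructed payload, not from the thread
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    [_record(bytes([198, 51, 100, i]), 9987, FLOOD + bytes(4)) for i in (7, 7, 8)]
    + [_record(bytes([203, 0, 113, 5]), 9987, b"hello-ts3")])
if __name__ == "__main__":
    print(*summarize(SAMPLE), drop_rule(summarize(SAMPLE)[2]), sep="\n")
```

Before loading a suggested rule, check the same prefix against a capture of normal traffic, since a string match drops every packet containing those bytes. Captures that are not plain Ethernet (for example Linux cooked captures from `-i any`) raise ValueError here.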
 

hellmind

Active Member
Jul 13, 2015
The solution for me is having many IPs, so you can blackhole the one currently being DDoSed. You must force the client to use the domain to connect. Then, with many IPs, there are just a few users that can't join; they just retry to get another working IP.
 

MwZ

The solution for me is having many IPs, so you can blackhole the one currently being DDoSed. You must force the client to use the domain to connect. Then, with many IPs, there are just a few users that can't join; they just retry to get another working IP.

You can simply write a script to attack all the IPs at once... :/
 

hellmind

You can simply write a script to attack all the IPs at once... :/
Yes, but you must discover all the IPs first. He can't know how many I've got.
It's like another step that the attacker must do.
 

hellmind

TSDNS has nothing to do with it, because I point to a hostname with many A records; the DNS answers with up to 10 IPs.
I know it can be DDoSed, but at least you get protected against script kiddies using a paid botnet.
There is no protection that is 100% effective.
 

MwZ

TSDNS has nothing to do with it, because I point to a hostname with many A records; the DNS answers with up to 10 IPs.
I know it can be DDoSed, but at least you get protected against script kiddies using a paid botnet.
There is no protection that is 100% effective.

This is even easier, because you can simply list all IPs of your A entry with a simple command and then write a script in less than a minute to knock all these IPs. And no, a paid botnet is not necessary, but just a simple VPS. And well, maybe there aren't ways to get 100% protection, but you can get close to it using better companies that don't require you to take any sort of action on your end, mainly when speaking about TeamSpeak 3, but this is not going to be cheap anyway...
 

hellmind

Well, for me, having many IPs and choosing to switch the DDoSed ones quickly has saved me many times.
It is also very useful when there are no good and cheap anti-DDoS providers.
I think the best for Canada is OVH.
USA: nfoservers?
South America (maybe in Brazil?)
Europe: don't know (OVH isn't working great for me there).
 