DDOS attacks HELP!!!
 


Started by Nada@WTB, 21 October, 2006, 04:43:25


Nada@WTB

My hub has recently been getting ddos'd on the hub port.

Added: SuspendAccepts(iTime) to lua for suspending listening sockets when hub is attacked

That above did stop the connects from showing in the hubsoft accepts and parts total but does not stop them from getting in the hubsoft; if you check the CMDs box you can still see the connect requests and the hub becomes bogged down, effectively killing the hub.
(The attacks show as hundreds of connect requests per second from different random IPs directed toward the hub port.)

Is there anything that can be done to fight this kind of attack?
I have had to change my hub port, stop registering my hub on the various hublists and have closed the hub to regs only, this seems to be working for the moment, but this hurts my hub as we are just a small independent hub that was started in 1999.

Please, if anyone has any ideas, I am willing to try just about anything that is feasible.
Welcome Thieving Bastards
PtokaX 0.4.1.1
Leviathan v.4.1
ApexDC++ 1.2.1
Windows 7 Ultimate

Stormbringer

Well, if it's really a ddos attack you just have to install a decent firewall...

PPK

Maybe you set SuspendAccepts to a very low time, try a higher value  ::)
"Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris." - Larry Wall

Nada@WTB

Quote from: PPK on 21 October, 2006, 13:39:13
Maybe you set SuspendAccepts to a very low time, try a higher value  ::)

How do I set SuspendAccepts?



Quote from: Stormbringer on 21 October, 2006, 11:54:49
Well, if it's really a ddos attack you just have to install a decent firewall...


Firewall my hub port would stop it, but it would also stop the hub. ;D

Stormbringer

Quote: Firewall my hub port would stop it, but it would also stop the hub.

Yeah, really? Don't think so, all owners that I know use a firewall (uffffffffff), and we all own a hub without problem.
Learn how to configure it and you will see that it's not a problem, and you will solve your problem the same way ;-)


Nada@WTB

Quote from: Stormbringer on 22 October, 2006, 02:19:14
Yeah, really? Don't think so, all owners that I know use a firewall (uffffffffff), and we all own a hub without problem.
Learn how to configure it and you will see that it's not a problem, and you will solve your problem the same way ;-)



First, I said nothing against using a firewall, but I do not know of any settings in a firewall that can protect your hub from an attack like this. They target your IP or no-ip address and your hub port, and the attacks are coming from thousands of different random IPs (you cannot block them all) directed at the TCP port of your hub (block the port of your hub and no one gets in anyway). Maybe I am mistaken calling it a ddos attack, or maybe I am just ignorant and do not know what I am talking about. What firewall would you suggest? What settings should I look to set to block the attack without blocking my users?

bastya_elvtars

Quote from: Nada@WTB on 22 October, 2006, 04:29:11
First, I said nothing against using a firewall, but I do not know of any settings in a firewall that can protect your hub from an attack like this. They target your IP or no-ip address and your hub port, and the attacks are coming from thousands of different random IPs (you cannot block them all) directed at the TCP port of your hub (block the port of your hub and no one gets in anyway). Maybe I am mistaken calling it a ddos attack, or maybe I am just ignorant and do not know what I am talking about. What firewall would you suggest? What settings should I look to set to block the attack without blocking my users?

Well, there is no cure, because even if you ban the IPs with e.g. Outpost, the attacks still come and your bandwidth will be eaten up anyway.
Everything could have been anything else and it would have just as much meaning.

Nada@WTB

Quote from: bastya_elvtars on 22 October, 2006, 13:29:48
Well, there is no cure, because even if you ban the IPs with e.g. Outpost, the attacks still come and your bandwidth will be eaten up anyway.


You are correct, I spoke with the head IT guy for a large company and he said basically the same thing. Oh well, I hope I have taken the target off our backs for the moment by going private and staying off updated hublists. Thank you guys for your input.

Naithif

Hi

Don't routers have an option to defend against DoS? And does anyone know how this protection works?

Quote:
DoS protection
You can setup this item if you want to enable DoS protection.
Enabled / Disabled

bastya_elvtars

Quote from: Naithif on 22 October, 2006, 19:34:35
Hi

Don't routers have an option to defend against DoS? And does anyone know how this protection works?


It would still choke his connection. The only remedy would be if packets were stopped earlier, e.g. at the ISP's router.

PPK

Quote from: Nada@WTB on 21 October, 2006, 21:57:44
How do I set SuspendAccepts?

SuspendAccepts has only one parameter, time in seconds. PtokaX closes the listening sockets (the attacker will get connection refused, and not take your bandwidth) and starts them again after the time given in SuspendAccepts  ::)

pHaTTy

If it's a DDoS then it doesn't matter if they get a timeout or not, your bandwidth will decrease until eventually your connection drops... Technically, even if you close your hub, if they know what they are doing, you will still go down... Your best defence against this is to find the attacker's real IP, block it in your router/firewall, and then hope they are dumb enough to think your connection is down... g'luck

-/ p_HaTTy
Resistance is futile!

PPK

When you block the attacker IP in the firewall then they get the same connection refused as if you use SuspendAccepts  ::)

pHaTTy

Quote from: PPK on 23 October, 2006, 17:55:01
When you block the attacker IP in the firewall then they get the same connection refused as if you use SuspendAccepts  ::)

But as I said, if they know enough, they can check still if u are online... via another port... 23 for example, and SuspendAccepts will block access for other users, eventually allowing connections again, therefore the attacker connects again, knows u r up, then attacks again. If he is always unable to connect, that is a different story...

PPK

Quote from: pH?tt? on 23 October, 2006, 18:37:29
they can check still if u are online

They don't need to check... connection refused = machine running but not accepting connections on this port ;D

pHaTTy

Ye true, but if the firewall is set correctly, it won't say connection refused, it would be a timeout.

bastya_elvtars

Quote from: pH?tt? on 23 October, 2006, 20:43:09
Ye true, but if the firewall is set correctly, it won't say connection refused, it would be a timeout.

It's just a matter of block policy indeed. But also the machine shouldn't respond to ICMP echo requests (ping) and any other stuff, it needs to be stealthed. Outpost can do such stuff, but if I ran a hub, I'd protect it with a hardware firewall that I build. :-)
(I know pf 3.7+ has max-src-conn-rate, don't know about IPFW and iptables having this, but I bet they do have such stuff).

GeceBekcisi

Quote from: Naithif on 22 October, 2006, 19:34:35
Hi

Don't routers have an option to defend against DoS? And does anyone know how this protection works?


AFAIK the most used protection method is IP cookies; the firewall keeps track of connections and when an attack has started it only allows connection requests from IPs connected before.

Like if the attack has started at 10:00:00, the firewall only allows the IPs that were already connected at 09:59:00 to reconnect, etc.
Do you need an advanced user handling script? Download UserBekcisi today (Latest Edit)
Features: User + ISP + GeoIP database, user info + share checking and many more...
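
The admission policy described in the post above (once a flood is detected, accept only sources that were already known a minute before it began), modelled as an added example that is not code from this thread or from any firewall product. The class name `KnownPeerGate`, the thresholds and the addresses are constructed assumptions; times are in milliseconds.

```python
from collections import deque

class KnownPeerGate:
    """Admit every peer in normal operation; during a flood, only peers seen before it."""

    def __init__(self, flood_rate=50, window_ms=1000, grace_ms=60_000, hold_ms=300_000):
        self.flood_rate = flood_rate  # attempts per window that count as a flood
        self.window_ms = window_ms
        self.grace_ms = grace_ms      # a peer must predate the flood by this much
        self.hold_ms = hold_ms        # quiet time before normal mode resumes
        self.recent = deque()         # timestamps of attempts inside the window
        self.first_seen = {}          # ip -> time of first admitted connection
        self.attack_started = None
        self.last_flood = None

    def admit(self, ip, now_ms):
        self.recent.append(now_ms)
        while self.recent[0] <= now_ms - self.window_ms:
            self.recent.popleft()
        if len(self.recent) > self.flood_rate:
            if self.attack_started is None:
                self.attack_started = now_ms
            self.last_flood = now_ms
        elif self.attack_started is not None and now_ms - self.last_flood > self.hold_ms:
            self.attack_started = None
        if self.attack_started is None:
            self.first_seen.setdefault(ip, now_ms)
            return True
        seen = self.first_seen.get(ip)
        return seen is not None and seen <= self.attack_started - self.grace_ms

def simulate():
    """Constructed traffic: 5 regulars, then 500 attempts in one second from distinct sources."""
    gate = KnownPeerGate()
    regulars = [f"198.51.100.{n}" for n in range(1, 6)]
    for n, ip in enumerate(regulars):
        gate.admit(ip, n * 1000)
    flood = [f"{('192.0.2', '203.0.113')[i % 2]}.{i // 2 + 1}" for i in range(500)]
    flood_admitted = sum(gate.admit(ip, 120_000 + 2 * i) for i, ip in enumerate(flood))
    return {
        "flood_admitted": flood_admitted,
        "regular_during": gate.admit(regulars[0], 121_500),
        "early_flooder_during": gate.admit(flood[0], 121_600),
        "newcomer_during": gate.admit("198.51.100.99", 121_700),
        "newcomer_after": gate.admit("198.51.100.99", 430_000),
    }

if __name__ == "__main__":
    print(simulate())
```

The run shows the trade-off: the first 50 flood attempts get in before detection trips, and a genuine newcomer is refused until the hold period expires. The gate decides only which connections reach the hub software; the packets still arrive on the link.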

Naithif

This seems to be a crude way to stop DoS  ;D
Thanks for the info

GeceBekcisi

I can recommend using Visnetic Server Firewall because efficiency is tested here ;)

But a note; Visnetic might be hard to set-up properly and would be a bad decision if you're running clientside applications more than serverside applications on the installed system.

Naithif

At first sight it offers the same key features as a router (at least a good router :D :D)

Block Ping
SPI
DoS protection (from what you've said it works the same on that firewall as on a router)
Port Scan Detection
IP Address Ban List
MAC Address Filtering
HTTP Filtering
