• Devnull, DDos, COD4. Possible uh... fix.
    101 replies, posted
  • It's a 200megabit attack, obviously. A reflected denial of service attack from quake/cod servers. Wait it out.
  • [QUOTE=Ruzza;34468076] Anyone seen this yet? [url]http://rankgamehosting.ru/index.php?showtopic=1320[/url][/QUOTE] We should figure out a way to spread the word about this fix. If a large portion of the old CoD/Quake3 servers stop being vulnerable to this, the attacks will have much less strength.
  • [QUOTE=Neo Kabuto;34471271]We should figure out a way to spread the word about this fix. If a large portion of the old CoD/Quake3 servers stop being vulnerable to this, the attacks will have much less strength.[/QUOTE] Key word; IF.
  • [QUOTE=Sassharkey;34471106]It's a 200megabit attack, obviously. A reflected denial of service attack from quake/cod servers. Wait it out.[/QUOTE] [code]iptables -A INPUT -m string --algo bm --string "statusResponse" -j DROP[/code] The problem is he doesn't and can't have a firewall, not being able to filter a 200mbps attack when having a 1gbps line is just as useless as having a 100mbps line.
  • [QUOTE=slayer3032;34475600][code]iptables -A INPUT -m string --algo bm --string "statusResponse" -j DROP[/code] The problem is he doesn't and can't have a firewall, not being able to filter a 200mbps attack when having a 1gbps line is just as useless as having a 100mbps line.[/QUOTE] IPtables are for linux..
  • [QUOTE=SammySung;34475710]IPtables are for linux..[/QUOTE] Thus why he pointed out his problem was that the victim uses Windows.
  • I'll just leave this here. [thumb]http://dl.dropbox.com/u/10790421/img/httpflood.png[/thumb]
  • [QUOTE=thejjokerr;34475761]Thus why he pointed out his problem was that the victim uses Windows.[/QUOTE] There's no point posting a fix for linux when the majority of servers affected are windows based.
  • [QUOTE=thejjokerr;34475761]Thus why he pointed out his problem was that the victim uses Windows.[/QUOTE] He meant for CoD4 hosts, not gmod hosts. [QUOTE=thejjokerr;34475761]Thus why he pointed out his problem was that the victim uses Windows.[/QUOTE] Yes, but Gmod is so completely damn useless on Linux. And anyone arguing otherwise has never tried to run a popular server on linux, having 2-3 weeks downtime when garry forgets to test the linux libs is not fun...
  • [QUOTE=SammySung;34476032]There's no point posting a fix for linux when the majority of servers affected are windows based.[/QUOTE] you should monitor wireshark and check what the source ports say and block the range of the most used ones, using a firewall like [url]http://www.ntkernel.com/w&p.php?id=18[/url] is nice because you can see how many packets it blocks. works kinda good on windows and keeps the server available
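Added example (not part of any post in this thread): one way to do the source-port tally described in the post above, relying on the Quake 3 engine convention that connectionless replies start with four 0xFF bytes followed by the command name. It assumes the capture was exported as (source IP, source UDP port, payload) tuples; the sample packets, addresses and the `min_share` threshold are constructed for illustration.

```python
from collections import Counter

OOB = b"\xff\xff\xff\xff"  # prefix of Quake 3 engine connectionless packets


def _reply(ip, port):
    # Constructed reflected packet: OOB prefix + "statusResponse" + server info.
    return (ip, port, OOB + b"statusResponse\n\\sv_hostname\\example\n")


# Constructed sample capture: (source IP, source UDP port, payload).
SAMPLE = (
    [_reply("198.51.100.%d" % i, 28960) for i in range(1, 5)]
    + [_reply("198.51.100.%d" % i, 28961) for i in range(5, 8)]
    + [_reply("203.0.113.%d" % i, 28962) for i in range(1, 3)]
    + [_reply("203.0.113.%d" % i, 27960) for i in range(3, 5)]
    + [_reply("192.0.2.7", 40000)]
    + [("192.0.2.53", 53, b"\x12\x34\x81\x80"),      # unrelated DNS reply
       ("192.0.2.20", 27005, OOB + b"q")]            # OOB-style, not a statusResponse
)


def is_status_response(payload):
    """True for a reflected server-status reply, false for anything else."""
    return payload.startswith(OOB + b"statusResponse")


def port_counts(packets):
    """Count reflected replies per source port; other traffic is ignored."""
    return Counter(port for _, port, data in packets if is_status_response(data))


def block_ranges(counts, min_share=0.1, gap=1):
    """Merge ports carrying at least min_share of the replies into ranges."""
    total = sum(counts.values())
    hot = sorted(p for p, n in counts.items() if total and n / total >= min_share)
    ranges = []
    for port in hot:
        if ranges and port - ranges[-1][1] <= gap:
            ranges[-1][1] = port          # extend the current contiguous range
        else:
            ranges.append([port, port])   # start a new range
    return [tuple(r) for r in ranges]


if __name__ == "__main__":
    counts = port_counts(SAMPLE)
    print(counts.most_common())
    print(block_ranges(counts))
```

The resulting ranges are candidates for a source-port block rule; as later posts point out, the rule only helps when it is applied where the link can still carry the traffic.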
  • [QUOTE=_Chewgum;34476113]you should monitor wireshark and check what the source ports say and block the range of the most used ones, using a firewall like [url]http://www.ntkernel.com/w&p.php?id=18[/url] is nice because you can see how many packets it blocks. works kinda good on windows and keeps the server available[/QUOTE] This does work, however you can just use the firewall in W2008 R2. It works just fine. I have a comprehensive port list to stop the majority of power behind DevNull. However if you do it software based and the guy's pissed off enough at you he will just switch the attack type. Did someone say it was called 'DevNull Special' or some shit? Anyway, the upgraded hit is too big for a 1Gb port to handle.
  • Devnull was made by stan and thus you are able to pay stan to put you on the special "list" so you aren't DDos any more.
  • [QUOTE=Combine911;35416986]Devnull was made by stan and thus you are able to pay stan to put you on the special "list" so you aren't DDos any more.[/QUOTE] Welcome to ban. But in actual response that list mentioned by aftokinito would be great...
  • [QUOTE=Combine911;35416986]Devnull was made by stan and thus you are able to pay stan to put you on the special "list" so you aren't DDos any more.[/QUOTE] Screw that... If you've access to a hardware firewall Charrax/Aftokinito send me a PM and I can provide you with some common port setups to block the majority of devnull's power. Don't PM me asking for non hardware solutions as I cba this week :)
  • [QUOTE=Combine911;35416986]Devnull was made by stan and thus you are able to pay stan to put you on the special "list" so you aren't DDos any more.[/QUOTE] Well that's fucking stupid... Another GSP in our datacenter did that, didn't stop devnull attacking other servers in the same rack as them, causing them to go down too..
  • [QUOTE=Combine911;35416986]Devnull was made by stan and thus you are able to pay stan to put you on the special "list" so you aren't DDos any more.[/QUOTE] Aww look, he thinks he's the eMafia
  • I don't support Stan at all, When I was at IG we had the same problem and had to pay Stan $200 for it to stop. I was just suggesting a last choice.
  • There's no real definite fix for DevNull, You can block a majority of traffic by blocking the COD4/Quake ports but that would have to be done at a high enough network level where the pipe can handle it, it would be very costly to do it as a server level. To totally protect yourself you would need to get a Dedicated Firewall and At least a 5Gbps pipe.
  • [QUOTE=Combine911;35428131]I don't support Stan at all, When I was at IG we had the same problem and had to pay Stan $200 for it to stop. I was just suggesting a last choice.[/QUOTE] what is 'IG'?
  • [QUOTE=_Chewgum;35429227]what is 'IG'?[/QUOTE] Integral Gaming to my knowledge, could be horribly wrong though.
  • [QUOTE=Dorkslayz;35429482]Integral Gaming to my knowledge, could be horribly wrong though.[/QUOTE] if it is, Combine911 is a dumb 12 year old kid who pulls large quantities of shit outta his asshole.
  • [QUOTE=_Chewgum;35429940]if it is, Combine911 is a dumb 12 year old kid who pulls large quantities of shit outta his asshole.[/QUOTE] It probably does then.
  • [QUOTE=Dorkslayz;35428217]There's no real definite fix for DevNull, You can block a majority of traffic by blocking the COD4/Quake ports but that would have to be done at a high enough network level where the pipe can handle it, it would be very costly to do it as a server level. To totally protect yourself you would need to get a Dedicated Firewall and At least a 5Gbps pipe.[/QUOTE] sadistic posted the fix already [editline]4th April 2012[/editline] do you even know what you're talking about dork
  • [QUOTE=Banana Lord.;35430096]sadistic posted the fix already [editline]4th April 2012[/editline] do you even know what you're talking about dork[/QUOTE] Ok?
  • [QUOTE=Dorkslayz;35428217]There's no real definite fix for DevNull, You can block a majority of traffic by blocking the COD4/Quake ports but that would have to be done at a high enough network level where the pipe can handle it, it would be very costly to do it as a server level. To totally protect yourself you would need to get a Dedicated Firewall and At least a 5Gbps pipe.[/QUOTE] There be a US host that blocks this at a high enough level and is cheap, with multiple US locations. As for EU like I've said a lot it's a bitch...
  • [QUOTE=Pantho;35430672]There be a US host that blocks this at a high enough level and is cheap, with multiple US locations. As for EU like I've said a lot it's a bitch...[/QUOTE] What's the name for the US Host?
  • I have an idea on how we might be able to overcome these attacks. We could create a TOR style network for GMod, only with fewer nodes. When the first node is dead, we'll have enough time to relocate the server IP. The idea is kinda childish though..
  • My server is still regularly being taken offline by huge DDoS attacks, that upon Wireshark inspection, are clearly from Devnull. All the packets come from CoD4 servers. Sad times :( Does anyone have mirrors for the Peerblock lists? Thanks
  • If you would've read the thread you'd know that peerblock won't do shit - it's the hardware and connection that won't be able to keep up with processing gigabits of useless packets.