Hello everybody. I am running a small community private game server and in the last few days I got a ddos targeted at the application (tcp ports 10000, 9958, 5816). The problem is that I don't know how to figure out who the attacker is. My server application is made in C# and uses BeginAccept for incoming connections, and in the last few days the server was using 300-400 threads when normally it would use 25-30 at maximum.

I made several captures using Wireshark. I tried uploading them to CloudShark but the limit is a few MB and I have captures of bigger size.

First (23mb): https://drive.google.com/file/d/0B_2B5b9OCNu6T3lnbEk4b1JHSGs/view?usp=sharing
Second (26mb): https://drive.google.com/file/d/0B_2B5b9OCNu6YV9SRnJERnN2MlE/view?usp=sharing
Third (529mb): https://drive.google.com/file/d/0B_2B5b9OCNu6RGQzX0VkMDJ2NU0/view?usp=sharing
Fourth (859mb): https://drive.google.com/file/d/0B_2B5b9OCNu6UDFaM09NbTRHd1E/view?usp=sharing
Fifth (8mb): https://drive.google.com/file/d/0B_2B5b9OCNu6dGxYT2dQVXNQMFU/view?usp=sharing

I made my own filters at the application level (server) that took the last 10 connections from an IP and checked if the average frequency between connections is less than 5 seconds or the smallest frequency between two consecutive connections is less than 1 second. This filter only works for connections that were already accepted, because there is no way to get the IP before using EndAccept and retrieving the socket. This way I got to suspect some IPs (I don't know if I got them right, or if they are spoofed, or if it recorded anything at all, as if the connections sent did not succeed the filter was in vain).

IPs suspected:
49.145.41.222
77.28.218.85
49.145.26.220
180.191.82.192
180.191.84.55

If I could get any help on this issue of mine I would appreciate it.

Right now the server is hosted with Leaseweb but they don't offer ddos protection or support, only hardware firewalls, and I don't have one; therefore I would like to move to OVH because they do offer ddos protection. Thanks in advance for any help or response received.

Valentin asked 18 Oct '15, 05:33
Ryuchetval edited 18 Oct '15, 05:47
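The connection-frequency filter the question describes (last 10 accepted connections per IP, flag the IP if the average gap is under 5 seconds or any two consecutive connections are under 1 second apart) is language-agnostic, so here it is written out in Python as an added example; it is not the poster's C# code, and `ConnectionRateFilter`, `WINDOW`, `IDLE_EVICT` and the thresholds are names and values assumed for the illustration. It uses a monotonic clock rather than wall time, treats a single connection as not judgeable, and evicts idle entries so the filter's own table cannot grow without bound under a flood.

```python
import time
from collections import deque

WINDOW = 10          # last N accepted connections kept per IP (as in the question)
AVG_GAP_LIMIT = 5.0  # average seconds between connections below this -> suspicious
MIN_GAP_LIMIT = 1.0  # any two consecutive connections closer than this -> suspicious
IDLE_EVICT = 300.0   # assumed: forget IPs not seen for this long (bounds memory use)


class ConnectionRateFilter:
    """Post-accept rate filter keyed by remote IP (hypothetical helper, not the poster's code)."""

    def __init__(self, window=WINDOW, avg_limit=AVG_GAP_LIMIT,
                 min_limit=MIN_GAP_LIMIT, idle=IDLE_EVICT):
        self.window, self.avg_limit, self.min_limit, self.idle = window, avg_limit, min_limit, idle
        self.seen = {}   # ip -> deque of monotonic timestamps, newest last

    def record(self, ip, now=None):
        """Register one accepted connection from ip; returns True if ip now looks abusive."""
        now = time.monotonic() if now is None else now
        q = self.seen.setdefault(ip, deque(maxlen=self.window))  # maxlen drops the oldest entry
        q.append(now)
        return self.is_suspicious(ip)

    def is_suspicious(self, ip):
        q = self.seen.get(ip)
        if not q or len(q) < 2:
            return False     # one connection gives no gap to judge
        stamps = list(q)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        return sum(gaps) / len(gaps) < self.avg_limit or min(gaps) < self.min_limit

    def evict_idle(self, now=None):
        """Drop IPs whose newest connection is older than the idle limit; returns how many."""
        now = time.monotonic() if now is None else now
        stale = [ip for ip, q in self.seen.items() if now - q[-1] > self.idle]
        for ip in stale:
            del self.seen[ip]
        return len(stale)


if __name__ == "__main__":
    f = ConnectionRateFilter()
    # constructed timings: a client reconnecting every 20 s versus one reconnecting every 0.5 s
    for t in range(10):
        f.record("192.0.2.10", 20.0 * t)
    for t in range(10):
        f.record("198.51.100.7", 0.5 * t)
    print("192.0.2.10 suspicious:", f.is_suspicious("192.0.2.10"))
    print("198.51.100.7 suspicious:", f.is_suspicious("198.51.100.7"))
```

The caveat from the question still applies: the check runs only after `EndAccept` has handed over a socket, so a half-open flood that never completes the handshake is invisible to it and must be caught upstream (host firewall or the provider's filtering); the source addresses of completed TCP connections, on the other hand, cannot be trivially spoofed, so IPs this filter flags are real endpoints.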
2 Answers:
Use this 192.168.I.I
answered 19 Oct '15, 05:39 websunil007
It appears that some clients are driving the server to be super busy. I analyzed the 859mb pcap "Fourth" and found that there are a few clients that caused the server to send a huge number of TCP data packets. See the link for detail. Please let me know if this helps you.
answered 19 Oct '15, 10:21 pktUser1001

Thanks for your help, I appreciate it. Could you let me know how you sorted/filtered the incoming/outgoing packets based on the client and the amount of packets? It might be useful in the future to figure out attacks on my own. Thanks again. (20 Oct '15, 06:36) Ryuchetval

Hi @Ryuchetval, here is some more info: http://pastebin.com/raw.php?i=zzWTyTLw Hope it helps. (20 Oct '15, 15:08) pktUser1001
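The follow-up comment asks how to rank clients by the number of packets and bytes exchanged with the server. As an added example (not the answerer's method and not what the linked pastebin contains), the Python below parses a classic pcap file with nothing but `struct`, walks Ethernet/IPv4/TCP headers, and aggregates per remote IP the packets and payload bytes in each direction plus the number of inbound SYNs, sorted by how much data the server had to send. The capture it runs on is constructed inline (`SERVER_IP`, the client addresses and the counts are all assumptions), and `build_sample_pcap`, `iter_tcp_packets` and `per_client_stats` are names chosen here.

```python
import struct
from collections import defaultdict

SERVER_IP = "10.0.0.1"   # constructed: stands in for the game server's address


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def _packet(ts, src, sport, dst, dport, flags, payload_len):
    """Build one pcap record holding an Ethernet/IPv4/TCP frame (constructed, checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + b"\x00" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    frame = b"\x00" * 12 + struct.pack("!H", 0x0800) + ip + tcp
    return struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(frame), len(frame)) + frame


def build_sample_pcap():
    """Constructed capture: one normal client, one client opening 20 connections and pulling data."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # little-endian, link type Ethernet
    frames = [
        _packet(1.0, "192.0.2.10", 40000, SERVER_IP, 10000, 0x02, 0),      # SYN from a normal client
        _packet(1.1, SERVER_IP, 10000, "192.0.2.10", 40000, 0x18, 120),    # PSH/ACK with 120 bytes back
    ]
    for i in range(20):   # noisy client: a new SYN every 100 ms, server answers each with 1400 bytes
        frames.append(_packet(2.0 + i * 0.1, "198.51.100.7", 50000 + i, SERVER_IP, 10000, 0x02, 0))
        frames.append(_packet(2.05 + i * 0.1, SERVER_IP, 10000, "198.51.100.7", 50000 + i, 0x18, 1400))
    return hdr + b"".join(frames)


def iter_tcp_packets(pcap):
    """Yield (timestamp, src, sport, dst, dport, flags, payload_bytes) for each IPv4/TCP packet."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack(end + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue                      # not plain IPv4 (VLAN-tagged frames are skipped too)
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != 6 or len(frame) < 14 + ihl + 20:
            continue                      # not TCP, or truncated by the snaplen
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        payload = max(0, total_len - ihl - doff)   # same quantity Wireshark shows as tcp.len
        yield ts_sec + ts_usec / 1e6, src, sport, dst, dport, tcp[13], payload


def per_client_stats(pcap, server_ip=SERVER_IP):
    """Per remote IP: packets/bytes each way and inbound SYN count, sorted by bytes the server sent."""
    stats = defaultdict(lambda: {"in_pkts": 0, "in_bytes": 0, "out_pkts": 0, "out_bytes": 0, "syns": 0})
    for _ts, src, _sp, dst, _dp, flags, payload in iter_tcp_packets(pcap):
        if src == server_ip:
            s = stats[dst]
            s["out_pkts"] += 1
            s["out_bytes"] += payload
        elif dst == server_ip:
            s = stats[src]
            s["in_pkts"] += 1
            s["in_bytes"] += payload
            if flags & 0x12 == 0x02:      # SYN without ACK = a new connection attempt
                s["syns"] += 1
    return sorted(stats.items(), key=lambda kv: kv[1]["out_bytes"], reverse=True)


if __name__ == "__main__":
    for ip, s in per_client_stats(build_sample_pcap()):
        print(f"{ip:16} syns={s['syns']:3} in={s['in_pkts']:4}pkt/{s['in_bytes']:6}B "
              f"out={s['out_pkts']:4}pkt/{s['out_bytes']:6}B")
```

Pointed at one of the real captures (`per_client_stats(open("fourth.pcap", "rb").read(), "<server ip>")`), the top rows are the clients making the server do the most work, which is the same view Wireshark gives under Statistics > Conversations or Statistics > Endpoints (IPv4 tab, sort by bytes), and the filter `ip.src == <server ip> && tcp.len > 0` isolates the server's data packets for a closer look. Wireshark saves in pcapng by default; this parser expects classic pcap, so save as that format or convert first.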
I have my game server hosted on a dedicated server with leaseweb so I can't access the router as there is none attached. Right now I moved to ovh and I hope they will be able to sort things out for me