This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Detect DDoS at application level

0

Hello everybody.

I am running a small community private game server, and in the last few days I got a DDoS targeted at the application (TCP ports 10000, 9958, 5816).

The problem is that I don't know how to figure out who is the attacker.

My server application is written in C# and uses BeginAccept for incoming connections; in the last few days the server was using 300-400 threads when normally it would use 25-30 at most.

I made several captures using Wireshark; I tried uploading them to CloudShark, but the limit is a few MB and my captures are bigger.

First (23 MB): https://drive.google.com/file/d/0B_2B5b9OCNu6T3lnbEk4b1JHSGs/view?usp=sharing

Second (26 MB): https://drive.google.com/file/d/0B_2B5b9OCNu6YV9SRnJERnN2MlE/view?usp=sharing

Third (529 MB): https://drive.google.com/file/d/0B_2B5b9OCNu6RGQzX0VkMDJ2NU0/view?usp=sharing

Fourth (859 MB): https://drive.google.com/file/d/0B_2B5b9OCNu6UDFaM09NbTRHd1E/view?usp=sharing

Fifth (8 MB): https://drive.google.com/file/d/0B_2B5b9OCNu6dGxYT2dQVXNQMFU/view?usp=sharing

I made my own filter at the application level (server) that takes the last 10 connections from an IP and checks whether the average interval between connections is less than 5 seconds, or the smallest interval between two consecutive connections is less than 1 second.

This filter only works for connections that were already accepted, because there is no way to get the IP before calling EndAccept and retrieving the socket.

This way I got to suspect some IPs (I don't know if I got them right, whether they are spoofed, or if it recorded anything at all, since if the connections sent did not succeed the filter was in vain).

IPs suspected:

49.145.41.222

77.28.218.85

49.145.26.220

180.191.82.192

180.191.84.55

If I could get any help on this issue of mine I would appreciate it.

Right now the server is hosted with Leaseweb, but they don't offer DDoS protection or support, only hardware firewalls, and I don't have one; therefore I would like to move to OVH because they do offer DDoS protection.

Thanks in advance for any help or response received.

Valentin

asked 18 Oct '15, 05:33

Ryuchetval
6113
accept rate: 0%

edited 18 Oct '15, 05:47

I have my game server hosted on a dedicated server with Leaseweb, so I can't access the router, as there is none attached. Right now I moved to OVH and I hope they will be able to sort things out for me.

(19 Oct '15, 07:04) Ryuchetval
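The per-source rate check described in the question, written out as an added Python example (this is not code from the post or from the game server; the event list and IP addresses are constructed from documentation ranges, and the thresholds are the ones the question gives):

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

WINDOW = 10          # look at the last N connections per source, as in the question
AVG_GAP_LIMIT = 5.0  # seconds: an average gap below this is suspicious
MIN_GAP_LIMIT = 1.0  # seconds: two consecutive connections closer than this is suspicious


class ConnectionRateDetector:
    """Keeps the last WINDOW accept timestamps per source IP and applies both rate rules."""

    def __init__(self, window: int = WINDOW) -> None:
        self.window = window
        # deque(maxlen=window) silently drops the oldest timestamp once full
        self.history: Dict[str, Deque[float]] = defaultdict(lambda: deque(maxlen=window))

    def observe(self, src_ip: str, ts: float) -> bool:
        """Record one accepted connection; return True if the source now looks abusive."""
        hist = self.history[src_ip]
        hist.append(ts)
        if len(hist) < self.window:
            return False  # not enough samples yet to judge
        ordered = list(hist)
        gaps = [later - earlier for earlier, later in zip(ordered, ordered[1:])]
        avg_gap = sum(gaps) / len(gaps)
        return avg_gap < AVG_GAP_LIMIT or min(gaps) < MIN_GAP_LIMIT


def flag_sources(events: List[Tuple[float, str]]) -> Dict[str, float]:
    """Replay (timestamp, src_ip) accept events; return ip -> time it was first flagged."""
    det = ConnectionRateDetector()
    flagged: Dict[str, float] = {}
    for ts, ip in sorted(events):
        if det.observe(ip, ts) and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed sample (not from the captures): one source connecting every 0.5 s
# (trips the min-gap rule), one every 30 s (normal), and one every 3 s
# (trips only the average-gap rule).
SAMPLE_EVENTS: List[Tuple[float, str]] = (
    [(i * 0.5, "203.0.113.7") for i in range(12)]
    + [(i * 30.0, "198.51.100.9") for i in range(12)]
    + [(i * 3.0, "192.0.2.33") for i in range(12)]
)

if __name__ == "__main__":
    for ip, first_ts in flag_sources(SAMPLE_EVENTS).items():
        print(f"{ip} flagged at t={first_ts}s")
```

As the question itself notes, this only sees sockets that completed the handshake, so a flood of SYNs that never finish connecting (possibly from spoofed sources) never reaches it; those have to be counted per source in the packet capture instead.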

2 Answers:

0

Use this 192.168.I.I

answered 19 Oct '15, 05:39

websunil007
61
accept rate: 0%

0

It appears that some clients are driving the server to be super busy.

I analyzed the 859 MB pcap "Fourth" and found that there are a few clients that caused the server to send a huge number of TCP data packets. See the link for details.

Please let me know if this helps you.

answered 19 Oct '15, 10:21

pktUser1001
201495054
accept rate: 12%

Thanks for your help, I appreciate it.

Could you let me know how you sorted/filtered the incoming/ongoing packets based on the client and the amount of packets? It might be useful in the future to figure out attacks on my own.

Thanks again.

(20 Oct '15, 06:36) Ryuchetval

Hi @Ryuchetval, here is some more info: http://pastebin.com/raw.php?i=zzWTyTLw Hope it helps.

(20 Oct '15, 15:08) pktUser1001