How to prevent Source Engine Query DDoS Attack?

I recently started a game hosting company and one of my boxes is being hit very hard by what I believe is a botnet (thousands of IP addresses sending traffic to a port where a game server is located).

I managed to log onto the server and start capturing packets using Wireshark.

In total there were 2,613,561 packets sent from 40,000+ different IP addresses (according to Wireshark). I rent boxes from OVH; their DDoS mitigation appears not to have had any effect on this attack, as it went on for over two hours.

After inspecting the packets with Wireshark, the majority of them are directed at port 27115 (where a game server is located) and contain “TSource Engine Query” in the data.

Image: https://gyazo.com/954be1929a5035469453b1a557e8281e

I can provide the Wireshark capture file if needed; I managed to capture packets for most of the duration of the attack.

Thank you.

Answer

Can you move the game server to another ip, and if so does the attack follow it?

Does the attack come from any particular geographic area? You might be able to block that, assuming none of your customers are from that region.

What is the packets-per-second rate from any one of those IPs, and how does that compare to a normal client?

You could configure IPTables to drop packets containing that substring (https://stackoverflow.com/questions/825481/iptable-rule-to-drop-packet-with-a-specific-substring-in-payload) if there are no legitimate packets containing it.

You’d need to compile in the string-match kernel module, then:

iptables -A INPUT -m string --algo bm --string "test" -j DROP

I’m guessing your revenue isn’t high enough to warrant a DDoS scrubbing service such as https://www.neustar.biz/security/ddos-protection, otherwise that may be worth investigating.
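The answer's first diagnostic question (how the per-IP packet rate compares to a normal client) can be answered from the capture before any firewall rule is written. The following is an added example, not code from the question or the answer: it parses UDP payloads for the Source Engine "A2S_INFO" request (the 0xFFFFFFFF header followed by "TSource Engine Query\0" seen in the question), counts queries per source IP over a time window, and flags sources whose rate is far above what a server browser refresh produces. The capture data, IP addresses (documentation ranges) and the 1 pps threshold are constructed for the example; `iptables_drop_rule` only renders the answer's string-match rule scoped to UDP port 27115 and is an assumption about how one would narrow it, not something the answer states.

```python
# Added example: classify captured UDP payloads as Source Engine A2S_INFO
# queries and measure per-source packet rates, so flood sources can be
# told apart from ordinary clients. Not code from the question or answer.
from collections import defaultdict

# Source Engine queries start with a 4-byte 0xFFFFFFFF header; A2S_INFO
# carries the 'T' type byte followed by "Source Engine Query\0" (newer
# clients may append a 4-byte challenge, so only the prefix is compared).
A2S_MAGIC = b"\xff\xff\xff\xff"
A2S_INFO_PAYLOAD = b"TSource Engine Query\x00"
GAME_PORT = 27115  # the port named in the question


def is_a2s_info(payload: bytes) -> bool:
    """True if the UDP payload is an A2S_INFO (TSource Engine Query) request."""
    return payload.startswith(A2S_MAGIC) and payload[4:].startswith(A2S_INFO_PAYLOAD)


def per_source_rates(packets, window_seconds: float) -> dict:
    """packets: iterable of (timestamp, src_ip, dst_port, payload) tuples.

    Returns {src_ip: A2S_INFO queries per second} for traffic to GAME_PORT,
    averaged over the capture window. Game traffic and other ports are ignored.
    """
    counts = defaultdict(int)
    for _ts, src, dport, payload in packets:
        if dport == GAME_PORT and is_a2s_info(payload):
            counts[src] += 1
    return {src: n / window_seconds for src, n in counts.items()}


def flood_sources(packets, window_seconds: float, max_pps: float) -> list:
    """Sorted list of source IPs whose A2S_INFO rate exceeds max_pps."""
    rates = per_source_rates(packets, window_seconds)
    return sorted(src for src, rate in rates.items() if rate > max_pps)


def iptables_drop_rule(port: int, pattern: str = "TSource Engine Query") -> str:
    """Render the answer's string-match DROP rule, but scoped to UDP traffic
    to the game port (assumed narrowing, not part of the original answer)."""
    return (f'iptables -A INPUT -p udp --dport {port} -m string --algo bm '
            f'--string "{pattern}" -j DROP')


def build_sample_capture() -> list:
    """Constructed capture (not real data): one normal client plus three
    flood sources over a 60-second window."""
    query = A2S_MAGIC + A2S_INFO_PAYLOAD
    pkts = []
    # Normal client: one query every 5 s, e.g. a server browser refresh.
    for t in range(0, 60, 5):
        pkts.append((float(t), "198.51.100.10", GAME_PORT, query))
    # Flood sources: 300 identical queries each within the same window.
    for src in ("203.0.113.5", "203.0.113.6", "203.0.113.7"):
        for n in range(300):
            pkts.append((n * 0.2, src, GAME_PORT, query))
    # Ordinary game traffic to the port, and a query to a different port,
    # must not be counted as A2S_INFO to the game server.
    pkts.append((1.0, "198.51.100.10", GAME_PORT, b"\xff\xff\xff\xffgame data"))
    pkts.append((2.0, "198.51.100.11", 27015, query))
    return pkts


if __name__ == "__main__":
    capture = build_sample_capture()
    for src, rate in sorted(per_source_rates(capture, 60.0).items()):
        print(f"{src:15} {rate:6.2f} queries/s")
    print("flooding:", flood_sources(capture, 60.0, max_pps=1.0))
    print(iptables_drop_rule(GAME_PORT))
```

On a real capture the tuples would come from the pcap (for example via a pcap parsing library), but the classification and rate logic is the same. The rates matter for the iptables suggestion: legitimate clients and the server browser also send "TSource Engine Query", so a blanket `-m string ... -j DROP` on the substring makes the server disappear from server lists. Scoping the rule to `-p udp --dport 27115` at least keeps the payload scan off unrelated traffic, and the per-source rates give a basis for deciding whether to drop outright or to rate-limit per source instead.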

Attribution
Source: Link, Question Author: Jack, Answer Author: Jason Martin
