Community discussions

MikroTik App
 
tefots
just joined
Topic Author
Posts: 14
Joined: Wed Jun 23, 2021 3:33 pm

Under flood attack, how resolve this ?

Wed Jun 23, 2021 3:53 pm

Hi all
i'm under UDP flood attack, I have been trying to solve it for several weeks, but I can't

i have a game server (hosted in my home) using several tcp/udp ports (8807,8808...), and someone it's attacking doing udp flood from multiple and diferent ip's.
if i change the tcp/udp ports., atacker atack the new port.
it's possible catch the author ?

I have anti-ddos rules configured, but do no't nothing.., players can't connect to my the server, and server lost conectivity and sometimes pppoe client broke the conection.
and same problem if droping all packets from the port under the attack not solve the problem (add action=drop chain=detect-ddos connection-state="" disabled=no dst-port=8807 protocol=udp).

i'm using a mtk-tb760igs ( hex s )

Example, conections under the attack.
Image

may be need other router - firewall ?
any can help me ?, may be need some addicional firewall rules?
thats my rules

#used list
/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add list=ddos-attackers
add list=ddos-target

#add ddos protection
/ip firewall filter
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/5s protocol=tcp tcp-flags=syn,ack
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target src-address-list=ddos-attackers
/ip/settings/set tcp-syncookies=yes


#other rules (drop invalid, icmp, not nat, not_internet,etc)
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=drop chain=icmp comment="deny icmp"

 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 5:30 pm

Check SOCKS port and close/block SOCKS to strangers ... terrible things happen when you do not care of it.
I left it opened once by mistake and please do not ask what happend :)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 5:32 pm

Do you have a list of the people using your gaming server?
If this is for a business then suggest an edge router and talking to your ISP for better protection before stuff hits your router.

If this is for home then, make an IP list of people allowed to game.
A. they provide you with a WANIP if static/fixed
B. they provide you with a dyndns domain name if WANIP is fixed. there are plenty of free DYNDNS providers out there so no excuses.

Drop all the extra crap rules in your firewall and add to your destination rule for the applicable list of ports
source-address=list=allowed_gamers


What is Socks port?
I have a Sock drawer and a Drawer for my drawers..........;-P

Yes, I have never used a socks port setting on any router so not aware of its uses.........
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 6:05 pm

Some use socks, some use SOCKS, some use both types but some do not use them at all.

https://letmegooglethat.com/?q=socks+protocol+port
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 6:07 pm

Of course, it was my way of really asking why did you suspect that the OP is using socks protocol, I dont see any evidence, and thus it appeared to be a random thought??
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 6:19 pm

@tefots are you reading this?
I do not want lost time if you do not read anymore the forum.


i do not like syncookies because sometime broken perfectly valid services:

/ip/settings/set tcp-syncookies=yes
-> no



Remove this to save the CPU:

/ip firewall address-list
add list=ddos-target

/ip firewall filter
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos



On RAW drop directly, do not lose time and CPU:

/ip firewall raw
add action=drop chain=prerouting src-address-list=ddos-attackers
removed: dst-address-list=ddos-target



But your "ddos protection" protect only from TCP, not UDP:

#add ddos protection
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/5s protocol=tcp tcp-flags=syn,ack


How do you identify legitimate UDP traffic on your game server?
Is the SOURCE port determined?
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 6:39 pm

@anav ... No, it's not a random thought ... I faced such a problem. I share my experience and try to help.
@rextended ... please do not start unneccessary conversation.

Once I left SOCKS enabled and my router started to be a "trampoline" for so many open connections that I was blacklisted.
Small mistake and then HUGE problems
socks.PNG
You do not have the required permissions to view the files attached to this post.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 6:58 pm

useless conversation?
this is new,
and what would be the useless conversation?

and since when is trying to help useless?

You are 100000% sure the problem is SOCKS and no other person can have is own idea.
Great.
 
tefots
just joined
Topic Author
Posts: 14
Joined: Wed Jun 23, 2021 3:33 pm

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 7:24 pm

@tefots are you reading this?
I do not want lost time if you do not read anymore the forum.
yes, i'm reading and getting a lot of information, but sometimes it's fragmented and confused.
i do not like syncookies because sometime broken perfectly valid services:
/ip/settings/set tcp-syncookies=yes
-> no
Remove this to save the CPU:
/ip firewall address-list
add list=ddos-target
removed.
/ip firewall filter
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos
On RAW drop directly, do not lose time and CPU:
/ip firewall raw
add action=drop chain=prerouting src-address-list=ddos-attackers
removed: dst-address-list=ddos-target
i agree, removed ddos-target.
all my configuration t's from mikrotik https://help.mikrotik.com/docs/pages/vi ... d=28606504
But your "ddos protection" protect only from TCP, not UDP:
#add ddos protection
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/5s protocol=tcp tcp-flags=syn,ack
How do you identify legitimate UDP traffic on your game server?
Is the SOURCE port determined?
I know.., how to protect UDP flood from multiple ips using filter rule?, tried some diferent rules widhout result.
only destination port (88xx) it's determined..
i don't know how legitimate that UDP traffic it's for game server..

Server it`s a public server, and knowing players ip it's not the solución.
if i drop all trafic of attacked port
-> add action=drop chain=detect-ddos connection-state="" disabled=no dst-port=8807 protocol=udp
not solves the problem.., connection continues saturated and server it's innaccesible from public. and wan connection it's 1gbit.
 
tefots
just joined
Topic Author
Posts: 14
Joined: Wed Jun 23, 2021 3:33 pm

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 7:27 pm

Do you have a list of the people using your gaming server?
If this is for a business then suggest an edge router and talking to your ISP for better protection before stuff hits your router.

If this is for home then, make an IP list of people allowed to game.
A. they provide you with a WANIP if static/fixed
B. they provide you with a dyndns domain name if WANIP is fixed. there are plenty of free DYNDNS providers out there so no excuses.

Drop all the extra crap rules in your firewall and add to your destination rule for the applicable list of ports
source-address=list=allowed_gamers
What is Socks port?
I have a Sock drawer and a Drawer for my drawers..........;-P
Yes, I have never used a socks port setting on any router so not aware of its uses.........
Having a player public IP List it's not possible for a lot of reasons.
Can i solve the problem using a ubiquiti edge router ? like this https://eu.store.ui.com/collections/ope ... AkQAvD_BwE ? or this https://eu.store.ui.com/collections/ope ... ucQAvD_BwE
Last edited by tefots on Wed Jun 23, 2021 7:32 pm, edited 1 time in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 7:29 pm

You have check if SOCKS is active or not?
Last edited by rextended on Thu Jun 24, 2021 3:53 pm, edited 1 time in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 7:31 pm

>error, duplicated<
Last edited by rextended on Wed Jun 23, 2021 7:36 pm, edited 2 times in total.
 
tefots
just joined
Topic Author
Posts: 14
Joined: Wed Jun 23, 2021 3:33 pm

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 7:32 pm

You have check if SOCKS is active or not?
That may be the only problem, BartoszP decided and he is perfect.
socks it's not actived
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 7:33 pm

The problem is simple: casual IP, casual port = undistinguished UDP traffic...
Last edited by rextended on Thu Jun 24, 2021 3:54 pm, edited 2 times in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 7:36 pm

One solution can be some check if "return connection" is made from server after valid connections to user and put that address on whitelist, blacklist all the others...
Last edited by rextended on Thu Jun 24, 2021 3:54 pm, edited 3 times in total.
 
tefots
just joined
Topic Author
Posts: 14
Joined: Wed Jun 23, 2021 3:33 pm

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 7:42 pm

The problem is simple: casual IP, casual port = undistinguished UDP traffic...
One solution can be some check if "return connection" is made from server after valid connections to user and put that address on whitelist, blacklist all the others...
At this point I would have written something to help you, but sorry, I just lost the desire.
Is horrible to be treated as idiot, when you invest own time and knowledge to help the others.
This is the last time I help on forum, you can read my signature for why,
have a nice day.
i don't understand why you say this.., but no problem, I really appreciate a lot your help or anyone who gives their advice to avoid this attack problem.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 7:46 pm

Having a player public IP List it's not possible for a lot of reasons.
Sorry thats the only idea I have, but you have not answered the question.
WHY is it impossible??
I clearly stated that anyone can get a free domain name dyndns and that they can give to you if they want to play.
If this is a business then pay your ISP for a business account and get the DDOS protection the ISP should provide.
Also invest in a much more secure access method to the game server using a radius server or other stable more robust method.

If this is just casual then use the IP method I described, if its a business then spend the money to do it right and dont waste your time trying to do it as you have been attempting.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 7:46 pm

The problem is simple: casual IP, casual port = undistinguished UDP traffic...
One solution can be some check if "return connection" is made from server after valid connections to user and put that address on whitelist, blacklist all the others...
At this point I would have written something to help you, but sorry, I just lost the desire.
Is horrible to be treated as idiot, when you invest own time and knowledge to help the others.
This is the last time I help on forum, you can read my signature for why,
have a nice day.
i don't understand why you say this.., but no problem, I really appreciate a lot your help or anyone who gives their advice to avoid this attack problem.
His thoughts were not directed at you tefots, not to worry.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 7:49 pm

i don't understand why you say this.., but no problem, I really appreciate a lot your help or anyone who gives their advice to avoid this attack problem.
sorry but I'm sad about that,
but you have nothing to do with it.
Last edited by rextended on Thu Jun 24, 2021 3:12 pm, edited 1 time in total.
 
ste
Forum Guru
Forum Guru
Posts: 1932
Joined: Sun Feb 13, 2005 11:21 pm

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 8:04 pm

i don't understand why you say this.., but no problem, I really appreciate a lot your help or anyone who gives their advice to avoid this attack problem.
you can read my signature for why,
sorry but I'm sad about that,
but you have nothing to do with it.
You need a thicker skin ;-). I guess this forum is quite cute compared to other places. Just ignore ...
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 8:06 pm

It is difficult when the problem is a Moderator rather than a simple user like me...
 
tefots
just joined
Topic Author
Posts: 14
Joined: Wed Jun 23, 2021 3:33 pm

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 8:18 pm

Having a player public IP List it's not possible for a lot of reasons.
Sorry thats the only idea I have, but you have not answered the question.
WHY is it impossible??
I clearly stated that anyone can get a free domain name dyndns and that they can give to you if they want to play.
If this is a business then pay your ISP for a business account and get the DDOS protection the ISP should provide.
Also invest in a much more secure access method to the game server using a radius server or other stable more robust method.

If this is just casual then use the IP method I described, if its a business then spend the money to do it right and dont waste your time trying to do it as you have been attempting.
becouse players are casuals.., and if they have to contact with me, give me her ip or dyndns, (not all ppl know how do that), and then I add the that ip to the list-rule, players goes to other public server to play that haven't that problem.
and even blocking all attacked ports the attacker continues saturating the conection server.
 
ste
Forum Guru
Forum Guru
Posts: 1932
Joined: Sun Feb 13, 2005 11:21 pm

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 8:24 pm

Having a player public IP List it's not possible for a lot of reasons.
Sorry thats the only idea I have, but you have not answered the question.
WHY is it impossible??
I clearly stated that anyone can get a free domain name dyndns and that they can give to you if they want to play.
If this is a business then pay your ISP for a business account and get the DDOS protection the ISP should provide.
Also invest in a much more secure access method to the game server using a radius server or other stable more robust method.

If this is just casual then use the IP method I described, if its a business then spend the money to do it right and dont waste your time trying to do it as you have been attempting.
And even this might not help. Seen DDOS-Flood into our network which caused an upstream to block our announcement as his lines were killed. Last resort is to use someone with a *really* big pipe who can eat the traffic and mitigate the problem within his network (cloudflare, ...). Cheaper is to blackhole the Gameserver-Address but then the gameserver is dead anyhow.

Another way is to go the official way. DDOS is a *crime*. So test your gouvernment and call the police. I tested this in germany and learned that we realy have a division which is responsible ... but cant help as they have nothin established to interfere traffic at DECIX. May be your gouvernment is better.
 
ste
Forum Guru
Forum Guru
Posts: 1932
Joined: Sun Feb 13, 2005 11:21 pm

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 8:26 pm

It is difficult when the problem is a Moderator rather than a simple user like me...
I am green ;-). How can I help ...
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 8:29 pm

The problem is the moderator BartoszP

viewtopic.php?f=2&t=176315#p864067

for example:

>>>@rextended ... please do not start unneccessary conversation.<<<

I don't have to write anything because for him the problem was SOCKS and it couldn't be anything else ...
(but instead... no, it had nothing to do with it, as confirmed by the user tefots)

How can one moderator (BartoszP) be so presumptuous and disrespectful of others who try to help by making their time and experience available for free ...
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 8:38 pm

Well the answer is tighten up access By IP or radius server or something) or continue to enjoy a useless server and perhaps losing your internet because the ISP considers you a risk!
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 8:44 pm

If he created the game, you can at least assume that the source port is FIXED or contracted FIRST through a TLS connection that at least there is a certificate in between.

If the game was created by third parties, ask them something like this ...

In this way, all unsolicited traffic can be filtered by the Internet provider.

This is why setting up a game server costs a lot, it can't be done on an amateur level.
Last edited by rextended on Thu Jun 24, 2021 3:56 pm, edited 1 time in total.
 
ste
Forum Guru
Forum Guru
Posts: 1932
Joined: Sun Feb 13, 2005 11:21 pm

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 8:45 pm

The problem is the moderator BartoszP

viewtopic.php?f=2&t=176315#p864067

for example:

>>>@rextended ... please do not start unneccessary conversation.<<<

I don't have to write anything because for him the problem was SOCKS and it couldn't be anything else ...
(but instead... no, it had nothing to do with it, as confirmed by the user tefots)

How can one moderator (BartoszP) be so presumptuous and disrespectful of others who try to help by making their time and experience available for free ...
Moderators are quite normal users. As long as he does not delete your post he acts like a normal user. So just ignore that he is a moderator and tell him (while respecting the netiquette) he is wrong. Or just ignore his posts. May be he just had a bad day ;-).

So no reason to not help others ...
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 8:45 pm

Exactly and why serious gamers dont join random game server by amateurs but use STEAM or other platforms to engage.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 8:47 pm

So no reason to not help others ...
Ok, really is hard to stop..... ;)

(❁´◡`❁)
 
tefots
just joined
Topic Author
Posts: 14
Joined: Wed Jun 23, 2021 3:33 pm

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 10:46 pm

the attaker continues..
now , with tcp connections to the server port.., just hang the router and router restart..
my ddos rules don't affect to this...

Image

how to stop that ?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 10:48 pm

The game require both udp ant tcp?
Last edited by rextended on Wed Jun 23, 2021 10:56 pm, edited 2 times in total.
 
tefots
just joined
Topic Author
Posts: 14
Joined: Wed Jun 23, 2021 3:33 pm

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 10:54 pm

The game require both udp ant tcp?
yes..., 3 diferent ports, udp and tcp each
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 10:56 pm

Seriously, you can not have any help from us.

Why: you can block all on RAW,
but if you do not contact abuse@sfr.fr or abuse@gaoland.net or who provide your connection,
you do not resolve anything because the traffic use all your bandwidth,
if you block it or not after reach the routerboard, nothig change.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 11:40 pm

The problem is the moderator BartoszP

viewtopic.php?f=2&t=176315#p864067

for example:

>>>@rextended ... please do not start unneccessary conversation.<<<

I don't have to write anything because for him the problem was SOCKS and it couldn't be anything else ...
(but instead... no, it had nothing to do with it, as confirmed by the user tefots)

How can one moderator (BartoszP) be so presumptuous and disrespectful of others who try to help by making their time and experience available for free ...
@rextended

Let me explain it to you step by step however it's totally offtopic there but you put comments with no background for readers of this thread.

Backgroud: I asked rextended in other topics to stop fullquouting quoted posts as it makes hard to read them .... check my footer for exapmples why I do it from time to time ... and I suspect that he feels being plagued by me.


A. English is not may native language. I COULD make mistakes and use it wrong as you but I DO NOT point it as the explanation to misunderstanding what I write or read. I'm trying to improve my English and therefore use I dictonaries or translators to understand it better.

B. Some native speakers/writers use some language expressions which are understendable only to particular nations or people knowing particular culture. Some jokes, funny wording or "vocabulary-twisters" (parallel to tongue-twisters) are hard to understand even to native speakrs SO THERE COULD BE SOME COMUNNICATION probles in conversations. Especially if some users do it intentionally and assume that all other readers are aware of such language jokes.

C. Please do not point all the that you spend your valuable time for free trying help. I think that all of us do it for free just to fullfil our internal needs to not be useless and share our experience helping others in our "poor tech-life" :-).

D. Before posting please check what you comment and do not throw UNNECESSARY comments. UNNECESSARY does not mean UNNEDDED or USELESS. It means something that you could avoid if you want. Why ? Look at point E

D. Before I accepted this topic and posted my post I got rid of 100+ spam posts to make the forum clean & tidy and to let others to read only valuable posts. I do clean forum not only for myself but for all of us.

E. Why I wrote "unnecessary" ... when the OP started the topic at 14:53 and you answered 4 hours later
@tefots are you reading this?
I do not want lost time if you do not read anymore the forum.
then ask yourself if you expect anyone to answer to your question starting with "please do not waste my valuable time if you do not read it ..."
It is totally wrong, rude and UNNECESSARY start of the conversation. You do not even know (I do not know) If the OP is in the same timezone. Maybe the OP went sleep and would start reading the forum only the next day.

F. I just answered to OP problem that SOCKS service could be a problem. I didn't say that it was THE ONLY solution. It COULD BE a cause. You also speculated about TLS, mentioned DOOM server ... you where throwing free thouhts about possible solutions. Same way as I did.

G. Anav commented it with his a-little-bit-twisted-sense-of-humor. I like it as it improves my English but as moderator I'm not pleased as it could be treated as a little bit rude answer ... you have to read more anav's posts to understand what I write about ... but I answered trying to be also quite whimsical.

H. You was the next with your post and next started complain part of this topic
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Under flood attack, how resolve this ?

Wed Jun 23, 2021 11:50 pm

Thanks to both for hijacking the thread!
But thanks on point D.
Hint: Go the step further and recommend better access to the forum filtering to prevent spam posting to Normis and Co. will make your job much easier too.
Now both of you more folding of socks and less war!! and back to helping the OP.

@Op, we cannot help much further as the remedy is at the ISP level or you have to decide to take better control of who is allowed access to the servers.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Under flood attack, how resolve this ?

Thu Jun 24, 2021 12:06 am

I think I should say ... "The pot calling the kettle black"
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Thu Jun 24, 2021 12:14 am

No comment (no problem) on other points, but:

C: dozen of users (read what anav ask...) post only one time and disappear. At start is the first post for OP user tefots...

D: the post are full of hints, do not contain only one questionable comment (see my reply on point C).

E: I know perfectly the timezione of the user (France) and are on same timezone of Italy.
Sometime for solve problem must be some near direct interaction, and see again my reply on point C.

F: >>>@rextended ... please do not start unneccessary conversation.<<<
writing on this way, really is understandable, regardless of nation, >>>"it was THE ONLY solution"<<<, do not write anything else, is unneccessary

H: i do not understand this, literally, what mean?

I only know if you avoided to write >>>@rextended ... please do not start unneccessary conversation.<<<
Probably nothing else would have been written about this.

And about "Backgroud" probably you do not read what have write to you, for your respect.
searched for you, if you do not have already readed it:
viewtopic.php?f=2&t=176116&p=863321#p863321
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Under flood attack, how resolve this ?

Thu Jun 24, 2021 12:30 am

I give up ... please just rethink this part of (E): ask yourself if you expect anyone to answer to your question starting with "please do not waste my valuable time if you do not read it ..."

BTW. Some readers report your post to moderation.
r1.PNG
You do not have the required permissions to view the files attached to this post.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Thu Jun 24, 2021 12:40 am

I have Understand.
It's also reported as unhelpful the post of "ste" Moderator?
My first post are one reply on what he write.

And after this last post, I don't want to go back to this again.

I hope you forget all this, caused by the misunderstanding of what you wrote.
I don't know what to do to say "sorry" and forget this.

For me it all ends here, hoping that in the future you won't blame me for something from the past.

FRIENDS?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Thu Jun 24, 2021 12:54 am

I think I should say ... "The pot calling the kettle black"
On Italy "The ox says to the donkey: Horned! (cuckold) "
(Il bue dice all'asino "cornuto!")
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Thu Jun 24, 2021 1:43 am

(BartoszP thanks for the IP)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Under flood attack, how resolve this ?

Thu Jun 24, 2021 2:15 am

It takes two donkeys to dance LOL. I just haven't figured out which one to pay for the entertainment, let alone who is leading and who is following ....
Now kiss and make up!!
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Under flood attack, how resolve this ?

Thu Jun 24, 2021 9:35 am

It takes two donkeys to dance LOL.
Anav ... PLEASE ... try to avoid such comments .. they are TOTALLY UNNECESSARY direct personal attacks.
I will not moderate it as I shouldn't do it being part of such abuse but they are REALLY against forum rules and netiquette and you deserve at last public warning: PLEASE STOP lowering discussion style to such stupid level as you presented.

If you write comments just for writing, increasing post counter and LOLing yourself then start your own one-man-show forum or just separate topic.
 
DarkNate
Forum Guru
Forum Guru
Posts: 1065
Joined: Fri Jun 26, 2020 4:37 pm

Re: Under flood attack, how resolve this ?

Thu Jun 24, 2021 10:05 am

What do socks have to do with UDP flooding which is low as $5 from so-called "stressors"? DDoS for hire? @BartoszP

@tefots

The DDoS rules found here: https://help.mikrotik.com/docs/pages/vi ... d=28606504

It can work for UDP as well, your rule order makes no sense

It should be like:
/ip firewall address-list
add list=ddos-attackers
add list=ddos-target

add action=jump chain=forward comment="Jump to DDoS detection" connection-state=new in-interface-list=WAN jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=50,50,src-and-dst-addresses/10s
add action=return chain=detect-ddos dst-limit=50,50,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos

#And finally RAW drop#
ip/firewall/raw/add chain=prerouting action=drop src-address-list=ddos-attackers dst-address-list=dddos-targets
But you're missing out all crucial firewall files such as accept established/related on input and forward among other things.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Under flood attack, how resolve this ?

Thu Jun 24, 2021 11:19 am

i don't understand why you say this.., but no problem, I really appreciate a lot your help or anyone who gives their advice to avoid this attack problem.
you can read my signature for why,
sorry but I'm sad about that,
but you have nothing to do with it.
I think it is time that you stop reacting the way you did in this topic and in many others.
It is not contributing in any way to this forum. Being Italian is no excuse for that.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Under flood attack, how resolve this ?

Thu Jun 24, 2021 11:25 am

Now back to the original topic:
You must first determine if the flood of UDP packets is filling your entire line capacity, or if it is only overwhelming your server or router.
When it is filling your line, there is nothing you can do! You will have to solve the problem at the other end of the line, i.e. at the ISP, and it is unlikely you can do that.

The issue starts with "i have a game server (hosted in my home)" and unfortunately you are not the only one with that problem.
The gaming community has many childish elements, that seem to like to destroy other people's fun or -work.
When you want to be part of that community, it seems you need to have a thick skin and/or invest heavily e.g. in a server in a datacenter instead of at home, and with proper link capacity to withstand such childish behavior.
That is not something you can fix with a firewall rule here or there, because these people will make sure that the DDoS traffic is not easily separated from the real traffic.
(when the game uses another port number than 8807 you could simply drop all traffic to 8807, but I assume 8807 is the port used by the game as well)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Under flood attack, how resolve this ?

Thu Jun 24, 2021 1:34 pm

It takes two donkeys to dance LOL.
Anav ... PLEASE ... try to avoid such comments .. they are TOTALLY UNNECESSARY direct personal attacks.
I will not moderate it as I shouldn't do it being part of such abuse but they are REALLY against forum rules and netiquette and you deserve at last public warning: PLEASE STOP lowering discussion to such stupid level as you presented.

If you write comments just for writing, increasing post counter and LOLing yourself then start your own one-man-show forum or just separate topic.
Suggest you get real, get a sense of humour (aka stop taking yourself too seriously) and do your job and prevent viagra posts and stop intimidating and threatening others.
Sure you can block my posts or ban me from the forums, go ahead, I will have tons of free time to do other work.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Under flood attack, how resolve this ?

Thu Jun 24, 2021 2:06 pm

....I will have tons of free time to do other work.
So let off the hook and focus on these activities. Nonobvious sense of humor is not an excuse of savoir vivre.
 
R1CH
Forum Guru
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: Under flood attack, how resolve this ?

Thu Jun 24, 2021 3:35 pm

Get rid of any complicated anti DDoS rules, you want your router to forward the packets as fast as possible to your much more powerful PC that ignores them. Sounds like the real DoS condition is your router CPU being overwhelmed by too many rules, or it's a simple bandwidth exhaustion attack (in which case you can do nothing - traffic already entered your network and hit saturation).
 
tefots
just joined
Topic Author
Posts: 14
Joined: Wed Jun 23, 2021 3:33 pm

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 12:47 am

Probably with other powerful router can catch the problem?. i'm going to buya mikroTik RB4011iGS, do you think that it's enough ?, any recomendation ?

The attaker continues, using udp flood, and tcp flood, in 10 secons, 200.000 tcp conections fron diferent sources, router hang, and restart., he scan all my opened ports, and it's attacking all ports.
this time, i captured with router sniffer some ud packets to see the content, and try to block it with the content, all packets have 'pizzaseo.com' inside...., another intereseant data it's source port 53.
can block all from port 53 from wan?

Image
Image
 
tefots
just joined
Topic Author
Posts: 14
Joined: Wed Jun 23, 2021 3:33 pm

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 1:26 am

another..
it's changing ports.., type of attack.. , pack size.. etc.

Image
 
Cablenut9
Long time Member
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 3:03 am

Get the RB4011, and maybe you can add a firewall rule in the Raw section that just blocks all UDP except for DNS and QUIC.
 
User avatar
jvanhambelgium
Forum Guru
Forum Guru
Posts: 1114
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 8:44 am

Get the RB4011, and maybe you can add a firewall rule in the Raw section that just blocks all UDP except for DNS and QUIC.
Or just block all TCP/UDP/53 incoming from WAN from now, except from 8.8.8.8 and 1.1.1.1 and temporary use Google/Cloudflare for upstream resolving?
This looks like some DNS amplification attack.

If you line is saturated you cannot "fix" it yourself and need to call "upstream" help. If its only your router crashing/running out of resources you might try indeed to block and see what happens.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 11:17 am

A. Temporary solution: In tracking do shorten the TCP session Timout to let a router close connections after e.g. 3 hours not 24.

B. Longterm solution: Call your ISP and change public IP of your router.
 
ivicask
Member
Member
Posts: 438
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 11:20 am

Get the RB4011, and maybe you can add a firewall rule in the Raw section that just blocks all UDP except for DNS and QUIC.
Or just block all TCP/UDP/53 incoming from WAN from now, except from 8.8.8.8 and 1.1.1.1 and temporary use Google/Cloudflare for upstream resolving?
This looks like some DNS amplification attack.

If you line is saturated you cannot "fix" it yourself and need to call "upstream" help. If its only your router crashing/running out of resources you might try indeed to block and see what happens.
I did quick scan of hes ip seams all is already closed up properly, so doing extra rule wont help much i guess, maybe if he drops incoming 53 on wan side in RAW filter it may release some CPU load? But it wont help much in general.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 11:42 am

B. Longterm solution: Call your ISP and change public IP of your router.
I don't think that will be a longterm solution. As soon as the boys that want to shutdown his gaming server discover that the address has changed, they will change the target address of their attacks.
A longterm solution would be to stop the gaming server. That is what they want him to do.
Of course it can be questioned whether giving in to such pressure is a good thing, but at least it solves the problem.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 11:54 am

All this is perfectly useless,
for a very simple reason:
On a >>>game server hosted in my home<<<. if you can't distinguish between real and fake traffic, and your bandwidth is limited,
you lose:
GAME OVER
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 12:05 pm

If you can switch your DNS to DoT (TCP/853) or DoH (TCP/443) you can close all traffic incoming with source port 53 (TCP/UDP).

Then if that working for you then you could ask upstream to temporary block all traffic with source port 53 because you swichted the protocol for DNS.

General remark. As with VOIP you can use alternative ports if your ISP block the usual ports. An DNS server answers with source port 53. When the an DNS server is listening on a wide range of ports and always answer on the dst port used bij the client you have a working DNS.
Oeps, that will work counter productive.
Putting your DNS requests in a VPN allows you also close traffic with sourceport 53 on the input or earlier in RAW on prerouting.
Last edited by msatter on Fri Jun 25, 2021 12:27 pm, edited 2 times in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 12:18 pm

useless, you do not read from start
 
ivicask
Member
Member
Posts: 438
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 12:21 pm

If you can switch your DNS to DoT (TCP/853) or DoH (TCP/443) you can close all traffic incoming with source port 53 (TCP/UDP).

Then if that working for you then you could ask upstream to temporary block all traffic with source port 53 because you swichted the protocol for DNS.

General remark. As with VOIP you can use alternative ports if your ISP block the usual ports. An DNS server answers with source port 53. When the an DNS server is listening on a wide range of ports and always answer on the dst port used bij the client you have a working DNS.
Putting your DNS requests in a VPN allows you also close traffic with sourceport 53 on the input or earlier in RAW on prerouting.
How will closing already closed DNS port help with anything when hes getting TCP attacks on other port?
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 12:26 pm

If you can switch your DNS to DoT (TCP/853) or DoH (TCP/443) you can close all traffic incoming with source port 53 (TCP/UDP).

Then if that working for you then you could ask upstream to temporary block all traffic with source port 53 because you swichted the protocol for DNS.

General remark. As with VOIP you can use alternative ports if your ISP block the usual ports. An DNS server answers with source port 53. When the an DNS server is listening on a wide range of ports and always answer on the dst port used bij the client you have a working DNS.
Putting your DNS requests in a VPN allows you also close traffic with sourceport 53 on the input or earlier in RAW on prerouting.
How will closing already closed DNS port help with anything when hes getting TCP attacks on other port?
Strike the general remark on about different port because that would make it worse.

You are writing about the destination port and that are many here. I am talking about the source port and that is one port (TCP/UDP)

BTW an ISP won't like it when you open Port 53 to the internet because of the DNS amplification danger. My providers will cut you off, often without an warning if you open port 53 to the internet.
Last edited by msatter on Fri Jun 25, 2021 12:34 pm, edited 1 time in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 12:32 pm

again: useless, you do not read from start


@msatter edit your previous post and remove useless quotes, please
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 12:54 pm

@msatter Please remove all quotes from your previous post and use "post reply" instead of using "quote" button if just reply to last post.

...an ISP won't like it when you open Port 53 to the internet...
Is not an ISP if for default do not close port 53 from CPE to Internet...
 
tefots
just joined
Topic Author
Posts: 14
Joined: Wed Jun 23, 2021 3:33 pm

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 1:17 pm

it's attaking in diferent ways.., sending udp flood, tcp flood, tcp syn.. etc..
yes i can block souce dns port 53, but continues attacking.
Current router can't handle it, just goes iressponsive, unable to connect in my local lan with my server., i expect get today a more powerfull router.

only my the first raw rule it's blocking all atack tcp or udp traffic , but router goes irresponsive..

this is tcp attack., im blocking all packets in range ports widh specific packet size., but sometimes the attacker change the packet size and then hang the router.., im' fucked

Image
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 1:43 pm

Is there a common thing that the attacker have except for the targetted port?

I have a longtime problem with rented servers, scanning by router to look for attack vectors. Multiple severs but often in the same multiple /24 range.

So the router adds any source IP that scan on a inacctive dst port. A second script looks at the collected IP addresses and when three collected addresses are from the same /24 range they then get blocked.
Eac collected addresses has a lifetime of a few hours so scans have to be in a limited timeframe. The list grows and grows and sometimes I can't reach a website that is hosted in blocked range. Then I add that server to the DO-NOT-BLOCK address list and I now visit that specific site.

There are many blocklists available but not one covers all and you have geographical differences. That why do it myself also.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 2:46 pm

My way ... set your own port list and watch if it helps or not
/interface list
add name=WAN_LIST
/interface list member
add interface=ETH1 list=WAN_LIST
/ip firewall raw
add action=accept chain=prerouting src-address=9.9.9.9
add action=accept chain=prerouting src-address=1.1.1.1
add action=accept chain=prerouting src-address=8.8.8.8
add action=drop chain=prerouting in-interface-list=WAN_LIST log-prefix=RAWATTACK src-address-list=RAWATTACK
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=1h7m chain=prerouting dst-port=\
    22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST protocol=tcp
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=1h7m chain=prerouting dst-port=\
    22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST protocol=udp
add action=drop chain=prerouting in-interface-list=WAN_LIST log-prefix=RAWATTACK src-address-list=RAWATTACK
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 2:50 pm

I suggest to remove any form of logging (log-prefix=RAWATTACK).
When under attack, only increase CPU load...
I'm writing on general, not only on this script where log-prefix is only a residue of when the log option are enabled.
 
tefots
just joined
Topic Author
Posts: 14
Joined: Wed Jun 23, 2021 3:33 pm

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 3:38 pm

My way ... set your own port list and watch if it helps or not
/interface list
add name=WAN_LIST
/interface list member
add interface=ETH1 list=WAN_LIST
/ip firewall raw
add action=accept chain=prerouting src-address=9.9.9.9
add action=accept chain=prerouting src-address=1.1.1.1
add action=accept chain=prerouting src-address=8.8.8.8
add action=drop chain=prerouting in-interface-list=WAN_LIST log-prefix=RAWATTACK src-address-list=RAWATTACK
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=1h7m chain=prerouting dst-port=\
    22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST protocol=tcp
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=1h7m chain=prerouting dst-port=\
    22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST protocol=udp
add action=drop chain=prerouting in-interface-list=WAN_LIST log-prefix=RAWATTACK src-address-list=RAWATTACK
thanks for that rules.
now, attacking with udp., diferent paket sizes, ip's and source ports.
only way handle it it's blocking que port..

Image
Last edited by tefots on Fri Jun 25, 2021 4:00 pm, edited 1 time in total.
 
Cablenut9
Long time Member
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 3:59 pm

Did you get the RB4011?
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 4:56 pm

I post here my current perm24Blocklist and I you use first try it with a pass-through and watch if the counter is increasing fast or not. If not my list does not catch your attackers.

You should save the file "perm24Block.rsc" and in the top of the script you can read how you can import it. Save it in files on the router that experiences the attacks.
Then point a new line in RAW with the mention pass-trough as action and put this line at high up in RAW to see if it works for you. It is not a big list but it's covers a huge range of addresses and I think that there are some ranges in the list that is larger than /16. It covers much and there could be false positives in there because I just block ranges.

list removed by me
The line RAW I use to block them:
add action=drop chain=prerouting comment="perm24Block /24+ range blocker" in-interface-list=WAN src-address-list=perm24Block
Last edited by msatter on Sat Jun 26, 2021 2:07 am, edited 3 times in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 5:12 pm

no.... again on-hOrror...
do={ ...
       } on-error={:log warning "IP already exists: $1"}} 
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 5:20 pm

Maybe these could help finding/preparing list of addresses to apply to block rules

viewtopic.php?f=9&t=166293&p=821782#p821782
viewtopic.php?f=23&t=148187&p=729368#p729368
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 5:36 pm

 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 5:51 pm

Sweet tool, but for the price of a couple of cups of coffee I recommend the OP try this service if looking for WORRY FREE already integrated list blocking!
What I am suggesting is give the 10 day FREE trial, a go to see if it does the job!!
If not, nothing lost.

https://itexpertoncall.com/additional_info/moabpre.html
https://itexpertoncall.com/promotional/moab.html#prime

If was not already using this service also has a free trial (business expense write-off) I would be using mOAB which is 4x cheaper!
https://mum.mikrotik.com/presentations/ ... 964806.pdf
 
User avatar
jvanhambelgium
Forum Guru
Forum Guru
Posts: 1114
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 6:06 pm

Suppose you block EVERYTHING coming in (in RAW chain to consume least amount of resources) => Does your router remain responsive ?? If not then all of this is simply waste of time and you should look for a somewhat more capable/powerful router to start with...or none of this will do any good.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 6:11 pm

Again, TO ALL:

All this is perfectly useless,
for a very simple reason:
if the game server is hosted in his house, is impossible to distinguish between real and fake traffic, and the bandwidth is limited,
you lose:
GAME OVER
Last edited by rextended on Fri Jun 25, 2021 6:18 pm, edited 3 times in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 6:13 pm

I post here my current perm24Blocklist ....
Use this as start to emprove the script:
/ip firewall address-list
remove [find where list=perm24Block]
:local i do={ :local xparse ([[:parse ":return $1"]])
              :if ([:typeof $xparse] ~ "ip") do={
                  :if ([:len [find where address=$xparse and list="perm24Block"]] = 0) do={
                      add address=$xparse list="perm24Block"
                  }
              }
            }

$i 1.12.0.0/14
$i 2.57.122.0/24
$i 5.63.151.0/24
$i 5.178.86.0/24
$i 5.181.80.0/24
$i 5.188.119.0/24
$i 5.188.158.0/24
$i 5.188.206.0/24
$i 8.128.0.0/11
$i 23.90.145.0/24
$i 23.90.160.0/24
$i 23.148.145.0/24
$i 23.173.112.0/24
$i 23.251.102.0/24
$i 27.71.84.0/24
$i 27.115.124.0/24
$i 27.222.42.0/24
$i 31.133.0.0/24
$i 31.210.20.0/23
$i 34.77.162.0/24
$i 34.86.35.0/24
$i 34.96.130.0/24
$i 36.155.117.0/24
$i 37.49.224.0/21
$i 38.94.109.0/24
$i 39.129.96.0/24
$i 42.192.83.0/24
$i 42.192.91.0/24
$i 42.192.104.0/24
$i 42.192.146.0/24
$i 42.192.161.0/24
$i 42.192.229.0/24
$i 42.192.249.0/24
$i 42.224.0.0/12
$i 43.226.48.0/22
$i 45.33.0.0/17
$i 45.55.0.0/16
$i 45.79.0.0/16
$i 45.83.64.0/22
$i 45.85.90.0/24
$i 45.89.27.0/24
$i 45.93.201.0/24
$i 45.123.119.0/24
$i 45.133.1.0/24
$i 45.134.144.0/24
$i 45.134.225.0/24
$i 45.138.208.0/24
$i 45.143.200.0/24
$i 45.143.203.0/24
$i 45.144.225.0/24
$i 45.146.164.0/23
$i 45.148.10.0/24
$i 45.155.205.0/24
$i 45.177.244.0/24
$i 45.179.165.0/24
$i 45.186.145.0/24
$i 45.195.14.0/24
$i 45.229.54.0/23
$i 45.248.0.0/22
$i 45.248.20.0/23
$i 45.248.156.0/23
$i 45.248.160.0/24
$i 45.248.163.0/24
$i 46.101.0.0/17
$i 46.105.132.0/24
$i 46.148.233.0/24
$i 46.174.191.0/24
$i 46.249.32.0/24
$i 47.100.0.0/14
$i 49.51.0.0/16
$i 49.232.151.0/24
$i 51.15.0.0/16
$i 51.83.177.0/24
$i 51.89.39.0/24
$i 51.89.52.0/24
$i 51.159.7.0/24
$i 51.159.57.0/24
$i 51.159.78.0/24
$i 51.159.80.0/24
$i 51.161.41.0/24
$i 51.195.166.0/24
$i 51.222.199.0/24
$i 54.39.194.0/24
$i 60.2.87.0/24
$i 62.4.22.0/24
$i 62.210.128.0/17
$i 64.23.128.0/17
$i 64.62.197.0/24
$i 64.225.0.0/17
$i 64.226.64.0/18
$i 64.227.0.0/17
$i 64.227.128.0/18
$i 65.49.20.0/24
$i 66.240.192.0/24
$i 66.240.205.0/24
$i 66.240.219.0/24
$i 66.240.236.0/24
$i 67.205.128.0/18
$i 67.207.64.0/19
$i 68.183.0.0/16
$i 71.6.128.0/17
$i 72.217.158.0/24
$i 72.221.232.0/24
$i 72.241.3.0/24
$i 72.241.16.0/24
$i 72.241.90.0/24
$i 72.241.172.0/24
$i 72.241.203.0/24
$i 72.241.223.0/24
$i 74.82.47.0/24
$i 74.120.14.0/24
$i 74.201.28.0/24
$i 77.247.108.0/24
$i 78.108.177.0/24
$i 78.128.113.0/24
$i 79.124.59.0/24
$i 79.124.62.0/24
$i 80.82.77.0/24
$i 80.94.93.0/24
$i 80.240.128.0/20
$i 80.246.81.0/24
$i 81.70.40.0/24
$i 81.70.163.0/24
$i 81.70.176.0/24
$i 81.70.211.0/24
$i 81.71.138.0/24
$i 81.91.190.0/24
$i 81.161.63.0/24
$i 82.196.0.0/20
$i 84.53.198.0/24
$i 85.119.151.0/24
$i 87.251.70.0/24
$i 88.202.190.0/24
$i 88.214.24.0/24
$i 89.190.156.0/24
$i 89.248.165.0/24
$i 89.248.168.0/23
$i 89.248.172.0/24
$i 89.248.174.0/24
$i 91.132.58.0/24
$i 91.151.89.0/24
$i 91.191.209.0/24
$i 92.55.66.0/24
$i 92.63.196.0/23
$i 92.118.160.0/23
$i 94.102.49.0/24
$i 94.232.45.0/24
$i 94.232.46.0/24
$i 95.85.0.0/18
$i 101.200.72.0/24
$i 101.200.82.0/24
$i 101.200.90.0/24
$i 101.200.170.0/24
$i 101.200.177.0/24
$i 101.200.183.0/24
$i 101.200.221.0/24
$i 103.52.217.0/24
$i 103.66.78.0/24
$i 103.77.37.0/24
$i 103.114.104.0/24
$i 103.145.13.0/24
$i 103.198.10.0/24
$i 103.203.57.0/24
$i 103.219.152.0/24
$i 103.232.53.0/24
$i 104.131.0.0/16
$i 104.140.0.0/16
$i 104.206.128.0/24
$i 104.236.0.0/16
$i 104.248.0.0/16
$i 106.0.0.0/10
$i 106.75.0.0/16
$i 106.112.153.0/24
$i 107.151.182.0/24
$i 107.170.0.0/16
$i 107.189.29.0/24
$i 107.189.30.0/23
$i 109.123.117.0/24
$i 109.234.153.0/24
$i 110.80.136.0/24
$i 111.7.96.0/24
$i 111.206.170.0/24
$i 111.229.35.0/24
$i 111.229.63.0/24
$i 111.229.92.0/24
$i 111.229.109.0/24
$i 111.229.122.0/24
$i 111.229.211.0/24
$i 111.229.231.0/24
$i 112.46.87.0/24
$i 112.49.47.0/24
$i 112.121.189.0/24
$i 115.231.83.0/24
$i 116.62.0.0/16
$i 117.50.23.0/24
$i 117.50.63.0/24
$i 117.50.65.0/24
$i 117.50.100.0/23
$i 117.50.104.0/24
$i 118.193.31.0/24
$i 119.28.61.0/24
$i 119.29.52.0/24
$i 119.29.81.0/24
$i 119.29.155.0/24
$i 119.29.168.0/24
$i 119.188.125.0/24
$i 120.70.100.0/24
$i 120.85.238.0/24
$i 120.92.109.0/24
$i 120.131.6.0/24
$i 120.222.197.0/24
$i 121.4.80.0/24
$i 121.4.82.0/24
$i 121.4.88.0/24
$i 121.4.164.0/24
$i 121.4.168.0/24
$i 121.4.182.0/24
$i 121.5.3.0/24
$i 121.5.107.0/24
$i 121.5.155.0/24
$i 121.5.188.0/24
$i 121.5.237.0/24
$i 121.5.243.0/24
$i 121.5.250.0/23
$i 121.136.234.0/24
$i 121.196.0.0/14
$i 122.254.100.0/24
$i 123.56.24.0/24
$i 123.56.62.0/24
$i 123.56.64.0/24
$i 123.56.85.0/24
$i 123.56.93.0/24
$i 123.56.100.0/24
$i 123.56.147.0/24
$i 123.56.158.0/24
$i 123.56.239.0/24
$i 123.160.221.0/24
$i 124.88.69.0/24
$i 124.156.50.0/23
$i 124.156.54.0/23
$i 124.156.62.0/24
$i 124.156.200.0/24
$i 124.156.210.0/24
$i 124.156.245.0/24
$i 125.64.94.0/24
$i 128.1.91.0/24
$i 128.1.248.0/24
$i 128.14.128.0/24
$i 128.14.137.0/24
$i 128.14.141.0/24
$i 128.14.152.0/24
$i 128.14.209.0/24
$i 128.14.211.0/24
$i 128.199.0.0/16
$i 129.227.129.0/24
$i 134.122.0.0/17
$i 134.209.0.0/16
$i 134.228.0.0/16
$i 136.144.41.0/24
$i 137.184.0.0/16
$i 138.68.0.0/16
$i 138.197.0.0/16
$i 139.59.0.0/16
$i 139.60.162.0/24
$i 139.162.0.0/16
$i 139.177.193.0/24
$i 141.98.10.0/24
$i 141.212.123.0/24
$i 142.93.0.0/16
$i 143.110.128.0/17
$i 143.198.0.0/16
$i 143.244.128.0/17
$i 144.126.192.0/18
$i 146.185.25.0/24
$i 147.182.128.0/17
$i 150.109.160.0/19
$i 151.106.35.0/24
$i 151.106.41.0/24
$i 152.42.128.0/17
$i 152.136.22.0/24
$i 152.136.34.0/24
$i 152.136.96.0/24
$i 152.136.100.0/24
$i 152.136.129.0/24
$i 152.136.237.0/24
$i 156.96.155.0/24
$i 157.230.0.0/16
$i 157.245.0.0/16
$i 159.65.0.0/16
$i 159.89.0.0/16
$i 159.203.0.0/16
$i 159.223.0.0/16
$i 161.35.0.0/16
$i 162.62.26.0/24
$i 162.142.125.0/24
$i 162.221.192.0/24
$i 162.243.0.0/16
$i 163.172.16.0/24
$i 164.52.24.0/24
$i 164.90.128.0/17
$i 164.92.64.0/18
$i 164.92.128.0/17
$i 165.22.0.0/16
$i 165.227.0.0/16
$i 165.232.32.0/19
$i 165.232.64.0/18
$i 165.232.128.0/18
$i 167.71.0.0/16
$i 167.99.0.0/16
$i 167.172.0.0/16
$i 167.248.133.0/24
$i 168.144.0.0/16
$i 170.130.187.0/24
$i 172.104.0.0/15
$i 173.0.59.0/24
$i 174.138.0.0/17
$i 175.6.158.0/24
$i 175.24.125.0/24
$i 178.18.242.0/24
$i 178.62.0.0/17
$i 178.72.68.0/22
$i 178.72.75.0/24
$i 178.72.76.0/23
$i 178.72.78.0/24
$i 178.128.0.0/16
$i 178.175.0.0/18
$i 179.43.157.0/24
$i 179.43.175.0/24
$i 179.43.176.0/24
$i 179.43.187.0/24
$i 180.76.0.0/16
$i 180.149.126.0/24
$i 180.163.220.0/24
$i 180.182.245.0/24
$i 183.80.89.0/24
$i 183.89.0.0/16
$i 183.136.225.0/24
$i 184.105.139.0/24
$i 184.105.247.0/24
$i 184.179.216.0/24
$i 185.14.184.0/23
$i 185.14.186.0/24
$i 185.36.81.0/24
$i 185.53.90.0/24
$i 185.56.80.0/24
$i 185.101.107.0/24
$i 185.142.53.0/24
$i 185.142.236.0/24
$i 185.142.239.0/24
$i 185.153.196.0/24
$i 185.153.198.0/23
$i 185.156.73.0/24
$i 185.167.97.0/24
$i 185.173.35.0/24
$i 185.180.143.0/24
$i 185.191.34.0/24
$i 185.200.118.0/24
$i 185.216.140.0/24
$i 185.220.205.0/24
$i 185.236.11.0/24
$i 186.33.107.0/24
$i 186.33.110.0/24
$i 186.33.127.0/24
$i 186.179.100.0/24
$i 188.68.204.0/24
$i 188.124.36.0/24
$i 188.124.54.0/24
$i 188.166.0.0/17
$i 188.166.240.0/20
$i 190.180.154.0/24
$i 191.102.120.0/24
$i 192.34.56.0/21
$i 192.35.168.0/24
$i 192.81.208.0/20
$i 192.241.128.0/17
$i 193.3.53.0/24
$i 193.27.228.0/23
$i 193.46.255.0/24
$i 193.107.216.0/24
$i 193.118.51.0/24
$i 193.118.53.0/24
$i 193.118.55.0/24
$i 193.142.146.0/24
$i 193.163.125.0/24
$i 193.169.255.0/24
$i 193.242.145.0/24
$i 194.61.25.0/24
$i 194.62.6.0/24
$i 194.147.140.0/24
$i 194.165.16.0/24
$i 195.24.207.0/24
$i 195.133.40.0/24
$i 195.230.103.0/24
$i 196.189.91.0/24
$i 198.16.43.0/24
$i 198.98.48.0/24
$i 198.98.51.0/24
$i 198.98.54.0/23
$i 198.98.59.0/24
$i 198.98.62.0/24
$i 198.199.64.0/18
$i 198.211.96.0/19
$i 198.232.147.0/24
$i 199.4.223.0/24
$i 199.19.225.0/24
$i 199.195.254.0/24
$i 202.44.240.0/24
$i 202.44.247.0/24
$i 202.44.251.0/24
$i 202.164.139.0/24
$i 203.159.80.0/24
$i 204.16.0.0/24
$i 204.48.16.0/20
$i 205.185.113.0/24
$i 205.185.114.0/24
$i 205.185.117.0/24
$i 205.185.119.0/24
$i 205.185.120.0/24
$i 205.185.123.0/24
$i 205.185.124.0/23
$i 205.185.127.0/24
$i 206.81.0.0/19
$i 206.185.0.0/16
$i 206.189.0.0/16
$i 207.154.192.0/18
$i 208.68.36.0/22
$i 208.103.169.0/24
$i 209.17.96.0/24
$i 209.97.128.0/18
$i 209.141.32.0/19
$i 211.23.160.0/24
$i 212.192.241.0/24
$i 216.189.52.0/24
$i 216.218.206.0/24
$i 220.178.67.0/24
$i 223.252.6.0/24
 
User avatar
jvanhambelgium
Forum Guru
Forum Guru
Posts: 1114
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 6:21 pm

I'm glad we have some Arbor Networks technologies (now Netscout) deployed in the core/edges of our networks.
We see quite a lot of attacks, and the "average" volumetric ones are about 250Gbits/sec these days.
Not that long ago we (auto) mitigated one of 400Gbits/sec ;-) Keep 'm coming ;-)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 6:24 pm

Exactly so instead of endlessly playing with his config and chasing everyone's favourite piece of script, I am begging the op, DONT WASTE YOUR TIME,
try one of the free trials by a service that does all the legwork for you (keeps it up to date from multiple sources). This will demonstrate to you whether blocking works or not.
Then consider your options.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 6:25 pm

EDIT: Without using "reply with quote" this happen often and I not receive any warning about new post...


added by EDIT:

...We see quite a lot of attacks, and the "average" volumetric ones are about 250Gbits/sec these days...

If I can ask, what is the target?
Bank? Industry? etc.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 6:34 pm

The line RAW I use to block them:
add action=drop chain=prerouting comment="perm24Block /24+ range blocker" in-interface-list=WAN src-address-list=perm24Block
I suggest you to remove any useless CPU actions when drop on RAW, for example, no log and NO INTERFACE LIST,
simply drop:
add action=drop chain=prerouting comment="perm24Block /24+ range blocker" src-address-list=perm24Block
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 6:51 pm

...instead of endlessly playing with his config and chasing everyone's favourite piece of script...
@anav, you are f-a-n-t-a-s-t-i-c
Nothing to say...
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 7:04 pm

Again, TO ALL:

All this is perfectly useless, for a very simple reason:
if the game server is hosted in his house, is impossible to distinguish between real and fake traffic, and the bandwidth is limited,
...
Some "No matter" facts as a comment

A. No matter where the server is located if only it's IP is known the attack starts to kill the server.
B. No matter where the server is located the bandwith is limited.
C. No matter the bandwith you order a dedicated attack always makes your line saturated. Zombies never sleep :)
D. No matter how you block unwanted addresses there is no way to distingiush real and fake connections if your free-open-to-the-world service is active and you do not limit access to it.

The only real solution:

Registration.

Players HAVE TO declare the IP or DNS name used for connection.
All connections to your service HAVE TO be dropped if they do not originate from allowed IPs.

Then ... after some time ... DDoS network will forget you as there won't be an active service opened to connect to.

The main problem is that OPEN SERVICE attracts all and if you allow all connections there is NO POSSIBILITY to control it.
 
User avatar
jvanhambelgium
Forum Guru
Forum Guru
Posts: 1114
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 7:06 pm

Targets are often indeed large customers/institutions or even ourselves. But that is normal when you run a lot of infrastructure.
Needless to say that high-end protection (like Arbor or F5 and others) does not come cheap...but keeping your platforms available 24/7/365 is really a necessity these days.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 7:10 pm

@BartoszP:
I hadn't thought of some points.
Thank you.

***
ALL:

Try leaving port UDP 53 of DNS open for two minutes... and your connection won't work for days (even if you closed port 53), if you don't change IP.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 7:15 pm

...Targets are often indeed large customers/institutions or even ourselves...
We have recently a problem with one Bank, a very hell.
But our connection is cheap and the Bank do not want pay the extra service.
We stop provide the connection to the Bank, and I do not want any Bank anymore....
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 7:44 pm

@BartoszP:
I hadn't thought of some points.
Thank you.

***
ALL:

Try leaving port UDP 53 of DNS open for two minutes... and your connection won't work for days (even if you closed port 53), if you don't change IP.
Now you are being excessively kind (we call it kissing ass), due to the reality they are not original and you did read these things already......
Remember, my posts above.......
Having a player public IP List it's not possible for a lot of reasons.
Sorry thats the only idea I have, but you have not answered the question.
WHY is it impossible??
I clearly stated that anyone can get a free domain name dyndns and that they can give to you if they want to play.
If this is a business then pay your ISP for a business account and get the DDOS protection the ISP should provide.
Also invest in a much more secure access method to the game server using a radius server or other stable more robust method.

If this is just casual then use the IP method I described, if its a business then spend the money to do it right and dont waste your time trying to do it as you have been attempting.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 7:53 pm

POINT, not the rest...

A. No matter where ...
The problem is also the IP which, even if changed, is published on the IP of the online game ...

C. No matter the bandwith ...
In effect on dark web you can PAY for an attack...


Now you are being excessively kind
Uhm... is like you are jealous ;)))
Last edited by rextended on Fri Jun 25, 2021 7:58 pm, edited 1 time in total.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 7:56 pm

BTW ... I wonder what drives tefots to keep this server open if it is a source of so many problems?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 7:59 pm

Probably passion...

I sometime host some Battelzone, Quake and Doom server, but I requre all the player must be registered first on TeamSpeak server...
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 8:19 pm

Exactly so instead of endlessly playing with his config and chasing everyone's favourite piece of script, I am begging the op, DONT WASTE YOUR TIME,
try one of the free trials by a service that does all the legwork for you (keeps it up to date from multiple sources). This will demonstrate to you whether blocking works or not.
Then consider your options.
My list is the list which I build-up in several months and it the result of scans I had on my router. ayou can use it as an kind of kick-start your own dynamicly build list and if does not do that then remove it. It does not block one address at a time but when three scans have occured in a set time-frame the whole range get blocked. This is a nuclear option but these are rare times that you hsve to use it. Being attacked..then you are already to late to implement a building a list or buying a list.

I have busy with this for years and there is no one list that will save your arse so you have be dynamic and search for the combination that will help you to control attacks to not have a impact on your services.

I have chosen to only allow 4 countries an to the rest I am sorry to exclude them. In front of that I have the attack collector described above. I went nuclear and when the radiation kills connections I don't want to be killed they get a radiation suit in the form a place on the do-not-block list.

It are desperate times and I can afford myself, desperate measurements as you also can see in my signature.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 8:31 pm

If you see post #78, I have aggregate the list with:
https://tehnoblog.org/ip-tools/ip-address-aggregator/
Less address-list entry

I took the liberty of suggesting changes to the script to handle it,
but your list is very valuable, thanks for sharing!
 
tefots
just joined
Topic Author
Posts: 14
Joined: Wed Jun 23, 2021 3:33 pm

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 9:44 pm

BTW ... I wonder what drives tefots to keep this server open if it is a source of so many problems?
it's a hobbie, xd
it's a ark server game with 10 maps in cluster, we are 3 years online, with 1500 members aprox registred in discord (with phone validation) and 100players very active.,, but impossible to know who is doing the attack.., may be some server competitor or an angry player, i have my conspiranoic theories ..
 
tefots
just joined
Topic Author
Posts: 14
Joined: Wed Jun 23, 2021 3:33 pm

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 9:56 pm

Again, TO ALL:

All this is perfectly useless, for a very simple reason:
if the game server is hosted in his house, is impossible to distinguish between real and fake traffic, and the bandwidth is limited,
...
Some "No matter" facts as a comment

A. No matter where the server is located if only it's IP is known the attack starts to kill the server.
B. No matter where the server is located the bandwith is limited.
C. No matter the bandwith you order a dedicated attack always makes your line saturated. Zombies never sleep :)
D. No matter how you block unwanted addresses there is no way to distingiush real and fake connections if your free-open-to-the-world service is active and you do not limit access to it.

The only real solution:

Registration.

Players HAVE TO declare the IP or DNS name used for connection.
All connections to your service HAVE TO be dropped if they do not originate from allowed IPs.

Then ... after some time ... DDoS network will forget you as there won't be an active service opened to connect to.

The main problem is that OPEN SERVICE attracts all and if you allow all connections there is NO POSSIBILITY to control it.
But this not solve the attack or the problem.. becouse don't know the ip of the attacker, it's using fake ips.., by otherwise player's don't connect directly to the server ip.., i think that all the server connection it's encapsulated with steam platform.
the other option it's close the server temporarily, until attacker forgotten.
server continues opened, there are a lot of players playing at most 2 years long, it's a great comunity.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 9:59 pm

Why are you still posting, give either of the two services (MOAB or AXIOM) with a free trial a go and then let us know if either of them stop the attacks.
 
Cablenut9
Long time Member
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Under flood attack, how resolve this ?

Fri Jun 25, 2021 10:01 pm

What's your native language?
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Under flood attack, how resolve this ?

Sat Jun 26, 2021 12:20 am

So the attacker is using spoofed source and source ports. The only way to stop that is to find it's ISP or it's ISP should limit the source addresses to be used to be the source adresses belonging to that IP address.

The ISP is clearly not doing that and then you are left powerless.
 
User avatar
Paternot
Forum Guru
Forum Guru
Posts: 1056
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Under flood attack, how resolve this ?

Sat Jun 26, 2021 4:14 am

it's a hobbie, xd
it's a ark server game with 10 maps in cluster, we are 3 years online, with 1500 members aprox registred in discord (with phone validation) and 100players very active.,, but impossible to know who is doing the attack.., may be some server competitor or an angry player, i have my conspiranoic theories ..
Would it be this game?
https://ark.fandom.com/wiki/Dedicated_s ... d_Firewall

If so, You don't need TCP ports - just UDP. Well, there is ONE TCP port (RCON) - but I wouldn't open it to the internet, not even with hot irons on my feet. Ok, ok. Maybe with hot irons.

Now, about the DDoS. I doubt this guy has all these hosts under control: they must be just bad configured/vulnerable hosts on the internet. This means he probably doesn't have control over them - he's just using them. Why does it matter? Because if it's true, these hosts will honor ICMP messages - such as "host prohibited", "host unreachable" and so on.

One time someone DDoSed my game servers too. I was lucky, and he used a simple NTP amplification attack. My router CPU (an hEX) could cope with the load - but not the network. The solution was quite ugly, but worked: instead of dropping the DDoS, I rejected it with "host unreachable". Again, I was very lucky: the bandwidth usage was low enough for me to do it, the router's CPU could cope with the load, and he was using only about 300 or so hosts. Otherwise, I would be done for it.

When the attack started, everything would grind to a halt. About 30 of 40 seconds later, things would start to improve: the machines used on the attack learned that I was unreachable (not a botnet, remember? Just an opportunity attack), and stopped sending packages.

Yes, the load was still sky high. About 40% CPU load, and something like 30Mbps up AND down. But worked well enough, so the servers could continue and I could use the internet (my connection was 90/90 at the time). About one week later he gave up. :D

But what about your case? Well. Does this game has something like metamod/sourcemod? Because there is a chance You could create a small addon that would see failed game logins - with the IPs. After that You could just use the Mikrotik's api to add these IPs to a block list. With a little bit of luck that would solve your problem. :D
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Under flood attack, how resolve this ?

Sat Jun 26, 2021 10:47 am

Now, about the DDoS. I doubt this guy has all these hosts under control: they must be just bad configured/vulnerable hosts on the internet. This means he probably doesn't have control over them - he's just using them. Why does it matter? Because if it's true, these hosts will honor ICMP messages - such as "host prohibited", "host unreachable" and so on.

One time someone DDoSed my game servers too. I was lucky, and he used a simple NTP amplification attack. My router CPU (an hEX) could cope with the load - but not the network. The solution was quite ugly, but worked: instead of dropping the DDoS, I rejected it with "host unreachable". Again, I was very lucky: the bandwidth usage was low enough for me to do it, the router's CPU could cope with the load, and he was using only about 300 or so hosts. Otherwise, I would be done for it.

When the attack started, everything would grind to a halt. About 30 of 40 seconds later, things would start to improve: the machines used on the attack learned that I was unreachable (not a botnet, remember? Just an opportunity attack), and stopped sending packages.
It is very unlikely that this actually works. ICMP "host unreachable" messages are normally sent back only to the application that sent the packet, and it must
be specially programmed to see these messages and stop sending new traffic. The usual program does not include such handling so these messages are simply
ignored. There is no generally available handling in operating systems that centrally registers such "host unreachable" messages and somehow blocks the
programs running on that machine from sending more traffic to that host (or network).

So I guess you were just lucky because you got a good and considerate programmer for the DDoS software. In general you can say, however, that sending back
replies to DDoS traffic is a waste of your own bandwidth and often a waste of someone else's bandwidth too: the source address of DDoS traffic is often not
the address of the machine actually sending the traffic (spoofed source address) and in that case your ICMP "host unreachable" messages go to a completely
innocent victim who did not send the traffic and can do nothing to stop it.

So please do not do it that way.
 
User avatar
Paternot
Forum Guru
Forum Guru
Posts: 1056
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Under flood attack, how resolve this ?

Sat Jun 26, 2021 2:36 pm

Now, about the DDoS. I doubt this guy has all these hosts under control: they must be just bad configured/vulnerable hosts on the internet. This means he probably doesn't have control over them - he's just using them. Why does it matter? Because if it's true, these hosts will honor ICMP messages - such as "host prohibited", "host unreachable" and so on.

One time someone DDoSed my game servers too. I was lucky, and he used a simple NTP amplification attack. My router CPU (an hEX) could cope with the load - but not the network. The solution was quite ugly, but worked: instead of dropping the DDoS, I rejected it with "host unreachable". Again, I was very lucky: the bandwidth usage was low enough for me to do it, the router's CPU could cope with the load, and he was using only about 300 or so hosts. Otherwise, I would be done for it.

When the attack started, everything would grind to a halt. About 30 of 40 seconds later, things would start to improve: the machines used on the attack learned that I was unreachable (not a botnet, remember? Just an opportunity attack), and stopped sending packages.
It is very unlikely that this actually works. ICMP "host unreachable" messages are normally sent back only to the application that sent the packet, and it must
be specially programmed to see these messages and stop sending new traffic. The usual program does not include such handling so these messages are simply
ignored. There is no generally available handling in operating systems that centrally registers such "host unreachable" messages and somehow blocks the
programs running on that machine from sending more traffic to that host (or network).

So I guess you were just lucky because you got a good and considerate programmer for the DDoS software. In general you can say, however, that sending back
replies to DDoS traffic is a waste of your own bandwidth and often a waste of someone else's bandwidth too: the source address of DDoS traffic is often not
the address of the machine actually sending the traffic (spoofed source address) and in that case your ICMP "host unreachable" messages go to a completely
innocent victim who did not send the traffic and can do nothing to stop it.

So please do not do it that way.
You got it wrong: In MY case was an amplifying NTP DDoS that used an online list of open servers. The guy was using misconfigured NTP servers to do it. This is why I said he had no control over. It's the same principle behind "don't expose Your Mikrotik 53 port to the Internet". One could get an army of misconfigured - and uncompromised - routers scanning this port.

And all of them would honor ICMP.

Now. I agree that this depends upon luck: the attack MUST be done using innocent and uncompromised machines. If this is done by a compromised botnet, then there isn't much that can be done by him.

Personally? I don't think it's a professional botnet. This is a hobby server: there isn't money to be made, there isn't bragging cracker rights from attacking a big company. I think this should be the same case as mine: some troll or whatnot, using an oline list of open/misconfigured machines. And, if I'm right, this ICMP "host unreachable" could help. Providing he has enough bandwidth and CPU to withstand the onslaught.

Of course, You may be right: this may be a professional botnet. If this is true, the ICMP trick would be a waste indeed. But it's worth a try, given he is a very small target and offer no financial incentive to the attack. Why would someone waste money with him?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Under flood attack, how resolve this ?

Sat Jun 26, 2021 2:42 pm

You got it wrong: In MY case was an amplifying NTP DDoS that used an online list of open servers. The guy was using misconfigured NTP servers to do it. This is why I said he had no control over. It's the same principle behind "don't expose Your Mikrotik 53 port to the Internet". One could get an army of misconfigured - and uncompromised - routers scanning this port.

And all of them would honor ICMP.
Really? That is interesting... I will try experimenting and/or looking in the code to see what they do with ICMP "host unreachable".
Well, the "ntpd" NTP daemon also implements stuff like a server-reply that says "don't bother me anymore" but almost no client takes notice of that, even worse: they often see it as an invalid reply and re-ask the same question even quicker than they would if there was no reply at all...
Personally? I don't think it's a professional botnet. This is a hobby server: there isn't money to be made, there isn't bragging cracker rights from attacking a big company. I think this should be the same case as mine: some troll or whatnot, using an oline list of open/misconfigured machines. And, if I'm right, this ICMP "host unreachable" could help. Providing he has enough bandwidth and CPU to withstand the onslaught.
Remember there are sites that offer "DDoS as a service" where you just pay some money and specify the target, and the DDoS service will attack your target.
One could call that "professional" even when the guilty people (those who place the request) are not professional.
These services in turn use compromised PCs (and routers, including MikroTik!) to send the DDoS traffic from addresses and via bandwidth they do not own.
 
User avatar
Paternot
Forum Guru
Forum Guru
Posts: 1056
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Under flood attack, how resolve this ?  [SOLVED]

Sat Jun 26, 2021 6:00 pm

Remember there are sites that offer "DDoS as a service" where you just pay some money and specify the target, and the DDoS service will attack your target.
One could call that "professional" even when the guilty people (those who place the request) are not professional.
These services in turn use compromised PCs (and routers, including MikroTik!) to send the DDoS traffic from addresses and via bandwidth they do not own.
Yes. If they are using a professional service like these, then the ICMP trick would do nothing. I'm betting they aren't - just because I don't think this is a serious effort. I believe it's just a troll having his kicks.

Well, I say "professional", but You are right: a better term would be "for hire". The difference I want to make is:
troll = using openproxies, or something similar, found on some site list
professional = have a botnet of compromised machines (not just bad configured), and charge money to inflict DDoS on the victims.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Under flood attack, how resolve this ?

Sat Jun 26, 2021 8:32 pm

@Paternot

To equaly treat all users:
please read my footer and do not quote whole long posts without need viewtopic.php?p=864499#p864499
 
User avatar
Paternot
Forum Guru
Forum Guru
Posts: 1056
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Under flood attack, how resolve this ?

Sat Jun 26, 2021 9:26 pm

@Paternot

To equaly treat all users:
please read my footer and do not quote whole long posts without need viewtopic.php?p=864499#p864499
Really? Long posts? How about not hijacking someone else's thread?
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Under flood attack, how resolve this ?

Sat Jun 26, 2021 9:34 pm

once more ... please do not overquote ... visit the link in my signature.

No hijacking if only users wouldn't start unneeded offtopics trying to be "funny guys".
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Under flood attack, how resolve this ?

Sun Jun 27, 2021 1:51 am

I have the rule when answering directly underneath I don't qoute. When many posts are made before I reply then like to quote.

In the POTN forum you can press a button/link to the posting teplied to. Having three option: tread reply, posting reply and quote posting.

The quote Paternot made was partly quote to show to which part the reply was made. In my eyes it was selective and not over quoting. Then it could be written without using a quote.
 
rodolfo
Long time Member
Long time Member
Posts: 553
Joined: Sat Jul 05, 2008 11:50 am

Re: Under flood attack, how resolve this ?

Sat Jul 03, 2021 6:46 pm

Any kind of DDOS attack, can be solved using router firewall rules only if you have unlimited bandwidth and cpu.
On the other hand, if you have either limited, the problem can only be solved by your upstreamer (as suggested by pe1chl).
Never forget that if for example you have a 1Gbit download, and the attacker sends you 1Gbit of udp packets, on the router you can do whatever you want, but you will still have the line in ddos.

Who is online

Users browsing this forum: mukkelek and 32 guests