Battle Server Outage - Currently Online

andrboot

Hi,

So this morning I recieved multiple emails from my upstream host and my monitoring system informing things were offline.
It appears that the Battle Server has been attacked in a targeted DDOS multiple times, not sure if it still going on but at this stage my upstream host appears to have blocked all traffic to the box.. (either that or it has bsod).
For now, while I am investigating this issue it probably will remain offline however I will attempt to get it up as soon as possible.

I have noticed a large amount of gmod restarts as of late aka server crashing, I have hoped that folks would start to actually not crash the server but this will be also investigated.

Feel free to post comments etc, asking for IP's / attackers information will not be provided, as "ddossing" them is futile and simple stoops to their level.

***************EDIT***************
Added an Additional address & set it to the primary address. aka new ip address, not sure when host wil decide to allow traffic again for orig ip.. "178.63.177.25"
***********************************

---

Update

---

So, again last night (my time) the server was ddosd awesomely again.. this time it was double the traffic as last "yay", appears that they may have targeted the build server as well, however this time I won't be changing the server to another IP Address at this stage.

I will be contacting the providers of the IP's that attacked and hopefully getting them pulled / looked into and chasing up with my upstream on what the story is / how to reduce the damage.

Once again, asking for IP's / attackers information will not be provided, as "ddossing" them is futile and simple stoops to their level.

---

---

2nd Update

---

Working on things now to help "mitigate" the problem, should be up within a few hours hopefully..

So, those that like traffic stats, the 1st attack which was when the server was running on 178.63.177.22 (the normal ip) with a ddoss of around 200-250Mbit/sec it did around 398GB inbound traffic before my host null'd the address.
The 2nd attack, which was 200-400Mbit/sec did around 730GB inbound traffic before my host null'd the address.. (178.63.177.25)
Needless to say my jaw is currently wtf.. - I do have plenty of bandwidth to spare but damn that is a chunk of traffic

---

---

3rd Update

---

To many updates -_-
After the changes last night and so forth ,we did get hit again server was a little choppy but recovered, I believe the attack lasted about 4 hours, and chewed through around 167.490GB in bandwidth..
Will be updating this post if it happens again with time/bandwidth chunks, though I locked down a trove of IP's that Paperclip provided myself which he did an amazing job on.

---

---

4th Update

---

It has been a interesting last couple of hours and stuff..
We got ddos'd again -_- - they were hitting with more traffic and stuff...
For the bandwidth stats they did "2,496.597GB" in around 10-12 hours.

---

Thanks;

Clakattack

Lambda217

So is this just someone buggering about with DevNull or something more...sinister?

andrboot

Well,

Considering it it literally is targeting the server's orig IP then I would say its aimed at knocking Diaspora gmod community offline.. so sinister yea.. Still it is somewhat looked at nub move and a "I cant do anything better but flood your connection because i feel like it"

Clakattack

Steeveeo

Well...that's irritating.

Perhaps the same reason why the forums were unresponsive for a few minutes a bit ago? Or perhaps that was something else.

EDIT: Considering that there are 43 guests currently online, maybe.

Paper Clip

The forum was under a DDoS attack from around 50 unique ips. It looks like the attack has been going on pretty ineffectively since at least yesterday. Looks like it is a small botnet designed to just refresh on a single page - amateurs. The server cpu load is back to normal after I black-listed the ips. I will keep an eye on it over the next couple days to monitor and add new ips as they become involved in the attack.

Steeveeo

Paper Clip wrote:

The forum was under a DDoS attack from around 50 unique ips. It looks like the attack has been going on pretty ineffectively since at least yesterday. Looks like it is a small botnet designed to just refresh on a single page - amateurs. The server cpu load is back to normal after I black-listed the ips. I will keep an eye on it over the next couple days to monitor and add new ips as they become involved in the attack.

Cool, and good to know that the forums can withstand a bit of punishment. However, I am curious about how earlier today it peaked at 190 users, different IPs on those?

Paper Clip

Well, I blocked all the effective ones. I have a count of 315 unique ips that hit the specific page that was being dosed at least once, but only 79 of them requested it more than 25 times. I banned all the ones that accessed it more than 25 times, and left the rest unbanned since they are ineffective DoSers, or could be a real person checking on the server status a lot.

Lambda217

Paper Clip wrote:

Well, I blocked all the effective ones. I have a count of 315 unique ips that hit the specific page that was being dosed at least once, but only 79 of them requested it more than 25 times. I banned all the ones that accessed it more than 25 times, and left the rest unbanned since they are ineffective DoSers, or could be a real person checking on the server status a lot.

Not only does Paper Clip still exist, but he's as efficient as ever!

Trekintosh

Is the build server also offline now? I can't seem to connect to it. And are there any recommendations for alternative servers while it's down? Gotta get my spacebuild fix somehow!

andrboot

Just Updated the primary post

Steeveeo

I threw out a support ticket to Art Of War for the Build server, perhaps they can do something a bit more to combat this than I can, since they have direct access to the server box. Will update as information comes in.

Trekintosh

Build server seems to be up now, but it's so out of date I think I'll just play singleplayer.

andrboot

Updated Primary Post again with some pretty stats

andrboot

Server is backup and hopefully solid/stable

Trekintosh

I'm glad it's up, but does anyone have any idea who? Or why?

andrboot

Trek,
We have our suspicions, there is only "so many" things you can do in regards to ddos, and those that do ddos will be eventually caught and d/c or at least there stuff from the net that ddos.


Thanks;

Andrew

Lambda217

the caldari have gone too far this time

Trekintosh

Lambda217 wrote:

the caldari have gone too far this time

CALDARI?! It was the Gallente SCUM who were trying to bring down our corporation that went to far! How DARE you blame the innocents!

LtBrandon

Trekintosh wrote:

Lambda217 wrote:

the caldari have gone too far this time

CALDARI?! It was the Gallente SCUM who were trying to bring down our corporation that went to far! How DARE you blame the innocents!

Eh, Jove thinks you all fail so.. off topic go away?

Trekintosh

LtBrandon wrote:

Trekintosh wrote:

Lambda217 wrote:

the caldari have gone too far this time

CALDARI?! It was the Gallente SCUM who were trying to bring down our corporation that went to far! How DARE you blame the innocents!

Eh, Jove thinks you all fail so.. off topic go away?

andrboot

Updated the primary post with more stats

Trekintosh

Am I going crazy or does that thing say 2 and a half terabytes? Who hates us that much?

LtBrandon

Trekintosh wrote:

Am I going crazy or does that thing say 2 and a half terabytes? Who hates us that much?

That's what we want to know too :shock:

Steeveeo

An average internet speed 200 times over is still a lot of traffic.