Solved foreign IPs blocking to cope with UDP flood

July 25, 2013 at 18:34:43
Specs: Linux x86_64

We run a nonprofit online role-playing game that's being attacked with botnets (UDP flood). These botnets' zombies are distributed all over the world, mainly from Europe, Asia and the USA, and since 99.9% of the users in our game are players from within our country (Argentina), we were wondering how viable it is to permanently block all packets coming from foreign IP addresses in order to mitigate the effects of these attacks. (Very few zombies' IPs were found to be Argentinean when checking the logs at the time of the attacks, so having only them flooding the server will cause no harm.)

Of course, we already discussed this with the company that hosts our server, but they said they aren't able to "filter" packets that way (and didn't know much about it either). The thing is, they're a small, precarious company devoted mainly to small webpage hosting (it's all we can afford).

When asking here "how viable" this option is, we just want to know if you think it's worth continuing to look for a company/datacenter that actually offers this "service" (because it's common practice, or it's possible technically speaking, or whatever the reason you think so), or whether we just need to forget about it and look for solutions somewhere else.

Needless to say, we can't afford large, expensive hosting companies equipped with DDoS mitigation devices at their datacenters.

Thanks in advance for your help.





#1
July 26, 2013 at 07:40:54
Does your server have a built-in firewall you could configure to filter any/all packets from the IPs that are attacking it?

What OS is your server running?

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#2
July 29, 2013 at 15:46:34
Hi Curt, thanks for your prompt response and sorry for my delayed one.

The OS our server runs is Windows 2008.

About the built-in firewall: we don't have one, but in our case it wouldn't be useful because of the traits of the attacks we're being victims of. Their intensity ranges between 1 and 2 Gbps (sometimes reaching 3 Gbps), so it easily saturates the bandwidth assigned to our dedicated server. Besides that, they are not always the same IPs; that is to say, they seem to be using different botnets from time to time (although we did notice that in all cases the amount of Argentinean IP addresses is insignificant). Those are the reasons why we thought about something like blocking packets from every foreign IP, but it needs to be done at an ISP or datacenter level, because doing it in our router/server would be impossible due to the enormous amount of traffic we're receiving.

Again thank you!



#3
July 29, 2013 at 20:03:22
You would be better off hosting your own game server and having your own router that can block IPs by country. The problem with trying to get a hosting company to do it is they won't want to block any IPs due to their other customers.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's



#4
July 30, 2013 at 07:28:02
I would definitely talk to your hosting company about this situation and ask if they can help or offer any advice on how to stop this. There's a good chance they're not aware of it and would take steps to stop it once they are since attacks on you can potentially affect other clients of theirs and their business.


#5
July 30, 2013 at 14:00:52
wanderer,

I get your point about datacenters not being able to block IPs that way because of customers that do need international traffic. But about hosting it ourselves: isn't 2 Gbps too much traffic to be processed by a simple router? Think of every packet's IP being checked for 'foreign' or 'national'; I'm not sure, but it sounds like it will get overwhelmed easily. I checked prices online for DDoS mitigation appliances capable of handling that amount of traffic. They cost over $50,000. I'm stating this without any solid knowledge, so maybe the proper router (with the proper setup) does solve our problem.

Curt,

Our hosting company is aware of the situation and can't do much about it. If they could, I think they would, because we hired a dedicated server to host our game (although it's a cheap price compared to most hosting companies, we are still paying for their most expensive service). If they do not stand up for their 'most profitable' clients, I assume they don't for anybody else. They just turned off our server when things got serious (maybe to keep other clients from getting affected by the attack).

thank you both.

message edited by PhilipBeau



#6
July 31, 2013 at 08:09:29
It is a fast and simple check of the header concerning the IP address. Our SonicWall is configured to not allow China, Africa, Central and South America plus Europe IPs.

If stuck with the hosting company, you could see about putting a firewall you control between your server and their network to block.


#7
July 31, 2013 at 08:54:55
Does Windows Server 2008 not have a built-in firewall in it? I haven't played with 2008, so I don't know offhand.

Also, if it does, my next question would be is it capable of blocking by IP's and/or subnets? If it is, you could try it before spending money and buying an actual appliance (which would require rack space and therefore more $$$ out of your pocket for monthly rental for said rack space).


#8
July 31, 2013 at 10:26:35
My rather inexpensive TP-Link router allows me to set it to block UDP floods and DoS attacks etc. Blocking specific IPs can be a never-ending task.

#9
July 31, 2013 at 12:05:20
"Blocking specific IPs can be a never-ending task."

Yep, that's why I included "and/or subnets". Maybe I should have said "networks" instead, as "subnet" isn't really the correct term.

If you know a network's CIDR notation, you can easily block the entire network instead of one IP at a time.

If these are bot attacks then the choice of which way to block would depend on how many bots are hitting you from any one network. If it appears to be just one, stomping an entire /8 network is a bit of overkill. But on the other hand, if you have multiple attacks originating from one network, then killing the entire network is more time effective.


message edited by Curt R
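Curt's point about when to block a whole network rather than single hosts, together with the thread's idea of passing only "national" source addresses, worked through as an added example; this is not code from the thread or from any poster. The UDP log lines and the NATIONAL_PREFIXES allow-list are constructed placeholders (RFC 5737 / RFC 2544 documentation ranges); a real allow-list would be built from the RIR delegation data for the country, and the per-packet check would live in a firewall or router, not in Python.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log window (not from the thread). Source addresses come
# from documentation/benchmarking ranges so nothing here is a real host.
SAMPLE_LOG = """\
2013-07-25 18:34:43 UDP src=203.0.113.7 dst=10.0.0.5 dport=7777 len=1400
2013-07-25 18:34:43 UDP src=203.0.113.20 dst=10.0.0.5 dport=7777 len=1400
2013-07-25 18:34:43 UDP src=198.51.100.14 dst=10.0.0.5 dport=7777 len=60
2013-07-25 18:34:44 UDP src=203.0.113.99 dst=10.0.0.5 dport=7777 len=1400
2013-07-25 18:34:44 UDP src=203.0.113.7 dst=10.0.0.5 dport=7777 len=1400
2013-07-25 18:34:44 UDP src=192.0.2.33 dst=10.0.0.5 dport=7777 len=60
2013-07-25 18:34:45 UDP src=203.0.114.5 dst=10.0.0.5 dport=7777 len=1400
2013-07-25 18:34:45 UDP src=198.18.5.9 dst=10.0.0.5 dport=7777 len=1400
"""

# Hypothetical "national" allow-list: prefixes assumed to belong to the country
# whose players must keep getting through. Placeholders, not real assignments.
NATIONAL_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "192.0.2.0/24")]

_SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_sources(log_text):
    """Source address of every log line, in order; duplicates are kept."""
    return [ipaddress.ip_address(m.group(1)) for m in _SRC_RE.finditer(log_text)]


def is_national(ip):
    """The per-packet check the thread talks about: match the source address
    against the allow-list. A linear scan is fine for a demo; a real filter
    would use a radix tree or the router's hardware lookup."""
    return any(ip in net for net in NATIONAL_PREFIXES)


def classify_sources(log_text):
    """(packets that would pass as national, packets that would be dropped)."""
    srcs = parse_sources(log_text)
    national = sum(1 for ip in srcs if is_national(ip))
    return national, len(srcs) - national


def foreign_hosts_by_prefix(log_text, prefix_len):
    """Distinct foreign source hosts per /prefix_len network, as {network: count}.
    This is the number Curt's rule depends on: how many bots per network."""
    hosts = defaultdict(set)
    for ip in parse_sources(log_text):
        if is_national(ip):
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        hosts[str(net)].add(ip)
    return {net: len(ips) for net, ips in hosts.items()}


def propose_blocks(log_text, min_hosts=3, prefix_len=24):
    """Block the whole /prefix_len only when at least min_hosts distinct foreign
    sources came from it; otherwise block the single host (/32). Aggregating
    only where several bots share a network avoids stomping a /8 for one host."""
    per_net = foreign_hosts_by_prefix(log_text, prefix_len)
    blocks = set()
    for ip in parse_sources(log_text):
        if is_national(ip):
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        if per_net[str(net)] >= min_hosts:
            blocks.add(net)
        else:
            blocks.add(ipaddress.ip_network(f"{ip}/32"))
    return [str(n) for n in sorted(blocks)]


if __name__ == "__main__":
    print("national/foreign packets:", classify_sources(SAMPLE_LOG))
    print("foreign hosts per /24:", foreign_hosts_by_prefix(SAMPLE_LOG, 24))
    print("foreign hosts per /16:", foreign_hosts_by_prefix(SAMPLE_LOG, 16))
    print("proposed blocks:", propose_blocks(SAMPLE_LOG))
```

On the sample window the three hosts in 203.0.113.0/24 justify one /24 block, while the lone hosts in 203.0.114.0/24 and 198.18.5.0/24 are blocked individually; raising prefix_len to 16 with min_hosts=4 instead collapses all four 203.0.x.x bots into a single /16 rule. Note this only shortens the rule list; as PhilipBeau says, once the flood saturates the link, the filter has to sit upstream of that link to help.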



#10
August 4, 2013 at 08:50:05
✔ Best Answer
Best bet is to implement a router that has the capability to mitigate DDoS attacks and automatically drops the packet(s). If you handle this at a server level, the packets are still being delivered through the current router/security appliance (if there is something there) and still establishing a connection, which will eat at bandwidth and resources.

It's expensive to do this at an ISP level; it's much more cost-effective to do it with an Adtran NetVanta, SonicWall, or Cisco device. If a roughly $1,000 one-time cost is too much, then I would be looking for cheaper appliances that will block traffic by country, like Wanderer mentioned.

Thanks for any input.



#11
August 10, 2013 at 02:47:36
But I checked some NetVanta routers and they can manage 30 Mbps, not the 3 Gbps we've been flooded with. Doesn't that mean that, in our case, those routers will be easily overwhelmed?


#12
August 10, 2013 at 08:04:47
How much bandwidth do you have? It's hard to believe there is a connection with that much bandwidth without some decent type of router to handle a connection of that size. Can you explain your current setup? What equipment is there right now? I am assuming you have dedicated external IP(s) and that you are completely segmented on the network, physically or by VLAN, since it's dedicated?

www.standby-it.com

message edited by jpag3074

