Stopping flood attacks

[jlv]

I run a game server and for the past few weeks I've been getting what I believe is a flood attack every Thursday night during a special event that's run that night. Every few minutes, the incoming bandwidth goes from about 150 kb/s to 12,000 kb/s for about 5 seconds. This completely disrupts the game as the players lag out for 5 seconds at a time.

My question is what filtering is available upstream to stop this? Would it be possible to filter out packets that are above a certain size? Can you filter by source address or is that certain to be forged?

I was caught flat footed when I finally suspected foul play and didn't get anything logged. I'm running the following tcpdump command now. If I should be doing anything else, please let me know.

tcpdump -w in -C 10 -W 10 -s96 dst host 173.214.174.226

 

[Quags]

This is a game server that uses UDP/TCP on its own port, or is it webbased?

Webbased can be blocked with cloudflare easily. If it runs on its own port it can be hardder. Software firewalls are generally very good at dos protection in a lot of cases. I have found PF on freebsd/openbsd the best, but most servers do not run it.

If it is a linux system with iptables, there is csf firewall that can be installed that can enable synflood protection.

 

[jlv]

The game uses UDP on its own port. How would a software firewall help when it's downstream of the 100 mbps link that's getting flooded? The server itself is running fine during the flood, but the network interface is completely used up.

 

[jlv]

So I finally got a log of an attack. I'm no expert but I think it's a DNS amplification attack. Would it be possible to block any packets over 600 bytes in length before it gets to my server? My legit UDP packets are always smaller than that.

Here are some lines from the tcpdump of the attack:

21:31:51.302834 IP (tos 0x0, ttl 34, id 1110, offset 0, flags [+], proto: UDP (17), length: 1500) 211.223.208.4.53 > 173.214.174.226.4444: 57985| q: ANY? cpsc.gov. 20/0/1 cpsc.gov. MX hormel.cpsc.gov. 5, cpsc.gov.[|domain]
21:31:51.302955 IP (tos 0x0, ttl 45, id 28420, offset 0, flags [+], proto: UDP (17), length: 1476) 41.162.49.146.53 > 173.214.174.226.4444: 40196| q: ANY? cpsc.gov. 22/0/0 cpsc.gov. Type48[|domain]
21:31:51.302962 IP (tos 0x0, ttl 47, id 23634, offset 2912, flags [none], proto: UDP (17), length: 1211) 89.45.97.40 > 173.214.174.226: udp
21:31:51.303181 IP (tos 0x0, ttl 48, id 55853, offset 0, flags [+], proto: UDP (17), length: 1500) 168.121.89.10.53 > 173.214.174.226.4444: 45276| q: ANY? cpsc.gov. 20/0/1 cpsc.gov. Type46[|domain]
21:31:51.303303 IP (tos 0x0, ttl 48, id 55853, offset 1480, flags [+], proto: UDP (17), length: 1500) 168.121.89.10 > 173.214.174.226: udp
21:31:51.303427 IP (tos 0x0, ttl 52, id 21189, offset 0, flags [+], proto: UDP (17), length: 1500) 213.124.2.46.53 > 173.214.174.226.4444: 40196| q: ANY? cpsc.gov. 20/0/1 cpsc.gov. MX hormel.cpsc.gov. 5, cpsc.gov.[|domain]

 

[Quags]

This blocking is best done on a hardware firewall before it gets to the router. For if it can be done on the hostnode, before it gets to your VPS I am unsure yet. I have a request in to look further into it.