OVH my game server being disconnected by ddos?

[Graymanflo]

Hey there!

I am a customer at OVH and I am struggling a lot with protecting my UDP based game servers from ddos attacks; permanent mitigation mode is enabled and firewall rules are in place but yet the attacks comes straight through and only takes down the specific game server being targeted while leaving rest of my game servers and services running smoothly.

My main concern is that I wish to locate the source of the attacks (protocol/IPs) and of course filter them out. I am running on Windows Server 2016 Standard (my applications runs best with this OS) and I am clueless on how I can filter this out as per say OVH isn't detecting these attacks even though everyone gets intensive packet loss and eventually disconnects.

Thanks.

 

[TheBeastMC]

Sounds like you have OVH PRO protection which cannot filter game specific UDP attacks. It will drop the UDP port that gets attacked which means that only the targeted service will be unavailable while the rest of your server is up (as you described it).
You should try out OVH GAME protection: https://www.ovh.com/world/dedicated-servers/game/

 

[Graymanflo]

Hey the @TheBeastMC.

I failed to mention that I do indeed have OVH Game protection, the permanent mitigation is on and rules for the UDP service exists. The issue seems to be the nature of this attack, the firewall fails to detect it and my question would be how I would go about snooping up such attack and blocking it if OVH's firewall can't detect it?

I closely inspected the network activity in Resource Monitor and from the last attacks I was able to pin point the regular traffic size and the one during a attack (~70 players):

Expected traffic:
[sending ]~232000 B/sec
[receiving]~117202 B/sec

During a attack:
[sending ]~1200000 B/sec
[receiving]~320000 B/sec

Any suggestions?

 

[TheBeastMC]

When you already have OVH GAME, how is your GAME firewall configured? Can you send screenshots or info about it, please?
And what gameserver do you run there?
What is your setup? Is it a dedicated server with or without failover IPs or just a VPS from a reseller?

 

[denka]

"Irony can be pretty ironic sometimes."
Yup I agree with your phrase the fact that you still think that these days nothing can down OVH Game. Il just tell you how much in euros you need to down any OVH server 1 Week - about 150€-200€ and you can cry all you want to ovh there won't be any solution

 

[TheBeastMC]

the fact that you still think that these days nothing can down OVH Game

@denka Where did I say this the last 30 days?
I have more than 10 scripts here that go through OVH GAME.

Il just tell you how much in euros you need to down any OVH server 1 Week - about 150€-200€ and you can cry all you want to ovh there won't be any solution

I just got 2 new attacks last week that went through and caused lag for some seconds. I managed to filter both within 10 minutes by myself + got their dumps here so I can replicate the attack on any other server
If you want to down my server for 1 week, please go ahead I will thank everyone for free scripts that go through OVH GAME

 

[Graymanflo]

Hey again!

@TheBeastMC, I have a i7-8700K game dedicated server with the following configuration in my firewall (permanent mitigation mode):

The game servers are listening on:

x.x.x.x:25200 (game) / x.x.x.x:47200 (rcon).
x.x.x.x:25250 (game) / x.x.x.x:47250 (rcon).

The clients connects from various ports, is this configuration correct?

 

[TheBeastMC]

The clients connects from various ports, is this configuration correct?

@Graymanflo When you say, that clients connect from various ports (which is pretty much with any application the case), why do you only allow traffic from source port 25200 (port of the client) to server 25200 (dest port)? (same for the other 3 rules)

In short, the firewall config is completely wrong (for at least that what you want to achieve with it).

And please send all firewall rules, not only the first 4.

 

[Graymanflo]

Hey @TheBeastMC.

Thanks for letting me know, I added these rules instead:

This is currently all the rules I have, are these more appealing or still wrong? I understand that setting no source/destination port will cover all the ports, is that correct?

 

[TheBeastMC]

I understand that setting no source/destination port will cover all the ports, is that correct?

@Graymanflo That's correct.

However, if you allow all UDP ports + all TCP ports + all ICMP packets (as in your screenshot), you could allow pretty much every traffic to your server (empty firewall).
I think you have not understood the purpose of a firewall, yet.

As far as I know, the purpose of a firewall is it (correct me if I'm wrong here) to only allow traffic through that you want to go through and block the rest. So you should only open the ports you require.

Can you try to do that and send a screenshot again?

 

[Graymanflo]

I understand @TheBeastMC.

Although what I am looking for is a way of filtering out the malicious traffic; the attack doesn't congest my bandwidth as the total rate never exceeds more than 2 mb/s but even then it's able to give all my players packet loss until everyone disconnects without affecting any other services or the other game servers on the computer. This is a graph of the server's network activity from yesterday:

I usually have two game servers running but at times one is empty like yesterday while the other is blooming the entire day with players. The only spikes in this graph are the periods when players reconnects (18:30/18:35/20:40 & 07.00 is a scheduled reboot), the server is mostly full (50-64 players) and players usually reconnects exponentially.

Here's the symptoms I've been able to pin point:

• After a attack the affected IP : Port seems to be unreachable over UDP for a certain amount of time (1 - 20 minutes at times if the game server isn't rebooted manually, although networking for the rest of the system works fine).
• The attack doesn't leave any significant bandwidth spikes (check the post #3).

I hope this description gives you guys a idea of the issue, is there anything I could try to do?

 

[TheBeastMC]

@Graymanflo What is your CPU usage during the attack? And without the attack? Are there any spikes?

 

[Graymanflo]

Thanks for the tip @TheBeastMC, I investigated it and I can't see any anomalies in neither the ram or CPU usage. Perhaps there is a different approach to this?

 

[TheBeastMC]

@Graymanflo I still don't know what type of game server you run there on it. So what game is it? (e.g. CS:GO, Garry's Mod ...)

Btw. do you have any iptables rules?

After a attack the affected IP : Port seems to be unreachable over UDP for a certain amount of time (1 - 20 minutes at times

Is the IP : port only down from outside or is it still reachable from the internal ovh network?

When there are no bandwidth or cpu spikes during the attack and your server only comes back after a manual restart, it could be a crash or exploit for the server.

Might be helpful if you could provide a tcpdump of normal traffic and one during the attack / when the attack begins.

Edit: Added examples to better understand that I don't mean the dedicated ovh server, but the game server he runs on that.

 

[walross99]

So what game server is it?

I have a i7-8700K game dedicated server

 

[Bluscream]

He was asking for the game. Minecraft csgo hello kitty online etc.

 

[walross99]

Well, that sentence wasn't there before (+_+) Nevermind then ^_^

 

[walross99]

Today it is possible to down ovh game server,
contact me pm

Nobody actually asked for this. It has already been mentioned in the posts above.

 

[Graymanflo]

Thanks for all the input guys.

@Graymanflo I still don't know what type of game server you run there on it. So what game is it? (e.g. CS:GO, Garry's Mod ...)

Btw. do you have any iptables rules?


Is the IP : port only down from outside or is it still reachable from the internal ovh network?

When there are no bandwidth or cpu spikes during the attack and your server only comes back after a manual restart, it could be a crash or exploit for the server.

Might be helpful if you could provide a tcpdump of normal traffic and one during the attack / when the attack begins.

Edit: Added examples to better understand that I don't mean the dedicated ovh server, but the game server he runs on that.

I got Windows Server 2016 which I am running Battlefield game servers on, it only has portforwarding rules in Windows Defender since there are no iptables in Windows. No, the game server (IP : Port) being targeted goes down and you can only communicate with the rcon port on the game server, the port for joining the server becomes inaccessible after a attack, strangely enough. The game server itself uses UDP protocol for networking and we have 64 players on the server regularly, there's pretty much thousands of packets going in and out. Also, the OS installation is clean, there's only minimal software installed (.NET 3.5/C++ 2012u4 runtime) for launching the game servers.

Is there any effective way of finding out what's going on or at least filtering out it? Like I mentioned above there is a small spike in traffic when the attack occurs (post #3).

 

[Graymanflo]

Bump, anyone has any good software for filtering malicious game traffic?