How do you stop a botnet DDOS?

Who have you annoyed?


It's not me in particular and I don't think I'm at liberty to speak about other people's business. Just trying to help someone out. Anywho, the feedback was appreciated, even the light-hearted, fun ones. Seems like it's a bit out of our league to handle.
 
You stop advertising your ranges and re-advertise through someone like Prolexic. You will have set up a baseline beforehand.

This sounds like IRC war games though? :p
 
You need to re-route the sensor array before the crystal causes the auxiliary ripples to boost. Vaporising the special matter stream causes fluctuations at the temporal hyperspace-flux window though, so you'll probably need to reboot the temporal plasma conduit feed next to the delta connector.

Makes sense to me :cool:
 
What you need to do is:

  • Find their IP
  • Trace it - find what ISP it belongs to (if there's an ISP with more IPs then use that.)
  • Contact its ISP's abuse department with details of what's happening (any evidence, screenshots etc.)

I contacted an abuse dept a while back for someone spamming one of my email scripts from a few dozen IPs and they acted pretty quick. I'm sure they'll treat this with a higher priority.
 
First of all, blocking UDP for Minecraft will mean no one will be able to play on it.

There's not really a sure way of stopping a DDOS; being prepared for it in the event is an idea, such as proper networking equipment with anti-ICMP support, maybe set up a honeypot trap on a separate device if it's that serious.

Also, as asim has said, get their IP (unless they are spoofing it) and contact the ISP it is owned by.
 
Some good firewalls can mitigate against it.
Please describe these mythical devices - all the ISPs will be amazed these exist.
What you need to do is:

  • Find their IP
  • Trace it - find what ISP it belongs to (if there's an ISP with more IPs then use that.)
  • Contact its ISP's abuse department with details of what's happening (any evidence, screenshots etc.)
Let's assume you gain their IP from someplace - how are you proving they are related to the DDOS, or the C&C server? The packets will likely have fake src as it is, it's unlikely you'd tie anything together would you?
 
Yes, I guess you are talking about a real DDOS attack and not a kiddie running an attack from half a dozen different source IPs.

If it's the latter then you can do something about this. A proper DDOS attack will come from a huge number of source IPs and will take down an Internet-facing service regardless of what you put in front of it (firewall/IPS/IDS).
 
What you need to do is:

  • Find their IP
  • Trace it - find what ISP it belongs to (if there's an ISP with more IPs then use that.)
  • Contact its ISP's abuse department with details of what's happening (any evidence, screenshots etc.)

I contacted an abuse dept a while back for someone spamming one of my email scripts from a few dozen IPs and they acted pretty quick. I'm sure they'll treat this with a higher priority.

The D in "DDOS" stands for "Distributed". There is no one single IP, there are hundreds or thousands and none of them will/should be the IP of the person(s) actually conducting the attack.
 
You can't stop a DDoS, only mitigate it by trying to drop all non-pertinent traffic and growing your hosting capacity beyond what's left. Depending on how big the botnet is, it's entirely possible that even your firewalls can't keep up with dropping every single packet and you'll need to discuss those sorts of problems with the carrier. More realistically you'll be a single unimportant customer for the ISP and they'll focus on making sure your problems don't hurt other customers.

For a game server in particular, growing the service isn't going to work. You could try a whitelist and drop everyone who isn't supposed to be playing, or at least just segregate by location, but it all sounds like a lot of trouble for a server you commonly use and you probably won't get a lot of help with this from your provider. Also this should totally be in Networks, they should know more about it than myself or most of GD.
 
You can't stop a DDoS, only mitigate it by trying to drop all non-pertinent traffic and growing your hosting capacity beyond what's left. Depending on how big the botnet is, it's entirely possible that even your firewalls can't keep up with dropping every single packet and you'll need to discuss those sorts of problems with the carrier. More realistically you'll be a single unimportant customer for the ISP and they'll focus on making sure your problems don't hurt other customers.

For a game server in particular, growing the service isn't going to work. You could try a whitelist and drop everyone who isn't supposed to be playing, or at least just segregate by location, but it all sounds like a lot of trouble for a server you commonly use and you probably won't get a lot of help with this from your provider. Also this should totally be in Networks, they should know more about it than myself or most of GD.

The problem with a whitelist is that processing power is required to validate the source IPs; once the CPU on that device is maxed out, the DoS is successful. Your best bet is to get your IP changed and only hand out the server details to your close circle of players.
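The two posts above make three points worth seeing in practice: a flood from a handful of source IPs is something an abuse report can address, a distributed flood needs upstream help, and a whitelist still costs CPU for every packet it drops. The script below is an added example, not code from anyone in this thread. It works on constructed flow records (second, source IP, destination port, protocol, packet count) that stand in for what a router or a tool like a NetFlow collector would export; the thresholds, the 203.0.113.0/24 "player" range and the other documentation prefixes are assumptions chosen for the demonstration, and 25565 is Minecraft's default port.

```python
"""Triage flow records from a game server and apply a source whitelist.

Added example (not from the thread). Classifies each one-second window as
normal, a few-source flood or a distributed flood, then shows that a
whitelist must still evaluate every packet it drops.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

GAME_PORT = 25565  # Minecraft default; the thread's server is a Minecraft server


def build_sample():
    """Constructed flow records: (epoch_second, src_ip, dst_port, proto, packets).

    Second 0: five legitimate players only.
    Second 1: the same players plus six hosts sending 300 pps each.
    Second 2: the same players plus 200 hosts sending 10 pps each.
    All addresses are from documentation prefixes (RFC 5737).
    """
    flows = []
    players = [f"203.0.113.{i}" for i in range(1, 6)]
    for sec in range(3):
        for p in players:
            flows.append((sec, p, GAME_PORT, "udp", 20))
    for i in range(1, 7):                      # few-source flood
        flows.append((1, f"198.51.100.{i}", GAME_PORT, "udp", 300))
    for i in range(1, 201):                    # distributed flood
        flows.append((2, f"192.0.2.{i}", GAME_PORT, "udp", 10))
    return flows


def windows(flows):
    """Group flow records by their epoch second."""
    grouped = defaultdict(list)
    for f in flows:
        grouped[f[0]].append(f)
    return grouped


def classify_window(flows, pps_threshold=1000, distinct_threshold=50):
    """Label one window by packet rate and number of distinct sources.

    Below pps_threshold nothing is flagged. Above it, a small number of
    distinct sources is the "kiddie with a few IPs" case where an abuse
    report to the ISP is realistic; many distinct sources is the
    distributed case that only the carrier can absorb. Thresholds are
    assumed values for the example, not tuned figures.
    """
    packets = sum(f[4] for f in flows)
    sources = {f[1] for f in flows}
    if packets < pps_threshold:
        return "normal"
    if len(sources) < distinct_threshold:
        return "few-source flood"
    return "distributed flood"


def triage(flows, **thresholds):
    """Map each second to its classification."""
    return {sec: classify_window(fl, **thresholds)
            for sec, fl in sorted(windows(flows).items())}


def whitelist_filter(flows, allowed_nets):
    """Keep packets from allowed_nets, drop the rest, and count the work.

    'evaluated' counts every packet that had to be matched against the
    list; it equals kept + dropped, which is the point made above: the
    filter spends CPU on each flood packet even though it drops it.
    """
    nets = [ip_network(n) for n in allowed_nets]
    kept = dropped = evaluated = 0
    for f in flows:
        evaluated += f[4]
        if any(ip_address(f[1]) in net for net in nets):
            kept += f[4]
        else:
            dropped += f[4]
    return {"evaluated": evaluated, "kept": kept, "dropped": dropped}


if __name__ == "__main__":
    sample = build_sample()
    for sec, label in triage(sample).items():
        print(f"second {sec}: {label}")
    print(whitelist_filter(sample, ["203.0.113.0/24"]))
```

Running it prints `normal`, `few-source flood` and `distributed flood` for the three seconds, and the whitelist summary shows 4100 packets evaluated to keep 300, which is the cost the reply above warns about: the filter protects the game process, but the box running the filter still does work proportional to the flood.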
 
The attacker is known. The owner of the server can't do much but keep the server hidden/non-public for now, it's working but it was obviously intended to be public. I don't know many details about it further than that and I don't want to say much more about it really. I figure it's just a "wait for the authorities to do their thing again" scenario. Owner of the server does not know a great deal about all the tech stuff behind the attacks.

Which GSP are they using?
 