DDoS Server protection

Discussion in 'Bukkit Help' started by mactown21, May 3, 2014.

Thread Status:
Not open for further replies.
  1. Offline

    mactown21

    I'm currently hosting a server, and it's running really great. The bad thing is that I'm scared of someone DDoSing my Minecraft server. I've DDoSed my own server and it only took 10 seconds before it shut off instantly. Is there anything that I can use to protect my server from DDoS attacks?

    I was thinking, is it possible to have a VPN domain, where if you ping the domain it gives you an IP address of the VPN and not your actual server, but when you use the domain with Minecraft you can connect? I don't think it's possible but I have no clue whether it is or not. Does anyone have any ideas on what I can use to protect my server from DDoS attacks? I want to protect ports 25565, 80, and 90.

    But mainly Minecraft. Thanks for the help.
     
  2. Offline

    TryB4

    mactown21
    Plugins cannot do this.
    Some server providers such as OVH provide free DDoS protection/mitigation, so you can try them out if this concerns you.
     
  3. Offline

    IHasKojemby

    This is for plugin requests, not for server help.
     
  4. Offline

    RRServer

    If you are interested in self-managed, dedicated servers with the best DDoS protection, OVH.

    If you are interested in easy-to-use, Multicraft-paneled servers with DDoS protection, Intrepidd or a hosting company that rents machines from OVH.

    No plugin can possibly protect from DDoS attacks.
     
  5. Offline

    MikeSheen

    I've been through all the DDoS mitigation options you could ever imagine. I've been running Minecraft servers for almost 4 years and have been through the wringer.

    I tried renting VPSes to act as a proxy, and have them forward packets using IPTables rules - which worked, but the downside was everyone who joined the server had the IP of the proxy - and so player management was an issue. Plus the bandwidth used was doubled on the proxies. It did shield the "real" server from attacks, though. In my case I only did this as a temporary measure - VPSes with lots of bandwidth are expensive where I am (Australia) and the providers all prohibit gaming traffic (because of the DDoS risk) - so my VPSes were promptly shut down by the Australian providers (I did have some USA based ones for about a week, but the latency was awful for Australian players).

    I ended up going with a dedicated server hosted by someone with DDoS protection. Now - be careful about who claims to have "DDoS protection" - if they don't BGP route with known DDoS mitigation services like BlackLotus or Prolexic, then their claims of DDoS protection are probably overstated.

    The way BGP DDoS mitigation works is like this: Your host peers with a known DDoS scrubber or mitigation service. When your provider detects DDoS traffic (which is easy enough to detect), it announces a new BGP route and that route is to go via the DDoS mitigation service. So, when a DDoS starts, some initial traffic may get through in the first few seconds, but after that the new route is announced and anyone trying to reach your server is routed via the mitigation service - and they filter out all the bad traffic and only let through the good traffic. It does mean your normal route may be longer (and thus more latency) - but it will only be for the duration of the DDoS.

    In my case my provider uses BlackLotus, and when someone tries to DDoS us most of the traffic of the DDoS is from the USA or China, so my provider announces a new route for anyone coming from USA or China to go via BlackLotus. BlackLotus filter out the bad traffic, and let through the legit traffic. My Australian players don't notice a difference, as their routes are unaffected. Most USA players don't notice any increased latency either - as the deviation in the route doesn't add significant latency when compared to normal latency from USA to Australia.

    Using BGP routing and a mitigation service isn't cheap. You also need to have your own AS Number, which means a class B IP allocation or better. Pretty much only ISPs or governments and large corporates have access to this.

    You can check if a provider peers to such services using he.net. It shows the routes between ASNs - this is the report for my provider: http://bgp.he.net/AS56106 - as you can see it has BlackLotus shown as a peer - which indicates they can readily redirect traffic to them.

    It does work, though. I've been targeted with many DDoS's - one was 4GB/s for over 12 hours - and did not notice it one bit.

    In case you're wondering - my DDoS protected dedicated server costs $404 a month (Xeon 1230 V2, 32GB RAM, 3x128GB SSD's, 1x2TB SATA and 3TB traffic). It is expensive, but it's impervious to attack.

    I hope this was of some value - good luck,

    Mike


    ovh.com ? Does not seem to peer with any known reputable DDoS mitigation service http://bgp.he.net/AS16276

    My guess is the first big DDoS you get, they'll null route you until it ends - which means nobody can access it.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jun 8, 2016
    mazentheamazin and Europia79 like this.
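
The iptables forwarding proxy described in post 5, sketched as an added example (it is not MikeSheen's actual rule set and not part of the thread). The function names and both IP addresses are assumptions made for illustration; the script only prints the rules so they can be reviewed before use.

```shell
#!/bin/sh
# Added example: prints iptables rules for review; it does not apply them.
# All addresses are constructed documentation values (RFC 5737).

valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# proxy_rules BACKEND_IP PORT... : rules for the VPS that fronts the server.
proxy_rules() {
    backend=$1; shift
    for port in "$@"; do valid_port "$port" || return 1; done
    echo "sysctl -w net.ipv4.ip_forward=1"
    for port in "$@"; do
        # Rewrite the destination so traffic to the proxy reaches the real server.
        echo "iptables -t nat -A PREROUTING -p tcp --dport $port -j DNAT --to-destination $backend:$port"
        # Let the forwarded connection and its replies cross the proxy.
        echo "iptables -A FORWARD -p tcp -d $backend --dport $port -j ACCEPT"
        echo "iptables -A FORWARD -p tcp -s $backend --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        # Source NAT so replies return through the proxy. This is why the
        # backend logs the proxy's address for every player.
        echo "iptables -t nat -A POSTROUTING -p tcp -d $backend --dport $port -j MASQUERADE"
    done
}

# backend_rules PROXY_IP PORT... : rules for the real server, so the game
# port answers only the proxy. A flood aimed at the real IP still fills the
# link before these rules see it, so the real IP must stay unpublished.
backend_rules() {
    proxy=$1; shift
    for port in "$@"; do valid_port "$port" || return 1; done
    for port in "$@"; do
        echo "iptables -A INPUT -p tcp -s $proxy --dport $port -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

echo "# On the proxy VPS (backend 203.0.113.10 is a constructed address):"
proxy_rules 203.0.113.10 25565
echo "# On the real server (proxy 198.51.100.20 is a constructed address):"
backend_rules 198.51.100.20 25565
```

The MASQUERADE rule is what produces the player-management problem the post mentions: every connection reaches the backend with the proxy's source address, so per-player IP bans and logs on the real server stop being meaningful.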
  6. Offline

    RZeroX

    OVH Do it them selves they have a 1tbps network so they can easily stop attack with 500gbps ddos protection.
     
  7. Offline

    LegendNinja

    Intreppid?
     
  8. Offline

    Alster551

    Unless you have quite a large server, you don't really need to worry about being DDoSed.
     
  9. Offline

    mactown21

    My server is like 50-60 players, and I have not advertised my server at all. I'm self hosting my server right now and the RAM and internet with the server are doing fine. I just need some type of protection I can use before I start posting my server around. Even though if you ping my domain you will still get my IP, leading to someone that will possibly DDoS my server. I'm thinking about getting another router with DDoS protection, and hopefully everything runs smooth with that. I'm just trying to look for more options that might help my server now before I get my new router with DDoS protection. I DDoS test my server and it's possible for it to lag really badly or people will lose connection. I tried using a DNS proxy which seemed to work, when I pinged my domain I got another IP address but it changed back to my IP address :( which I thought I made a complete mission using a DNS proxy. Maybe the IPv4 proxy I used stopped working? idk. But I'm just looking for something I can protect my server with, I am self hosting my server and am not interested in buying a server.
     
  10. Offline

    TnT

    Moved to a more appropriate forum.
     
  11. Offline

    MikeSheen


    I'm not seeing such claims on their website - are these facts published somewhere ?

    Also what does "1tbps network" really mean ? Is that the aggregate for all their peering and transit ? 100GbE (most have 10GbE) is the maximum you see for routers and switches in datacentres, so I'm curious what you meant.
     
  12. Offline

    RZeroX

    http://www.ovh.co.uk/anti-ddos/
     
  13. Offline

    lycano

    mactown21 before you go running around searching for DDoS protection please describe first what happens. Before or during the attack.

    How do you know it is a DDoS? Just because your server exited, this does not mean that you are affected by it. It is likely that someone is sending some sort of modified packages that overload your server like sending "login packets" all the time.

    This is not a DDoS, it's an attack vector, since there is no "distributed attack" going on which requires that those requests come from different locations and different macs...

    Please be a bit more specific then we can help you =)
     
  14. Offline

    MikeSheen

    If your maximum download speed is say 100Mbs, then any $5 booter will be able to flood your connection to the point of unusable. Self hosted offers no DDoS protection.

    He did say "I ddos test my server and its possible for it to lag really badly or people will lose connection"

    I assume he/she tried a booter or similar and saw issues.

    MAC addresses don't pass through routers.


    There is nothing there about a "1tbps network".

    In my previous post I mentioned to be wary of people offering "DDoS protection" - for this very reason. They mention Arbor networks on that page - which is a known DDoS mitigation service - perhaps they BGP route to them - but it looks like a paid extra (and I'm betting awfully expensive as prices are not shown).

    Your comment "OVH Do it them selves they have a 1tbps network so they can easily stop attack with 500gbps ddos protection." implied it was part of their services and they "do it themselves". If their paid extra DDoS protection is to use Arbor Networks then they are clearly NOT doing it themselves.

    RZeroX - If you choose to reply, try to assume that I might know what I am talking about and rely on the fact that I will cut your post to shreds if it's not backed with fact.

    EDIT : Ok - I see now "All OVH servers will benefit from automatic anti-DDoS mitigation by default in the event of an attack (reactive mitigation)" so they must route via Arbor when an attack is detected. Still don't see how that relates to your initial statement regarding the 1tbps network claim.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jun 8, 2016
  15. Offline

    RZeroX

    With a capacity of 5 Tbps surplus maintained in relation to our current customer usage, the OVH network is able to withstand, vacuum and mitigate a very large quantity of attacks. During mitigation, which is spread across 3 datacentres (Beauharnois, Roubaix, Strasbourg), attack vacuuming is multiplied. The SLA of all our customers is thus balanced and secured, and the service suffers no disruption.
    https://www.ovh.co.uk/anti-ddos/mitigation.xml
    https://www.ovh.co.uk/anti-ddos/hoovering-up.xml
     
  16. Offline

    MikeSheen


    Thanks for that - it's much more informative. It shows 160Gb/s is the maximum DDoS traffic they can theoretically handle once routed. I'm assuming you got your 1tbs figure from that image, which is actually not part of the DDoS protection circuit.

    Nonetheless - I concede you are right - OVH do indeed have a solid anti-DDoS measure in place. Sorry for my aggressive previous posts - I'm just fed up with being fed BS by outfits which don't measure up.

    Mike
     
  17. Offline

    RZeroX

    You kinda were aggressive towards me. I didn't mean they had 1tbps for the DDoS protection, that was for the whole network. After looking on the OVH site again they have a 5tbps surplus network it seems. I'm pretty sure they can stop a max of 480gbps through their pre-firewall if I'm not mistaken.
    https://www.ovh.co.uk/anti-ddos/pre-firewall.xml
     
  18. Invisible

    DrPyroCupcake

    I don't think you need to worry about DDoS, unless your server gets really big. If you want DDoS protection I recommend just going to a host that has DDoS protection, or maybe get Cloudflare or something similar?
     
  19. Offline

    mactown21

    I did a DDoS test on my server. Of course no one is really able to find my port so I DDoSed my server using 25565 and my server instantly shut down during that process. After I stopped the DDoS process I was able to enter my server. It was just a sample DDoS test to see if my server was able to handle DDoS packages.
     
  20. Offline

    MikeA

    What is your budget?
     
  21. Offline

    lycano

    If I would have meant "MAC Address" I would have written it so.

    mactown21 what exactly did you do? I try to understand what your definition of ddos in this case is. I think you mean something else but the result is the same.
     
  22. Offline

    mactown21

    Right now, I'm trying to save up for other things with the server. I'm currently planning on buying another router that has DDoS protection. I currently host my own server atm and am currently worried about if anything happens to my server and/or internet connection. I'm planning on hosting a BungeeCord server and running Spigot so I can give away the BungeeCord IP instead of my actual IP. I just need ideas. Should I get a BungeeCord server from a hoster with DDoS protection, and just redirect my servers from BungeeCord?

    I just did a simple DRDoS (Distributed Reflection Denial of Service) test on my server to see if my server was able to handle DDoS packages, unfortunately not. Was that clear enough? I'm just trying to get to the point of figuring out how to protect my server from DDoS attacks on my port 25565 & 25575 Minecraft ports.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jun 8, 2016
  23. Offline

    MikeA

    A router won't protect you from a DDoS attack. Since you host your server at your house, there is no way to protect your network from DDoS attacks. If you're constantly attacked, your internet provider might terminate your service with them. Even with hosting your BungeeCord proxy server at a host, the bandwidth usage will be quite a bit and might saturate your connection if your server gets popular.

    If you want DDoS protection, rent a server from a company that provides it.
     
  24. Offline

    Bobcat00

    Changing your router won't help. Your Internet connection will be saturated and your server will be offline no matter what you do with a router.
     
  25. Offline

    TnT

    Locked. We can offer no support or advice for those who do not run our software and on top of that, looking to run an authentication method prone to problems, forced by software we do not make. The best place to seek advice for running software not found on our forums would be on the forums for the software you run.
     