Linux DDOS Attacks

L0FIC

Hey guys,

These Peruvian or BR guys are DDoS attacking my Hetzner VPS every night now..
It's pathetic considering I peaked at 35 players and I'm hosting a new small server.

Can't access the website even though I have Cloudflare full strict, also fail2ban and CrowdSec installed and enabled on my VPS.
They still make the website inaccessible and DDoS until shutdown of the server and we can't get back in.

Someone that wants to aid me against these internet pirates ruining my life?

VPS is not dedicated server but 16 RAM and 8 vcores.

Any tips and tricks at this day and age?

Zamonia77.com

Best,
Zeke
 
Called kids and have no lives.
Sadly the DDoS protection from Hetzner is fucked up and bad as fuck.
Switch to OVH, it can save you from normal DDoS but not from the hardcore DDoS of that one retard on Discord ( idk his name )
Raw.exe? Puttyexe or puttylog or whatever he was called.

The attack has made my website and server inaccessible for 12 hours, they're going at it hard..
 
Just don't pay those donkeys and they should fuck off. Also would suggest asking for their PayPal and just report their PayPal for permanently freezing their funds, it should make them shit their pants.
 
Thanks for the support guys.. I guess you can understand how this feels. Working super hard for 1 year, planning, making sure everything is perfect, tending to the community, launching --> new record in amount of players finally --> 12 hour attacks for two days now.

I'm not even sure how I'm feeling. Tried reaching out to authorities and VPS provider, Cloudflare etc., still nothing.

I haven't replied to them once, will obviously not pay. But these 12 hour attacks bro my players will never return.
They f:ed my life totally. Imagine having this in your heart to do this to people, how sad and very tragic soulless behavior.

//Z
Post automatically merged:

Now they are attacking 3 other OTs as well. An OT with a peak of 1000 players is down, can't access any of these websites.

This feels like a fucking joke, they haven't been caught yet? Why is nobody doing anything?
Post automatically merged:

Please anyone with a big established OT, just tell me plain and simple what I should do to protect myself from these attacks? My motivation is completely killed.

What do I buy/set up? Don't say fail2ban or Cloudflare, I have it already, unless some setting/config is off.

What do the large OTs like Gunzodus, Evolunia and Kasteria do to protect themselves?? I don't want guesses, I need definite answers so that I can get to work and learn.

@Gesior.pl I'm desperate bro. :(
 

  • Firm up the network firewall for the game server, remove/block 80/443/22
  • Configure a new floating IP on the machine
  • Adopt Cloudflare DNS, website proxy to the new floating IP (a new, completely unknown address)
  • Network firewall on the new floating IP for 80/443/22 only
  • Tune the apache2 + PHP configuration to use mpm event and PHP-FPM to better handle any Cloudflare-bypass, non-cached-content style attack
  • Set up fail2ban to monitor and handle a range of other vectors
 
Most large servers simply switch to a proxy system, which hides the real server IP. This makes it much harder to DDoS all proxy servers, and even if an attack occurs, you can just add more proxies to keep the game running smoothly. However, for smaller servers, it's usually not worth it. Instead, you can monitor logs, refine your firewall filters, and set rate limits to mitigate DDoS attacks. In most cases, this will automatically block attacks. Occasionally, you might experience brief website downtime or minor lag, but that's still better than paying some scammer or wasting time on costly, high-maintenance solutions just because of one or two kids.
Also, ban everyone who DDoSes you as soon as you see them, do not talk, do not negotiate, just ban and ignore.
 
Thanks guys. I use Hetzner, what are your thoughts on changing to OVHcloud?

Will it even help if I choose not to get a dedicated server?

My server has around 40 players, do the smaller VPS alternatives on OVH also come with better/GOOD DDoS protection? Or is this only the case for dedicated servers on OVH (which is way too expensive for me right now)?

I would like to avoid going dedicated for DDoS protection. My reason for going dedicated would be when I reach 100+ players for server performance. But perhaps I'm thinking wrongly about this.

Please educate me or tell me the best approach for me to take right now.
Perhaps Stanos's suggestions are the way to go..

//Z
 
My server has around 40 players, do the smaller VPS alternatives on OVH also come with better/GOOD DDoS protection? Or is this only the case for dedicated servers on OVH (which is way too expensive for me right now)?

OVH won't help if raw.exe DDoSes you, sadly.
Only a proxy system can help you in that case.
 
;/ I was waiting for that OTS! PHUCK THIS GUY WHO IS DDOSING, SHOULD GET ARRESTED AND DONE LIKE LIZARD SQUAD FROM UK WHEN THEY SWITCHED OFF PLAYSTATION NETWORK. Someone help this dude to get his game back up, I don't have the means or knowledge to do so!
Post automatically merged:

Or move your host to UK, and report it to UK police, they have quite a good cyber crime team, shouldn't take long before this guy will be visited by authorities.
 
DDoS attack, you have to choose a host with greater support, unfortunately Hetzner does not have the capacity to mitigate it.

OVH's dedicated server will do the trick, VPS won't, or you can use an anti-DDOS service like Hyperfilter.

The comment above talking about reporting the DDoS attack to the police is ridiculous, because you are hosting a pirated server for a game that CipSoft owns the copyright to, therefore you are also committing a crime...
 
OVH won't help if raw.exe DDoSes you, sadly.
Only a proxy system can help you in that case.
So wtf do people do when he DDoSes?

And especially the big servers?

Is it OVH dedicated as some guy said?? Some other shit? I just want to fix it, I'm willing to do whatever except pay the abuser himself obviously.
 
As far as I know the current solution is a proxy system.
Idk if there is any other fix/help for that.
 
DDoS attack, you have to choose a host with greater support, unfortunately Hetzner does not have the capacity to mitigate it.

OVH's dedicated server will do the trick, VPS won't, or you can use an anti-DDOS service like Hyperfilter.

The comment above talking about reporting the DDoS attack to the police is ridiculous, because you are hosting a pirated server for a game that CipSoft owns the copyright to, therefore you are also committing a crime...
Yes but Hetzner could report it on his behalf because at the end of the day they are the sole owners of the hosting company. But they are a shitty hosting company and don't give a damn. CLEARLY
 
Raw.exe? Puttyexe or puttylog or whatever he was called.

The attack has made my website and server inaccessible for 12 hours, they're going at it hard..
Which means your website attempts to connect to the database, and that's where you are being attacked, I believe. Set up Cloudflare and make the domain restricted to access 80/443 only, and make on.domain.name not accessible by 80/443; that's the IP you will add on otservlist. Install fail2ban, the default setup might work for you. Actually, make sure you limit access from ALL East Asia countries on Cloudflare filters and fail2ban OR iptables (both ways, fail2ban default setup is mandatory).
Post automatically merged:

As far as I know the current solution is a proxy system.
Idk if there is any other fix/help for that.
I'm planning to make a full tutorial on how to install Ubuntu 20.0.4 correctly to prevent future attacks in general, what versions were messed up and aren't safe and how to prevent them on Ubuntu 20 for example.
 
this clown is ddosing ports 7171/7172, and any game ports. i can't really post solutions here because i'm pretty sure he has some accounts on otland. the only advice i can give is to set up iptables or some kind of filter logs so you can see exactly what the attacks look like. using that info, you can create rules to rate-limit, temporarily ban, or permanently block the ip addresses the attacks are coming from. you can even use chatgpt to help with that, just be careful not to false-positive ban your own players.
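
The log-monitoring advice in the posts above, as an added example that is not part of the thread or any poster's code: it counts new connections per source from iptables LOG lines and prints temporary ipset bans for review instead of applying them. The log prefix, the limit, the allowlist, the set name `gameban` and the sample log lines are all assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Counts new-connection (SYN) packets per
# source in kernel log lines produced by an iptables LOG rule such as
# (the "GAMEPORT: " prefix and the limit value are assumptions):
#   iptables -I INPUT -p tcp -m multiport --dports 7171,7172 --syn \
#     -m limit --limit 200/second -j LOG --log-prefix "GAMEPORT: "

GAME_PORTS="7171 7172"    # game ports named in the thread
SYN_LIMIT=20              # assumed ceiling of new connections per source
ALLOWLIST="198.51.100.7"  # constructed: proxy/admin IPs that must never be banned

# flag_sources: log lines on stdin -> "<ip> <syn_count>" for sources over the
# limit, busiest first. Allowlisted sources and other ports are ignored.
flag_sources() {
    awk -v ports="$GAME_PORTS" -v limit="$SYN_LIMIT" -v allow="$ALLOWLIST" '
    BEGIN {
        n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1
        n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1
    }
    /PROTO=TCP/ && / SYN / && !/ ACK / {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # count only well-formed IPv4 sources aimed at a game port
        if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        if (!(dpt in want) || (src in skip)) next
        hits[src]++
    }
    END { for (s in hits) if (hits[s] > limit + 0) print s, hits[s] }
    ' | sort -k2,2nr -k1,1
}

# emit_bans: flag_sources output -> one-hour ipset entries. Commands are only
# printed so an operator can check them against real players before running.
emit_bans() {
    echo "ipset create gameban hash:ip timeout 3600"
    echo "iptables -I INPUT -m set --match-set gameban src -j DROP"
    while read -r ip count; do
        echo "ipset add gameban $ip timeout 3600   # $count new connections"
    done
}

# sample_log: constructed lines in the kernel's iptables LOG format
# (source address, destination port, number of SYNs per entry).
sample_log() {
    for spec in "203.0.113.5 7171 25" "192.0.2.44 7171 3" "198.51.100.7 7172 30" \
                "203.0.113.9 22 40" "203.0.113.77 7172 22"; do
        set -- $spec; i=0
        while [ "$i" -lt "$3" ]; do
            echo "Feb  2 13:10:01 ot kernel: GAMEPORT: IN=eth0 OUT= SRC=$1 DST=198.51.100.10 LEN=60 TTL=52 PROTO=TCP SPT=$((40000 + i)) DPT=$2 WINDOW=29200 RES=0x00 SYN URGP=0"
            i=$((i + 1))
        done
    done
}

sample_log | flag_sources | emit_bans
```

If the log is full of SYNs but `flag_sources` prints nothing because every source appears only once or twice, per-IP bans on the server will not help; that is the flood pattern described in the next reply.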
 
So wtf do people do when he ddoses?
Install OTCv8 proxy on the server and enable it in the client. Buy 3-15 VPSes in different data centers to filter DDoS with multiple anti-DDoS services (OVH, Hetzner, Google Cloud etc.) at once - that's what OTCv8 proxy does (combines multiple anti-DDoSes).
I installed and configured it on 30+ servers in the last few months.
And especially the big servers?
90% OTCv8.
I heard that some BR servers use a BR data center with configurable anti-DDoS, so they can list allowed/blocked IPs on the data center anti-DDoS system in real time (you have to somehow predict IPs of clients that will try to connect [by www?]). This is not possible with OVH (limit of 20 'rules' on anti-DDoS per IP = per server) or any data center in USA/Europe I know. It also requires your own "attack detection" on your server, as you are responsible for listing 'allowed/blocked' IPs.
using that info, you can create rules to rate-limit, temporarily ban, or permanently block the ip addresses the attacks are coming from
That's not what raw.exe full-scale attacks look like. I know that he has at least 3 different attacks. Starting from weak and going to stronger attacks as you configure new anti-DDoS firewalls/systems. Maybe the stronger attacks he uses only on bigger servers, e.g. 500+, so your small server is safe for now.
The final attack is an X-XX gb/s SYN or TCP flood passing through OVH anti-DDoS or going around it, which is more than your server network. You cannot limit it anyway with firewall rules on your server, as your server already loses 90-95% of packets (they are dropped by routers on the way to your server) before they come to your server. So players also lose 90-95% of packets and it lags like hell or even makes the server totally offline for a few minutes.
 
Not long ago, this degenerate known as raw.exe from discord attacked a server with 25 players after the start xD

It is really scary that apparently it is so easy and cheap that a guy attacks such servers, for which it is known in advance that no one will pay him his famous 200$.

Let's not kid ourselves, no one will buy 10 VPS each to host a server for 25 people for fun for obvious economic reasons
 
This is really the only thing you can do:

1. Use a Content Delivery Network (CDN)

  • How it helps: A CDN helps distribute the load of your website or game server across multiple servers worldwide. It can mitigate DDoS attacks by absorbing traffic spikes and preventing them from overwhelming your origin server.
  • Recommended services: Cloudflare, Akamai, Amazon CloudFront.

2. Use DDoS Protection Services

  • How it helps: These services are specifically designed to absorb and mitigate large-scale DDoS attacks. They can detect malicious traffic patterns and filter out bad traffic before it reaches your server.
  • Recommended services:
    • Cloudflare: Provides a powerful suite of DDoS protection services that include traffic filtering, rate-limiting, and challenge-based CAPTCHA systems.
    • Arbor Networks: Known for advanced DDoS protection technologies, often used by large-scale enterprises.
    • AWS Shield: A managed DDoS protection service offered by Amazon Web Services.
    • Google Cloud Armor: Designed to protect against DDoS attacks while also providing web application firewall (WAF) capabilities.

3. Implement Rate Limiting

  • How it helps: Rate limiting helps ensure that no single IP or group of IPs can send more requests than a set threshold. This is particularly useful in preventing DDoS attacks, where attackers often flood the server with large numbers of requests.
  • Where to apply: You can implement rate limiting in your web server (Nginx, Apache) or via your CDN/DDoS mitigation service.

4. Geo-blocking

  • How it helps: If you're experiencing an attack from specific regions of the world, you can block or restrict access from those regions. This is especially useful if your game or website primarily targets users from certain geographical locations.
  • Where to apply: Many DDoS protection services offer geo-blocking features.

5. Enable Web Application Firewall (WAF)

  • How it helps: A Web Application Firewall can block malicious traffic by inspecting incoming HTTP/HTTPS requests for known attack patterns. It can also prevent bots, SQL injection, and cross-site scripting (XSS) attacks, which sometimes accompany DDoS events.
  • Recommended services: Cloudflare, AWS WAF, Imperva Incapsula.

6. Anycast Routing

  • How it helps: Anycast is a routing method that allows multiple data centers around the world to share the same IP address. During a DDoS attack, traffic is distributed among multiple geographically dispersed locations, making it more difficult for attackers to overwhelm a single point of failure.
  • Where to apply: Anycast routing is often used with CDN and DDoS protection services like Cloudflare.

7. Monitoring and Alerting

  • How it helps: Real-time monitoring of your network traffic, server logs, and performance can help you quickly detect unusual patterns indicative of an attack. Once you spot the attack, you can take immediate actions (e.g., blocking traffic or alerting a third-party DDoS mitigation service).
  • Tools to use:
    • Nagios: An open-source monitoring system.
    • Zabbix: An enterprise-level monitoring tool.
    • Datadog: A cloud-based monitoring platform.
    • Grafana + Prometheus: A powerful combination for custom monitoring dashboards.

8. Increase Bandwidth

  • How it helps: If you have enough bandwidth, it becomes more difficult for attackers to saturate your connection. However, this is not a complete solution as attackers can still flood your server with excessive requests, but it's a good precaution.
  • Note: Make sure you're leveraging DDoS protection alongside bandwidth increases.

9. Use a Reverse Proxy

  • How it helps: A reverse proxy acts as an intermediary between the users and your server. It can help filter out malicious traffic, hide the true IP of your server, and act as a buffer to prevent direct DDoS attacks.
  • Tools to use:
    • Nginx: Can be configured as a reverse proxy to filter and cache requests.
    • HAProxy: A reliable solution for reverse proxy and load balancing.

10. IP Blacklisting and Reputation-Based Filters

  • How it helps: During an attack, you can block IPs or subnets known to be part of the attack. Many security services also maintain reputation databases that identify harmful IP addresses.
  • Where to apply: IP blacklisting can be done manually or via automatic rules within your firewall or DDoS mitigation service.

11. Redundancy and Failover Systems

  • How it helps: Ensure your game server and website are not hosted on a single point of failure. Set up multiple instances in different data centers (cloud hosting or dedicated servers). Failover systems automatically reroute traffic to a different server in case of an attack.
  • Tools to use:
    • AWS EC2 Auto Scaling: Helps automatically scale resources and reroute traffic.
    • Azure Traffic Manager: A similar failover service provided by Microsoft Azure.

12. Network and Server Hardening

  • How it helps: Hardening your network infrastructure, OS, and server settings can help reduce the attack surface, making it harder for attackers to exploit vulnerabilities.
  • Recommendations:
    • Disable unnecessary services and ports.
    • Use firewalls and enable IP whitelisting.
    • Keep software and firmware up to date.
    • Use strong security protocols (TLS/SSL) and encryption.

13. DDoS Resilient Game Server Configuration

  • How it helps: Specific measures can be taken on your game server to help it resist DDoS. For example:
    • Connection limiting: Limit the number of simultaneous connections from a single IP.
    • Challenge-response mechanisms: For online games, consider using challenge-response tests (like CAPTCHAs or puzzle-based challenges) to ensure requests are from legitimate players.
    • Connection authentication: Use token-based authentication for game sessions to limit the impact of DDoS attacks targeting session management.

14. Testing and Simulation

  • How it helps: Conduct regular stress tests or simulated DDoS attacks to understand how your server behaves under load. This allows you to tweak your protection measures and identify weak spots before real attacks occur.
  • Tools to use:
    • LOIC (Low Orbit Ion Cannon): A tool for testing DDoS vulnerabilities (use responsibly).
    • Hping: A network tool that can be used for simulating traffic load.
Post automatically merged:

There is also probably some type of method to automatically detect IPs sending large amounts of data and block them through your firewall. ChatGPT spit this out, though it probably won't work out of the box:

Bash:
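#!/bin/bash
# Threshold for data received from one IP per time window, in bytes
# Set this according to your needs
THRESHOLD=104857600   # 100 MB (in bytes)

# Time window to track data traffic (in seconds); run this script at that
# interval (e.g. from cron or a systemd timer) so each run covers one window
TIME_WINDOW=60        # 1 minute

# Log file holding the per-IP byte totals seen on the previous run
LOGFILE="/tmp/traffic.log"

# Log of the IPs this script has blocked
BLOCKED_LOG="/tmp/blocked_ips.log"

# Create the log file if it doesn't exist
touch "$LOGFILE"

# Temporary file to hold current traffic data for each IP
CURRENT_LOG="/tmp/current_traffic.log"

# Clean previous current log file
: > "$CURRENT_LOG"

# Get all established TCP connections and sum bytes_received per peer IP.
# With -i, ss prints the counters on the line after each connection.
ss -Htni state established | awk '
    $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ {
        ip = $NF; sub(/:[0-9]+$/, "", ip); next
    }
    ip != "" && match($0, /bytes_received:[0-9]+/) {
        total[ip] += substr($0, RSTART + 15, RLENGTH - 15); ip = ""
    }
    END { for (i in total) printf "%s %.0f\n", i, total[i] }
' > "$CURRENT_LOG"

while read -r ip bytes; do

    # Data sent by the IP in this window = current total - previous total
    prev=$(awk -v ip="$ip" '$1 == ip { print $2; exit }' "$LOGFILE")
    DATA_SENT=$(( bytes - ${prev:-0} ))

    # Check if the data sent exceeds the threshold
    if [ "$DATA_SENT" -ge "$THRESHOLD" ]; then

        # Block the IP using iptables (skip rules that already exist)
        echo "Blocking IP $ip with $DATA_SENT bytes of data"
        iptables -C INPUT -s "$ip" -j DROP 2>/dev/null || iptables -I INPUT -s "$ip" -j DROP
        iptables -C OUTPUT -d "$ip" -j DROP 2>/dev/null || iptables -I OUTPUT -d "$ip" -j DROP

        # Log the blocked IP
        echo "Blocked IP $ip" >> "$BLOCKED_LOG"
    fi

done < "$CURRENT_LOG"

# Keep the current totals as the baseline for the next run
mv "$CURRENT_LOG" "$LOGFILE"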

I would suggest logging the IPs that get blocked and, if you are using a VPS that you can manage firewall rules on, blocking the IPs manually there.
 