
Linux DDOS Attacks

L0FIC

Hey guys,

These Peruvian or BR guys are DDoS attacking my Hetzner VPS every night now..
It's pathetic considering I peaked at 35 players and I'm hosting a new small server.

Can't access the website even though I have Cloudflare Full (strict), also fail2ban and CrowdSec installed and enabled on my VPS.
They still make the website inaccessible and DDoS until shutdown of the server and we can't get back in.

Someone that wants to aid me against these internet pirates ruining my life?

VPS is not a dedicated server but 16 RAM and 8 vcores.

Any tips and tricks at this day and age?

Zamonia77.com

Best,
Zeke
But he doesn't
I can confirm that he tried to DDoS OTS with 7 proxy VPSes and he wasn't able to DDoS them all at once, so players noticed some lag, but the OTS did not go offline. Big OTSes (500+) use 10-20 VPSes for proxy, to make it even harder to take them all down at once.
I think he wouldn't take down even 4 VPSes if I configured the firewall right and blocked haproxy from processing packets from Asia and Russia, which are responsible for ~90% of his DDoS network. I'm working on an efficient solution to ban Asia and Russia. I will post a tutorial after I confirm it's possible on a cheap VPS (it won't use 100% of CPU to process packets during an attack).

The point about 'he knows your IPs, because they are listed in the client in plain text' isn't right. He knows the few IPs that are listed in the client, but you can buy more VPSes and return them in login.php or in the Login Protocol, when the client logs into an account. With 10 IPs you can create 210 groups of 4 IPs, so if the attacker logs into an account, gets his 4 assigned proxy IPs and takes them down, only 1 per 210 clients will get kicked/lag (the 209 other groups will have at least 1 'other IP' in their IP list). Proxy IP groups can be assigned to an account by checking the max. level on the account, IP (ex. from 10.x.x.x to 20.x.x.x is one group, from 21.x.x.x to 30.x.x.x is another group) and, if you have a cam system or other system that tracks time online per IP, you can check if a given IP was online for more than X hours and assign it a 'more trusted' group.

Of course real hackers can take down 20 or 200 VPSes at once easily, but real hackers don't spend time DDoSing a 100-players-online OTS, which can pay max 200-300$.
he is attacking our server, any idea how to prevent this?
OTCv8 proxy + 7-15 cheap VPSes, and you must move the server to a new VPS/dedic.
The attacker already knows your server IP, and in most datacenters it's impossible to change the IP of a server, ex. in OVH you can buy an 'additional IP' for your server, but you cannot unassign the main dedic IP, so attacks on that IP will still hit your server. I worked for someone who had a dedic in Hetzner and support helped the server owner manually unassign the main IP from his server and use only the additional IP, to stop the attack without changing the dedic.
EDIT:
Servers often move to Hetzner after they get DDoSed. Servers in Hetzner are faster and cheaper than in OVH. The real OTS IP is hidden from players/attackers, so anti-DDoS system quality does not matter anymore. They buy a cheap Cloud/dedic in Hetzner for the OTS and OVH VPSes for the OTCv8 proxy servers that will filter DDoS attacks.
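The proxy-group scheme from the post above, as an added example (not code from the thread or from any OT server/client project): 10 proxy IPs give C(10,4) = 210 groups of 4, one group is handed out per login, and taking down one leaked group leaves 209 groups with at least one working proxy. The IPs, the level/hours thresholds and the tier-slicing are constructed assumptions.

```python
# Added example (not code from the thread or from any OT project): the proxy IP
# grouping scheme described in the post above, with constructed sample IPs.
from itertools import combinations
import hashlib

# Constructed pool of 10 proxy IPs (documentation range, not real proxies).
PROXY_POOL = [f"203.0.113.{i}" for i in range(1, 11)]
GROUP_SIZE = 4
TIERS = 4  # trust tiers 0..3 from the three signals below

def build_groups(pool=PROXY_POOL, size=GROUP_SIZE):
    """All distinct subsets of `size` IPs from the pool: C(10, 4) = 210 groups."""
    return [tuple(g) for g in combinations(pool, size)]

def trust_tier(max_level, client_ip, hours_online):
    """Score 0..3 from the signals the post lists; thresholds are assumptions."""
    tier = 0
    if max_level >= 100:                # highest level on the account
        tier += 1
    first_octet = int(client_ip.split(".")[0])
    if 10 <= first_octet <= 20:         # the post's example range 10.x-20.x
        tier += 1
    if hours_online >= 24:              # time online per IP (cam system etc.)
        tier += 1
    return tier

def assign_group(groups, account_name, max_level, client_ip, hours_online):
    """Deterministic choice: the tier selects a disjoint slice of the group
    list (a throwaway account is never handed the same 4-IP group as a trusted
    one) and a hash of the account name picks one group inside that slice."""
    slice_len = len(groups) // TIERS
    start = trust_tier(max_level, client_ip, hours_online) * slice_len
    digest = hashlib.sha256(account_name.encode()).digest()
    return groups[start + int.from_bytes(digest[:4], "big") % slice_len]

def surviving_groups(groups, downed_ips):
    """Groups that still contain at least one proxy after `downed_ips` are out."""
    downed = set(downed_ips)
    return [g for g in groups if not downed.issuperset(g)]

if __name__ == "__main__":
    groups = build_groups()
    # An attacker creating a throwaway account learns exactly one group of 4.
    leaked = assign_group(groups, "throwaway", 8, "45.0.0.1", 0)
    print(len(groups), "groups; still reachable after taking down", leaked, ":",
          len(surviving_groups(groups, leaked)))
```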
I still don't understand why after all these years he is not taken down. No authority or police or whatever that can do something?
He is threatening people and DDoSing and money extortion, all illegal. Never pay him, never.
Because he only affects small servers, and those small servers don't even bother reporting his PayPal or the bank he's using. His DDoS attacks are not affecting any bigger or mid servers, so in most cases he doesn't get anything from it, that's why no one even bothers with that scum. He tried DDoSing me but he failed miserably and just gave up after one hour.
He definitely does affect larger (200+ players online) servers too, the thing is most of them are hiding the real server IP behind proxies.
If you could take and process all of this TCP traffic, it just means your server had bigger processing power than his DDoS; if he ramps up the attack you'll go down. He attacked me too and saturated all cores (I got a mid dedicated server with 6 cores).
CF only protects the site, not game servers.
I've been reading this topic from the beginning.. If I want to start a server, I'd rather spend $300 on protection than pay him $200. Gąsior wrote that he would upload a guide; I think it will help many people who have simply devoted a lot of their time and would like to set up even a small/medium server with pleasure, but do not have enough funds or knowledge on how to protect it well.
Why, then, does everyone recommend those expensive and inefficient OVH servers so much if their anti-DDoS is ineffective anyway?

How is it possible that the supposedly best DDoS protection lets such attacks through?
Because OVH focuses primarily on network layers like L3/L4, meanwhile raw.exe targets L7. What I mean is, raw.exe is not him; he's just buying the DDoS service from gorilla bottleneck telegram.
He is actually smart. For me on Exoria it was different: he tried to do brute-force SSH attacks, which caused denial of service for 5-15 seconds for the servers whose IP he could find. I would say he isn't even skilled enough to trace what he is connecting to, he just checks the domain/IP on otservlist, so I did the following:

1) Set up OTClientV8 to connect to any of the available proxies through the known 127.0.0.1:proxyPort configuration (login & game).

2) Separate the status server from login (otservlist sniffs status information alone from the server on a specific port), so even if it is attacked you don't lose connection in game. Whitelist otservlist on that server and block all the rest (ask Xinn for allowance to do that; he is cooperative if you have a clean reputation, so he will share what he can).

3) Use multiple proxies with the service provider firewall on hash rate on your custom IPs (ban countries that know nothing about Tibia as well).

4) Reduce connection re-establishment in proxy_client.cpp or proxy.cpp (can't recall the file name) from 2500 to something smaller like 500 (which is still unplayable), and there was another value set to 500 that I changed to 250 (no details here, I would have to explain a lot, so either send the files to an AI to explain the roles of those defined values or make the change as instructed).

5) Make sure your main server ONLY allows connection to your known channels (proxy servers, web server).

6) Cloudflare is necessary for the website, plus a good apache2 configuration (credits to Gesior for informing me about that earlier on my first attack occurrence @Gesior.pl).

I want to make sure that you know you have to limit connections per IP, limit hash rate, don't make it lower than your server so players don't disconnect every 10 mins, etc. iptables is useless: the attacks are huge enough that as long as your iptables on the Unix level is going to start treating them, they will cause DDoS. It has to be service provider iptables (the main provider ethernet firewall, not your server firewall); another layer of your server firewall would require fail2ban.

Finally, never use 22 for SSH or 21 for FTP, that just makes you threatened by kids.

Following that I could sleep at night without worrying about server monitoring.

So you need proxies for sure, and you can do something smart like load balancers for multiple proxies in the same region if 1 proxy won't be able to handle the connections (which won't happen before that single proxy is serving 500+ players, which in Tibia is a very rare occurrence).
I use 4 proxies and another 4 proxies ready to replace them on the same DNS if anything wrong happened that it's not pinging through, via a simple shell script in Linux on cron.
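The health check and standby promotion described in the last paragraph, as an added example (not the poster's cron script): 4 active proxies, 4 standbys, each primary is probed, and a dead one is swapped for a reachable standby before the A records are republished. IPs, the port and the record name are constructed placeholders; the real cron job would feed `dns_records()` into the DNS provider's API.

```python
# Added example (not the poster's cron script): the health check and standby
# promotion described above. IPs are constructed sample values; by default a
# proxy counts as alive when a TCP connect to the game port succeeds.
import socket

PRIMARY = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]
STANDBY = ["198.51.100.11", "198.51.100.12", "198.51.100.13", "198.51.100.14"]
GAME_PORT = 7172                     # assumed proxy port; adjust to your setup
DNS_NAME = "proxy.example.invalid"   # placeholder record name

def tcp_probe(ip, port=GAME_PORT, timeout=2.0):
    """True if the proxy accepts a TCP connection within `timeout` seconds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def select_active(primary, standby, probe=tcp_probe):
    """Keep reachable primaries; swap each dead one for the next reachable standby.
    Returns (active list in primary order, list of (dead, replacement) pairs)."""
    spare = [ip for ip in standby if probe(ip)]
    active, swaps = [], []
    for ip in primary:
        if probe(ip):
            active.append(ip)
        elif spare:
            sub = spare.pop(0)
            active.append(sub)
            swaps.append((ip, sub))
        else:
            swaps.append((ip, None))   # nothing left to promote: fewer proxies
    return active, swaps

def dns_records(active, name=DNS_NAME):
    """Round-robin A records (short TTL) to publish for the surviving proxy set."""
    return [f"{name}. 60 IN A {ip}" for ip in active]

if __name__ == "__main__":
    active, swaps = select_active(PRIMARY, STANDBY)
    for dead, sub in swaps:
        print(f"{dead} down -> {sub or 'no standby left'}")
    print("\n".join(dns_records(active)))
```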
Very well explained and straight to the point, this is the proper way to deal with attacks from those scammers.
I understand, though from a practical point of view it does not change the fact that their protection is ineffective anyway when you really need it.
You want to demand "justice" in Brazil where an ex-convict is president, forget it, this country has no law!
So you think it's pointless to use iptables, nftables, etc. on the server side? That everything related to firewall configuration should be done only in the OVH panel (or similar provider-level firewall)?
Double-edged question, it depends on the situation.

1) No provider firewall? (yes) You are lucky if it worked.
2) Provider firewall applied? (no) It will increase your server selection for a non-threatening connection.
3) No server-based (VPS/Dedicated)? (You will face no issues, as I don't have a single iptables rule on my server, but I have a solid one on the provider.)

So it's like:
Provider -- prevents denial of service behavior (you can't even connect with SSH) (real case attacks, not something like spamming an item that causes high PING for everybody).
Server iptables -- protects the server itself from what is running on it from being a threat.
Edit: that's how IMO well organized protection layers should be thought of, and the only way that felt really working with my logic and what was happening at this moment.

To upgrade and make sure I'm fully protected, the provider is not ALLOWING even big packet validation to happen on my side; I had to throw the weight on the provider, as it should do for the service it provides. So what do I do? I use the provider firewall to prevent both threats (attacking & internal exploits to produce instability).

You need to think of network ports as holes or tunnels that the packets are passing through; if there is no hole/tunnel it won't go through. How would you add a door on a door/tunnel if you kept it open? It's like a bomb: once it is inside, even if standing on the door for validation to access, it can explode and cause what you want to prevent (instability).