Sunday, February 18, 2018

DDoS Attacks & Convictions




I could probably make a better title, edit it if you find a better way of phrasing my problem.

Basically what's happened is that a gameserver host thinks I keep attacking their dedicated server with a DDoS attack; but I do not.



I have a theory that someone is faking their IP so it matches up with mine, and is launching attacks with it. I am worried that this is the case, and am having a hard time convincing the owner of the gameservers that it's not me attacking his servers.



How plausible is this theory?



I also have a connection with only 64kbps upload; this is nowhere near enough to bring the dedicated servers' network down.
I would not do such a thing, but if I were to launch a full-scale DDoS attack from my network, what effect would it have (if any) on the target dedicated server?



Edit




The server in question is not mine, but I know the sysadmin of it and can tell you the specs: 16 core (dual CPU) Intel Xeon, 32GB RAM, 8TB HDD space. The sysadmin claims the attack crashed some of the running gameservers on the server.



This question has nothing to do with my other question, which is about testing my software's handling of a DDoS.
http://i.stack.imgur.com/2uUol.jpg


Answer



That theory is plausible. For some types of DDoS attack (such as SYN floods) it is normal for all the source IPs to be spoofed and for there to be hundreds of thousands or millions of them. Yours could have been included by accident.



Two other plausible theories:





  1. There was a DDoS against your server that was not using spoofed IPs and an infected machine on your network was part of the botnet delivering this DDoS.

  2. Your hosting provider did a simple count of connections to your server and saw your IP address at the top of the list. They concluded that the IPs with the highest number of connections were causing the DDoS. This is probably an erroneous conclusion.



64Kbps upload would probably have little effect on a server but this is dependent on many factors including what type of DoS attack it is and the specs of your server, the applications running on it and its internet connection. It is certainly possible to DoS very powerful servers with a dial-up connection if it's the right type of DoS (Slowloris and the old Ping of Death spring to mind).



Ask your hosting provider for the evidence of the DDoS and how they collected the evidence.







Based on my reading of the related thread in that gaming forum, someone is seeing a lot of UDP traffic from your IP address. UDP is easily spoofable (no response is required) so that's not reliable evidence that it was in fact you.



But it's also clear that you are not a professional sysadmin acting in a professional capacity. As such this question is off-topic.
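Both answers make the same point from the defender's side: a count of UDP packets or bare SYNs from an address is not proof that the address sent them, because neither requires a reply to reach the sender. The Python script below is an added example, not code from either answer or from the forum. It parses a constructed packet-summary log in a tcpdump-like format invented here (timestamp, protocol, src:port > dst:port, optional TCP flags, length), and for each source address separates spoofable traffic (UDP, SYN-only) from completed TCP handshakes, which require the source to have actually received the server's SYN-ACK. The log lines, the server address 198.51.100.10 and all client addresses are constructed test data.

```python
"""Triage helper: how strong is the evidence that a source IP really sent
the traffic attributed to it? Added example; log format and data are made up."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not a real capture). The server being "attacked"
# is 198.51.100.10; 203.0.113.7 plays the role of the accused address.
SERVER_IP = "198.51.100.10"
SAMPLE_LOG = """\
2018-02-18T10:00:00 UDP 203.0.113.7:51000 > 198.51.100.10:27015 len 1400
2018-02-18T10:00:00 UDP 203.0.113.7:51000 > 198.51.100.10:27015 len 1400
2018-02-18T10:00:01 UDP 203.0.113.7:51001 > 198.51.100.10:27015 len 1400
2018-02-18T10:00:01 UDP 203.0.113.7:51002 > 198.51.100.10:27015 len 1400
2018-02-18T10:00:01 TCP 203.0.113.7:40000 > 198.51.100.10:27015 flags=S len 60
2018-02-18T10:00:02 TCP 203.0.113.7:40001 > 198.51.100.10:27015 flags=S len 60
2018-02-18T10:00:02 TCP 192.0.2.44:55123 > 198.51.100.10:27015 flags=S len 60
2018-02-18T10:00:02 TCP 198.51.100.10:27015 > 192.0.2.44:55123 flags=SA len 60
2018-02-18T10:00:02 TCP 192.0.2.44:55123 > 198.51.100.10:27015 flags=A len 52
2018-02-18T10:00:03 UDP 192.0.2.44:55124 > 198.51.100.10:27015 len 200
2018-02-18T10:00:03 UDP 203.0.113.9:60000 > 198.51.100.10:27015 len 1400
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: flags=(?P<flags>[SAFRP]+))? len (?P<len>\d+)$"
)


@dataclass
class Packet:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    length: int


def parse_log(text):
    """Parse the invented summary format into Packet records."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        d = m.groupdict()
        packets.append(Packet(d["ts"], d["proto"], d["src"], int(d["sport"]),
                              d["dst"], int(d["dport"]), d["flags"] or "", int(d["len"])))
    return packets


@dataclass
class SourceStats:
    packets: int = 0      # packets sent to the server
    bytes: int = 0
    udp: int = 0          # needs no reply: source address may be forged
    syn: int = 0          # bare SYN: also needs no reply
    handshakes: int = 0   # SYN -> server SYN-ACK -> client ACK completed


def summarise(packets, server_ip):
    """Per-source counts of spoofable traffic versus completed handshakes."""
    stats = defaultdict(SourceStats)
    syn_seen, synack_seen = set(), set()   # 4-tuples, client side first
    for p in packets:
        if p.dst == server_ip:
            s = stats[p.src]
            s.packets += 1
            s.bytes += p.length
            key = (p.src, p.sport, p.dst, p.dport)
            if p.proto == "UDP":
                s.udp += 1
            elif "S" in p.flags and "A" not in p.flags:
                s.syn += 1
                syn_seen.add(key)
            elif "A" in p.flags and "S" not in p.flags and key in synack_seen:
                s.handshakes += 1        # client acknowledged our SYN-ACK
                synack_seen.discard(key)
        elif p.src == server_ip and "S" in p.flags and "A" in p.flags:
            key = (p.dst, p.dport, p.src, p.sport)   # reverse to client view
            if key in syn_seen:
                synack_seen.add(key)
    return dict(stats)


def evidence_strength(s):
    """'strong' only when the source provably received a reply from us."""
    if s.handshakes > 0:
        return "strong"
    if s.udp or s.syn:
        return "weak"
    return "none"


def rank_by_volume(stats):
    """The naive 'top talker' list the first answer warns about."""
    return sorted(stats.items(), key=lambda kv: kv[1].packets, reverse=True)


if __name__ == "__main__":
    stats = summarise(parse_log(SAMPLE_LOG), SERVER_IP)
    for ip, s in rank_by_volume(stats):
        print(f"{ip:15} pkts={s.packets:3} udp={s.udp:2} syn={s.syn:2} "
              f"handshakes={s.handshakes:2} evidence={evidence_strength(s)}")
```

Run as-is, the top talker by packet count is the accused address, yet its evidence rating is "weak" because every packet from it is UDP or a bare SYN; the address that completed a handshake is the only one for which the log shows the sender actually received the server's reply. A real capture would need the reverse direction for the handshake check, and rated "weak" does not mean innocent, only that the source address alone cannot be relied on.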

