Filter out DDoS attacks - Anyone can help me please?

@eykalzz let me post the firewall log, to see what can be done to prevent another DoS.

I will list some IPs and analytics:
SRC=103.187.191.231 / India / clean
SRC=101.127.109.246 / Singapore / Spamhaus listed
SRC=180.74.225.119 / Malaysia / clean


Above is the Firewall log from @eykalzz


Here is the log again sorted a bit

https://ethercalc.nomagic.uk/uf3vp5yw1z74


So for the time being, what is the best solution for this issue?
Now I just block by country for access to my game server … maybe the attacker will come again and attack me from an open IP country.

I would pull the plug for the time being.

I am not sure yet what the best solution is. I don’t see a free blocklist that would block the listed IP; the Spamhaus one is a paid list.

I will try to look more over the weekend.

But basically you need to set up conntrack/netfilter:

  1. rate limit connections
  2. Drop invalid packets
  3. packets that are new and are not SYN
  4. spoofed packets
  5. packets with bogus flags
  6. packets from BOGON

In which part can I do steps 2, 3, 4, 5, 6?

Here?

Your Firewall options look good.

Do you want to make a screenshot of

  1. Firewall and Location Block
  2. Firewall and IP Address Blocklists (enable all Blocklists and click Apply in Firewall rules)
  3. Firewall rules - any rules for the gaming server?

I found the place where you can do 1. rate limit connections.
Go to Firewall - Firewall rules and on the bottom of the rule you see.

Looking through the Firewall log, I found the most frequent IP address
SRC=180.74.225.119

This IP occurred 698 times in your log as source.

Are you able to block Location Malaysia, or maybe the whole range?
What is interesting: on Friday this IP was showing clean, not listed on a blacklist.
Right now it is listed on 3 blocklists; unfortunately they are pay to play.

How to see if IP 180.74.225.119 is blocked by IPFire IP Blocklist:

[root@IPFIRE ~] # ipset list  | grep 180.74.225.119
[root@IPFIRE ~]

Empty means not blocked


]# ipset list  | grep 100.21.223.19
100.21.223.19

This address is blocked
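
The per-source count described above (one address appearing 698 times, and the question of blocking "the whole range") can be reproduced from the firewall log with a short script. This is an added example, not part of the original posts and not IPFire code; the log prefix, interface names, ports and addresses in the sample are constructed, and the /24 grouping is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, netfilter LOG key=value format; documentation-range IPs, made-up ports.
SAMPLE_LOG = """\
Jun  2 20:10:01 ipfire kernel: FORWARDFW IN=red0 OUT=green0 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=40001 DPT=7777 SYN
Jun  2 20:10:01 ipfire kernel: FORWARDFW IN=red0 OUT=green0 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=40002 DPT=7777 SYN
Jun  2 20:10:02 ipfire kernel: FORWARDFW IN=red0 OUT=green0 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=40003 DPT=7778 SYN
Jun  2 20:10:02 ipfire kernel: FORWARDFW IN=red0 OUT=green0 SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=51000 DPT=7777 SYN
Jun  2 20:10:03 ipfire kernel: FORWARDFW IN=red0 OUT=green0 SRC=198.51.100.23 DST=192.168.1.10 PROTO=UDP SPT=5353 DPT=7777
Jun  2 20:10:04 ipfire dhcpd: DHCPACK on 192.168.1.20 (constructed non-firewall line)
"""

FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

def parse_line(line):
    """Return SRC/PROTO/DPT of one log line, or None if it has no valid SRC."""
    fields = {}
    for key, value in FIELD.findall(line):
        # ICMP error entries repeat SRC= for the embedded packet; keep the first.
        fields.setdefault(key, value)
    try:
        fields["SRC"] = ipaddress.ip_address(fields["SRC"])
    except (KeyError, ValueError):
        return None
    return fields

def summarize(log_text, v4_prefix=24, v6_prefix=64):
    """Count logged packets per source IP, source network and (proto, port)."""
    by_ip, by_net, by_port = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec["SRC"]
        plen = v4_prefix if src.version == 4 else v6_prefix
        by_ip[str(src)] += 1
        by_net[str(ipaddress.ip_network(f"{src}/{plen}", strict=False))] += 1
        by_port[(rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
    return by_ip, by_net, by_port

def concentrated_sources(by_ip, min_share=0.5):
    """Source IPs that alone account for at least min_share of logged packets."""
    total = sum(by_ip.values())
    return [ip for ip, n in by_ip.items() if n / total >= min_share]

if __name__ == "__main__":
    print([c.most_common(3) for c in summarize(SAMPLE_LOG)])
```

If one address dominates, a single block entry is enough; if the hits are spread thinly across many networks, per-IP or per-range blocking on the firewall will not keep up.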

Thank you … my game has 10 ports … so I need to set the concurrent connection limit on all ports??

My game is based in Singapore … and many of my players are from Malaysia …

You could create a Firewall rule that only allows those 10 ports.
I understand that you can’t block Malaysia.
So maybe just create that rule and use “Rate limit connection”

To add all 10 ports to single rule you can use Firewall Groups and Service Groups


OK, I'll try now … thank you for the assistance.

How did the game function after you added a firewall rule to rate limit connections?

Hi, I already stopped IPFire … my game got a big DDoS attack last night … hmm … I had already added the connection limit … but the result is the same …
I put 3 as the connection limit.

That is a bummer. I am sorry I wasn’t able to help.

Do you want to post a screenshot of your Firewall Rule?
Maybe someone knowledgeable will comment.

Can you also post a screenshot from Logs - IPS logs?
I want to see if any of the Emerging DOS.rules kicked in during your game.


Logs.zip (1.7 MB)
Here is the log … maybe he uses a Malaysian IP to attack my game … because I allow only Malaysia to access my game …

Is the IPS log from during the game? I don’t see many of the Emerging rules being activated… Mostly SURICATA STREAM 3way handshake excessive different SYNs,
which is more of an annoyance than protection.

Yes, this IPS log is from during the game … my game got attacked around 20:10 ~ 22:30 or so.

If the DDoS attack overloads the downlink between your ISP and the server, IPFire cannot do anything because the attack was successful before it reached you. Only the ISP can filter such types of attacks.

Is your server overloaded, or do you have massive packet loss?
