Full Version: FloodGuard ... No answers, no protection ?
DeepBlue
I think it's time to bring it to the public forums, as my tickets aren't answered (correctly?).

I am an ex-EV1 customer. I have come to SM because of FloodGuard. I run an online real time game and some players attack the server sometimes to stop the "real time" part of the game, trying to get more time to do something.

It's odd to be attacked every single night, and it began affecting my game's reputation. So, I decided to look for a safe place. SM with FloodGuard, apparently, could keep me safe.

I have requested a server and subscribed to FloodGuard. Mentioned I needed FloodGuard activated ASAP, because of the nightly attacks.

On 12/10/03, the FloodGuard Setup Ticket was updated as follows:


(crodenberg-12/10/03-12:48):
Your IP's have been added to Floodguard.

Thanks!


That's it, I thought. I can finally sleep well.

Not at all. I saw on the forums, the other day, that there was a TRAINING period of 7 days. Oh, God, 7 more days. But if it's necessary, that's OK.

I have waited these 7 days. I have asked on the forums and Crodenberg answered: "there is no notice when FloodGuard changes its state from TRAINING to OPERATIONAL, just count 7 days from the OK ticket."

Great. 7 days had passed, and in theory, FloodGuard was already protecting my server.

On Wednesday, the 18th (1 day AFTER FloodGuard changed to OPERATIONAL, according to Crodenberg), I received a UDP flood attack, and at night the same attacks that always came.

Oh, no, I said. Something must be wrong. So, I opened another ticket, on the 19th, asking:


Could you please verify and tell me if FloodGuard for my IPs is in TRAINING or OPERATIONAL status?


And Crodenberg, himself, replied:


(crodenberg-12/19/03-08:38):
Customer:

Your IP's have been added to FloodGuard.

Thanks!


How can it be? I asked if it was in TRAINING or OPERATIONAL status. And he gives me the SAME ANSWER as when it was added, exactly 9 days before.

As the ticket is not answered anymore and the only answer that I have received didn't clarify anything, I'm asking here on the forums, where I know Mr. Crodenberg passes by, what is happening.

Is FloodGuard active for my server? Is it in TRAINING or OPERATIONAL mode? If it is OPERATIONAL, why aren't the attacks being stopped? If it is in TRAINING mode, when will it be OPERATIONAL?

I need answers. As a customer I shouldn't need to beg for an answer. But that's what I'm doing here.

I beg for an answer, Mr. Crodenberg.

Edit: Support Ticket ID is 127373PLNT
Guspaz
FloodGuard is not a surefire fix for DoS attacks. But your situation does sound fishy; a simple UDP attack, I'd expect FloodGuard to block that.

Craig's response, well, he probably saw your thread and it was the 982nd FloodGuard ticket he'd dealt with that day, and maybe he was on autopilot a bit :P
Serhat
QUOTE (Guspaz)
FloodGuard is not a surefire fix for DoS attacks. But your situation does sound fishy; a simple UDP attack, I'd expect FloodGuard to block that.

Perhaps his game uses UDP and those attacks mimic actual game behaviour, so FloodGuard sees them as heavy use rather than unusual patterns?

The best would be some interface through Orbit to see the status of FloodGuard and some info on a) whether it's up and running for your IPs and b) if/when it's blocking attacks and the nature of those attacks. I believe they are working on something like that (can anyone confirm?)... that should be a very welcome feature and also help keep down the number of tickets along the lines of "is it working yet??"

Btw, it seems that the motivation for this attack is clear... perhaps something can be built to heavily disadvantage the players when an attack is in place? If you can eliminate the motivation, you will probably also eliminate the attacks.

Btw 2, I'm an ex-EV1 customer too. During my one attack there, they simply null-routed my IP. Bah. I didn't even see a spike in my bandwidth graph. FloodGuard seems to be something recent here, so hopefully with some time the situation will improve.

Btw 3, Guspaz - you've mentioned being attacked several times... have you had any attacks since FloodGuard was activated?
DeepBlue
QUOTE (Guspaz)
FloodGuard is not a surefire fix for DoS attacks. But your situation does sound fishy; a simple UDP attack, I'd expect FloodGuard to block that.

Craig's response, well, he probably saw your thread and it was the 982nd FloodGuard ticket he'd dealt with that day, and maybe he was on autopilot a bit :P


I would expect FloodGuard to block not everything, but a lot of things, and right now, if it's active for my server, it's not blocking ANYTHING.

Nobody here is paying for autopilot responses.

QUOTE (Serhat)
Perhaps his game uses UDP and those attacks mimic actual game behaviour, so FloodGuard sees them as heavy use rather than unusual patterns?


No, it's an HTTP game. No need for any additional ports, just web pages.

QUOTE
The best would be some interface through Orbit to see the status of FloodGuard and some info on a) whether it's up and running for your IPs and b) if/when it's blocking attacks and the nature of those attacks. I believe they are working on something like that (can anyone confirm?)... that should be a very welcome feature and also help keep down the number of tickets along the lines of "is it working yet??"


I totally agree, and I think that's imperative to reduce the load on support tickets, as lately SM support isn't able to deal even with the day-by-day tickets.

QUOTE
Btw, it seems that the motivation for this attack is clear... perhaps something can be built to heavily disadvantage the players when an attack is in place? If you can eliminate the motivation, you will probably also eliminate the attacks.


No, because they become ex-players. About the attacks... that's why I moved here. If FloodGuard doesn't work... I'll find another place.

QUOTE
Btw 2, I'm an ex-EV1 customer too. During my one attack there, they simply null-routed my IP. Bah. I didn't even see a spike in my bandwidth graph. FloodGuard seems to be something recent here, so hopefully with some time the situation will improve.


It happened to me also.
Guspaz
Only one of the attacks was while FloodGuard was operational, and it was still in Training mode, so it couldn't block it. I haven't seen an attack yet with FloodGuard running.
Serhat
QUOTE (DeepBlue)
No, it's an HTTP game. No need for any additional ports, just web pages.

Can you see in the logs what the nature of the attack is? Are they flooding the server with 'legal' queries? In such a case, an anti-DoS module in Apache could possibly solve your problem.
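What Serhat's suggestion amounts to, as an added example that is not code from this thread, from FloodGuard or from any Apache module: the core check an HTTP-layer anti-DoS module performs is a per-client request count over a sliding window, with clients over a threshold flagged for blocking. The script below runs that check over Apache combined-format access log lines. The log lines, the client IPs, the window length and the threshold are constructed for the demo and are assumptions, not values from the page. Note that this only helps when the flood consists of complete HTTP requests reaching Apache; a TCP SYN flood, as DeepBlue identifies later in the thread, is exhausted at the kernel's connection queue before any request is logged.

```python
"""Per-client request-rate check over Apache combined-format access log lines.

Added example; not from the forum thread, FloodGuard or an Apache module.
It does what an Apache anti-DoS module does at the HTTP layer: count requests
per client IP inside a sliding time window and flag clients that exceed a
threshold. All thresholds, log lines and IPs below are constructed (assumed).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format prefix: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def flood_sources(lines, window_s=10, max_requests=20):
    """Flag clients that sent more than max_requests within any window_s span.

    Returns {ip: peak_requests_seen_in_one_window} for flagged clients only.
    Lines are expected in log order per client (Apache writes them that way).
    """
    windows = defaultdict(deque)   # ip -> timestamps inside the current window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip malformed / non-access lines
            continue
        ip, ts = parsed
        q = windows[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the trailing window.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_requests:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def sample_log():
    """Constructed access log: one normal player and one flooding client."""
    fmt = ('%s - - [19/Dec/2003:22:00:%02d -0600] '
           '"GET /game/turn.php HTTP/1.1" 200 512')
    lines = []
    # Constructed: normal player, one request every 12 seconds (5 total).
    for i in range(5):
        lines.append(fmt % ("10.0.0.5", i * 12))
    # Constructed: flooding client, 50 requests inside 5 seconds.
    for i in range(50):
        lines.append(fmt % ("192.0.2.77", i // 10))
    return lines


if __name__ == "__main__":
    for ip, peak in flood_sources(sample_log()).items():
        print("flag %s: %d requests in one 10 s window" % (ip, peak))
```

With the constructed input, only 192.0.2.77 is flagged (50 requests in one window); the player at 10.0.0.5 never has more than one request inside any 10-second span. A production module would act on the flag (deny the client for a cool-down period) rather than print it, and would need the threshold tuned above the game's legitimate peak rate so real players are not blocked.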
DeepBlue
Serhat

My question is quite simple. I'm not discussing the effectiveness (yet). I just want to know if it's operational. And I just don't get this simple answer. Not on the ticket system, nor even here on the forums, as Mr. Crodenberg hasn't replied yet.

By the way, it's a TCP SYN flood attack.
DeepBlue
More than 48h have passed. No staff answer yet, not on the tickets, nor here in the forums.

Hope I get a response before I am like Santa Claus.
crodenberg
Deep Blue, your FloodGuard protection is operational.

The proper way to escalate a DoS attack is as follows:

1. If you notice a DoS attack before Support does, call Support (that's the fastest) or open a ticket with DoS ATTACK as the subject.

2. Your attack will be assigned to one of my engineers, who will adjust FloodGuard (using ACLs if necessary) to mitigate the attack. Normally, FloodGuard will do this automatically. Occasionally, additional ACLs will need to be applied.

3. Once the DoS has been mitigated, your profile will be updated to include the new UDP threshold.

As you have noticed, DAYS may pass before I have the time to check these forums. If you are under a DoS attack, call support or open a DoS ticket. My team handles the DoS / Emergency tickets before the "quick questions", "How do I" and "What if" tickets.

I am currently staffing up the Security Team (Very carefully) so that Security Incident Response will be handled completely outside of the normal support path. This will happen soon.

Until then, if you are under a DoS attack, the fastest way to handle a security incident is to call, or open a DoS ticket. If you feel that your DoS / Security Incident was not escalated in a timely manner (After you call or open your DoS ticket), Email me at: crodenberg@theplanet.com and describe what happened.