Full Version: FloodGuarded Server UNDER ATTACK and DOWN Right now
DeepBlue
Right NOW, at THIS MOMENT, my server is unreachable.

I have been told by some known people that my server is under attack.

IP: 69.93.107.98

I have opened a ticket thru OUTAGE REPORT more than 15 minutes ago. No answer yet.

My server is (?) under FloodGuard protection.

Yesterday, my server was attacked, I opened a ticket, no answer to it in more than 24 hours. (FloodGuard didn't work again).

And now I'm attacked again and NO ANSWER.

FloodGuard NOT WORKING, Server DOWN, No ANSWER TO THE TICKET, even an OUTAGE REPORT TICKET.

You may test. My IP is 69.93.107.98

Anyone from support out there ?????? Some ATTENTION, please !!!!
SDavidS
QUOTE (DeepBlue)
Right NOW, at THIS MOMENT, my server is unreachable.

I have been told by some known people that my server is under attack.

IP: 69.93.107.98

I have opened a ticket thru OUTAGE REPORT more than 15 minutes ago. No answer yet.

My server is (?) under FloodGuard protection.

Yesterday, my server was attacked, I opened a ticket, no answer to it in more than 24 hours. (FloodGuard didn't work again).

And now I'm attacked again and NO ANSWER.

FloodGuard NOT WORKING, Server DOWN, No ANSWER TO THE TICKET, even an OUTAGE REPORT TICKET.

You may test. My IP is 69.93.107.98

Anyone from support out there ?????? Some ATTENTION, please !!!!


I ping it at 51ms..
DeepBlue
me too. The server is online. It's just being Flooded. That's the problem.
SDavidS
QUOTE (DeepBlue)
me too. The server is online. It's just being Flooded. That's the problem.


Oh I figured my ping would at least be higher than that. Who floods you?
DeepBlue
some unhappy visitors
my_forum_id
What kind of flood ??

It can't be a bandwidth attack if your ping is still in double figures.
damainman
I wasn't able to reach the ip earlier... but now it seems to be working
DeepBlue
I think it was a UDP attack. It has stopped now.

FloodGuard, according to Mr. Crodenberg, doesn't work for my server, and he can't explain why.

Well, if he can't, I would like to know who can.

He asked me if I want a refund for the money paid for FloodGuard on my server and if I want the service cancelled.

I just don't accept it because having FloodGuard on my server will make me not to pay for the additional bandwidth consumption generated by the attacks. That's the only reason.

I just get very very scared by the person, responsible for this toy (FloodGuard is no more than a toy), being unable to explain why it doesn't work for my server, as it's a simple server that serves pages, and no more than pages.

Just making this public, because someone SHOULD be able to explain this.
Serhat
QUOTE (DeepBlue)
I think it was a UDP attack. It has stopped now.
..... being unable to explain why it doesn't work for my server, as it's a simple server that serves pages, and no more than pages.

I ping your IP just fine atm. Can you give any details on this attack, such as what your bandwidth graphs look like for that period (i.e. was the attack against bandwidth or cpu resources?) or web server logs?
DeepBlue
It's ok now, the attack stopped some hours ago.

The attack was a 7 mb/s, lasting for 2 hours. It's still visible here:

http://69.93.107.98/mrtg/

I have just requested to upgrade my network from 10 mb to 100 mb, that will make it much more difficult to take the service out, because a much greater attack would be needed.

I just get terrified by the fact that FloodGuard doesn't protect me, and this may happen to other people as well, and Crodenberg just says: I can't explain why it doesn't work for you.

Great.
Serhat
QUOTE (DeepBlue)
The attack was a 7 mb/s, lasting for 2 hours. It's still visible here: ........ I have just requested to upgrade my network from 10 mb to 100 mb, that will make it much more difficult to take the service out, because a much greater attack would be needed.

But with 7mbit/s, how would that saturate your bandwidth if it's 10mbit/s? Wouldn't a 100mbit/s generate the same problems then? It's of course possible that FG mitigated the attack into "just" 7mbit/s. SM staff would have to comment on that.
DeepBlue
7 mb/s is enough to make nobody access the server anymore.

It would be much more difficult for the attacker to get to 100 mb/s, keeping everything working.

I would also like to see comment from SM staff on this, as the only thing I heard until now is:
"I don't know why FloodGuard doesn't protect you".

And this is not what anyone here would like to hear about the protection of his server.
eddy2099
On a 10mbps port, I believe you need a constant 10mbps to choke the connection. 7mbps is not going to choke the connection but it was enough to take down your server. As such I doubt 100mbps port would help in this situation unless you are saying that your port choked at a constant 10mbps. You still have 3mbps worth where traffic can still enter.

I believe you did mention that you are worried about the excess bandwidth that the attack brought, wouldn't a 100mbps pipe generate more if it exceeded the 10mbps barrier ?
Serhat
QUOTE (DeepBlue)
7 mb/s is enough to make nobody access the server anymore.
It would be much more difficult for the attacker to get to 100 mb/s, keeping everything working. I would also like to see comment from SM staff on this, as the only thing I heard until now is: "I don't know why FloodGuard doesn't protect you".

Perhaps it's because it's the weekend... give them a little time to check things out :-) it would be nice to learn more about this. There haven't been a lot of reports on successful blocks, but I'm sure they exist.

I suspect that if you have a 100mbit/s port, then your server will also be choked with a 7mbit/s flood. It didn't seem from your graphs that your server had a high CPU load... is that correct? You might want to save those graphs so that others can analyze them.
DeepBlue
Eddy

I have FloodGuard active on my account, and I pay for it, because of the bandwidth consumption. It's publicly said by SM that if you have FloodGuard, you don't pay for the traffic generated by the attacks.

That's the only reason I keep paying for FloodGuard.

Serhat

No, with a 100 mbps port it won't be choked by a 7 mbps attack. The attack will have to get near 100 mbps to choke it, and this is much more difficult.

About the answer I keep receiving, I'm discussing this with Crodenberg since December / 2003. That's why I decided to make it public here. Just because it's getting long past any patience limits and the answer is not what anyone can accept.
eddy2099
Oops, I misread your statement.
Argyle
Sorry to hear Floodguard isn't working. I have only had positive experiences with it so far. It's stopped a few attacks recently, some around 30 MBit/s.

About the 7Mbit/s that is most likely the limit the 10Mbit port can push. I maxed out a Celeron at 6Mbit/s with a Realtek NIC and a SuperServer at 7Mbit/s with an Intel NIC. Anything over that caused extreme packetloss when running game servers. After upgrade to 100Mbit all went smooth but now the DoS attacks also reach 30Mbit (though Floodguard have stopped them so far).
Serhat
QUOTE (Argyle)
After upgrade to 100Mbit all went smooth but now the DoS attacks also reach 30Mbit (though Floodguard have stopped them so far).

Good to hear... question though: how do you know they reached 30Mbit? What kind of feedback did you get on it?
eddy2099
I guess you could look at the Orbit Resource Utilization chart to check where the peak points are during the attack.
Argyle
Yes the graphs show an initial spike on 30, nothing you can do about that. The graph then goes downhill from there.
DeepBlue
argyle

You are a lucky man. FloodGuard works for you !!

I would like it to work for me also.

By the way ... no official response. And I believe we won't have one. Just because there isn't any answer different from "I don't know why it doesn't work for your server".
GoltharNL
Please...Floodguard is just like any technology..it can fail.
We all pay for Microsoft Windows and they keep finding large bugs in it all the time (in the last case even keeping a fix away for 6 months...so much for increased security)

Now add to it that floodguard is a somewhat experimental feature as it attempts to detect the attacks signature while allowing good data to pass, I can kinda understand it's not fail safe.

Sucks however that you got attacked =/
DeepBlue
Yes, it can fail.

But fail is different from never working. And it has never worked for my server, in many attacks.

Still no official response.
Serhat
QUOTE (GoltharNL)
We all pay for Microsoft Windows

"all" is a strong word in a community where a significant amount of people use Linux servers :-)
GoltharNL
QUOTE (DeepBlue)
Yes, it can fail.

But fail is different from never working. And it has never worked for my server, in many attacks.

Still no official response.


Well nowhere did they guarantee it worked right?
Also, pray tell.. why are you under attack so often?
DeepBlue
Because I run a real time online game that works only in pages ... And some players always try to take advantage.
concept
Like people running bots refreshing a page? I don't think floodguard stops that kind of attack, however you can write a script to reject them if they make a certain number of page requests within a certain amount of time
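A sketch of the kind of script concept describes, as an added example that is not part of the original thread: a per-IP sliding-window counter run over web server access-log lines. The log lines, the threshold of 5 requests in 10 seconds, and all function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the start of an Apache common-log-format line: client IP, timestamp, request.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def build_sample():
    """Constructed sample log (documentation-range IPs, made-up paths and times)."""
    fmt = '{ip} - - [01/Jan/2004:10:00:{s:02d} +0000] "GET /game/turn.php HTTP/1.1" 200 512'
    lines = [fmt.format(ip="203.0.113.7", s=s) for s in range(8)]         # 8 hits in 8 s
    lines += [fmt.format(ip="198.51.100.20", s=s) for s in (0, 20, 40)]   # ordinary player
    lines.append("garbage line")                                          # malformed entry
    return lines

def parse_line(line):
    """Return (ip, timestamp, path), or None if the line is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path

def find_flooders(lines, max_requests=5, window_seconds=10):
    """Return {ip: peak count} for clients with more than max_requests in any window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip malformed lines instead of failing
        ip, when, _path = parsed
        q = recent[ip]
        q.append(when)
        # Drop requests that have aged out of the sliding window.
        while (when - q[0]).total_seconds() >= window_seconds:
            q.popleft()
        if len(q) > max_requests:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders

if __name__ == "__main__":
    print(find_flooders(build_sample()))
```

Rejecting the flagged addresses only sheds application load; as DeepBlue points out further down the thread, the requests still arrive at the network port.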
eddy2099
Wasn't it somewhere here that they say that Floodguard may not work for games because of the way they request for data streams or something.

Floodguard goes through a process of learning past usage pattern to determine what is normal. If the patterns are basically the same during a flood and beyond that, it may perceive it as just normal traffic but just heavier.
Guspaz
QUOTE (eddy2099)
Wasn't it somewhere here that they say that Floodguard may not work for games because of the way they request for data streams or something.

Floodguard goes through a process of learning past usage pattern to determine what is normal. If the patterns are basically the same during a flood and beyond that, it may perceive it as just normal traffic but just heavier.

Webgames that are based on HTML pages don't use datastreams, they use standard HTTP on TCP, usually through Apache.
klaude
Floodguard protects your server against "flood" attacks. Technical attacks, like SQL slammer or bots that request pages over and over again won't get stopped by floodguard. Without knowing the details of your attack I couldn't say why floodguard didn't help. Crodenberg knows the most about this. He's your best bet to say what happened.
bman
I have an answer to your problem
install it and you will be hopefully protected
http://forums.servermatrix.com/viewtopic.html?t=4330
also I recommend installing the following:
APF + antidos
mod_security
also putting the game domain on an IP to monitor it better
good luck
DeepBlue
Klaude

It was crodenberg who said he doesn't know why FloodGuard doesn't work for me.

bman

I have dos_evasive installed. My problem is not that. My problem is that the requests arrive on my server (my server discards them, but they arrive) flooding the network port.

The requests are discarded, but they arrive anyway.
klaude
If it stumped crodenberg I don't know how much help I can be for you. :) Keep working with him. He and his team can figure it out.
bman
my guess is to ban the IPs from the router but if there are so many then I don't know what else.
my guess is they're hitting you by IP so why not change the game IP and null that IP
GoltharNL
QUOTE (DeepBlue)
Because i run a real time online game that works only in pages ... And some players always try to take advantage.


Ban their IPs, suspend their accounts, make it less interesting to attack you
And state you will murder their pets in the AUP ;)
Serhat
QUOTE (DeepBlue)
I have dos_evasive installed. My problem is not that. My problem is that the requests arrive on my server (my server discards them, but they arrive) flooding the network port.

But that would mean that there are at least some types of (common?) attack that FG is utterly unable to defend against....
zanboor
I am having the same problem where the server becomes inaccessible thru the web but very much pingable.

In my case, I am quite sure it's an attack.
SM recommended installing FG but after reading these posts, I am not sure that would do it!?

I will be installing dosevasive and see what else I can do.
Any help would be appreciated.

If nothing works, then I'd have to leave SM and go to an ISP managed box.

PS: I already have APF installed.

Z.
Argyle
Give FloodGuard a try first. You can't install it during an attack though since it needs a couple of weeks to learn your normal traffic patterns.
DeepBlue
QUOTE (klaude)
If it stumped crodenberg I don't know how much help I can be for you. :) Keep working with him. He and his team can figure it out.


Klaude, crodenberg doesn't want to work on this. He has cancelled FloodGuard protection for my server without telling me first.

He said he didn't know what is happening, cancelled FG and that's all. That's why I came to the forums. Because this guy just doesn't want to try to solve the problem.

And the answer from SM keeps the same:

"I don't know what is happening"
"I can't be of much help".

great.
AlexAT
Is it true?

They cancelled that service that you paid for?
They cancelled that service without any reason?
zanboor
SM may be slow but I don't think they would cancel a service you had paid for this way.

As for me, I might opt for an ISP service instead. SM has asked for $250 to harden the box plus the FG monthly fee.

Since I am running one not-for-profit site, I think the semi-dedicated ISP I was with @ 65 US/Month, would be a much more cost and headache effective solution.

I am paying $100 US/Month with SM for a 2.4 SC with cpanel/whm. This is my first month here :(

Z.
DeepBlue
Crodenberg cancelled it and stated he would give me my money back.

But I didn't (and don't) want the service cancelled, I want it WORKING for my server.

And no answer.
zanboor
I ended up using the SIM script from : http://rfxnetworks.com/proj.php which basically monitors the systems and could reboot it whenever the system gets overloaded by the attack.

A reboot would take about 10 minutes. Much cheaper than $250 US and $10 US/month!

The above has several other useful scripts. Check it out.

Z.