Alkaline
Apr 4 2004, 04:53 PM
I don't know what to do, I think my server is under some sort of an attack or something.
Basically we run a game server, when the attack happens everyone's ping goes to 10000 and then we all get kicked. I can't ping the server for the next 2-3 minutes, and then we are able to get back on again.
I go to the resource utilization and see that the inbound traffic suddenly had a huge spike in inbound traffic and it peaks at 10.00 mbit (maxes out my pipe) and then all the outbound traffic goes offline.
This has happened various times. I had floodguard installed, it didn't do anything, the same problem kept happening.
What can I do? The attack seems to happen for only a couple of minutes, enough to knock everyone offline from the game.
I called tech support and they basically act like they don't know what is going on and are telling me to take a hike.
Alkaline
Apr 4 2004, 06:18 PM
please someone help me
mreeves
Apr 4 2004, 09:19 PM
try the floodguard service or try upping your pipe to 100meg
eddy2099
Apr 4 2004, 11:33 PM
If I recall correctly, I read here that Floodguard is ineffective for game servers because of the way it operates.
Argyle
Apr 5 2004, 03:31 AM
I use it on game servers and it has worked good. You often can't do anything about the first initial spike though, but if you have a 100 Mbit connection you can usually handle this till floodguard kicks in and stops the traffic.
Since you already use floodguard and this didn't help I would try tech support again. Also do you have other services running on the server like web or ftp? It could be normal (but a lot of) HTTP requests being made flooding the server and this flood guard would still see as ok traffic I believe.
Try locking the server down to the ports that you need for the game server. Might want to look into a firewall as well so you can log the traffic coming in.
klaude
Apr 5 2004, 08:50 AM
When this happens how does your CPU load look? Also while this is going down open a command prompt and run "netstat -an". That will give you a list of all connections currently on the machine.
Are you running any other services besides game serving like web or DNS hosting?
Alkaline
Apr 5 2004, 09:55 AM
No only the gameserver. Here is an example of what happened last night:
both times everyone was kicked from the server

Servermatrix tech keep bs-ing me around saying security will have a look at it, but they never do.
I think I will have to move, I can't pay 260/month for 2 servers and have them crash all the time.
klaude
Apr 5 2004, 10:18 AM
Those just look like simple spikes, not a sustained attack. Keep yourself connected to your server via RDP while gaming. Be ready to run that netstat command the next time this happens.
If these spikes are coming from somewhere out there on the internet there's a good chance you'd get this kind of traffic no matter what datacenter you used. We certainly don't mean to bs you around at tech support. Please PM me the numbers of any tickets you've opened on this. Thanks!
X-TremeGaming
Apr 5 2004, 11:17 AM
QUOTE (mreeves)
try the floodguard service or try upping your pipe to 100meg
Yeah good thinking. Now instead of a constant 10mb's inbound he will have 100mb's .... Hate to see that bill at the end of the month.
But to answer your question, Like Klaude said run a netstat -a to see where the traffic is originating from and send the output to support.
Alkaline
Apr 5 2004, 01:40 PM
well how am I supposed to do this when I can't even ping the server?
I can't log into the server if I can't even ping it
X-TremeGaming
Apr 5 2004, 02:32 PM
OK, back up. You can't log in to the machine at all? That is a bigger problem..
nycxzero
Apr 5 2004, 05:53 PM
looks like ddos to me

Try a 100mbit upgrade, then you will be able to see which ips are attacking you if it is a single or multiple.
X-TremeGaming
Apr 5 2004, 05:58 PM
If he is getting attacked why in the world would you recommend upgrading to 100mb port?
That makes exactly no sense at all.
First off, port speeds have nothing to do with anything. And second, having him upgrade to 100mb's will lead to 10 times more traffic going through... Are you going to pay his bandwidth bill?
mreeves
Apr 5 2004, 08:16 PM
IMHO I would upgrade to 100 mbit so I could at least see what the hell is going on. Those bursts won't jack up the bill.. Also I would get the floodguard. Damned if you do.. Damned if you don't in this situation. If you can live with not knowing then leave it alone.
X-TremeGaming
Apr 5 2004, 08:19 PM
QUOTE (mreeves)
IMHO I would upgrade to 100 mbit so I could at least see what the hell is going on. Those bursts won't jack up the bill.. Also I would get the floodguard. Damned if you do.. Damned if you don't in this situation. If you can live with not knowing then leave it alone.
I may be missing something but what does upgrading to a 100mb port have to do with your server being attacked? You're looking for a bandaid here..
eddy2099
Apr 5 2004, 08:26 PM
The two spikes seem to have lasted for a very short time. It doesn't look like an attack to me unless of course floodguard went into action and had them blocked.
Do you have the access logs which you could look at? I am sure that you would be able to find something there.
Sn1p3
Apr 5 2004, 10:39 PM
If it is a ddos, and he upgrades to 100Mb. If it is a ddos and the 100M keeps the server from going down. The attacker will keep pushing it longer probably. Because if it is a ddos. The attacker seems to just want to kill the server to kick everyone. If that's the case and he went 100M and he cannot achieve that. The attacks may last a lot longer, and possibly harder... Try to work with tech support more before thinking about the 100M. I have to agree with X-Gaming here.
Edit: If eddy is correct about floodguard going into effect. Wouldn't it seem that floodguard is just killing all traffic?
eddy2099
Apr 5 2004, 10:52 PM
Well actually if you see the graph, you see the traffic slowly creeping back to normal after that sharp drop. You see a somewhat 45 degrees slope skewed to the right which shows the traffic building. The no-traffic period seems to be when the spike reaches 9.9mbps.
If it was a typical DDoS or DoS, it would have been sustained for a longer period than that.
Here is what I see happened. The first spike shows the initial stage of a DoS which blocks everything out. Floodguard kicks in and then people started reconnecting and thus traffic started rebuilding again to where it was before the attack. Floodguard switches back to watch mode. The culprit launches a second attack which starves all traffic then floodguard kicks in again and things got back to normal. At this stage, either floodguard learns that two attacks from the same ip got to be a Flood and blocks it off and everything returned to normal.
Sn1p3
Apr 5 2004, 10:57 PM
I'd have to agree... how about an update? Still happening?
X-TremeGaming
Apr 5 2004, 11:01 PM
Yes agreed but upping the port to 100mb won't solve the problem. I mean technically yes it will but spending extra money on a larger port is not the answer. Unless you really made someone mad it should be a random thing, No need to worry too much over it.
eddy2099
Apr 5 2004, 11:10 PM
I am not a real gamer but was just wondering if gamers exhibit the same behavior and characteristics as they are in the game persona? I know in First Party Shooting games, the main objective is to kill and the more blood, gore and violence the better. Are they the same in real life or are they just timid nerdie people who like to act out a character totally distinct from themselves? Are they irritable people who cannot take no for an answer and would resort to violence (in this case DoS attack) because they lost a game or get angry with someone in the game or the game server provider?
So far I have not seen a network game as popular as say Halo which deals with the persona going around helping people instead of hurting them.
Sorry if I offend anyone.. I am just plain curious.
Sn1p3
Apr 5 2004, 11:18 PM
I've experienced it.... Player gets banned, gets cussed, or just plain gets owned. Some of them get very mad about it... And some others will just keep pushing it in the game. And make a person even more angry. I've seen some result in ddos attacks. And server would just completely die.
eddy2099
Apr 5 2004, 11:27 PM
Thanks for the insight. I guess that probably explained why the original poster's server got hit. I suppose moving out of SM would not help since the issue is going to follow around and it has nothing to do with a hardware failure so really nothing much SM can do about it. You could block a block of IPs but people can come from another ISP and the more you block, the more enemies you make and the more your server gets exploited. Ouch, it is a real dirty business where real life mirrors that of the alter ego. The battle of the Id and the Ego with the id taking prominence.
X-TremeGaming
Apr 5 2004, 11:34 PM
We were laughing earlier when one of our server administrators decided enough was enough and blocked the whole country of Romania from our voice machine
Good stuff!
BTW eddy are you following me? I just get done posting on another forum about a topic you are involved in and get an email saying there is a new post here and guess who?
eddy2099
Apr 5 2004, 11:40 PM
haa haa.. Well, I am an ownerless dog looking for my Alpha.

haa haa. Nah. I just happened to be looking at both places.

and you happened to be there too.
Alkaline
Apr 6 2004, 01:06 AM
eddy2099
Apr 6 2004, 01:08 AM
Were there any angry gamers who got banished or got jealous of someone on your server who may be taking it out on your machine and the people on it?
It looks like a targeted attack so if you move, chances are it will follow you. Maybe you could have tech turn off your server for a week or two, this might fool the culprit to think he got his revenge and may stop launching the attack. Then you could restart the service and continue from there.
Sn1p3
Apr 6 2004, 06:32 AM
Yes, that's what a few of us have been saying about the 100. Would there be any type of connection logging software he could try? Say an IP pings him, this program will log the connection IP from it to a log file? I'm not saying this will work against a spoof. But I would try it. There is a possibility he isn't spoofing, and it could work out. I don't know of any apps that will do that, I will have to look around. What OS are you using?
ferret
Apr 6 2004, 07:13 AM
QUOTE (X-TremeGaming)
We were laughing earlier when one of our server administrators decided enough was enough and blocked the whole country of Romania from our voice machine
Good stuff!
Heh, no offense to the SM folks, but years ago I had a group of trouble makers on a text game I helped design and build up. After a while I just applied a *dallas* ban to get rid of all of them. :/ It worked too
I've also applied *.aol.com bans in the past. We changed our ban system on that game to stop account creation rather than connection though, so old players could still get on.
mreeves
Apr 6 2004, 10:03 AM
QUOTE (X-TremeGaming)
I may be missing something but what does upgrading to a 100mb port have to do with your server being attacked? You're looking for a bandaid here..
I never said it was a solution but a chance to have some bandwidth so that he could log in and run some tools while he is being attacked. Which now he doesn't have to do since they identified it as a UDP flood.
Argyle
Apr 7 2004, 03:45 AM
Having 100 Mbit instead of 10 Mbit has saved me a few times when the attacks have been over 10 Mbit (around 30). The game gets a bit laggy at the initial spike (but you are not kicked out since you still have more bandwidth) and then floodguard kicks in and stops the attack.
Looking at your graphs the spike is higher than 10 Mbit and upgrading to 100 Mbit would at least let you see if they are higher than 100 Mbit as well. If they aren't the game might just be a bit laggy instead of kicking everybody out (depends on how the game handles the lag though).
Sn1p3
Apr 7 2004, 09:54 AM
That would work, on the note that floodguard is actually stopping the attack. If not, well, good luck and hope you don't go over 1TB/month. The attacker either is stopping the attack. Or floodguard is.
Humper92
Apr 7 2004, 03:01 PM
Doesn't SM cover the b/w if you go over as long as you got FloodGuard? I think so.
Sn1p3
Apr 8 2004, 01:14 AM
I would say that depends on how close to the actual 1tb month he gets without the attacks. If it's very close I doubt they will. I'm not sure on this though, just a guess.
Argyle
Apr 8 2004, 02:28 AM
The graphs look like mine when floodguard kicks in so I would say it's worth a test. If it doesn't work out go back to 10 Mbit again.
sean1121
Apr 8 2004, 11:31 AM
You might want to try running a network sniffer so you can see what kind of traffic you're getting flooded with.
Ethereal is a good one. Once you know what kind of traffic it is you might be able to filter it with a firewall or something.
ee99ee
Apr 8 2004, 11:34 AM
QUOTE (sean1121)
You might want to try running a network sniffer so you can see what kind of traffic you're getting flooded with.
Ethereal is a good one. Once you know what kind of traffic it is you might be able to filter it with a firewall or something.
Ethereal uses X windows. It's just an X interface to tcpdump. Just use tcpdump... same thing, minus the GUI... unless you're insane and run X on your server, or something.
-ee99ee
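Added example (not part of any post in this thread): a short Python script that tallies inbound traffic by protocol, source IP and destination port from text in the format `tcpdump -n` prints, which is the breakdown the sniffer suggestion above is after. The capture lines, the addresses and the game port 27015 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed capture in the text format printed by `tcpdump -n`.
# Addresses are documentation ranges; 27015 is an assumed game port.
SAMPLE = """\
11:30:01.000101 IP 203.0.113.7.40000 > 198.51.100.10.27015: UDP, length 1400
11:30:01.000140 IP 203.0.113.7.40001 > 198.51.100.10.27015: UDP, length 1400
11:30:01.000188 IP 203.0.113.7.40002 > 198.51.100.10.27015: UDP, length 1400
11:30:01.000230 IP 192.0.2.44.51000 > 198.51.100.10.27015: UDP, length 62
11:30:01.000410 IP 203.0.113.7.40003 > 198.51.100.10.27015: UDP, length 1400
11:30:01.000500 IP 192.0.2.90.50123 > 198.51.100.10.3389: Flags [P.], seq 1:41, ack 1, win 512, length 40
11:30:01.000650 IP 198.51.100.10.27015 > 192.0.2.44.51000: UDP, length 120
"""

# timestamp IP src.sport > dst.dport: <UDP | Flags ...> ... length N
LINE = re.compile(
    r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): "
    r"(\w+).*length (\d+)$"
)

def summarize(capture_text, server_ip):
    """Tally inbound payload bytes per (protocol, source) and (protocol, port)."""
    by_src, by_port = Counter(), Counter()
    for line in capture_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # lines without ports (ICMP, ARP) are skipped here
        src, _sport, dst, dport, kind, length = m.groups()
        if dst != server_ip:
            continue  # outbound or unrelated traffic
        proto = {"UDP": "UDP", "Flags": "TCP"}.get(kind, "other")
        by_src[(proto, src)] += int(length)   # payload bytes, not wire bytes
        by_port[(proto, int(dport))] += int(length)
    total = sum(by_src.values())
    top = by_src.most_common(1)[0][1] if by_src else 0
    return {
        "total_bytes": total,
        "top_sources": by_src.most_common(3),
        "top_ports": by_port.most_common(3),
        # Near 1.0: one sender dominates. Low: spread over many senders.
        "top_share": round(top / total, 3) if total else 0.0,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE, "198.51.100.10").items():
        print(key, value)
```

Source addresses in a UDP flood can be spoofed, so the protocol and destination-port breakdown is usually the more dependable input for a firewall rule than the list of senders.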
sean1121
Apr 8 2004, 11:39 AM
QUOTE (ee99ee)
QUOTE (sean1121)
You might want to try running a network sniffer so you can see what kind of traffic you're getting flooded with.
Ethereal is a good one. Once you know what kind of traffic it is you might be able to filter it with a firewall or something.
Ethereal uses X windows. It's just an X interface to tcpdump. Just use tcpdump... same thing, minus the GUI... unless you're insane and run X on your server, or something.
-ee99ee
Not true at all, the link I posted takes you directly to the windows download page. Ethereal can read and log in tcpdump format but it's not an "interface to tcpdump", that's a common misconception.
ee99ee
Apr 8 2004, 11:40 AM
QUOTE (sean1121)
QUOTE (ee99ee)
QUOTE (sean1121)
You might want to try running a network sniffer so you can see what kind of traffic you're getting flooded with.
Ethereal is a good one. Once you know what kind of traffic it is you might be able to filter it with a firewall or something.
Ethereal uses X windows. It's just an X interface to tcpdump. Just use tcpdump... same thing, minus the GUI... unless you're insane and run X on your server, or something.
-ee99ee
Not true at all, the link I posted takes you directly to the windows download page. Ethereal can read and log in tcpdump format but it's not an "interface to tcpdump", that's a common misconception.
Oh, sorry.
-ee99ee
sean1121
Apr 8 2004, 11:50 AM
QUOTE (ee99ee)
Oh, sorry. :D
-ee99ee
No problem.