| Pages: [1] :: one page |
| Author |
Thread Statistics | Show CCP posts - 0 post(s) |
Ralle030583
The Phoenix cor
Phoenix Allianz
   |
Posted - 2007.01.22 12:53:00 -
[1]
Edited by: Ralle030583 on 22/01/2007 12:52:31
Hi guys,
i have no probs to supply you with the service of eve-kill.net which are
creating many traffic and some costs for me. I see in the logs that many corps and alliances are using this service and that makes me happy. I enjoy it to work on the Public Killboard and as Master Server for linqs sync mod.
But there is one think what makes me sick...
there are some *** which try(!) to block my service with DOS-Attacks etc.
Plz stop the ****, it hurts.. you try to help and offering a service for free and thats what you get :-/ Think about what you are doing... 
Sig removed. Please keep sigs to 400x120 pixels and 24000 bytes in size or less. -Kaemonn ([email protected]) |
Dark Shikari
Caldari
Imperium Technologies
Firmus Ixion
|
Posted - 2007.01.22 13:05:00 -
[2]
Why not just block the DOSers? If all else fails, heck just block their entire IP range. Might block a few small countries in the process but if it keeps EVE-Kill running... its worth it 
-[23] Member-
Listen to EVE-Trance Radio! (DSTrance channel ingame) |
Cardassius
Seraphin Technologies
S.E.R.A
|
Posted - 2007.01.22 13:06:00 -
[3]
Bah..
Are people to pathetic that they don't want other people to see their losses?
|
Stevie mcStepherson
FATAL REVELATIONS
FATAL Alliance
|
Posted - 2007.01.22 13:09:00 -
[4]
Edited by: Stevie mcStepherson on 22/01/2007 13:08:34
Have you checked your webserver logs and implemented bans on any ips (or range such as china) that stand out. Eve-files had a similar issue in the past here . Probably worth talking to chribba.
Best of luck
Stevie
|
Dekiri
Exanimo Inc
|
Posted - 2007.01.22 13:25:00 -
[5]
Chribba had massive problems with that stuff as well on the eve-files site. Maybe you should chat with him. AFAIK those attacks mostly came from the asian area, so it should be possible to block the IP ranges.
---------------------------------
Exanimo Inc. - Mercs for hire
Join channel "CONTRACT EXAN" in game if you wish to hire Exanimo Inc.
Or contact cptblood or kakanur |
Crashys
Caldari
|
Posted - 2007.01.22 14:13:00 -
[6]
You don't even block ICMP... you're not much into security, are you? |
Ralle030583
The Phoenix cor
Phoenix Allianz
|
Posted - 2007.01.22 14:32:00 -
[7]
 Originally by: Crashys
You don't even block ICMP... you're not much into security, are you?
argh damm new server forgott it... fixed^^
Sig removed. Please keep sigs to 400x120 pixels and 24000 bytes in size or less. -Kaemonn ([email protected]) |
|
Chribba
Otherworld Enterprises
Otherworld Empire
|
Posted - 2007.01.22 14:36:00 -
[8]
No need to drop ICMP if the problem lies with getting hit over another protocol or other type of attack, but general rule yes drop it unless you need it.
And to Ralle, what type of attacks are you seeing? General resource attacks(!) in the line of spiders or actual TCP/UDP/ICMP flood attacks?
Chribba is for sale, buy a part of me today |
|
zeeZ Exus
Citizens of E.A.R.T.H.
E.A.R.T.H. Federation
|
Posted - 2007.01.22 14:42:00 -
[9]
Originally by: Chribba
General resource attacks(!)
aka impatient fanbois of some random corp doing 200 F5/s to stay updated or just waiting for a doomsday mail 
Character Portrait  |
Ralle030583
The Phoenix cor
Phoenix Allianz
|
Posted - 2007.01.22 14:44:00 -
[10]
Originally by: Chribba
No need to drop ICMP if the problem lies with getting hit over another protocol or other type of attack, but general rule yes drop it unless you need it.
And to Ralle, what type of attacks are you seeing? General resource attacks(!) in the line of spiders or actual TCP/UDP/ICMP flood attacks?
DROPED ICMP cause i dont need it atm^^
Have looked again prob is except of ICMP(whats now fixed) that the feed.php for sync is abused through sending requests again and again... pherhaps i have to implement user and paswd for sync so that KB who want to sync have to register ...
but its a not a 5min work to implement user and change the syncmod for this
Sig removed. Please keep sigs to 400x120 pixels and 24000 bytes in size or less. -Kaemonn ([email protected]) |
Ralle030583
The Phoenix cor
Phoenix Allianz
|
Posted - 2007.01.22 14:46:00 -
[11]
Originally by: zeeZ Exus
Originally by: Chribba
General resource attacks(!)
aka impatient fanbois of some random corp doing 200 F5/s to stay updated or just waiting for a doomsday mail
yeah thats another thing but i'm optimizating caching atm so that the side havent to read everything from DB always..
Sig removed. Please keep sigs to 400x120 pixels and 24000 bytes in size or less. -Kaemonn ([email protected]) |
JoDirt
Minmatar
Tides of Silence
|
Posted - 2007.01.22 14:54:00 -
[12]
Block all ports except for port 80 and what ever ports you need for the sync (sql). Remove the banners from your services. Use a firewall with anti syn scan technology (sonic wall). implement the bandwidth load ballancing on your web server. Keep your server completely patched all times. disable services you don't need.
that's all I have right now, good luck!
--------------------------------
Luckily my neck broke my fall... |
|
Chribba
Otherworld Enterprises
Otherworld Empire
|
Posted - 2007.01.22 15:12:00 -
[13]
Originally by: Ralle030583
Edited by: Ralle030583 on 22/01/2007 14:44:56
Originally by: zeeZ Exus
Originally by: Chribba
General resource attacks(!)
aka impatient fanbois of some random corp doing 200 F5/s to stay updated or just waiting for a doomsday mail
yeah thats another thing but i'm optimizating caching atm so that the side havent to read everything from DB always..
or I tempban those ppl :-P thinking about this^^
I drop many China requests from EVE-Files just beacause of this issue, since them bots are requesting files over and over again - probably the same thing happening to you.
Right now I just flip the switch if I see the amount of requests building up and poof 98% of China is blocked 
Chribba is for sale, buy a part of me today |
|
Ralle030583
The Phoenix cor
Phoenix Allianz
|
Posted - 2007.01.22 15:17:00 -
[14]
Originally by: Chribba
Originally by: Ralle030583
Edited by: Ralle030583 on 22/01/2007 14:44:56
Originally by: zeeZ Exus
Originally by: Chribba
General resource attacks(!)
aka impatient fanbois of some random corp doing 200 F5/s to stay updated or just waiting for a doomsday mail
yeah thats another thing but i'm optimizating caching atm so that the side havent to read everything from DB always..
or I tempban those ppl :-P thinking about this^^
I drop many China requests from EVE-Files just beacause of this issue, since them bots are requesting files over and over again - probably the same thing happening to you.
Right now I just flip the switch if I see the amount of requests building up and poof 98% of China is blocked
hmm btw .. have you got a good programm to analize the acces log?
Sig removed. Please keep sigs to 400x120 pixels and 24000 bytes in size or less. -Kaemonn ([email protected]) |
|
Chribba
Otherworld Enterprises
Otherworld Empire
|
Posted - 2007.01.22 15:27:00 -
[15]
I have an eye in real-time on the fw to see multiple connections, but otherwise there are many log analyzers out there, probably one of the best is WebTrends but maybe overkill if you just want to analyze one log kinda.
Chribba is for sale, buy a part of me today |
|
Xiaodown
Dragons Of Redemption
Southern Cross Alliance
|
Posted - 2007.01.22 15:41:00 -
[16]
Part of the point of a DDoS attack is that if it's big enough, it doesn't do enough good to block it.
If it's just a bunch of people trying to hit a database intensive query, and it's driving up the load on the server, then yeah, blocking can be fine.
But, if you've only got like a 1.5Mbit connection or something, even firewalling the connections still means that they are swamping your incoming bandwidth. If there's enough traffic, legit customers won't be able to get through. You'd need to call your upstream provider and get them to firewall it off at a border router.
It takes a lot to flood 1.5Mbits with HTTP1.1/GET requests, though. And hopefully you have a burstable connection. Good luck, man.
~X
|
Ralle030583
The Phoenix cor
Phoenix Allianz
|
Posted - 2007.01.22 15:44:00 -
[17]
Originally by: Xiaodown
Part of the point of a DDoS attack is that if it's big enough, it doesn't do enough good to block it.
If it's just a bunch of people trying to hit a database intensive query, and it's driving up the load on the server, then yeah, blocking can be fine.
But, if you've only got like a 1.5Mbit connection or something, even firewalling the connections still means that they are swamping your incoming bandwidth. If there's enough traffic, legit customers won't be able to get through. You'd need to call your upstream provider and get them to firewall it off at a border router.
It takes a lot to flood 1.5Mbits with HTTP1.1/GET requests, though. And hopefully you have a burstable connection. Good luck, man.
~X
if got an 100MBit connection .....
Sig removed. Please keep sigs to 400x120 pixels and 24000 bytes in size or less. -Kaemonn ([email protected]) |
Xiaodown
Dragons Of Redemption
Southern Cross Alliance
|
Posted - 2007.01.22 15:51:00 -
[18]
Oh, for traffic monitoring - I mean, you can always use webalizer to check HTTP traffic - it'll tell you what IPs are hitting the server too many times, the most requested files, etc.
But for realtime traffic monitoring, you want to use MRTG. It's open source. It doesn't tell you individual connections, so it won't help you much with watching the firewall, but it makes prettier graphs than webalizer =) like this:
check http://mirror.cs.vt.edu/public_html/test/mrtg/ for the traffic on a server that I run. It polls SNMP data in realtime, as a daemon
I wish there was an MRTG-type thing that could monitor connection states - a combo of netstat -an and a realtime bwm-ng, displayed in pretty graph form on a webpage.
|
Xiaodown
Dragons Of Redemption
Southern Cross Alliance
|
Posted - 2007.01.22 15:55:00 -
[19]
And if you've got a 100mbit connection, I hope your bottleneck is CPU usage and not incoming bandwidth requests. 100Mbits is a METRIC CRAPLOAD of http1.1/get requests. At that point, you start blocking whole class-a IP blocks, like 145.0.0.0/255.0.0.0 and hope you can contain it.
Good lord, I can't imagine 100 megabits of INCOMING traffic on a webhost. I mean, you see it in outgoing - a couple of FTP transfers can put you near that, but incoming requests....
May god be with you, sir. Let us know if we can help. |
JoDirt
Minmatar
Tides of Silence
|
Posted - 2007.01.22 16:28:00 -
[20]
If you would like to take a closer look at the packets being passed you might want check out ethereal for packet analysis. You will be able to see any mal formed requests and half open connections. BackTrack has a lot of tools available for analysis also. Even the ability to return fire 
--------------------------------
Luckily my neck broke my fall... |
Jimmy Carlos
Minmatar
|
Posted - 2007.01.23 00:19:00 -
[21]
Originally by: Crashys
You don't even block ICMP... you're not much into security, are you?
You aren't either, are you? I bet you only use those 'Personal Firewalls'.
There isn't just ICMP, there's types of it. Some are useful, some are better shut off. And if one uses a 'decent' operating system, there's an option to limit responses to ICMP requests.
I suggest you go, read a bit on ICMP and it's use. You should STFW for terms like PMTUD, source quench and others...
Get clued. <- Hint
|
Kung Zao
|
Posted - 2007.01.23 00:20:00 -
[22]
Originally by: Stevie mcStepherson
Edited by: Stevie mcStepherson on 22/01/2007 13:08:34
Have you checked your webserver logs and implemented bans on any ips (or range such as china) that stand out. Eve-files had a similar issue in the past here . Probably worth talking to chribba.
Best of luck
Stevie
yeah sth bad happend....it must have been China!!!....gtfo
|
Jimmy Carlos
Minmatar
|
Posted - 2007.01.23 00:36:00 -
[23]
Originally by: Xiaodown
And if you've got a 100mbit connection, I hope your bottleneck is CPU usage and not incoming bandwidth requests. 100Mbits is a METRIC CRAPLOAD of http1.1/get requests. At that point, you start blocking whole class-a IP blocks, like 145.0.0.0/255.0.0.0 and hope you can contain it.
Good lord, I can't imagine 100 megabits of INCOMING traffic on a webhost. I mean, you see it in outgoing - a couple of FTP transfers can put you near that, but incoming requests....
May god be with you, sir. Let us know if we can help.
Indeed. If the stuff you're running is PHP, which I think it is, you might want to check out PHP accelerator (Linkage) to reduce CPU load. Also check your PHP installation on not needed options and your apache on not needed modules and the like. Might want to compile it yourself to get rid of some of the options it has in most of the base installations/packages.
Last, but not least, you can ofc start to block entire IP ranges off and then see if it gets better.
I would hate to see a community service go down because of this kind of stuff. If I might be of help, just send me an EvE mail.
|
Sausage Mahoney
|
Posted - 2007.01.23 00:40:00 -
[24]
Originally by: Kung Zao
Originally by: Stevie mcStepherson
Edited by: Stevie mcStepherson on 22/01/2007 13:08:34
Have you checked your webserver logs and implemented bans on any ips (or range such as china) that stand out. Eve-files had a similar issue in the past here . Probably worth talking to chribba.
Best of luck
Stevie
yeah sth bad happend....it must have been China!!!....gtfo
Yeah, actually, when it happened to chirba, it WAS china. Who brought eve-files down for days? China. Where are paid macrominers from in eve? China. Where are paid gold farmers from in WoW? China. Who got thier very own server?
Of course, they'll never admit to it, because when you convo them you always get 'CIRCLE SQUARE SQUIGLY T ASDF ICICLE SPRAYPAINT TACO CANISTER'
But we all know who it is thanks.
|
Jimmy Carlos
Minmatar
|
Posted - 2007.01.23 00:47:00 -
[25]
Originally by: Sausage Mahoney
[...stuff...]
Very constructive. It will help the OP to reach new heights while maintaining his service.
|
BlazeRage
Caldari
Flashman Services
Ratel Alliance
|
Posted - 2007.01.23 02:31:00 -
[26]
is it me or did chribba get a facelift?
|
Lowanaera
Amarr
1st Praetorian Guard
Vigilia Valeria
|
Posted - 2007.01.23 02:56:00 -
[27]
Originally by: BlazeRage
is it me or did chribba get a facelift?
He has to spend all that ISK earned with the veldnaught somehow!
|
| |
|
| Pages: [1] :: one page |
| First page | Previous page | Next page | Last page |