My bungeecord is being attacked

Discussion in 'BungeeCord Discussion' started by TheWarden, Dec 30, 2018.

  1. Help, my CPU usage is at 100% and I see my BungeeCord with these attack messages:
    https://pastebin.com/kYkW2MB9

    I am running Ubuntu. Do you have any suggestions to prevent these DDoS attacks? Thanks
     
  2. Get a VPS or change your IP by talking to your host; maybe that should help :)
     
  3. It is a DDoS attack; it is definitely not because of my IP
     
  4. He was suggesting to change your IP, as then the DDoSer may not have the IP.
     
  5. No, he definitely knows my IP
     
  6. Yeah but what he is trying to say is get a new IP and that could stop the attacker from ddosing you further, unless he figures out the new one.
     
  7. I understand, but he knows my server IP. I need a way to limit the connections to my 25565 port. Does anyone know how with Ubuntu?
     
  8. You have no DDoS protection?
     
  9. You need to use a host with DDoS protection; most server providers (OVH, ReliableSite etc.) have DDoS protection.
     
  10. OP, I would rent a small VPS with a DDoS-protected host like OVH (between about £3.50-£5.00 a month).
    Then from there enable IPv4 forwarding using this command:
    sysctl net.ipv4.ip_forward=1
    and set up iptables to pass traffic through on your server port.
    I'm pretty sure you can do it using this command:
    iptables -t nat -A PREROUTING -p tcp --dport 25565 -j DNAT --to-destination ip:port
    (use your server port in place of 25565, and make sure ip:port is your BungeeCord proxy and not your other servers, as we want traffic to come through the VPS and then to your Bungee)
    then use
    iptables -t nat -A POSTROUTING -j MASQUERADE

    Then on the VPS that is now acting as a proxy, install a program called Snort and set up rules to detect things such as DDoS attacks or other attacks; that way you will be alerted, along with what time and day etc. the attack is happening.

    Give out the IP or update your DNS server to the VPS and not your Bungee IP :)
     
  11. Thanks, the thing is a lot of these IPs are duplicates. Is there a way to rate limit to port 25565 to, say, 1 or 2 requests per second?
     
  12. I'm sure that making a tunnel in a VPS is not allowed on some hosts..
     
  13. I host a website for someone, non-gaming related,

    and have had this setup running for months; it works perfectly fine :) Actually you're creating a reverse proxy IDS system :)
     
  14. Duped as in the attack's IP? Like from multiple sources? Please explain a bit more.

    OP might want to read this; looks like it needs some tweaking to get it working though. You should also become familiar with iptables or ufw for hosting a server :)
    https://debian-administration.org/article/187/Using_iptables_to_rate-limit_incoming_connections

    When setting up your proxy, if you rent from a "host" that sells Minecraft packages, it's also a good idea to forward your FTP, SQL, etc. traffic through the proxy.
    You should also install a program called fail2ban on your VPS just in case someone is trying to brute-force attack your server.
     
    #14 NullRootix, Dec 31, 2018
    Last edited: Dec 31, 2018
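
Added example, not part of any post in this thread: one way to do the per-source rate limiting asked about above (1 or 2 new connections per second to port 25565) with the iptables `hashlimit` and `connlimit` matches. The chain name `MC_LIMIT`, the function `emit_rules` and the default numbers are assumptions. The rules only help on the machine that sees real client source addresses, so with the DNAT/MASQUERADE forwarding described earlier they go in the `FORWARD` chain on the VPS, not on the proxy host behind it.

```shell
#!/bin/sh
# Added example: per-source limits for new connections to the proxy port.
# emit_rules only prints iptables commands so they can be reviewed first;
# pipe the output to `sh` as root to apply. All defaults are assumptions.
#
# usage: emit_rules [CHAIN] [PORT] [RATE_PER_SEC] [BURST] [MAX_CONCURRENT]
emit_rules() {
    chain="${1:-INPUT}"    # INPUT on the proxy host itself; FORWARD on a box
                           # that DNATs traffic on to the proxy
    port="${2:-25565}"
    rate="${3:-2}"         # new connections per second per source IP
    burst="${4:-5}"        # short burst allowed before the rate applies
    maxconn="${5:-3}"      # concurrent connections per source IP

    case "$chain" in
        INPUT|FORWARD) ;;
        *) echo "emit_rules: chain must be INPUT or FORWARD" >&2; return 1 ;;
    esac
    # Refuse anything that is not a plain number rather than emit a bad rule.
    for v in "$port" "$rate" "$burst" "$maxconn"; do
        case "$v" in
            ''|*[!0-9]*) echo "emit_rules: not a number: $v" >&2; return 1 ;;
        esac
    done
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "emit_rules: port out of range" >&2; return 1
    fi

    # New connections to the port go through MC_LIMIT: too many concurrent
    # connections are reset, too-fast sources are dropped, the rest RETURN
    # to the calling chain so its remaining rules still apply.
    cat <<EOF
iptables -N MC_LIMIT
iptables -A $chain -p tcp --dport $port -m conntrack --ctstate NEW -j MC_LIMIT
iptables -A MC_LIMIT -p tcp -m connlimit --connlimit-above $maxconn --connlimit-mask 32 -j REJECT --reject-with tcp-reset
iptables -A MC_LIMIT -m hashlimit --hashlimit-name mc_new --hashlimit-mode srcip --hashlimit-above $rate/sec --hashlimit-burst $burst --hashlimit-htable-expire 60000 -j DROP
iptables -A MC_LIMIT -j RETURN
EOF
}

emit_rules "$@"
```

Limits like these reduce the work the proxy does per abusive source; they do not help when the link itself is saturated, which is what the hosted DDoS protection mentioned in the thread is for.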
  15. There is a not-bad solution from a Russian developer
     
  16. I won't repeat what others said in too much detail, but you should be looking for a host that offers proper DDoS protection, such as OVH for example.

    If for whatever reason you cannot do that, you could look into this anti-DDoS guide using IPTables (a Linux firewall software). By all means don't expect it to fully prevent any attacks, but it can definitely help a bit if the CPU is the one being overloaded. Follow this guide here. I think this guide should help you somewhat, considering you're mentioning the CPU is starting to show issues rather than the network. This firewall will filter out some traffic on the kernel level, which should hopefully lessen the load on your BungeeCord proxy.

    How does getting a new IP help? Judging from what OP is describing in his first post, it seems that his BungeeCord is the one being attacked, not any of the backend Spigot servers. The fact that he's showing a BungeeCord error log confirms this; if his Spigot backend servers were being attacked, BungeeCord would not even be invoked and it shouldn't show any errors.

    The BungeeCord is always publicly accessible (unless you have some other reverse proxy in between), so getting a new IP address is simply pointless as anyone can just ping the DNS record and get the new IP address and start another attack.
     
  17. If OP used my method you'd be able to see what attack etc. is being used and what time of the day.
    Then just simply null-route the IP so it doesn't go anywhere:
    https://www.cyberciti.biz/tips/how-do-i-drop-or-block-attackers-ip-with-null-routes.html

    Snort covers a whole bunch of rules to detect attacks, ranging from a simple DDoS attack to a more complex attack, and how to respond to them :)
     
    #17 NullRootix, Dec 31, 2018
    Last edited: Dec 31, 2018
  18. You've run tcpdump on your interface to confirm it's a DDoS attack?
    You can also throw that log into Wireshark if needed.
    Then null-route the IP if you're being attacked.
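
Added example, not part of any post in this thread: before null-routing anything as suggested above, it helps to see which sources actually open the most connections, so this counts bare SYNs per source to the proxy port from `tcpdump -nn` text output. The function names and the sample capture (documentation address ranges) are constructed for illustration; IPv6 lines are ignored.

```shell
#!/bin/sh
# Added example: rank sources by new-connection attempts to one TCP port.
# Input is text as printed by: tcpdump -nn -r capture.pcap tcp

# usage: top_syn_sources PORT THRESHOLD < tcpdump-text
# Prints "count source_ip" for every source with at least THRESHOLD bare
# SYNs to PORT, busiest first.
top_syn_sources() {
    awk -v port="$1" -v min="$2" '
        $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            dst = $5; sub(/:$/, "", dst)         # drop trailing colon
            n = split(dst, d, ".")
            if (d[n] != port) next               # last dotted field is the port
            src = $3; sub(/\.[0-9]+$/, "", src)  # strip the source port
            syn[src]++
        }
        END { for (s in syn) if (syn[s] >= min) print syn[s], s }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample, not traffic from the thread.
sample_capture() {
    cat <<'EOF'
12:00:01.000101 IP 203.0.113.5.40001 > 198.51.100.10.25565: Flags [S], seq 1, win 64240, length 0
12:00:01.000150 IP 198.51.100.10.25565 > 203.0.113.5.40001: Flags [S.], seq 9, ack 2, win 65160, length 0
12:00:01.000320 IP 203.0.113.5.40002 > 198.51.100.10.25565: Flags [S], seq 3, win 64240, length 0
12:00:01.000410 IP 203.0.113.9.51500 > 198.51.100.10.25565: Flags [S], seq 4, win 64240, length 0
12:00:01.000530 IP 203.0.113.5.40003 > 198.51.100.10.25565: Flags [S], seq 5, win 64240, length 0
12:00:01.000640 IP 192.0.2.77.33000 > 198.51.100.10.25565: Flags [S], seq 6, win 64240, length 0
12:00:01.000700 IP 203.0.113.5.40004 > 198.51.100.10.22: Flags [S], seq 7, win 64240, length 0
12:00:01.000810 IP 203.0.113.9.51501 > 198.51.100.10.25565: Flags [S], seq 8, win 64240, length 0
12:00:01.000900 IP 203.0.113.5.40005 > 198.51.100.10.25565: Flags [S], seq 9, win 64240, length 0
12:00:01.000950 IP 203.0.113.5.40001 > 198.51.100.10.25565: Flags [.], ack 10, win 502, length 0
EOF
}

sample_capture | top_syn_sources 25565 2
```

Source addresses in a SYN flood can be spoofed, so a high count is a reason to look closer at a source, not proof of who is sending.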
     
