Random 35Mb/sec DDoS takes down my server?

Discussion in 'Server & Community Management' started by joehot200, May 18, 2013.

  1. joehot200


    Hi, last night I had a 35mbps DDoS attack, which took down the server. I am with OVH, and I have the 100Mb/s connection. The server was so laggy it was unusable. No members could connect, and the website would barely load.

    How is that possible?
    #1 joehot200, May 18, 2013
    Last edited: May 18, 2013
  2. Oh, sorry about that, I connected to your website in two tabs. My bad. Won't happen again.
    • Funny x 9
    • Like x 1
    • Winner x 1
  3. joehot200


    Ikr, should not even do a thing.
  4. joehot200


    But really. How did that take the server down?
  5. Should be careful you don't damage your eyes...

    joehot200 Was there anything of interest in /var/log/messages at the time of the issues?
    • Agree x 1
    • Funny x 1
  6. Hmm, from my understanding of DDoS attacks (which is limited) I think they overloaded the CPU's processing capabilities. I.e. while the internet speed can cope with the attack, the CPU could not have.
  7. joehot200


    Though I do not have a CPU "graph", I can live look at the CPU from my control panel. It was only on about 30%. Obviously that's with all players disconnected, so it may have been attempting to use CPU, but failed.

    LukeHandle, how do I get the log files at a specific time?
  8. If your server has cPanel then there should be a section titled "Logs/Errorlogs"
    Also, is the server a VPS or Dedicated?
  9. Install munin and munin-node for future reference.
    • Useful x 1
  10. Or Zabbix, I really like Zabbix :)
    • Agree x 2
  11. Have you made any custom Templates/Items/Triggers?

    And if this was a CPU issue, surely there must be some sort of rate limiting you can put in?

    Would help if we knew what type of DoS you had, whether SYN or targeting your Webserver or whatever?
  12. Not yet... The default stuff it can generate from SNMP and Zabbix agent is already plenty for me. I've made a couple custom graphs and screens, but I rarely use them...
  13. That could be because it was a TCP flood, it really depends. But 100Mbit is not hard to take down nowadays.
    • Agree x 1
  14. Got it logging player count and TPS and a few other things.
  15. joehot200


    I have no idea what type of attack it was. I do not have this sort of data.
  16. Oh, wow! Way off topic, but that is TOTALLY interesting... Good thing not many people do that yet, Jarvis would be dead before Bukkit even finishes reviewing it :D
    • Agree x 1
  17. Would show you the graphs but they aren't that impressive in terms of players :p Does Jarvis do a similar function then? I might take a look.

    joehot200 Get that log file. If on Ubuntu it is located "var/log/syslog" apparently, if on CentOS it is located "/var/log/messages".

    Now, bearing in mind I assume you know what time the attack occurred? You can just cut and paste the segments where the attack was occurring. Hopefully there may be some indicators there. The system normally detects when it is being SYN flooded, so that may help.

    Also check your web server logs for the time of the attack, it may highlight if you were being DDoS'd there.
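
    Added example, not part of the original posts: one way to do the log check suggested above, pulling a same-day time window out of a syslog-format file and counting kernel messages that typically accompany a SYN flood or a full connection-tracking table. The function names and the sample log lines are constructed for illustration; on a real server pass /var/log/messages or /var/log/syslog instead of `-`.

```shell
#!/bin/sh
# Added example (not from the thread). All log lines below are constructed.

# Print lines of a syslog-format FILE that fall inside one same-day window.
# usage: attack_window FILE MON DAY START END   (times as HH:MM:SS, "-" = stdin)
attack_window() {
    awk -v mon="$2" -v day="$3" -v start="$4" -v end="$5" '
        $1 == mon && ($2 + 0) == (day + 0) && $3 >= start && $3 <= end
    ' "$1"
}

# Read log lines on stdin; print "<count> <indicator>" for each indicator seen.
flood_indicators() {
    awk '
        { line = tolower($0) }   # kernel versions differ in capitalisation
        match(line, /possible syn flooding on port [0-9]+/) {
            port = substr(line, RSTART, RLENGTH); sub(/.* /, "", port)
            seen["syn_flood_port_" port]++
        }
        line ~ /nf_conntrack: table full/ { seen["conntrack_table_full"]++ }
        END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k2
}

# Constructed sample in the traditional "Mon DD HH:MM:SS host tag:" format.
sample_log() {
    cat <<'EOF'
May 17 22:58:10 mc1 sshd[812]: Accepted publickey for admin from 192.0.2.10
May 17 23:40:02 mc1 kernel: possible SYN flooding on port 25565. Sending cookies.
May 17 23:41:03 mc1 kernel: possible SYN flooding on port 25565. Sending cookies.
May 17 23:41:30 mc1 kernel: nf_conntrack: table full, dropping packet.
May 17 23:42:05 mc1 kernel: possible SYN flooding on port 80. Sending cookies.
May 18 00:30:00 mc1 kernel: possible SYN flooding on port 80. Sending cookies.
May 18 09:12:44 mc1 CRON[2201]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Demo: summarise the half hour around the (constructed) incident.
sample_log | attack_window - May 17 23:30:00 23:59:59 | flood_indicators
```

    An empty result for the window means the kernel logged none of these indicators, which points the investigation towards the web server logs or bandwidth graphs instead.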
  18. Oops, didn't get this notification.

    Jarvis currently only sends out notifications, and doesn't do raw stats logging. I could look into doing that later down the road, but I think I would like to focus on making the monitoring (of potential problems) and notifications (so you can act on the problems) for the time being.