Project 1999

  #1  
Old 04-07-2010, 11:58 PM
Theiron Theiron is offline
Decaying Skeleton


Join Date: Feb 2010
Posts: 1
Default

Quote:
Originally Posted by Atern
The company I work for uses F5 for this type of thing I believe. I don't feel like requesting a quote on it but I'm pretty sure it's quite expensive. I'll touch base with him tomorrow and see what we pay.

But that being said, I think I found our guy!

http://pwned.nl/
I'm in the business and f5 hardware is very expensive. Maybe not for a $100M company but for personal use it is.

My curiosity comes when I ask is the server itself just on the public network with a public IP or does it have some sort of firewall in front of it? Based on the attacks and what not I'm going to assume it's completely open with a public IP.

Problem being that you'll need some decent hardware to put in front of it to protect it and maintain the 400+ users it gets on a regular basis.
Last edited by Theiron; 04-08-2010 at 12:01 AM..
  #2  
Old 04-07-2010, 11:59 PM
choklo choklo is offline
Kobold


Join Date: Mar 2010
Location: midwest, USA
Posts: 141
Default

Quote:
Originally Posted by Theiron
I'm in the business and f5 hardware is very expensive.
How much is it? Just give us a ballpark figure please.

In response to your edit, how much would the hardware be as well?
Last edited by choklo; 04-08-2010 at 12:05 AM..
  #3  
Old 04-08-2010, 12:14 AM
maultar maultar is offline
Sarnak


Join Date: Mar 2010
Posts: 383
Exclamation

I talked briefly with Rogean on the new temp server tonight. He said he is too busy to talk on here and go through the posts, but did say yes, donations will help and this "should" all be resolved in 5 days. Later told me to donate 300, I loled. I'm good for 20 but not 300. Once I figure out how to donate, that is; I can't find that thread anymore.
  #4  
Old 04-08-2010, 12:23 AM
choklo choklo is offline
Kobold


Join Date: Mar 2010
Location: midwest, USA
Posts: 141
Default

This is good news if this is true. Donations will help keep the server up. If we give a paltry $10 each, this should really help. 10 bucks is a pizza, a movie, a couple of beers. What it buys us is priceless, really. Name another place you get classic EQ with damn good devs.
The thing is, you have to actually DONATE. Click on the paypal logo on the home page and donate 10 or even 5 bucks. Talk is cheap people.

If you don't have a paypal account, make one, it's easy. Go to the website and spend 2 minutes making an account. You just need a credit card.
Last edited by choklo; 04-08-2010 at 12:25 AM..
  #5  
Old 04-08-2010, 12:24 AM
Elissa Elissa is offline
Kobold


Join Date: Apr 2010
Location: Sacramento, CA
Posts: 181
Default

Just donated 25$...
  #6  
Old 04-08-2010, 12:26 AM
cadiz cadiz is offline
Kobold


Join Date: Nov 2009
Location: Dublin, Ireland
Posts: 118
Default

Quote:
Originally Posted by Theiron
I'm in the business and f5 hardware is very expensive. Maybe not for a $100M company but for personal use it is.

My curiosity comes when I ask is the server itself just on the public network with a public IP or does it have some sort of firewall in front of it? Based on the attacks and what not I'm going to assume it's completely open with a public IP.

Problem being that you'll need some decent hardware to put in front of it to protect it and maintain the 400+ users it gets on a regular basis.
According to Rogean the abuse is from UDP traffic so it seems that simply rate limiting the traffic should be sufficient to block this, with sane thresholds on bitrate and packet size that would constitute and classify abuse appropriately.

Given that the server runs Windows you don't have kernel level packet filtering functionality available so you'd want a solution available at the switch level or before it arrives to the server.

Most co-location facility carriers provide this functionality, however you could easily use the same approach with a cheaply built unix based machine between drop-->server to rate limit and meter UDP connections.

My 2 copper pieces, this sort of thing is my career outside of Norrath, it pains me dearly to see such an awesome project suffer from a few nerdragers and I'd be more than happy to donate my time and experience to help get us back on track if needed. Rogean, you know how to get in contact with me
__________________
Prexus: (00-04) <Clan nan Dreolan>
Cadiz (70 NEC) epic 1.0
Grumplescratch (65 WAR) epic 1.0
Tzartole (62 MNK) epic 1.0
Last edited by cadiz; 04-08-2010 at 01:18 AM..
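The per-source UDP metering described in the post above, sketched as an added example (not code from the thread or from the Project 1999 server): a token bucket per source IP plus a hard packet-size cap. The thresholds, class and function names, and the sample traffic are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds (not from the thread); tune against real client traffic.
MAX_PACKET_BYTES = 512      # larger datagrams are classified as abuse outright
RATE_BYTES_PER_SEC = 4000   # sustained per-source allowance
BURST_BYTES = 8000          # bucket depth: short bursts a real client may send


class UdpMeter:
    """Token bucket per source IP, refilled continuously at `rate` bytes/s."""

    def __init__(self, rate=RATE_BYTES_PER_SEC, burst=BURST_BYTES,
                 max_packet=MAX_PACKET_BYTES):
        self.rate, self.burst, self.max_packet = rate, burst, max_packet
        self.buckets = {}  # src -> [tokens, last_timestamp]
        self.dropped = defaultdict(lambda: {"oversize": 0, "rate": 0})

    def check(self, ts, src, size):
        """Return 'pass', 'drop-oversize' or 'drop-rate' for one datagram."""
        if size > self.max_packet:
            self.dropped[src]["oversize"] += 1
            return "drop-oversize"
        bucket = self.buckets.setdefault(src, [self.burst, ts])
        # Refill for the time elapsed since this source's last packet.
        bucket[0] = min(self.burst, bucket[0] + (ts - bucket[1]) * self.rate)
        bucket[1] = ts
        if bucket[0] < size:
            self.dropped[src]["rate"] += 1
            return "drop-rate"
        bucket[0] -= size
        return "pass"


def classify(packets):
    """Run packets (ts, src, size) through a fresh meter in time order."""
    meter = UdpMeter()
    verdicts = [meter.check(*p) for p in sorted(packets)]
    return verdicts, {src: dict(c) for src, c in meter.dropped.items()}


# Constructed sample traffic: (timestamp seconds, source IP, payload bytes).
SAMPLE = (
    [(i * 0.1, "198.51.100.7", 120) for i in range(20)]            # steady client
    + [(1.0 + i * 0.001, "203.0.113.9", 500) for i in range(40)]   # flood
    + [(1.5, "203.0.113.50", 1400)]                                # oversized
)

if __name__ == "__main__":
    verdicts, dropped = classify(SAMPLE)
    print(verdicts.count("pass"), "passed;", dropped)
```

The steady source never empties its bucket, while the flooding source burns through the burst allowance and is dropped until it slows down.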
  #7  
Old 04-08-2010, 01:45 AM
Phineas Phineas is offline
Scrawny Gnoll


Join Date: Feb 2010
Location: Vancouver WA
Posts: 24
Default

Quote:
Originally Posted by cadiz
According to Rogean the abuse is from UDP traffic so it seems that simply rate limiting the traffic should be sufficient to block this, with sane thresholds on bitrate and packet size that would constitute and classify abuse appropriately.

Given that the server runs Windows you don't have kernel level packet filtering functionality available so you'd want a solution available at the switch level or before it arrives to the server.

Most co-location facility carriers provide this functionality, however you could easily use the same approach with a cheaply built unix based machine between drop-->server to rate limit and meter UDP connections.

My 2 copper pieces, this sort of thing is my career outside of Norrath, it pains me dearly to see such an awesome project suffer from a few nerdragers and I'd be more than happy to donate my time and experience to help get us back on track if needed. Rogean, you know how to get in contact with me
Or just shove a Cisco ASA in front of the server, set a max embryonic connection limit of say 1000, and then configure an IPS module to also drop packets from obvious attackers.

Someone mentioned that the problem with this kind of solution is the bandwidth being eaten up at the router.

/shrug

We've killed many ddos attempts at our datacenter doing just what I outlined...

~phin

<edit>
it should be noted that I have no idea if limiting the half opened connections would also affect EQ clients. It certainly doesn't harm web traffic from my experience...
  #8  
Old 04-08-2010, 03:24 AM
cadiz cadiz is offline
Kobold


Join Date: Nov 2009
Location: Dublin, Ireland
Posts: 118
Default

Quote:
Originally Posted by Phineas
Or just shove a Cisco ASA in front of the server, set a max embryonic connection limit of say 1000, and then configure an IPS module to also drop packets from obvious attackers.

Someone mentioned that the problem with this kind of solution is the bandwidth being eaten up at the router.

/shrug

We've killed many ddos attempts at our datacenter doing just what I outlined...

~phin

<edit>
it should be noted that I have no idea if limiting the half opened connections would also affect EQ clients. It certainly doesn't harm web traffic from my experience...
That's a solid solution too. The ASAs are a really nice improvement upon the PIX; unfortunately they come with a hefty price tag. For SYN proxy functionality and just general usage I've found OpenBSD with pf achieves the same thing for free minus all the contextual stuff. You'll actually find this embedded in most off the shelf firewall/proxy solutions due to its flexible license. I used this quite a bit in my consulting days.

Unfortunately not everyone can operate at Layer 8 (politics and $$). We use ASAs and ACEs at work as well and are quite happy with them, but for smaller shops or the budget constrained some good old pf is hard to beat, combine that with carp/pfsync and you've got some nice redundancy
__________________
Prexus: (00-04) <Clan nan Dreolan>
Cadiz (70 NEC) epic 1.0
Grumplescratch (65 WAR) epic 1.0
Tzartole (62 MNK) epic 1.0
Last edited by cadiz; 04-08-2010 at 03:30 AM..
  #9  
Old 04-08-2010, 02:29 AM
ooantipostoo ooantipostoo is offline
Sarnak


Join Date: Feb 2010
Location: San Diego
Posts: 348
Default

Quote:
Originally Posted by cadiz

Given that the server runs Windows you don't have kernel level packet filtering functionality available so you'd want a solution available at the switch level or before it arrives to the server.

D-dos attacks can and will affect any operating system, given it be Windows, Linux or so forth.
  #10  
Old 04-08-2010, 03:09 AM
Eastwood Eastwood is offline
Aviak


Join Date: Mar 2010
Location: Tempe, AZ
Posts: 99
Default

yeah PEQ is silly,

I started last night and a P1999 friend who used to box insanely on PEQ has power leveled me to 34 in 24 hours of not even close to non stop play.

The useful thing is I'm playing a class I've been curious about in EQ and I'll probably use PEQ to practice the lambent armor quests, buying the spells around Norrath, and other time wasting things that I can have polished when time is a little more valuable on P1999.