- Mon Jun 03, 2013 2:04 am
#163607
Hey everyone,
As you guys may have noticed, there was a stretch of downtime on the server yesterday (June 2, 2013). Unfortunately, this was caused by an attack against the server. As I wasn't around when the attack started, the server went down until I was at a computer to block it.
The attack
The first thing I did when I saw the server was down was determine the cause of the downtime. This was fairly easy, as looking at the console, I saw something similar to this:

There were around a dozen or so IP addresses, each making around 15-20 bad connections per second. These connections were overwhelming the server software, locking out legitimate connections and freezing the server.
Now, the simplest way to mitigate an attack like this is to block the IP addresses using the system firewall. However, we've had a few attacks like this so far this year, so I decided to write up a script to automatically block the connections.
Automatic IP bans
The script I developed is fairly simple, and only took around 15 minutes to code. What it does is count the number of times an IP has recently made a bad connection, and if it crosses a set threshold, it automatically blocks the IP using the system firewall. Pretty basic stuff, but it works well.


I won't post the full code - security through obscurity and all that. No reason to let the attacker know the thresholds.
This script won't block all potential attacks, and without a doubt, someone will find a new way to take the server down in the future. However, it will automatically block script kiddie connection floods in the future, and help maintain the server's uptime.
Hopefully you guys enjoyed this information regarding the cause of the downtime, and what we did to block the attack.
As always, thanks for supporting MineRealm

"When you do things right, people won't be sure you've done anything at all."
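
The approach described in the post (count each IP's recent bad connections, block it at the firewall once a threshold is crossed) can be sketched as below. This is an added example, not the MineRealm script: the log line format, window and threshold are assumptions, and the sample log is constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Assumed values; the post deliberately does not publish its real thresholds.
WINDOW_SECONDS, MAX_BAD_IN_WINDOW = 5, 30
# Constructed log format: "<unix time> bad connection from <ip>".
BAD_CONN = re.compile(r"^(\d+(?:\.\d+)?) bad connection from (\S+)$")


def flooding_ips(lines, window=WINDOW_SECONDS, limit=MAX_BAD_IN_WINDOW, allowlist=()):
    """Yield each address once, at the log line that pushes it over the limit."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}  # e.g. proxy or admin hosts
    recent = defaultdict(deque)  # ip -> timestamps of its recent bad connections
    blocked = set()
    for line in lines:
        m = BAD_CONN.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))  # reject junk before it reaches a command
        except ValueError:
            continue
        if ip in allowed or ip in blocked:
            continue
        ts = float(m.group(1))
        q = recent[ip]
        q.append(ts)
        while q and q[0] <= ts - window:  # expire events older than the window
            q.popleft()
        if len(q) > limit:
            blocked.add(ip)
            yield ip


def block_command(ip):
    tool = "ip6tables" if ip.version == 6 else "iptables"
    return [tool, "-I", "INPUT", "-s", str(ip), "-j", "DROP"]  # argv list, no shell


def constructed_log():
    """Constructed sample: 203.0.113.7 floods at 20/s, 198.51.100.9 fails once a second."""
    flood = [f"{1000 + i / 20:.2f} bad connection from 203.0.113.7" for i in range(60)]
    return flood + [f"{1000 + i} bad connection from 198.51.100.9" for i in range(3)]


if __name__ == "__main__":
    for addr in flooding_ips(constructed_log()):
        print(" ".join(block_command(addr)))
```

The allowlist matters when players reach the server through a shared proxy or NAT, since one misbehaving client behind it would otherwise get every user at that address blocked.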