Fullserver.su CS 1.6 Community Forum
Common DDoS Attacks and Countermeasures - Printable Version

+- Fullserver.su CS 1.6 Community Forum (https://fullserver.su/forum)
+-- Forum: Server Creation and Configuration (https://fullserver.su/forum/forum-7.html)
+--- Forum: Server Protection (https://fullserver.su/forum/forum-10.html)
+--- Thread: Common DDoS Attacks and Countermeasures (/thread-7.html)

Common DDoS Attacks and Countermeasures - Fullserver - 06-04-2023

Types of Attacks and Used Techniques

Mini-FAQ on commonly seen DDoS attacks today.
Currently, the most popular attacks are amplifications, based on the principle of "amplification." In simple terms, the attacker spoofs the IP address of the target and sends requests to DNS, NTP, and other servers using that IP. Consequently, the server responds with packets of significantly larger sizes. To put it bluntly, sending 1 byte results in receiving 30-60 bytes in response. The more requests made to different services and the higher their quantity, the more powerful the attack becomes. Currently, amplification attacks range in strength from 1 to 30 Gbps. This method is widely used due to its affordability.
However, the good news is that such attacks are "dumb" and can be easily blocked by having the necessary resources for it.

The main types of amplifications are:
  1. DNS - Packets arrive with source port 53 (UDP) To block these attacks, all UDP packets with source port 53 are trimmed, except for the IP addresses of DNS servers used by the server (eg, 8888)
  2. NTP - Packets arrive with source port 123 (UDP) Blocking is similar to DNS attacks, possibly without allowing specific IP addresses if you don't use internet time synchronization
  3. SSDP - Packets arrive with source port 1900 (UDP) Blocking UDP Source Port 1900
  4. CHARGEN - Packets arrive with source port 19 (UDP) Blocking UDP Source Port 19
  5. SNMP - Packets arrive with source port 161 (UDP) Blocking UDP Source Port 161
  6. QOTD - Packets arrive with source port 17 (UDP) Blocking UDP Source Port 17
  7. TeamSpeak - Packets arrive with source port 9987 (UDP) Blocking UDP Source Port 9987
  8. NetBios - Packets arrive with source port 137 (UDP) Blocking UDP Source Port 137
  9. Quake 3 - Packets arrive with source port 27690 (UDP) Blocking UDP Source Port 27690
  10. Steam - The majority of packets arrive with source port 27015 (UDP) Blocking UDP Source Port 27015
  11. This type of attack cannot be classified as amplification and is primarily used by certain botnets However, it is still popular for attacks on HLDS servers, with source port 0 (UDP) Blocking UDP Source Port 0
There are various types of P2P amplification attacks, but they are not widely popular. However, any ports can be used in such attacks.

The attacks described above are primarily blocked at the ISP and data center level. Blocking them on the server itself is pointless unless you have a minimum of several gigabits of bandwidth.

Amplification Coefficient Table:
[Image: 000001.jpg]

RE: Common DDoS Attacks and Countermeasures - brainohyeah - 06-04-2023

really useful