
I am managing a game server prone to DDoS. I have kept the upstream IP secret and only published the addresses of 100 load balancers forwarding traffic via iptables:

# enable packet forwarding on each load balancer
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
# rewrite the destination of the published game ports to the hidden upstream (origin) server
iptables -t nat -A PREROUTING -p tcp --dport 1010 -j DNAT --to-destination MAIN_GAME_SERVER_IP:1010
iptables -t nat -A PREROUTING -p udp --dport 1010 -j DNAT --to-destination MAIN_GAME_SERVER_IP:1010
iptables -t nat -A PREROUTING -p udp --dport 1011 -j DNAT --to-destination MAIN_GAME_SERVER_IP:1011
# rewrite the source so the upstream sees the load balancer, not the client, as the sender
iptables -t nat -A POSTROUTING -j MASQUERADE

Yet, my upstream IP address has been discovered.

What about my setup could have allowed this to happen?

  • None of the load balancing addresses received DoS traffic.
  • The upstream server is configured to only respond to traffic from the load balancers.
  • My load balancers are reachable through addresses x.x.x.20 through x.x.x.60, with the upstream server sitting at x.x.x.61.
    Is this one of those *"DDoS protections"* where your users connect via x.x.x.20 through x.x.x.60 while the machine at x.x.x.61 hosts your super secret sauce? (other than suggesting some simple mistakes, this question can not be answered conclusively with the few details provided) – anx Jun 15 '21 at 02:08
  • Yes this is the one. – Manya Singh Jun 15 '21 at 02:21
  • @anx Yes you are right. Basically, multiple public servers and one secret server. – Manya Singh Jun 15 '21 at 02:28
  • Sorry, your question is currently of such low quality, and since this is off-topic, please ask on superuser.com – djdomi Jun 15 '21 at 10:38
  • In the context of mitigating DoS by proxying traffic, the upstream server is often referred to as [*the origin*](https://blog.cloudflare.com/ddos-prevention-protecting-the-origin/) – anx Jun 16 '21 at 00:30
  • Also inspect mail headers of any emails originating at the origin server. – Paul Jun 26 '21 at 03:15

1 Answer


You kind of solved the mystery in your reply to my comment: If your IP addresses can be guessed, then they can also be guessed by your less welcome users.

Public sources like certificates, previous network-scan results or simply whois entries allow one to guess which (more so if consecutively numbered) IP address blocks are managed by the same party.

As long as the service you provide remains vulnerable to whatever attack you observed, the guess can then be quickly confirmed by watching your service become unresponsive.

anx
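As an added illustration (not part of the question or answer), the following Python model replays the setup described above: a balancer's DNAT plus MASQUERADE, the origin's "only answer the balancers" policy, and the answer's observation that an origin numbered right after its published balancers is trivially guessable. The addresses are constructed stand-ins from the TEST-NET-1 documentation range for the question's x.x.x.20 through x.x.x.61.

```python
from dataclasses import dataclass, replace
import ipaddress

# Constructed stand-ins (TEST-NET-1) for the question's x.x.x.20-60 balancers and x.x.x.61 origin.
NET = ipaddress.ip_network("192.0.2.0/24")
LOAD_BALANCERS = {NET[i] for i in range(20, 61)}
ORIGIN = NET[61]                                   # MAIN_GAME_SERVER_IP in the question
GAME_PORTS = {("tcp", 1010), ("udp", 1010), ("udp", 1011)}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def lb_forward(pkt, lb_ip):
    """Model of one balancer's PREROUTING DNAT + POSTROUTING MASQUERADE: only the
    published game ports are forwarded, and the origin sees the balancer as source."""
    if pkt.dst != lb_ip or (pkt.proto, pkt.dport) not in GAME_PORTS:
        return None
    return replace(pkt, src=lb_ip, dst=ORIGIN)


def origin_accepts(pkt):
    """Origin input policy from the question: answer only balancer-sourced game traffic."""
    return pkt.dst == ORIGIN and pkt.src in LOAD_BALANCERS and (pkt.proto, pkt.dport) in GAME_PORTS


def path_via_lb(client, lb_ip, proto, dport):
    """Client -> balancer -> origin; True if the origin answers."""
    lb = ipaddress.ip_address(lb_ip)
    fwd = lb_forward(Packet(ipaddress.ip_address(client), lb, proto, dport), lb)
    return fwd is not None and origin_accepts(fwd)


def direct_to_origin(client, proto, dport):
    """Client sends straight to the origin address; True if the origin answers."""
    return origin_accepts(Packet(ipaddress.ip_address(client), ORIGIN, proto, dport))


def origin_shares_block_with_balancers():
    """The answer's point: if the origin sits in the same /24 as published
    balancers, the remaining addresses of that block are an obvious guess list."""
    block = ipaddress.ip_network(f"{ORIGIN}/24", strict=False)
    return any(lb in block for lb in LOAD_BALANCERS)


if __name__ == "__main__":
    print("via balancer:", path_via_lb("198.51.100.7", "192.0.2.20", "udp", 1010))
    print("direct to origin:", direct_to_origin("198.51.100.7", "udp", 1010))
    print("origin guessable from balancer block:", origin_shares_block_with_balancers())
```

Note that the policy model only decides whether the origin answers; as the answer says, a volumetric attack aimed at the guessed address still shows up as the service becoming unresponsive.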