0

I host a GameServer and some stupid guy just keeps attacking my Application server with random queries. I have found a solution to block it but he uses different kinds of queries so I have to block the new ones almost daily using iptables. I bought a test VPS to try and change those flood strings and attack my Dedi just to be sure if everything is now safe because I can't wait for him to attack every day.

Now the thing is, he uses multiple spoofed IPs in the attack. While my test tool can do it, it looks like some networking issues are not letting it happen. Let's say the target IP is target.com and it has to be attacked by attacker.com while test.com will be the IP that will be used for generating the attack from attacker.com to target.com.

Now I do see on the test.com machine using iftop that attacker.com is flooding target.com but no such attack appears entering the target.com machine. The script for the application flood is the same being used by the attacker and on asking the developer of the script, he says you have to directly be connected to the internet without a firewall/NAT/router.

I'm not good at networking so I'd like to ask how we can achieve it. Aren't the VPS machines already directly connected? If not, how can we get such a machine cheaply for testing?

Asad Moeen

1 Answer

2

It would make more sense to start throttling connections to your application, in my opinion. If iptables is an option, this provides the required information: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/

Oneiroi
  • Well actually I've researched a lot on the issue and I've already come to a perfect iptables solution in my case. But I just need some testing against it for which I need to generate a multiple IP Spoofed attack. – Asad Moeen Mar 19 '12 at 12:57
  • @AsadMoeen a scripting startup of multiple cloud instances may well be the way to go in this case, just ensure you have full legal sign off between yourself and your provider for carrying out the test to avoid any backlash. – Oneiroi Mar 22 '12 at 15:58
  • So you basically mean a network-level startup script before everything to do so? How should I do so? – Asad Moeen Mar 24 '12 at 07:01
  • @AsadMoeen I was more referring to the "spoofing" test, instead you could quickly spin up multiple attacker VMs and run your attacks, evaluate the results etc. – Oneiroi Mar 26 '12 at 11:25
  • Yes but how do you do that? Attacker is doing that with pretty much ease because he gets like new IPs every second and since 30 days now. – Asad Moeen Mar 27 '12 at 11:21
  • @AsadMoeen your attacker may be in control of or have access to a BotNet, or simply may be using readily available technologies (Chef, Puppet, etc.) to spin up small instances to carry out the attack, and immediately shut them down post completion, spin more, get new IPs, rinse and repeat for desired effect, there are numerable ways to achieve this sort of attack – Oneiroi Mar 28 '12 at 12:48
  • So could you make something that would use any Random IPs and flood the target with a given string on a given port? – Asad Moeen Mar 28 '12 at 17:39
  • @AsadMoeen yes _I_ could and no _I_ wouldn't attack anything without prior legal sign off from all relevant parties, and I would advise you on the same. – Oneiroi Jul 09 '12 at 20:26
  • And when you own both the "to" and "from" servers, legalization isn't a problem, right? – Asad Moeen Jul 10 '12 at 14:30
  • @AsadMoeen assuming you also own the network connecting them, I wouldn't have thought there to be an issue. – Oneiroi Jul 10 '12 at 15:46
  • Yes we have a test box and we'll try this on our internal network making the appropriate rules. I tried a hell of a lot of tools before this as well but they just leave the machine and never reach. – Asad Moeen Jul 10 '12 at 15:58
  • So what about it? – Asad Moeen Jul 13 '12 at 06:32