Identifying DDOS attack

As a gamer who competes in high-level gaming leagues, it's not uncommon to suffer a DDOS attack. Immature gamers, upon realizing they cannot win the game, will resort to any number of publicly available DDOS sites and launch a DDOS attack, disconnecting their opponent and securing the "win" for themselves.

I realize there's not much one can do at the home level to prevent or mitigate a DDOS attack. (If I'm wrong, please let me know). Given that, my question is more about identifying the attack. It's not real hard to see the effects of the attack. My connection lags, I get disconnected and my constant ping to the internet dies. It takes a good 30 minutes for my Internet connection to return.

What statistics should I be watching out for? Number of connections is the obvious one, but I wanted to make sure there aren't others to watch or even better ways of identifying the attack.

Thanks for any input!

the obvious one would be packets received per second, and/or bandwidth on the WAN. The Luci bandwidth charts should show a DDOS right away.

3 Likes

I am not a gamer, so with that said, perhaps paying for/using a VPN with DDoS protection may help.
Others more familiar with your scenario may provide a more helpful suggestion(s).

1 Like

@wadesworld, welcome to the community!

It depends on the type of attack. Since you're looking for it, you'll know soon.

1 Like

As a gamer who competes in high-level gaming leagues

Basic rule if you play at competitive level is to have a backup internet connection along with your main.
Not all tournaments are LAN based, some are played online. What can be worst than your single internet connection to start to act up (due to ISP not DDOS) due to an important game?

Sure a backup line is not perfect, there will still be a dowtime there but it's nothing compared to the alternative.

If you have cable internet well a 4G connection from your smartphone can act as backup.

1 Like

Those would not work for a "professional gamer" (maybe cable backup).

I do have some suggestions, I manage/consult 2K and other gamers that stream/get contracts/get drafted. :smiley:

People will probably disagree; but your use case is what I debate here:

  • Change your WAN input to DROP instead of REJECT
    • This will reduce the CPUs the routers takes to respond
  • Disable Ping (ICMP-Echo request)
    • While the rule has a limit in OpenWrt by default, you are against an adversary who in fact has money and resources - they could initiate from multiple IPs
    • This again would reduce CPUs
  • Ensure SYN flood and DROP INVALID are enabled
  • Make a rule that does not allow TTL <= number of routers to your gaming machine
  • You can create a rule to ensure you drop all TCP initial connections that so not begin with SYN

No, it's not. You shouldn't see any connections, as it's unsolicited traffic. Bandwidth on WAN (as @dlakelan noted) , yes.

It may behoove you to setup softflowd in the long-term and tun tcpdump when you experience the attack.

# in /etc/config/firewall

config rule
	option proto 'tcp'
	option name 'Block_In_Not_SYN'
	option src '*'
	option target 'DROP'
	option extra '! --syn -m conntrack --ctstate NEW'

config rule
	option name 'Block_FWD_Not_SYN'
	option proto 'tcp'
	option src '*'
	option dest '*'
	option target 'DROP'
	option extra '! --syn -m conntrack --ctstate NEW'
# in /etc/firewall.user
# you may need to install kmod-ipt-raw

iptables -t raw -A PREROUTING -m ttl --ttl-lt 7 -j DROP
6 Likes

Problem with DDos is that you as a user you cannot do much, problem must be solved upstream.
If for example you have a 100Mbps line, and 100 bots start flooding you with 1Mbps each, no matter what you configure on the router your bandwidth is all consumed. Therefore the attach must be mitigated before it reaches your router.
I don't know if your ISP can detect the anomalies and sanitize them, but using an alternative provider for that in a form of a vpn might kill your ping times.

1 Like

I appreciate all the discussion and suggestions.

There's two problems with a VPN:

It will add latency

They can still DDOS your VPN IP address. The advantage of course is then you'd be able to drop your VPN and reconnect without VPN, but as stated, the additional latency likely prevents this from being a solution.

Having a backup Internet connection is not something I'd considered and since I don't play at a professional level, I doubt I'd ever go to that expense but I can see how it might be useful for the pros.

Understood. Honestly I'm a bit reticent to contact my ISP. Their reply might be "Wait...you're the guy who is causing us to get so many DDOS attacks? We're sorry but we're going to have to terminate your service for the good of the rest of our customers."

The suggestion with a 4G connection was only made cause he/she might already have a smartphone and 4G. Ideea was to actually try to finish the game (try cause nothing will prevent them to get the new ip (that will probably not actually be the real ip cause usualy you are behind CGNAT) and happy DDOS it too) rather than not be able to play it at all and also to not really add costs (cause the traffic for 1 single game is usually not much).

Where I live I basicaly have only 1 single cable internet provider (that ignores issues with the electrical line resulting in the ISP ONT/managed switch located on the stairs of the flat going crazy 1 time / month and if it happens friday evening problem won't be fixed until monday and with the crazy packet loss you can't really do much usually even the pppoe link can't be negotiated or kept) and 4 4G providers and that's it. So basicaly if I want to have a backup my alternative is 4G and well I just prefer to share the internet from my smartphone when main is down/not usable.

While you can do some things there are things you can't do. Let's say you have a 1Gbps line. Looks like a good line that can take some flood and not care. But what you do with a botnet made of 50+k devices that will hit you? If each of them sends 1Mbps you are dealing with 50+k Mbps that is way way more than what your line can handle. Such DDOS might easily take out some of your ISP main nodes...

The problem with how they get the IP remains. As long as they can get the IP (even if you are behing CGNAT/VPN) they know what to DDOS and if they are motivated enough they will take it down.

In normal conditions the game publisher rents/owns the server and only the server knows your IP. Clients don't really have much of a reason to know the IP of the rest of the players and for security reasons they shouldn't know it.
If for whatever reason the game server is sending the IPs of each player to all the player than sorry to say it's not bad coding is plain awfull coding and such game should be avoided.
If it's a game where one of the players is the host well that player can dc you all and happy win the game and there is nothing you can do about and also there is no reason to DDOS someone, just blocking the ips in the firewall will do it.

1 Like

If your ISP cannot protect you from a bunch of spoiled kiddies, or their bandwidth is exhausted from an attack to just one customer, then I don't see the reason to stick with them.

Unfortunately, many games use a peer-to-peer networking architecture to reduce the latency of having route through a central server, so any player determined to disrupt another can usually find ways to discover the IP of other players in the match.

1 Like

A game developer that uses a peer-to-peer network model just doesn't care (in an obvious way) about player's experience while playing their game.
It make it just easy to gain unfair advantages and never get banned for what you are doing.

Some people just want to get first no matter how they do it. Such people will have no issue to abuse the peer-to-peer network model and you actually can't do anything. Sure you might be able to report that particular game. I will assume a positive case when they actually decide to monitor the rest of the players involved into that game. They notice that in the case of one particular player when he/she is not winning the ones better placed start to have network problems. You are sure about what he/she is doing but... you don't have any real evidences of what he/she is doing, he/she can just be extremely lucky (in the MOBA games I played I actually saw some extremely lucky players that supposed to stay in silver league at best and they were diamond, checked their games basicaly they had a crazy luck, with such luck I would be master despite the fact that I lack the skills (I'd rather stay Iron and have fun in my games than be Master and feel totaly useless game after game)). What they gonna do? They gonna ban him/her cause when he/she is not first the ones placed above him start to have network problems? He/she is gonna contest the ban. If it's not lifted either he/she is gonna do it again, even more angry than before or alternative cry spam about the unfair ban.
Let's say that player is perma banned and it's a final decision. What's gonna stop him/her to do it again? What's gonna stop others to do the same? It's basicaly a game design that allows it... Until the code will be fixed it will happen over and over...

In some cases they will just do nothing with players that spend a lot in their game no matter what that player does. More than 10 years ago I reported a cheater in a game. That guy was spending a lot of moneys in that game, I wasn't. I was the one perma banned not the cheater... (I assume that the fact that I was skilled enough to handle the cheater was the reason I was perma banned, I was disrupting the cheater gaming experience, the cheater was unhappy cause he was hidding in the walls and shooting at me and was failing to kill me (he wasn't doing enough damage to deal with my healing, he supposed to come melee range to stop my healing but well we was busy hidding in the walls..)...) Ofc game collapsed and ended up cheater vs cheater. Yes I contested the ban, they never told me what I actually did to get perma banned. I left that game. Yes I checked the rankings for the next 6 months, the cheater stayed in top 10, he wasn't banned cause if he was banned he would had been removed from rankings.

Legal aspects.. Sure you can try this way. But.. if none of the compromised devices used in the DDOS attack is located in your country things will become complicated. Depends a lot where you live. Where I live they won't really do much (they might not even understand what I'm reporting).

It my look harsh what I wrote/will write but I have to write it. You might like the game, spent a lot of hours, spent a lot of money. But a game where anyone that just want to win no matter what can just get your IP and DDOS just doesn't deserve you.

Sorry for writing something not really related to OpenWRT.