DDoS hitting just the teamspeak, and not the whole server

Cynical

Member
Mar 22, 2017
18
1
41
Hey guys,
So I have relatively decent DDoS protection built on my Teamspeak 3 server, but today we got hit pretty hard by a DDoS attack that has been taking us down 10 minutes at a time. I am noticing, however, that the server itself is perfectly fine and intact. In fact, my VPS isn't eating any bandwidth at all as it normally would from a regular DDoS attack.
So, what is this attack and is there any way to prevent it? I can't tell if this is just a regular attack, but this seems to me to be something completely different since my server is seemingly online and functioning fine.
 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,844
2
2,197
327
> Hey guys,
> So I have relatively decent DDoS protection built on my Teamspeak 3 server, but today we got hit pretty hard by a DDoS attack that has been taking us down 10 minutes at a time. I am noticing, however, that the server itself is perfectly fine and intact. In fact, my VPS isn't eating any bandwidth at all as it normally would from a regular DDoS attack.
> So, what is this attack and is there any way to prevent it? I can't tell if this is just a regular attack, but this seems to me to be something completely different since my server is seemingly online and functioning fine.
Can you get us some information? A good start is providing us with a TCPDUMP perhaps?

For some help on collecting a TCPDUMP check below:
http://souptonuts.sourceforge.net/tcpdump_tutorial.html

We need to be able to see what type of attack this is. ;)

If you are not familiar with TCPDUMP, here is some other helpful info:
https://www.wireshark.org/docs/wsug_html_chunked/AppToolstcpdump.html

Tcpdump is a command line packet sniffer. A packet sniffer is software that captures the incoming and outgoing traffic over a network. Tcpdump runs on all Unix/Linux operating systems and it uses the libpcap library to capture network traffic. Installing tcpdump on Ubuntu is very easy. You can install it by running a simple command in the terminal.

apt-get install tcpdump

It can also be used to debug the network setup. Mostly, tcpdump and Wireshark are used together: network administrators capture the packets via tcpdump and then use Wireshark to view/analyze these captured packets. The “tcpdump -w” parameter is used to write the output of tcpdump to a file. Here is a list of the most commonly used tcpdump commands.

  • “tcpdump -i eth0” is used to capture the udp traffic on eth0.
  • “tcpdump port test” is used to capture traffic at the specified port (specify the port in place of ‘test’).
  • “tcpdump -c n” is used to stop capture after ‘n’ packets. Where ‘n’ could be any integer value.
  • “tcpdump -d any” is used to see traffic at all ports/interfaces.
  • “tcpdump -v” is used to display the verbose output.
Further you can explore more about tcpdump by using “man tcpdump” command on your Ubuntu terminal. Enjoy!
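Added example, written for this thread and not code from any of the posters or from the linked tutorials: a small POSIX shell helper that (a) builds the tcpdump command line for capturing only the TeamSpeak voice port to a pcap file while the attack is in progress, so the capture is not drowned in unrelated traffic, and (b) summarizes `tcpdump -nn` text output by source address, which is the first thing to look at when deciding whether the flood comes from a handful of abusive clients or from many spoofed sources. It assumes TeamSpeak 3's default voice port, UDP 9987, and a capture interface named eth0 (both overridable through the environment); the sample lines at the bottom are constructed to have the same shape as tcpdump's own output and are not a real capture.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: TeamSpeak 3 default
# voice port UDP 9987 and capture interface eth0 (override via environment).
TS_PORT="${TS_PORT:-9987}"
IFACE="${IFACE:-eth0}"

# build_capture_cmd OUTFILE COUNT
# Prints the tcpdump command to run while the attack is in progress.
#   -nn     no DNS/port name lookups (lookups stall under load)
#   -s 128  capture headers only; enough to classify a flood, keeps files small
#   -c N    stop by itself after N packets
#   -w      write raw pcap so Wireshark can open it later
# The BPF filter restricts the capture to the voice port, which is what is
# being hit here, rather than everything on the box.
build_capture_cmd() {
  printf 'tcpdump -i %s -nn -s 128 -c %s -w %s udp port %s\n' \
    "$IFACE" "$2" "$1" "$TS_PORT"
}

# top_sources [N]
# Reads `tcpdump -nn` text lines on stdin (e.g. from `tcpdump -nn -r attack.pcap`)
# and prints the N busiest source IPv4 addresses as "<packets> <ip>".
# Only IPv4 lines ("IP") are counted; tcpdump prints IPv6 as "IP6" with a
# different address layout, which this helper deliberately ignores.
top_sources() {
  awk '$2 == "IP" {
         src = $3                  # e.g. 203.0.113.5.40000
         sub(/\.[0-9]+$/, "", src) # strip the trailing .port
         count[src]++
       }
       END { for (s in count) print count[s], s }' \
  | sort -rn | head -n "${1:-5}"
}

# Constructed sample in tcpdump -nn format (not a real capture):
# one address sends most of the packets, two others send a little.
sample_lines() {
  cat <<'EOF'
12:00:01.000001 IP 203.0.113.5.40000 > 198.51.100.10.9987: UDP, length 1400
12:00:01.000002 IP 203.0.113.5.40000 > 198.51.100.10.9987: UDP, length 1400
12:00:01.000003 IP 203.0.113.5.40000 > 198.51.100.10.9987: UDP, length 1400
12:00:01.000004 IP 203.0.113.5.40000 > 198.51.100.10.9987: UDP, length 1400
12:00:01.000005 IP 203.0.113.17.51000 > 198.51.100.10.9987: UDP, length 92
12:00:01.000006 IP 203.0.113.17.51000 > 198.51.100.10.9987: UDP, length 92
12:00:01.000007 IP 203.0.113.99.12345 > 198.51.100.10.9987: UDP, length 60
EOF
}

# Demo: show the capture command, then summarize the constructed sample.
build_capture_cmd attack.pcap 5000
sample_lines | top_sources 3
```

Run the printed command as root during the attack, then feed `tcpdump -nn -r attack.pcap | top_sources 10` into the summarizer. A short list of addresses with very high counts points at a few clients that can be filtered at the host; thousands of distinct sources with one or two packets each is the signature of a spoofed or reflected flood that has to be absorbed upstream, which is the distinction the later replies in this thread are getting at.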
 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,844
2
2,197
327
One last thing:
Keep in mind that we need this TCPDUMP while the attack is happening otherwise you may be capturing all clean traffic.
 

Cynical

Member
Mar 22, 2017
18
1
41
> Can you get us some information? A good start is providing us with a TCPDUMP perhaps?
>
> For some help on collecting a TCPDUMP check below:
> http://souptonuts.sourceforge.net/tcpdump_tutorial.html
>
> We need to be able to see what type of attack this is. ;)
>
> If you are not familiar with TCPDUMP, here is some other helpful info:
> https://www.wireshark.org/docs/wsug_html_chunked/AppToolstcpdump.html

Awesome, this is exactly what I was looking for, thank you! I will be sure to go through all this and run it when the next attack comes, updates to come.
 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,844
2
2,197
327
I will look for a response and will check the capture once you are able to capture it and upload it somewhere --- hopefully the a-holes leave ya alone though. If you have any questions about TCPDUMP or anything related, feel free to ask here. :D
 

amsaal

VIP
Jul 28, 2015
273
102
122
Yes, this will help to block the attack if it happens again. I mean it won't be repeated. My suggestion is to get ahead of this, like getting some better protection, so you do not have to work this way every time, you get what I mean? I mean, if the attack type and length are different from the previous one, it is a hassle to do it again and block it using iptables/netfilter. Better to buy OVH Game or Zare. These both have large pipelines and they can protect you. OVH Game for sure can do it. Zare is affordable and won't go down too easily like you have right now.

Good Luck
 