DDoS protection

It’d take more than one Sponge to soak all of that up.


A layer 7 attack would be attacking the application by sending packets crafted for the application specifically; in the case of Minecraft, sending thousands of Minecraft ping/query packets or join packets. So a layer 7 attack is doable. The issue with blocking using iptables/pf is that it only prevents the traffic from reaching the application; it still consumes bandwidth (albeit a bit less, because the server isn’t replying back now), which is what I assume billytheDOLPHIN means when he says “mitigate the attack”. All in all, the only way to prevent a DDoS from taking you down is to have more bandwidth than the attack can saturate. Meaning: if you have a home-based server, don’t advertise yourself and make yourself vulnerable to attack; if you have a commercially hosted solution, then just hope the attacker doesn’t have a zombie network with more bandwidth than you. Commercial solutions sometimes do offer automated DDoS protection, which basically just detects the attack and then blocks the addresses the attack is coming from, reducing the bandwidth consumed but not stopping the attack entirely.

I’m not too familiar with the nitty gritty of DDoS types, but does layer X imply what layer of the OSI model it pertains to? Or a layer of a protocol, etc? Judging that layer 7 is Application layer and 4 is Transport layer, it definitely seems to fit so far.

I just simplified what it did, bud. I didn’t copy and paste from Google. Plus, your “specifically crafted packets” do exactly that: they open hundreds of browser tabs, which Cloudflare-protected websites protect against. Also, there are only 3 effective layer 7 DDoS types: RUDY, Slowloris, and ARME.

Yeah, the layer corresponds to the OSI model. So a layer 2 attack would be something like an ARP flood (which is layer 3 but affects things at layer 2), causing switches to run out of ARP table room and revert to hub mode, causing collisions and broadcast of traffic, which can cause the network to stall or allow an attacker to sniff sensitive traffic. A layer 4 attack would be a SYN flood that uses TCP to attempt to exhaust resources/connections. There are many other types of attacks, and probably far more than I’m familiar with, since it has been a while since I’ve been in the Cisco academy.

I meant no disrespect. I didn’t disagree with what you were saying, and I’m glad someone else is posting useful information to help people be better informed with security. I merely wanted to point out that Minecraft isn’t immune to layer 7 attacks just because it’s not a browser. I apologize if I sounded rude; I did not intend that at all.

I think I get what you mean by layer 7, meaning they affect specific applications. While @billytheDOLPHIN is referring to ones specific to browsers, I think I’ve also seen a layer 7 DDoS against my Minecraft server, which seemed to involve a ton of players connecting and then disconnecting. So if Sponge is to attempt any mitigation of DDoS attacks, presumably they’d need to be layer 7 attacks.


Sorry Fluffy, that isn’t how it works; in fact that isn’t a DDoS at all, that is just players joining and leaving. Minecraft can’t be attacked by a layer 7 attack. <-- @antiroot

If someone would like to test this with me later today when I get home, you can add me on Skype and I can set up some test servers to hit with some ARME attacks. I have 3 Gigabit/s total bandwidth on my spoofing servers.

skype: billythedolphin

I could be mistaken, of course, but it’d make more sense to me that any application that accepts data externally is subject to a layer 7 flood attack, as layer 7 implies application, not browser. So even if it isn’t players joining and leaving massively, then I suspect there’s still other parts of the application it can attack, like querying the MC server, or maybe just sending disconnect packets instead of join packets.

DoS is a hard attack to prevent. This attack makes it impossible for real users to establish a connection to the server. There really isn’t much that can be done from a software point of view; this is mostly done on the network side, by either changing the IP address of the server or simultaneously blocking every IP that sends the packets creating the issue.

Often most network administrators will either have a way of blocking most, if not all, IPs that are cluttering up the network, or give up on the IP address the ISP has assigned to them and have it changed.

It’s common for high-quality server hosts to have a team dedicated to preventing such an issue, and in some cases hosts will either offer the service at an extra premium or include it as part of your hosting with them.

Some people also opt for a server dedicated to preventing DoS attacks. These servers often act like proxies between the server and the client, thus the client never truly connects to the server, allowing the DoS’ed IP address to quickly be changed; often these are implemented with DDNS (Dynamic Domain Name Service) so that the DDoS can quickly be responded to and circumvented. Most methods I’ve listed above are common practice on the network administrative level and should not be considered a professional opinion.

At the end of the day it is up to you to decide what is best based upon your network / server setup.

If a server has a player limit of, say, 100, and someone writes a program that mimics the behavior of a player joining and sending keep-alive packets that are identical to how the Minecraft client connects to the server, then when the attacker runs the program 100 times with random usernames/IDs, the server believes 100 players are connected and refuses connections to legitimate users. This is an attack that would be directly affecting Minecraft and not something like bandwidth, ARP tables, NIC buffer space, etc. Technically this example isn’t a distributed attack, because it could originate from a single source, but regardless it still denies service to other users.


In my case, I think plugins also add to the service disruption, since loading player data in massive amounts like that tends to cause a bit of lag as well. Minor note at any rate. Not to mention loading chunk data for the location of the player logging in. It seems that the flood on my server was all from one IP, so not distributed I suppose. And I’m not entirely sure, but it seems like someone may need access to all those accounts in order for them to log in? So someone phishing, then including the details in a script. The flood on my server was actually logging players in fully instead of just sending connect packets.

This attack is usually prevented by plugins. NCP (inactive due to DMCA) has a method that says if a player from the same IP address attempts too many logins at once, it prevents that login request from being processed. This can be gotten around if an attacker has 100 legit Minecraft user accounts. However, an attack of this scale is not often seen because it directly costs the troublemaker. Most hackers like stuff free (hence why we hack).

If the server is in offline mode then no access is needed to real accounts, but in online mode, yes, the attacker would need to be able to authenticate the accounts before the server actually accepted them and allowed them to “join”.

Ah, guess that makes sense. It was an online server, so I guess it was someone also phishing for account details from players. Have a good idea of who it was as well since I reported him for selling hijacked accounts earlier. XD

I wasn’t saying it was practical at all, just trying to explain that Minecraft can in fact be hit by a layer 7 attack. I do think a plugin that does that sort of job would be great; however, it doesn’t need to be part of the core server in my opinion.


Would be something worth mentioning for GriefPrevention. That’s generally my go to plugin as NCP and such seem to cause more issues than it solves that past few times I’ve used it.


I agree 100%. The core is the framework by which the server is managed; the plugins are what manage issues as trivial as this.

It’s all about configuration. There are good and bad parts to NCP, and proper configuration can help to manage those. However, it will be interesting to see whether the developer “asofold” continues the plugin for Sponge or not.
