
DDoS Protection for home based servers


Wagonbomb


I'm looking to compile a method to protect Ark servers running out of any home based network using services that are now available where a protected frontend IP is used and passes traffic from the backend Ark server. So far I've been able to get my server working to a point where I see it on the Steam server list but when I try to join it I get "Unable to query server info".

I've ruled out firewall being the issue already through a number of tests, and it's not port forwarding since I can see the server on Steam, so the port pass-through works. I've wondered if there's an entry in the Ark server ini's I'd have to define the frontend IP address on, but haven't been able to get any clarification on this so far.

Does anyone have input that might help find this missing piece? This process could help many communities stave off trolls.


  • 2 weeks later...

@Wagonbomb You will more than likely need to join your own server with the local LAN ip address of the machine that the servers are running on. Players outside of your network will need the external IP to connect. Most home routers don't support the kind of routing that you would need in order to connect to your own external IP.

If you need someone to help test, please PM me. I'd be more than happy to help!

Don't run UPnP or OPEN NAT on your home based server. Open the required ports and either honeypot or send the common DDoS ports to nowhere (0.0.0.0 or some fake IP. NOT 127.0.0.1).

Common ports for DDoS
... 22
... 3389
... 21
... 443
... 80
... 587
... and block external ICMP / ping requests.

Some newer "game spec" routers support a DDoS prevention which will automatically blacklist any external IP addresses oversaturating the network. My ASUS R66T (or whatever it's called) has this. I'd stay away from NETGEAR and DLINK routers for home, they just aren't spec'd high enough.


On 2/10/2019 at 3:17 PM, ScottZ said:

Don't run UPnP or OPEN NAT on your home based server. Open the required ports and either honeypot or send the common DDoS ports to nowhere (0.0.0.0 or some fake IP. NOT 127.0.0.1).

Common ports for DDoS
... 22
... 3389
... 21
... 443
... 80
... 587
... and block external ICMP / ping requests.

Some newer "game spec" routers support a DDoS prevention which will automatically blacklist any external IP addresses oversaturating the network. My ASUS R66T (or whatever it's called) has this. I'd stay away from NETGEAR and DLINK routers for home, they just aren't spec'd high enough.

If it were that simple, companies would just use some Asus R66T router for their datacenters to stop DDoS attacks on multi-million dollar corporations as well. Instead they either spend tens of thousands of dollars on internal infrastructure to handle it or spend a bit less to route their traffic through a service that does that for them.

The original attack was 23 gigabit from over 15 different countries. An obvious botnet rental. I'm not looking for a trivial feature to stop some kid trying to use the LOIC. This is for real network protection against a bit more sophisticated of an attack. 

All I need to do is figure out what the missing link is between the "query info" from client to server and this whole thing will work. Like I said, the server already shows up on Steam server lists but you can't connect to it because of something not passing properly. I'm going to guess it has to do with the data required over the query port to establish the connection (at least I'd hope that's it because that's what the error says) 

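One way to test the guess in the post above about the query port, as an added example that is not part of any post in this thread: send the standard Steam server-browser query (Valve's A2S_INFO) to the backend's LAN IP and to the protected frontend IP, and compare the replies. It assumes the Ark server answers A2S_INFO on its Steam query port; the host and port passed to `probe` are whatever your own setup uses.

```python
import socket
import struct

HEADER = b"\xff\xff\xff\xff"
A2S_INFO = HEADER + b"TSource Engine Query\x00"

def build_request(challenge: bytes = b"") -> bytes:
    # Servers that answer with a challenge expect it appended to a resent query.
    return A2S_INFO + challenge

def _cstr(buf: bytes, pos: int):
    end = buf.index(b"\x00", pos)           # ValueError if the string is truncated
    return buf[pos:end].decode("utf-8", "replace"), end + 1

def parse_reply(pkt: bytes) -> dict:
    if len(pkt) < 5 or not pkt.startswith(HEADER):
        return {"kind": "invalid"}
    if pkt[4:5] == b"A" and len(pkt) >= 9:  # S2C_CHALLENGE: 4-byte challenge follows
        return {"kind": "challenge", "challenge": pkt[5:9]}
    if pkt[4:5] == b"I":                    # A2S_INFO reply
        try:
            pos = 6                         # skip the type byte and protocol byte
            name, pos = _cstr(pkt, pos)
            map_name, pos = _cstr(pkt, pos)
            _folder, pos = _cstr(pkt, pos)
            _game, pos = _cstr(pkt, pos)
            _app_id, players, max_players = struct.unpack_from("<HBB", pkt, pos)
        except (ValueError, struct.error):
            return {"kind": "invalid"}
        return {"kind": "info", "name": name, "map": map_name,
                "players": players, "max_players": max_players}
    return {"kind": "invalid"}

def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        challenge = b""
        for _ in range(2):                  # initial query, then one challenge retry
            try:
                sock.sendto(build_request(challenge), (host, port))
                reply = parse_reply(sock.recvfrom(1400)[0])
            except OSError:                 # timeout or unreachable: no query reply came back
                return {"kind": "no_reply"}
            if reply["kind"] != "challenge":
                return reply
            challenge = reply["challenge"]
    return {"kind": "invalid"}
```

If `probe` returns `info` for the LAN address but `no_reply` for the frontend address on the same query port, the UDP query traffic or its reply is being lost at the proxy rather than at the game server.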

Absolutely. I had to build my own PC and make my own firewall (using Linux IP TABLES) to keep up with traffic demand (when I was DDoS'd). The problem is it usually kills the CPU instances. I am just providing some back home remedies to help keep people off the list of bots/hackers trying to ruin someone's life. It took a 4 core 4.0 GHz (x86/x64, not ARM) machine for me to keep up with the traffic requests, but it worked.


2 hours ago, ScottZ said:

Absolutely. I had to build my own PC and make my own firewall (using Linux IP TABLES) to keep up with traffic demand (when I was DDoS'd). The problem is it usually kills the CPU instances. I am just providing some back home remedies to help keep people off the list of bots/hackers trying to ruin someone's life. It took a 4 core 4.0 GHz (x86/x64, not ARM) machine for me to keep up with the traffic requests, but it worked.

I've got a quad core i7 to spare. If it worked, it would be worth it to dump it into that. Shoot me a PM if you're interested in going into detail about this. I've got a few questions plus more info about what I'm attempting to mitigate.


Sorry for breaking some news here, but (D)DoS can be caused even more simply by one machine, with less traffic than you'd suspect, just by keeping the Ark server busy. It's not just about flooding. What @ScottZ was listing is 'common ports'. Usually it's just opening only the ports needed - and even that is not a way to keep it safe as DDoS protection happens at the ISP layer so the path to your host isn't blocked...


On 2/13/2019 at 4:18 AM, ToeiRei said:

Sorry for breaking some news here, but (D)DoS can be caused even more simply by one machine, with less traffic than you'd suspect, just by keeping the Ark server busy. It's not just about flooding. What @ScottZ was listing is 'common ports'. Usually it's just opening only the ports needed - and even that is not a way to keep it safe as DDoS protection happens at the ISP layer so the path to your host isn't blocked...

Sorry for breaking some more news but I was able to determine what I already stated in one of my earlier comments. So I guess that's not really "news" then is it, you just didn't read.

The original DDoS attack was 23 Gigabits of traffic from over 15 different countries.

A simple router trick does not fix that. Please don't waste my time with condescending remarks when you didn't even bother to read the thread. DDoS protection does not happen at the ISP level because currently there is no ISP that provides any sort of DDoS protection for their clients residentially. Plainly put, they don't care if you're getting attacked because all their contract entails is providing you a circuit to connect to the internet. Nothing more. 


Here's something interesting. So far other game servers I run allow players to connect just fine using my protected IP while Ark does not respond to connection attempts. The provider is handling the reverse proxy so traffic technically should be passing through just fine.  

The Ark server is clearly doing something different when communicating with the client... I contacted Wildcard support, waited the 1-2 weeks for reply, and they simply shrugged their shoulders.. A+

I'm surprised there's not more interest in this topic considering how easy it is to rent a botnet these days. 


Not a lot you can do if somebody is determined to take down your Internet. Only once did I manage to work with the FBI to track down an idiot who was using University Computers to ddos, and that was being done on camera in the library. He set up a program on each machine that would run in the background and would serve as his barrage. This was back when I was into TF2/HL2DM. Don't drop the soap lmao. For some reason the Fems got the idea of 1 in 5. Must have been reading the male prison stats. Did it just get dark in here?

Nowadays, ah good luck.


On 2/15/2019 at 1:00 PM, Sphere said:

Not a lot you can do if somebody is determined to take down your Internet. Only once did I manage to work with the FBI to track down an idiot who was using University Computers to ddos, and that was being done on camera in the library. He set up a program on each machine that would run in the background and would serve as his barrage. This was back when I was into TF2/HL2DM. Don't drop the soap lmao. For some reason the Fems got the idea of 1 in 5. Must have been reading the male prison stats. Did it just get dark in here?

Nowadays, ah good luck.

That's no longer the case. What I've been trying to explain in my last number of replies is that I have a known-good, working solution. This solution would protect servers from DDoS attacks, nullifying them completely.

This DDoS protection works for other games but not ARK. If only WildCard would actually try to take a look at this and provide a reason as to why their game is a special case, that would be helpful. Instead it feels more like they take every opportunity they can to ignore things unless it causes catastrophic damage to the Official servers. Screw everyone else, right?


Archived

This topic is now archived and is closed to further replies.
