(D)DoS protection

A couple of friends are running Twitch streams, and are experiencing problems with kids DDoSing them. How they got their IPs, I am not sure, but I'm guessing it's from Skype.

 

My question is: What measures can they take to protect themselves from kids like these? We assume it's some sort of pay-per-minute DDoS, because they're only effective for a short period of time (a few minutes) before they come online, then repeat.

Sorry if this is in the wrong subforum, I just thought it's more relevant to hacking than news or whatever.

I'm assuming that they're using layer 4 DoS to attack your network, not layer 7 to attack Twitch... If I were you, the next time they start shooting packets at you, start recording network activity with Wireshark and set up a simple firewall to block the IPs.

Wireshark is not going to pick up those packets because they will be stopped at the router. Even if you do block the IPs it will not matter. They are flooding your connection with most likely UDP packets and taking up all your bandwidth. You could try contacting your ISP and asking them to do something, but they more than likely won't know what to do.

I would suggest using a VPN (probably not going to help much though) or purchasing a VPS from a company that has a server in a data center that says they have DDoS protection. You could try BuyVM or Santrex.

http://buyvm.net

http://www.santrex.net/ddos-linux.php

I am having this problem too. This kid uses a booter on me and thinks he's some hacker. He gains my IP through Skype. Is there really nothing I can do to mitigate these attacks?

 

My ISP won't do anything. 

I'll admit, I've done it in the past to people who threatened my mc server.... In fact, I might even know which booter he's using. Typically, the booters will max at like 20sec, and well, really not much you can do unfortunately, other than maybe come up with a really good sob story for 4chan.

Don't use Skype. You can pay them for user IPs. Just use TeamSpeak. You can buy a server or rent one off them and you will be much more secure. And tell your friends to buy a VPS as well so that it might help. These are what most Twitch streamers use to stop DDoS attacks, and it's the simplest.

Would there be any way for someone outside to run an intervention of sorts? I've seen this type of stuff for longer periods of time in Cry and Friends live stream, and would like to find some way to return fire or the like.

http://blog.unixy.net/2010/08/the-penultimate-guide-to-stopping-a-ddos-attack-a-new-approach/

That's actually quite interesting. This could probably be implemented by almost anyone quite easily. Although I don't think the OP is looking to protect his website from a DDoS attack. He wants to protect his own connection which he is streaming from, so a VPS/VPN could work.

Ok, first of all, there is no such thing as a "pay per minute" DDoS. To clear things up, let me explain how DDoSing works. DDoSing is the action of sending large amounts of packets to an IP address, usually with the intent to disable anything on that IP (Skype, Xbox Live, etc.) With enough power, you can shut down entire websites by DDoSing. The only really effective way to protect yourself from DDoS attacks is to get an expensive, high-end router. These come with built-in protection and should not be able to be bypassed by a couple of kids with LOIC.

I am a newbie here, and please no one tear me a new for suggesting this (all in theory) but is there any way you can turn build into some sort of server that traffic could be routed through and analyzed?

What type of DDoS attack is it? Maybe try setting up a HoneyPot?

It's either LOINC or something IPv6 based. Most likely LOINC.

 

Hey Lads,

Shouldn't you be able to see which IPs are sending you huge packets and then block them via your router's management page (when you enter your IP to the address bar)?

Here's a guide on setting up a separate PC as a firewall for a relatively low price, or even free if you've got an old computer lying around. Guide here.

@R3alityzzzzz 

If it's some stupid fucking booter or other layer 4 attack then yeah it should be pretty straightforward - like ArkaneCow mentioned above - to just identify and manually block the IPs since you can't really launch layer 4 attacks through a proxy. I'm not sure what RyanC is getting at about Wireshark not detecting layer 4 attack packets...

If it's a layer 7 try changing the default packet timeout on your router from 400ms to 1ms...

Kids these days... everybody thinks they are a "1337 hax0r" now when they install LOIC. It is simple, install Wireshark, watch the Wireshark screen until you see a spike in packets, record those IP addresses then block them. The attack packets should show up. Also, use a dedicated voice server such as Teamspeak or Mumble. 

Wireshark will show all packets coming in through an active interface. However, blocking the IP addresses will not solve the problem if it is a UDP flood. With a fairly hefty DDoS attack the entire pipe coming into your server will be overflowing. So much so that even blocking the IP addresses will not do anything. If you have a 100Mbit pipe and someone else has a 1000Mbit pipe and the guy with the 1000Mbit pipe uses their entire connection to flood yours, there is absolutely nothing you can do. Even with the most bad ass hardware firewall it will not make any difference due to the amount of traffic coming into your pipe.

LOIC works a little differently. LOIC will pull all the content off a website which will usually bring the web server to its knees if enough people are doing it at the same time. It's exactly like hitting F5 on a website; except millions of times. You can even take a look at the code. It's on sourceforge. http://sourceforge.net/projects/loic/

Since you're talking about Twitch.tv streamers being DDoS'd they probably do not have a connection better than 50/50, and a decent sized DDoS attack is at least 2Gbit. You're basically screwed unless you pay for a VPS/VPN/Dedicated server that has DDoS protection (hardware firewall + big pipe) which can take a massive hit like that and filter the packets so you don't even see the attack on your end.

This video explains a lot:

https://www.youtube.com/watch?v=1EAnjZqXK9E

What I meant to say in my second post was that if it's a UDP flood DDoS attack and no ports are opened on the router you will not see any of that traffic with Wireshark. If a port is open and being forwarded to another machine on the network and they are flooding that port you will be able to see the attack with Wireshark. Assuming it's a plastic router it will probably croak, overheat, and die before you see half the attack.
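Added example, not written by any poster in this thread: a sketch of the triage argued over above, telling apart a flood that local IP blocking can handle from one that has already filled the link and needs upstream filtering. The 50 Mbit link, the thresholds, the `assess` and `constructed_flows` names and all flow records are assumptions constructed for illustration.

```python
from collections import defaultdict

LINK_MBIT = 50      # assumption: the streamer's downstream capacity
SATURATION = 0.9    # a capture can never show more than the link carries,
                    # so sustained use near 100% is the saturation signal
HEAVY_SHARE = 0.10  # a source with >= 10% of inbound bytes is a "heavy talker"

def assess(flows, link_mbit=LINK_MBIT):
    """flows: (second, src_ip, byte_count) tuples seen on the WAN interface."""
    per_second, per_source = defaultdict(int), defaultdict(int)
    for second, src, nbytes in flows:
        per_second[second] += nbytes
        per_source[src] += nbytes
    if not per_second:
        return {"peak_mbit": 0.0, "verdict": "idle", "heavy": []}
    peak_mbit = max(per_second.values()) * 8 / 1_000_000
    total = sum(per_source.values())
    heavy = sorted(ip for ip, b in per_source.items() if b / total >= HEAVY_SHARE)
    # Saturated link: packets have already used the bandwidth before any
    # local rule drops them, so filtering has to happen upstream.
    verdict = "upstream" if peak_mbit >= link_mbit * SATURATION else "local-block"
    return {"peak_mbit": peak_mbit, "verdict": verdict, "heavy": heavy}

def constructed_flows(sources, bytes_per_second, seconds=3):
    """Constructed sample data using documentation address ranges."""
    flows = [(s, f"198.51.100.{i}", bytes_per_second)
             for s in range(seconds) for i in range(1, sources + 1)]
    # One legitimate low-volume peer alongside the flood sources.
    flows += [(s, "203.0.113.10", 20_000) for s in range(seconds)]
    return flows

if __name__ == "__main__":
    print(assess(constructed_flows(3, 500_000)))    # few sources, about 12 Mbit/s
    print(assess(constructed_flows(40, 150_000)))   # many sources, about 48 Mbit/s
```

In the second constructed case no single source reaches the heavy-talker share even though the link is full, which is why a per-IP block list does not help there.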

Agreed, Skype is bullshit. I have not used it in two years because it sucks. Google+ and TeamSpeak are much better.

buyvm.net looks nice. Thanks for sharing.