Discovery Discussion of Security. - Printable Version
Discovery Gaming Community (https://discoverygc.com/forums)
Thread: Discovery Discussion of Security. (/showthread.php?tid=29766)

Discovery Discussion of Security. - Skyelius - 11-13-2009
I came up with a few thoughts listening to comments about the aggressive attacks our servers are suffering, and perhaps everyone's grain of salt here can help make a change for the best.
First off in the discussion should be network security for our server. I went to visit a few friends of mine and I saw that the Procyon server uses a special feature (correct me if I'm wrong), "-proc.no-ip.org" in the shortcut connection tab, which I believe randomizes or rotates the server's IP. If this is indeed possible, then I believe it's a start.
As to hardware stuff, I really don't know much beyond a computer's basic functionality, so your ideas are very much welcome.
Remember to treat everyone who posts here with respect, and post your opinion if you believe it can contribute to anything.

Discovery Discussion of Security. - Alex. - 11-13-2009
Wrote: First off in the discussion should be network security for our server. I went to visit a few friends of mine and I saw that the Procyon server uses a special feature (correct me if I'm wrong), "-proc.no-ip.org" in the shortcut connection tab, which I believe randomizes or rotates the server's IP. If this is indeed possible, then I believe it's a start.
Third party... Can we trust it?

Discovery Discussion of Security. - TheMillers - 11-13-2009
Wrote: I came up with a few thoughts listening to comments about the aggressive attacks our servers are suffering, and perhaps everyone's grain of salt here can help make a change for the best.
Won't help in this case. Remember, the attack is not directed towards the actual machine, but the transport mechanism. So if such a system was used, the attack would just be directed towards the proc.no-ip.org site, and swamp that site's pipes, resulting in nobody being able to connect to that site to get the IP of the server.
Analogy time: Instead of targeting a specific car driving on the road, target the road itself, making it congested; traffic slows down or is stopped, so the real car cannot reach its destination. That's what a DDoS attack does in effect. With the analogy in mind, a DDoS attack puts "so many cars on the road, so traffic stalls or completely stops, thereby denying service to the drivers of the real cars."
The only effective means of defence against a DDoS attack is, again with the analogy in mind, to divert the non-real cars into a scrapyard at the entry point of the road - I.E. nullrouting aka blackholing the non-valid traffic at routers upstream, until the machines used to generate and transmit that traffic are effectively cordoned off from the routing used to reach the targeted IP. Given the nature of the Internet, that can involve many ISPs and lots of routers.
EDIT: Just checked no-ip.org. It's not a defence mechanism against anything. It's just a dynamic DNS provider just like Dyndns.com. All it does is make it easier for users that have dynamic IP addresses to provide a more permanent link to their machine. I.E: When their IP address changes, the proc.no-ip.org URL just resolves to the new address. Getting the IP address would just involve a ping, a DNS lookup, or a traceroute.

Discovery Discussion of Security. - Fletcher - 11-13-2009
None, every security has a flaw. The server is fine, and a DDoS is VERY hard to avoid due to the logistics involved in defending against it.

Discovery Discussion of Security. - Alex. - 11-13-2009
Fletcher, you're saying there IS a way to defend against it?

Discovery Discussion of Security. - Fletcher - 11-13-2009
Wrote: Fletcher, you're saying there IS a way to defend against it?
Yes, track the attacker first and hit them. That is the only thing I can think of. My class didn't really focus on a defence against a DDoS much, so I assume there isn't a solid one out there.

Discovery Discussion of Security. - Alex. - 11-13-2009
Found some info...
http://www.computerworld.com/s/article/94014/How_to_defend_against_DDoS_attacks Wrote: Black-holing or sinkholing: This approach blocks all traffic and diverts it to a black hole, where it is discarded. The downside is that all traffic is discarded -- both good and bad -- and the targeted business is taken off-line. Similarly, packet-filtering and rate-limiting measures simply shut everything down, denying access to legitimate users.

Discovery Discussion of Security. - Fletcher - 11-13-2009
Black holing is a no-no unless you're desperate. As it says, it drops both good and bad traffic. I'm sure we already have an intrusion detection system, we do in-game to a point, but I'm not the host here. I am more than certain that Majkp has the server set properly.
Over-provisioning I believe is an ISP thing, the server's ISP wasn't prepared if I read right, so that's not our fault. But that kind of hosting anywhere is expensive. You'd need donations constantly to keep that up.
As in the conclusion, business servers survive better on average compared to people hosting their own servers for free.
Discovery will never, ever be immune. Why? It's a game server run by a community, not a subscriber base like say Runescape or WoW. We either pay, or live with the cancer.

Discovery Discussion of Security. - Caelum - 11-13-2009
Quote: The only effective means of defence against a DDoS attack is, again with the analogy in mind, to divert the non-real cars into a scrapyard at the entry point of the road - I.E. nullrouting aka blackholing the non-valid traffic at routers upstream, until the machines used to generate and transmit that traffic are effectively cordoned off from the routing used to reach the targeted IP.
^What he said. That's not happening methinks; blame Zelot.
There's no way to protect against a (D)DoS, especially with a game server, other than having a good host. Nothing more than that can be done (easily) or needs to be done to the gameserver, really. For as far as I can see, anyway.

Discovery Discussion of Security. - Fletcher - 11-13-2009
I still stand by that sadly, DDoS is very very hard to defend against as a non-corporate server.
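
Added example (not part of the thread and not any poster's code): a small model of the two kinds of black-holing the posts above talk past each other about, dropping everything addressed to the server versus dropping only identified attack sources, and of why the filter has to sit upstream of the congested link. All addresses, rates and the link capacity are constructed assumptions, and the source filter is assumed to identify attack sources perfectly.

```python
# Constructed model: 100 players and 200 attack sources share one uplink.
LINK_CAPACITY = 1000      # packets/sec the server's uplink can carry (assumed)
PER_SOURCE_LIMIT = 10     # packets/sec allowed per source when rate limiting (assumed)

def build_traffic():
    """Offered packets/sec per source; documentation address ranges (RFC 5737)."""
    players = {f"192.0.2.{i}": 5 for i in range(1, 101)}       # 500 pps in total
    bots = {f"198.51.100.{i}": 200 for i in range(1, 201)}     # 40000 pps in total
    return players, bots

def congest(offered, capacity=LINK_CAPACITY):
    """A saturated link drops indiscriminately: every source keeps the same share."""
    total = sum(offered.values())
    scale = min(1.0, capacity / total) if total else 1.0
    return {src: pps * scale for src, pps in offered.items()}

def apply_policy(policy, offered, bots):
    if policy == "destination_blackhole":      # drop everything sent to the server
        return {}
    if policy == "source_blackhole":           # drop only the identified attack sources
        return {s: p for s, p in offered.items() if s not in bots}
    if policy == "per_source_rate_limit":
        return {s: min(p, PER_SOURCE_LIMIT) for s, p in offered.items()}
    return dict(offered)                       # "none"

def legit_fraction(policy, where):
    """Fraction of player traffic that reaches the game server."""
    players, bots = build_traffic()
    offered = {**players, **bots}
    if where == "upstream":                    # filter first, then cross the link
        delivered = congest(apply_policy(policy, offered, bots))
    else:                                      # "at_server": link saturates first
        delivered = apply_policy(policy, congest(offered), bots)
    got = sum(delivered.get(src, 0.0) for src in players)
    return round(got / sum(players.values()), 3)

if __name__ == "__main__":
    for policy in ("none", "destination_blackhole", "source_blackhole",
                   "per_source_rate_limit"):
        for where in ("upstream", "at_server"):
            print(f"{policy:24} {where:10} {legit_fraction(policy, where)}")
```

In this model a perfect source filter applied on the server itself leaves players no better off than no filter at all, because the uplink has already discarded most of their packets before the filter sees them.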