  1. #1
    Join Date
    January 2015
    Posts
    5

    DDoS on TS3 server application layer

    0000 54 53 33 49 4e 49 54 31 00 65 00 00 88 02 fd 66 TS3INIT1.e.....f
    0010 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0020 00 00 ..

    That's the packet currently used to bring my server to its knees. It becomes fully unresponsive, and takes down every virtual server along with it.

    Total bandwidth is about 16 Mbit, 30k pps.

    The server will receive a ton of these, and respond to it as well.

    Not sure what to do :/

  2. #2
    Join Date
    December 2004
    Location
    RF
    Posts
    3,002
    Filter out the attacker…

  3. #3
    Join Date
    January 2015
    Posts
    5
    I'm not that stupid, if this was from a single IP it was an easy fix.

    This is from a spoofed network, new IP per connection.

  4. #4
    Join Date
    December 2004
    Location
    RF
    Posts
    3,002
    Then move server to a different port.

  5. #5
    Join Date
    January 2015
    Posts
    5
    I run a server with 200 active users, all day.

    It would allow me maybe an hour uptime.

    I am looking for a solution, if you don't have it stop replying.

  6. #6
    Join Date
    December 2004
    Location
    RF
    Posts
    3,002
    You know, if you would have set up your server right from the start, changing port (or even moving server to a different address) wouldn't require any downtime at all.
    Embrace the power of SRV records.

  7. #7
    Join Date
    January 2015
    Posts
    5
    Quote Originally Posted by ANR Daemon View Post
    You know, if you would have set up your server right from the start, changing port (or even moving server to a different address) wouldn't require any downtime at all.
    Embrace the power of SRV records.
    Yeah no, once you connect, people can see connection info when hovering over the name at the top, or for the slightly more experienced skiddies, use Wireshark to sniff the packets. Fail.

  8. #8
    Join Date
    December 2004
    Location
    RF
    Posts
    3,002
    Quote Originally Posted by CallMeGamer View Post
    Yeah no, once you connect, people can see connection info when hovering over the name at the top, or for the slightly more experienced skiddies, use Wireshark to sniff the packets. Fail.
    What are you blabbering about?

  9. #9
    Join Date
    January 2010
    Location
    Germany
    Posts
    27
    SRV records don't help because whoever is running the attack can also retrieve these. Just keeps you from having to tell clients about new server port changes, but doesn't help AT ALL with regards to being attacked.

  10. #10
    Join Date
    December 2004
    Location
    RF
    Posts
    3,002
    SRV record helps when you need to relocate your server.
    You don't need to chase people and let them know what you did - you just change the SRV target (or target's target) accordingly.

  11. #11
    Join Date
    February 2011
    Location
    Bandung, Indonesia
    Posts
    99
    From what I heard, if you remove your server from the server list, it stops... I haven't tried this, but hell, those attacks sure are disturbing.
    And I agree with eViLsTieFel.
    I have already tried to change the port, but as soon as it showed up on the server list, the flood came again in a flash. The attacker of my servers (yes, servers) came from Chinese IPs. I have already blocked some of those IPs, which are (mostly) spoofed. Probably some UDP "crafted" packets. Even my ISP blocked my server from being run. Any other suggestions?

  12. #12
    Join Date
    July 2016
    Posts
    1
    Quote Originally Posted by CallMeGamer View Post
    0000 54 53 33 49 4e 49 54 31 00 65 00 00 88 02 fd 66 TS3INIT1.e.....f
    0010 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0020 00 00 ..

    That's the packet currently used to bring my server to its knees. It becomes fully unresponsive, and takes down every virtual server along with it.

    Total bandwidth is about 16 Mbit, 30k pps.

    The server will receive a ton of these, and respond to it as well.

    Not sure what to do :/
    Can you set up an iptables rule on the packet content? Or is TS3INIT1 part of the normal communication between a client and the server?

  13. #13
    Join Date
    December 2004
    Location
    RF
    Posts
    3,002
    It is a part of normal communication.
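
Since the thread establishes that `TS3INIT1` also opens normal client sessions, matching on packet content alone cannot separate flood from users. The following is an added example (not code from any poster) that summarizes a capture by how many sources send only the init packet and nothing else. It assumes a real client follows its init packet with further traffic, while a spoofed source never does because it never sees the server's reply; the sample capture, addresses and thresholds are constructed.

```python
from collections import defaultdict

MAGIC = b"TS3INIT1"
# The 34 bytes from the hex dump in post #1.
FLOOD_PAYLOAD = bytes.fromhex("545333494e495431006500008802fd66d3" + "00" * 17)

def summarize(packets, window_s):
    """packets: (src_ip, payload) pairs for UDP datagrams seen in window_s seconds."""
    init, other = defaultdict(int), defaultdict(int)
    for src, payload in packets:
        (init if payload.startswith(MAGIC) else other)[src] += 1
    # Sources that sent an init packet and never anything else.
    init_only = [s for s in init if s not in other]
    total_init = sum(init.values())
    return {
        "init_pps": total_init / window_s,
        "init_sources": len(init),
        "init_only_sources": len(init_only),
        "init_only_ratio": len(init_only) / len(init) if init else 0.0,
    }

def looks_spoofed(stats, min_pps=100, min_ratio=0.9):
    # Thresholds are illustrative assumptions; tune against a quiet-hour baseline.
    return stats["init_pps"] >= min_pps and stats["init_only_ratio"] >= min_ratio

def build_sample():
    """Constructed one-second capture: 3 real clients plus 300 one-shot sources."""
    pkts = []
    for i in range(1, 4):
        src = f"192.0.2.{i}"
        pkts.append((src, MAGIC + b"\x00" * 26))   # constructed init packet
        pkts += [(src, b"\x01" * 20)] * 4          # constructed follow-up traffic
    for i in range(300):
        pkts.append((f"198.18.{i // 250}.{i % 250 + 1}", FLOOD_PAYLOAD))
    return pkts

if __name__ == "__main__":
    stats = summarize(build_sample(), window_s=1.0)
    print(stats, "spoofed flood likely:", looks_spoofed(stats))
```

A high init-only ratio at a high init rate is the kind of evidence an upstream provider can act on, since the traffic has to be filtered before it reaches the server's link.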
