Fiber & Getting ddos'd

Mitch619911

I am getting AT&T Fiber within the next few days (1-3 days), I have 2 home servers and I want to host a game server off one for a friend that streams on Twitch, AT&T says they provide 1Gbps (1000mbps)..and I would like to know if anyone knows more info, would I be safe from most kiddos bought 'booters/stressors' from my home network of 1Gbps?

 

Thanks for ya time :P


I have an old Cisco 2600 router I wonder if I can setup any firewall that would help anything.


18 minutes ago, tlink said:

Yeah dude cause that's totally not a lie and every member totally gets enough bandwidth to take down an entire datacenter.

 

Don't be retarded. If the stresser did hit that much, then it would be taken down by the FBI in less than a week. I can guarantee it doesn't hit more than 3 gigs on a reflection attack.


23 minutes ago, Droidbot said:

probably would be fine from script kiddos with 1g down 1g up, considering most ddoses don't reach 1Gbps

 

Wrong. Any stresser today can down an unprotected 1 gig line with ease.


12 minutes ago, Mitch619911 said:

I have an old Cisco 2600 router I wonder if I can setup any firewall that would help anything.

That's not how a ddos attack works pal.


5 minutes ago, Mornincupofhate said:

Yeah dude cause that's totally not a lie and every member totally gets enough bandwidth to take down an entire datacenter.

 

Don't be retarded. If the stresser did hit that much, then it would be taken down by the FBI in less than a week. I can guarantee it doesn't hit more than 3 gigs on a reflection attack.

3Gbps is a pretty small attack these days. Back in 2013 I got hit with a 30Gbps that my data center considered insignificant compared to some of the attacks they'd seen. In 2017 a 10Gbps isn't hard to do.

-KuJoe


1 minute ago, KuJoe said:

3Gbps is a pretty small attack these days. Back in 2013 I got hit with a 30Gbps that my data considered insignificant compared to some of the attacks they'd seen. In 2017 a 10Gbps isn't hard to do.

Most ISPs are becoming slightly less retarded (although still pretty retarded) when doing egress filtering. Pretty sure the US government is forcing it upon them.


2 minutes ago, Mornincupofhate said:

Yeah dude cause that's totally not a lie and every member totally gets enough bandwidth to take down an entire datacenter.

 

Don't be retarded. If the stresser did hit that much, then it would be taken down by the FBI in less than a week. I can guarantee it doesn't hit more than 3 gigs on a reflection attack.

no that's not my point, the advertisement is highly overstated yes, I'm not that gullible. the point is that they can easily get ddos attacks going of over a gigabit per second, even if the advertisement is a great overstatement, it's not 2200% overstated. i mean it even says support 24/7, that's a lie too. the mirai botnet would even make it easier.


1 minute ago, Mornincupofhate said:

Most ISPs are becoming slightly less retarded (although still pretty retarded) when doing egress filtering. Pretty sure the US government is forcing it upon them.

And the world would be a better place if cheap-o data centers didn't allow IP spoofing on their networks.

-KuJoe


1 minute ago, KuJoe said:

And the world would be a better place if cheap-o data centers didn't allow IP spoofing on their networks.

I knew the retard that pulled off this attack.

[Image: bc437197b1b5367268199957eb0d3329.png]

 

100% NTP flood and it was back in August of last year.

Good luck pulling that off today.


35 minutes ago, Mitch619911 said:

I am getting AT&T Fiber within the next few days (1-3 days), I have 2 home servers and I want to host a game server off one for a friend that streams on Twitch, AT&T says they provide 1Gbps (1000mbps)..and I would like to know if anyone knows more info, would I be safe from most kiddos bought 'booters/stressors' from my home network of 1Gbps?

 

Thanks for ya time :P

I don't know what a "booter" or a "stressor" is in terms of Fiber or DDoS attacks, but as far as a home connection goes, it's up to your ISP to detect and mitigate any such attacks. This is because a DDoS attack, even on a residential Fiber line, would be damaging to more than just you. Eventually the attack would saturate the network node you're connected to, which would affect other paying customers on the same node, so yeah, your ISP should protect its residential clients. Any ISP that doesn't protect its own networks is an idiot. It's the equivalent of a prison locking up criminals, then proceeding to have absolutely zero monitoring or guards at the prison, allowing for easy escapes to happen.

 

Now, if you have a business or dedicated line just for you, that's a different story, and you'll want to pick up a few thousand dollars worth of load balancers and other content filtering hardware firewalls to protect yourself. Or, you know, route everything through a DDoS service like CloudFlare or CloudBric and completely hide your IP address.



16 minutes ago, Mitch619911 said:

I have an old Cisco 2600 router I wonder if I can setup any firewall that would help anything.

no that wouldn't help. your isp needs to block it and get the IPs on the SPAMHAUS list etc. so it gets blocked at nodes and never actually reaches your home. if you block it at your home your 1gbs will still completely fill up with traffic even if you nullrouted them.
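The point made in this reply, that a home firewall cannot help once the 1 Gbps pipe itself is full, shown as an added example that is not part of the thread: a small triage script over per-second inbound flow summaries that separates "link saturated, only the ISP can act" from "below line rate, an edge filter can still shed it". The log format, the sample records, the 90% saturation threshold and the 50% reflection share are all assumptions made for illustration.

```python
import re
from collections import defaultdict

LINK_BPS = 1_000_000_000          # the 1 Gbps residential line from the thread
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}  # common UDP reflection sources
SATURATED = 0.9                   # assumed: >=90% of line rate counts as a full pipe

# Constructed per-second flow summaries (documentation IP ranges):
# "<sec> <proto> <src>:<sport> > <dst>:<dport> <bytes>"
SAMPLE = """\
0 udp 198.51.100.7:27015 > 203.0.113.10:27015 40000
0 udp 192.0.2.21:123 > 203.0.113.10:27015 60000000
0 udp 192.0.2.88:123 > 203.0.113.10:27015 58000000
1 udp 198.51.100.7:27015 > 203.0.113.10:27015 41000
1 udp 192.0.2.21:123 > 203.0.113.10:27015 2000000
"""

LINE = re.compile(r"(\d+) (\w+) ([\d.]+):(\d+) > ([\d.]+):(\d+) (\d+)")

def assess(text, link_bps=LINK_BPS):
    """Return {second: (utilisation, reflected_share, verdict)} for inbound traffic."""
    total, reflected = defaultdict(int), defaultdict(int)
    for m in LINE.finditer(text):
        sec, proto, _src, sport, _dst, _dport, nbytes = m.groups()
        bits = int(nbytes) * 8
        total[int(sec)] += bits
        # Traffic arriving *from* a reflector service port looks like amplification replies.
        if proto == "udp" and int(sport) in REFLECTOR_PORTS:
            reflected[int(sec)] += bits
    out = {}
    for sec, bits in sorted(total.items()):
        util = bits / link_bps
        share = reflected[sec] / bits
        if util >= SATURATED:
            verdict = "upstream"      # pipe is full before the home router sees a packet
        elif share >= 0.5:
            verdict = "local-filter"  # below line rate: an edge ACL can still drop it
        else:
            verdict = "normal"
        out[sec] = (round(util, 3), round(share, 3), verdict)
    return out

if __name__ == "__main__":
    for sec, row in assess(SAMPLE).items():
        print(sec, row)
```

A measured rate never exceeds line rate, because the excess is dropped upstream of the router; that is why sustained utilisation near 100% is the signal to call the ISP rather than to tune local rules.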


7 minutes ago, KuJoe said:

3Gbps is a pretty small attack these days. Back in 2013 I got hit with a 30Gbps that my data center considered insignificant compared to some of the attacks they'd seen. In 2017 a 10Gbps isn't hard to do.

Yeah man it's crazy how fast these attacks are scaling. Latest report from Kaspersky: https://securelist.com/analysis/quarterly-malware-reports/76464/kaspersky-ddos-intelligence-report-for-q3-2016/

 

Average in 2014 was like 7 Gbps, now it's in the 50 Gbps range. 

 

Edit: Sorry, the Kaspersky report is less relevant than I thought, I closed the other tabs before linking. Think VeriSign reported the 50 Gbps average in 2016.


3 minutes ago, tlink said:

no that's not my point, the advertisement is highly overstated yes, I'm not that gullible. the point is that they can easily get ddos attacks going of over a gigabit per second, even if the advertisement is a great overstatement, it's not 2200% overstated. i mean it even says support 24/7, that's a lie too. the mirai botnet would even make it easier.

Lol do you even know what you're talking about.

Mirai can't do shit ever since it was released. Its bots are saturated by 12 year old lizard squad wannabes that want to brag to their friends at school.

 

DDoS is dead unless you have money.


Just now, kirashi said:

I don't know what a "booter" or a "stressor" is in terms of Fiber or DDoS attacks, but as far as a home connection goes, it's up to your ISP to detect and mitigate any such attacks. This is because a DDoS attack, even on a residential Fiber line, would be damaging to more than just you. Eventually the attack would saturate the network node you're connected to, which would affect other paying customers on the same node, so yeah, your ISP should protect its residential clients. Any ISP that doesn't protect its own networks is an idiot. It's the equivalent of a prison locking up criminals, then proceeding to have absolutely zero monitoring or guards at the prison, allowing for easy escapes to happen.

 

Now, if you have a business or dedicated line just for you, that's a different story, and you'll want to pick up a few thousand dollars worth of load balancers and other content filtering hardware firewalls to protect yourself. Or, you know, route everything through a DDoS service like CloudFlare or CloudBric and completely hide your IP address.

 

Thanks for the USEFUL info unlike some :D +1


7 minutes ago, kirashi said:

Now, if you have a business or dedicated line just for you, that's a different story, and you'll want to pick up a few thousand dollars worth of load balancers and other content filtering hardware firewalls to protect yourself. Or, you know, route everything through a DDoS service like CloudFlare or CloudBric and completely hide your IP address.

You have no clue what you're talking about. A load balancer would do 100% nothing in terms of protection on your end. Cloudflare would also do nothing holy shit do some research before you type out an entire paragraph.

 

Also how are ISPs that don't protect network traffic stupid? Do you know how expensive ddos mitigation costs? It's just one thing to have your servers stay up during that packet storm, but it's another thing to write a program that can intelligently detect and mitigate malicious traffic without completely null routing the line.


1 minute ago, Mornincupofhate said:

You have no clue what you're talking about. A load balancer would do 100% nothing in terms of protection on your end. Cloudflare would also do nothing holy shit do some research before you type out an entire paragraph.

Calm down, a lot of people on here don't have a clue and that's fine. It sucks when misinformation is spread like that but there are better ways to handle it. If the guy wants to argue about it then you're more than welcome to escalate your tone with him, but just take a chill pill and enlighten these people in a more collected manner. It will leave a much better impression and they'd be more inclined to ask you questions and listen to you if you're not going off on them.

 

That being said, @Mornincupofhate is correct that hardware mitigation is useless without a big enough bandwidth pipe to handle the attack to begin with.

-KuJoe


6 minutes ago, Mornincupofhate said:

Lol do you even know what you're talking about.

Mirai can't do shit ever since it was released. Its bots are saturated by 12 year old lizard squad wannabes that want to brag to their friends at school.

 

DDoS is dead unless you have money.

again that's not my point. mirai is just an example. stop picking anything but my main point and attacking that when it literally isn't relevant to the larger image.


Just now, Mornincupofhate said:

Back to what @Mitch61991 was asking in the first place:

 

No, you can't block ddos attacks on your end period. 

If you want some form of protection, look into https://www.privateinternetaccess.com/ It's about $3.50 / month and in your case, it's the only way to keep yourself from being DDoS'd.

 

That's a VPN, correct? - I'm going to be giving out my IP for users to connect to, just don't want someone to get salty and do the bad.


3 minutes ago, Mitch619911 said:

That's a VPN, correct? - I'm going to be giving out my IP for users to connect to, just don't want someone to get salty and do the bad.

Yes, It's a VPN.

 

If you're hosting game servers on a residential line, your ISP will get mad at you. One of those reasons being you're an easy target for DDoS.

If you want to host servers, https://www.ovh.com/us/ is a great host, and has about 7.5Tbps global network capacity. They include DDoS mitigation regardless of if you want it or not, and they've mitigated the world's largest DDoS.

 

Prices start at $4.00 per month.


1 minute ago, Mornincupofhate said:

Back to what @Mitch61991 was asking in the first place:

 

No, you can't block ddos attacks on your end period. 

If you want some form of protection, look into https://www.privateinternetaccess.com/ It's about $3.50 / month and in your case, it's the only way to keep yourself from being DDoS'd.

Does PIA offer any form of DDoS mitigation or are you suggesting he just hide his IP so the attack is directed elsewhere? I'm wondering what the latency or packet loss impact would be using a VPN with DDoS mitigation on the network. I have never personally been DDoS'ed at home though, so I've never had the need for it nor can I test it out without violating some Terms of Services.

-KuJoe


1 minute ago, KuJoe said:

Does PIA offer any form of DDoS mitigation or are you suggesting he just hide his IP so the attack is directed elsewhere? I'm wondering what the latency or packet loss impact would be using a VPN with DDoS mitigation on the network. I have never personally been DDoS'ed at home though, so I've never had the need for it nor can I test it out without violating some Terms of Services.

PIA's datacenters have mitigation, but who cares, it's not his IP that's being hit, and he can switch to a different server in about 5 seconds. Latency from what I've seen on my end is about 10-20ms increase (I'm also on a slow, shitty DSL line).

 

If you want to test a ddos at home, disconnect your machines from the internet, download (or make) a UDP flooder, and flood your machine and or router's local IP. 
