DDoS Attacks & Convictions

Question

I could probably make a better title, edit it if you find a better way of phasing my problem. Basically what's happened is that a gameserver host thinks I keep attacking their dedicated server with a DDoS attack; but I do not.

I have a theory that someone is faking their IP so it matches up with mine, and is launching attacks with it. I am worried that this is the case, and am having a hard time convincing the owner of the gameservers that it's not me attacking his servers.

How plausible is this theory?

I also have a connection with only 64kbps upload; this is no near enough to bring the dedicated servers' network down. I would not do such a thing, but if I were to launch a full-scale DDoS attack from my network, what effect would it have (if any) on the target dedicated server?

Edit

The server is question is not mine, but I know the sysadmin of it and can tell you the specs: 16 core (dual CPU) Intel Xeon, 32GB RAM, 8TB HDD space. The sysadmin claims the attack crashed some of the running gameservers on the server.

This question has nothing to do with my other question, which is about testing my software's handling of a DDoS. https://i.stack.imgur.com/2uUol.jpg

This is pretty much a duplicate of your other question, which is currently circling the drain. — DanBig, Sep 25 '13 at 13:17
@DanBig It might have the same topic of DDoS, but is is not a duplicate. Please read the questions again, and tell me where I have mentioned any legal stuff in this one. This is a legit question and currently has absolutely no connection whatsoever to the other question. — AStopher, Sep 25 '13 at 13:19
From your network? Next to nothing. Even if you had a local network of several hundred machines the result would probably not be noticeable. The first D of DDoS is distributed. You need a lot of machines to hit a server (unless the server is hugely underspecced.). Do you need to DDoS it? Can't you benchmark the server? — tombull89, Sep 25 '13 at 13:20
Oh also if you launched a DDoS from your network your ISP would (or should) shut you down. — tombull89, Sep 25 '13 at 13:21
OK, so it may not be an exact duplicate, but its still not appropriate for the site because all we can do is speculate. — DanBig, Sep 25 '13 at 13:21
Based on your other question about you developing software for these gameservers, when you say DDoS do you really mean an external attack? Or are they claiming that your new software/code is crashing some of their gameservers on the server? Did you upload code and it caused an issue? Why would the sysadmin know you and somehow think you were the cause? What proof are they citing? — TheCleaner, Sep 25 '13 at 13:26
The code I'm writing is designed to stop these attacks against the gameserver. This code will be in my server modifications and will prevent the attacks from crashing the server. — AStopher, Sep 25 '13 at 13:31

score 1 · Accepted Answer · edited Apr 13 '17 at 12:14

1

That theory is plausible. For some types of DDoS attack (such as SYN floods) it is normal for all the source IPs to be spoofed and for there to be hundreds of thousands or millions of them. Yours could have been included by accident.

Two other plausible theories:

There was a DDoS against your server that was not using spoofed IPs and an infected machine on your network was part of the botnet delivering this DDoS.
Your hosting provider did a simple count of connections to your server and saw your IP address at the top of the list. They concluded that the IPs with the highest number of connections were causing the DDoS. This is probably an erroneous conclusion.

64Kbps upload would probably have little effect on a server but this is dependent on many factors including what type of DoS attack it is and the specs of your server, the applications running on it and its internet connection. It is certainly possible to DoS very powerful servers with dial-up connection if it's the right type of DoS (Slow-loris and the old Ping of Death spring to mind).

Ask your hosting provider for the evidence of the DDoS and how they collected the evidence.

Based on my reading of the related thread in that gaming forum, someone is seeing a lot of UDP traffic from your IP address. UDP is easily spoofable (no response is required) so that's not reliable evidence that it was in fact you.

But it's also clear that you are not a professional sysadmin acting in a professional capacity. As such this question is off-topic.

edited Apr 13 '17 at 12:14

Community

1

answered Sep 25 '13 at 13:19

Ladadadada

26,787

The server is question is not mine, but I know the sysadmin of it and can tell you the specs: 16 core (dual CPU) Intel Xeon, 32GB RAM, 8TB HDD space. The sysadmin claims the attack crashed some of the running gameservers on the server. – AStopher Sep 25 '13 at 13:22
An attack that crashes the gameservers suggests that it's a DDoS that targets that application. A SYN flood or reflected DNS flood wouldn't do that. Specs and bandwidth are mostly irrelevant in this situation. – Ladadadada Sep 25 '13 at 13:24
The latest attack (from screenshots on their site- one is attached) targets UDP port 50010. See the question that I've just updated with a screenshot of the attack, as given to me by the sysadmin. – AStopher Sep 25 '13 at 13:26
Is it possible for attack software to launch an attack as though it's coming from a specific IP? A similar situation happened a couple of weeks ago with someone (with the same victim dedicated server), and he asked that I personally log into his machine and clear it of any attack tools (he foolishly gave out details to others to access the machine). I failed to find any evidence whatsoever of any attack tools, and the servers' bandwidth charts did not show any rise in traffic, of what you would expect for an outgoing attack. – AStopher Sep 25 '13 at 16:58
With UDP, yes. Every IP packet has a destination address and port and a source destination and port and all of these can be set to anything you like. For a TCP connection the source must not be spoofed but since you're talking about UDP, anything goes. Someone could be framing you. – Ladadadada Sep 25 '13 at 20:04

DDoS Attacks & Convictions

1 Answers1