For people that don't know what a DDoS is, you might want to read the Wikipedia article first :
Wikipedia - Denial of service attack.
tl;dr : A cyber attack that consists of spamming the target with generally chunked or invalid messages.
After a while the target's router can't handle the traffic, generating a lot of lag and sometimes overheating the router.
Two days ago I read that JP "itmejp" McDaniel got DDoS'ed while streaming his show "Real Talk" with Dan "Artosis" Stemkoski.
This is not the first time that a stream or a tournament has been interrupted by this type of attack.
Some of the best-known victims include team Evil Geniuses (EG), the "Real Talk" show, Destiny and countless tournaments like "Gigabyte eSports LAN Invitational".
I think that in the future they will only get more frequent, thus threatening eSport's stability.
This post is mainly addressed to streamers, players and tournaments who rely on a stable Internet connection.
It will try to explain one way of protecting yourself from DDoS.
When you talk of a DDoS attack in a case where your website is the victim, you can't do much about it.
There is no tool or technique that will protect you from being DDoS'ed again.
The best the market has to offer at the moment is tools that mitigate the attacks plus buying more bandwidth to support the attack.
Blocking IP addresses isn't a solution either because every IP address connecting to your site could be a legitimate visitor or customer.
So yeah, pretty grim situation ...
BUT you (streamer / player / tournament) are not a website, which means that not every IP address has to be able to connect to your router.
The only IP addresses you really need to allow are those of Twitch.tv or Owned3D.tv (streams) and Starcraft II (or whatever other game you play).
How it works :
The solution is based on two "configuration modes" your router will run on.
- The "default mode" : these are the default settings of your router.
It's what you are using now.
- The "restricted mode" : which will block every IP address that is not a "vital" service.
This mode will only be activated when you are streaming or playing.
The way you should use it is like this :
1) I'm browsing Internet -> "default mode"
2) I'm going to stream -> "restricted mode"
3) I stopped streaming -> back to "default mode"
By "vital service", I mean software that is in these categories :
- streaming : Twitch.tv, Owned3D.tv ...etc.
- communication : Skype, Raid Call, TeamSpeak, Ventrilo, Mumble ...etc.
- gaming : Starcraft (battle.net 2.0 in general), DotA, LoL ...etc.
- top sites : Google, Team Liquid, Reddit, Twitter, Facebook ...etc.
If a website is not in the white-list and you are in "restricted mode", you just simply won't be able to reach it !
Using a program I wrote, you can generate a range of IP addresses that you will simply copy & paste to your router.
tl;dr : So basically it's an IP address filter that uses a white-list system rather than a black-list system.
1) - Download Node.js from nodejs.org (choose the version for your operating system).
2) - Once you have downloaded the program, install it.
3) - Now download server.js from mediafire and copy the file to your desktop
4) - For Windows : Click on "Start" and type in "cmd" + ENTER
For Ubuntu : Click on "Dash Home" and search for "terminal"
5) - Then, in the command prompt type : "cd c:\documents and settings\<your user name here>\desktop"
6) - Now type : "node server.js"
7) - In a new browser tab navigate to : http://127.0.0.1:8080
8) - Follow the instructions on the page, submit and wait for 1 - 3 minutes
9) - Once you get redirected to the page with the white-list IP ranges, browse to http://192.168.1.1 (which is usually the address of your router)
10) - Log in using your router's username & password. If you don't know it, try a blank username & password. Otherwise you can probably find it in the manual you got when buying the router or you can google the default username & password for your router brand / model.
11) - When you're logged-in find the menu which gives you the possibility to block a certain range of IP addresses and enter all the ranges returned by the website.
12) - Congrats ! You are now in "restricted mode".
To go back to "default mode", just remove all the IP ranges you added in step 11.
Technical details :
Since your router still has to block packets (messages) coming from banned IPs, it will still use some resources but this is nothing compared to a real DDoS where your router has to inspect the packet to verify the validity of the packet.
(valid IP packet ? valid TCP packet ? valid HTTP/s packet ? ...etc).
In addition to that, the white-list system prevents your router's packet caching window from being polluted with DDoS packets.
The program is a combination of a small http server, a parser and a DNS resolver.
The program is functional but lacks in options, one of the objectives would be to add them in the future "releases".
Some more changes have to be made to speed-up the program and make it more convenient / easy to use.
In particular, one issue I have is with the "add web site" feature (the second textarea in the html page) that lets people white-list some of the key websites they often use.
The way this works is that the user input gets parsed, then, for each domain, it sends a DNS resolution request and waits for the answer containing the IP addresses of all the servers the site is using.
For example :
- If you have 100 websites you want to white-list, the program, since it's async, will instantly send 100 DNS requests without waiting for the answer to the previous one.
What happens is that after +/- 20 concurrent requests (on my Linux) the next DNS requests will fail, probably because the network card / DNS server is overloaded.
In the end, the best way would be to have a file (like a DNS table) that feeds the program all the IP ranges the websites operate on. If you want to know more about this read the "Contribution" section.
If you are using an external DNS server (like Google DNS or OpenDNS), you might want to add these IP addresses too.
It might not be necessary since the program already does the DNS requests one time, the next time they should be cached, but you never know.
One feature I wanted to add is an auto-configuration of the router like this :
- the user inputs his router's username & password
- the program ssh's the router
- and changes the config files
Sadly almost every router is different making it impossible to code.
I didn't test cross OS compatibility yet.
On the To Do list there is :
- Skype support. I'm not really sure what the best way is to achieve this.
I'm probably going to write a function that will parse netstat results.
If you have a better idea, don't hesitate to PM me !
- Winrar the Node.js executable, the scripts and a batch file as a launcher that will run in the temp file so that people don't have to install Node.js.
If you want to contribute to the project, you could help me get this information so that I can add support for as many programs and websites as possible.
I made a quick list of information that could help me add more options.
A list of all the domain names or server IP addresses of :
- Raid Call
- Battle.net 2.0
To make the DNS requests I'm using a CSV file (Comma-Separated Values) of the top 500 domains that gets parsed by a Node.js script. I haven't yet been able to generate a table with all the IP addresses due to the restriction on the number of requests the program can do. (For more information read the "Technical details" part).
Here is the CSV and the script in question :
- Parser & DNS resolver : click here to download
- CSV data used : click here to download
Ideally, the goal would be to have a file containing the IP addresses of the top 1000 Alexa websites to make the white-list more practical.
This is far from being a miracle solution to DDoS !
You have to take into account that you only have to use the program in "emergency" cases.
Especially for tournaments who have large networks they have to rely on and where : "no lag in game / on the stream" >>> "being able to browse every website there is on the Internet".
And as data gets added, more websites will be supported making the program a lot more convenient to use !
I hope that this program will be helpful to as many people as possible !
If you have questions or need more details PM me or simply post in this thread ! ^^
EDIT : Here is a link with more advice to mitigate DDoS effects : http://www.leaguepedia.com
PS : Sorry for the wall of text and the lack of English vocabulary ! :D
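
The DNS overload described under "Technical details" (all lookups fired at once, failures after roughly 20 in flight) can be avoided by capping how many requests run concurrently. The following Node.js sketch is an added example, not part of the original post or of the author's server.js; the names `parseDomains` and `resolveAll`, the default limit of 10 and the injectable `resolver` parameter are assumptions made for illustration.

```javascript
// Added example: bounded-concurrency DNS resolution for a domain white-list.
const dns = require('dns').promises;

// Accept only plain host names (letters, digits, hyphens, dots); anything
// else pasted into the textarea is dropped rather than sent to the resolver.
const HOSTNAME = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/;

function parseDomains(text) {
  const seen = new Set();
  for (const raw of text.split(/[\s,;]+/)) {
    // Strip a scheme, path and port so "https://example.com/x" still works.
    const host = raw.toLowerCase().replace(/^[a-z]+:\/\//, '').split(/[/:?#]/)[0];
    if (HOSTNAME.test(host)) seen.add(host);
  }
  return [...seen];
}

// Resolve every domain, but never keep more than `limit` lookups in flight.
// `resolver` is injectable (an assumption of this example) so the logic can
// be exercised without touching the network.
async function resolveAll(domains, limit = 10, resolver = (d) => dns.resolve4(d)) {
  const results = {};
  const failed = [];
  let next = 0;
  async function worker() {
    while (next < domains.length) {
      const domain = domains[next++];
      try {
        results[domain] = await resolver(domain);
      } catch (err) {
        failed.push(domain); // keep going; failures are reported at the end
      }
    }
  }
  // Start `limit` workers that pull domains from the shared queue.
  const workers = Array.from({ length: Math.min(limit, domains.length) }, worker);
  await Promise.all(workers);
  // De-duplicated, sorted address list ready to paste into the router form.
  const addresses = [...new Set(Object.values(results).flat())].sort();
  return { results, failed, addresses };
}
```

Domains listed in `failed` can be retried in a second pass instead of being silently missing from the white-list.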