What is a DDOS and why is it so hard to stop?

[Teddy]

A number of people have complained about DDOS attacks bringing down the servers over the last couple of weeks, and well, pretty much throughout the entirety of Argonath's history. Some have asked why we can't do anything about it. So this is basic introduction to what exactly a DDOS attack is and as a result why it's so hard to stop.

First off there is a difference between DOS and DDOS. DOS by itself stands for Denial of Service attack, which indicates a single machine attacking a target. In DDOS it stands for Distributed Denial of Service. Meaning the attack is coming from an arbitrary amount of sources. Since a DOS attack is from a single user on a single network connection, these attacks are generally a lot easier to detect and resolve.

How exactly is this preformed?
Quite simply a denial of service attack is flooding the server with so many requests it unable to handle legitimate traffic. Imagine this: Your friend wants to come over and hangout, however, once he nears your house the entire front lawn and street is flooded with hundred of people standing in between him and your front door. This is a similar concept to denial of service.

Why is it so hard to stop?
Denial service attacks by concept seem so simple and rudimentary, right? So why are they so hard to stop... well by the simple nature of networking. Denial of Service attacks are simply flooding of requests and it's not yet possible to effectively distinguish between legitimate traffic and attack traffic. As a result of this simple factor, preventing denial of service attacks becomes a challenge. There is methods to do so however they create latency issues and other efficiency problems which most professional denounce. The next available step is to detect and mitigate the service disruption attempts.

How is it stopped by hosts like OVH?
Any service that offers anti-ddos protection does not actually prevent denial of service attacks. They use specialized network monitoring software and hardware which can detect an influx or irregular amount of traffic. Essentially they detect that there is a shit load of traffic coming in and it's not usual traffic. This then triggers a series of protocols (both hardware and software) which aim to remedy the issue. Each data center has their own methods of conducting this protection. OVH specifically uses a method called vacuuming, and no, it's not a bunch of French people standing at a server with a vacuum and a baguette, as interesting as an image as that may be to picture. It is some really complicated network stuff that nearly surpasses my understanding of computer networks, and happens to be the most state-of-the-art and industry leading method.

All of what was mentioned here are what are referred to as volume based attacks, which is what Argonath mostly receives. There are also protocol attacks and application layer attacks. Last year there was a Zero-day exploit found in SA:MP which allowed attackers to bring down a server. Similar incidents have occurred before as well in the VC:MP server and other game servers; they are often quickly patched. Since this exploited a bug in the server software, this was an application layer denial of service attack. Protocol attacks aim to disrupt server resources rather than network.

[KelviNC]

Can't we get a DDOS protector for the server? Like I have no idea from where and how to get it. But still, if we can get one that will be great.

[CharlieKasper]

Informative, helps us all users who don't have much knowledge. Thanks!

[AryaN]

Thanks for this elaboration. This just cleared my many doubts related to DDOS. 

[Teddy]

Can't we get a DDOS protector for the server? Like I have no idea from where and how to get it. But still, if we can get one that will be great.

It is being worked on as far as I am aware.

[Axison]

Thanks Teddy, cleared some of my questions regarding ddos

[Ben.]

Does the server have the funds for this, or will donations be essential?

[Tovenaarke]

Informative, helps us all users who don't have much knowledge. Thanks!

Indeed, now I can 'imagen' what it is...

[Teddy]

Does the server have the funds for this, or will donations be essential?

That's something for Gandalf to disclose. However, I will say donations are always helpful in expanding and improving.

[Kostas]

From the few articles that I've read in the past. The people doing DDoS attacks usually have a whole army of "zombies"(not sure if I remember well that name) in their possession which they use in order to attack the server at that time. Seeing how many people have access to such attacks, I guess anyones computer could be a "zombie", used when ever they want to attack a server. So first of all, is there any way for someone to find out, if he is being used? And also, is there any way for us, from the server side, durring the attack to somehow record the "attackers" (or atleast as many as we get the time to) and then notify them, that their computers are being used like that, and guide them on how to remove their "virus"?

[Mikro]

From the few articles that I've read in the past. The people doing DDoS attacks usually have a whole army of "zombies"(not sure if I remember well that name) in their possession which they use in order to attack the server at that time. Seeing how many people have access to such attacks, I guess anyones computer could be a "zombie", used when ever they want to attack a server. So first of all, is there any way for someone to find out, if he is being used? And also, is there any way for us, from the server side, durring the attack to somehow record the "attackers" (or atleast as many as we get the time to) and then notify them, that their computers are being used like that, and guide them on how to remove their "virus"?

It is not like every attacker got his own army of zombie computers. The thing is that the better hackers/crackers created software to make these attacks easy for people with no understanding of how it actually works. Even worse, they created paid services for bigger DDoS attacks. So every dick with a credit card (from their parents probably) can buy an attack..

[Ben.]

That's something for Gandalf to disclose. However, I will say donations are always helpful in expanding and improving.

Will kick things off then 

[Teddy]

So first of all, is there any way for someone to find out, if he is being used?

If your PC is being used for an attack you will have a noticeable increase in system resource usage, specifically bandwidth. Typically the software used for zombies is a virus or worm-based. Run virus scans frequently

And also, is there any way for us, from the server side, durring the attack to somehow record the "attackers" (or atleast as many as we get the time to) and then notify them, that their computers are being used like that, and guide them on how to remove their "virus"?

All requests made against a server are logged in some high level log. The problem is distinguishing legitimate attackers (those willing) and illegitimate attacks (those compromised). Since all you get is an IP, the only thing you can contact is their ISP, since from an IP you can't get the user's email address or physical address.

[Stivi]

since from an IP you can't get the user's email address or physical address.

Can't you match the IP with a user's IP ?

[Ben.]

Can't you match the IP with a user's IP ?

I imagine law enforcement would need to be involved for that.