Ideas to prevent DDoS?

Speak to OVH about that. They normally mitigate pretty fast, but I’m not sure downtime-wise.

1 Like

In contact with them but they are so slow to respond it’s unreal.

Yeah, I had that issue but there’s a way to open a ticket if you don’t pay for their support and they reply at a decent rate. If you mention buying something else they will always want to help faster.

1 Like

I actually called OVH for the same issue and they told me to use Wireshark to log the packets and send them it.

1 Like

OVH won’t be able to do anything about the DDoS because the kids who are DDoSing are probably using the L7 exploit.

The best way to prevent DDoS attacks is to have a sufficient amount of bandwidth to survive the attack and an active traffic monitor, sniffing and filtering packets and denying traffic that is not intended.

Yeah, someone mentioned to me about gathering the IPs during the attack and then blocking them, which I will do if I face this issue again.

2 Likes
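
The approach mentioned above (gather the source IPs during an attack, then block them), sketched as an added example that is not code from anyone in this thread. It assumes one `source_ip destination_port` pair per captured packet; the sample packets, the allowlisted player IP, the threshold and the helper name `suggest_blocks` are all constructed for illustration, and the script only prints `ufw` rules for review instead of applying them.

```bash
#!/usr/bin/env bash
# Added example: rank source IPs seen on the game port and print (not run)
# ufw deny rules for the heaviest talkers, skipping allowlisted players.

# Constructed sample: one "src_ip dst_port" pair per captured packet.
sample_packets() {
  local i
  for i in $(seq 1 40); do echo "203.0.113.7 30120"; done
  for i in $(seq 1 25); do echo "198.51.100.23 30120"; done
  for i in $(seq 1 30); do echo "192.0.2.10 30120"; done  # busy, but a known player
  echo "192.0.2.55 30120"; echo "192.0.2.55 30120"        # ordinary player
  echo "203.0.113.7 22"                                  # other port, ignored
  echo "not-an-ip 30120"                                  # malformed field, ignored
}

# suggest_blocks PORT MIN_PACKETS "ALLOWLISTED IPS" < packets
suggest_blocks() {
  local port="$1" min="$2" allow="$3"
  awk -v port="$port" -v min="$min" -v allow="$allow" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
    # Count only well-formed IPv4 sources so nothing odd reaches the rule text.
    $2 == port && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { hits[$1]++ }
    END {
      for (ip in hits)
        if (hits[ip] >= min && !(ip in keep)) print hits[ip], ip
    }' | sort -k1,1nr -k2,2 |
  while read -r count ip; do
    # "insert 1" puts the deny ahead of an existing "allow 30120" rule;
    # ufw applies the first matching rule.
    echo "ufw insert 1 deny from $ip to any port $port  # $count packets"
  done
}

sample_packets | suggest_blocks 30120 20 "192.0.2.10"
```

A UDP flood with spoofed source addresses will not show a small set of heavy talkers, so a flat distribution in this output means per-IP blocking will not help.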

Thing is you’ll probably also screw up some of your players.

Happened to me that I got attacked and I tried filtering IPs to only allow the ones that verify themselves through my website, they just had to log on site and click verify.

I noticed two things, one is my player count went below normal and people argued a lot about that as well as not getting listed on the master list.

I hired someone and he installed fail2ban. No more DDoS

1 Like

Actually, a well configured IPTables can be enough in some cases, but it’s mostly complicated for neophyte users.

I recommend UFW with Fail2Ban bound to it. Most simple and effective solution.

UFW is installed by default on Ubuntu. It’s a more “friendly” tool than IPTables.

OVH does provide by default a DDoS protection for every product, but it does not replace a well configured firewall. It’s complementary, keep that in mind.

Here’s how to do it the easiest way, just copy and paste the 2 following blocks:

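```bash
sudo apt update && sudo apt upgrade
sudo apt install ufw
# Add the allow rules before enabling UFW so the current SSH session is not cut off
sudo ufw allow 22/tcp   # SSH
sudo ufw allow 80       # HTTP
sudo ufw allow 443      # HTTPS
sudo ufw allow 30120    # FiveM port (TCP and UDP)
sudo ufw enable
sudo ufw reload
sudo ufw status
```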

Fail2ban:

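```bash
sudo apt install fail2ban
sudo systemctl enable fail2ban

# Write the jail config as root; a plain "> file" redirect would run without sudo
sudo tee /etc/fail2ban/jail.local > /dev/null <<'EOF'
[DEFAULT]
banaction = ufw

[sshd]
enabled = true
maxretry = 3
findtime = 10m
bantime = 10m
EOF

sudo systemctl restart fail2ban
```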

To check that they’re running and active:

```bash
sudo systemctl status ufw fail2ban
```

To check the number of jailed IPs:

```bash
sudo fail2ban-client status
```

3 Likes

Nice info. I installed Windows on the box though, I guess that’s an issue for something like this?

It only works on Linux. I thought you had it.

1 Like

I only know how to do it on Windows. I would suggest doing the following:

  1. If you want to do it yourself, create your own reverse proxy server.
  2. Set up your Windows Firewall to only allow the reverse proxy IP address on your FiveM port
  3. You should put txAdmin and your web port behind your reverse proxy as well

Like _Tangogow said, a well configured IPTables can be enough in some cases.

We use a cloud solution for DDoS protection, previously we tried OVH, and some DDoS protection services in my country. However it didn’t work (like vnis, x4b they don’t work at all). Then I found out the service that does work, Lectron, and they have locations in my country so my players don’t get annoyed by high latency. So it’s all good. If you get attacked in the scale of gbps then yeah you should try.

How do I do it on Windows?
I’m not an expert in Windows, sadly. In the past I was using Linux to run FiveM, and I was using iptables and fail2ban.
But now I moved to an OVH gaming server with Windows, and I actually stopped the firewall. Could you send me how to port forward and protect port 30120 during a UDP flood on that port?
As of now I’m using the OVH firewall. By default I have 20 rules only; I added IP ranges for TCP and UDP like this:
102.0.0.0/8 UDP ALLOW
102.0.0.0/8 TCP ALLOW

The last rule is blocking all UDP.

You can probably follow the guide above to try a remote proxy like Lectron to hide your server IP and protect it from attacks.

Using a proxy to hide your real IP is good,
but it may not be enough.

Attackers will just flood the proxy and you’re done again.

But you can set up load balancing on your DNS.

This needs a domain.
Set up load balancing on your domain’s DNS.

I set up like 5 proxy server IPs in the past to stop the kids.
I use Cloudflare.

Load balancing is a paid feature.

And one you could use on Cloudflare is Spectrum.
Go with their Pro plan and you will have access to it.

You can also use the Spectrum IP to act like a proxy, but it’s advanced and expensive.

You can also use a Spectrum domain as a fake proxy using the SRV records from DNS and your fxserver IP setting… But it needs an advanced setup.

And the last resort is basically to just block all requests from all countries excluding your own country.

1 Like

Can you please share some guide or explain how to setup the cloudflare loadbalancer? Or how exactly does it work? Because even if you have 5 IPs proxying to the real server, you will still need to set sv_proxyIPranges as well as override. How will multiple IPs work in that case?

Just set multiple sv_proxy IP ranges.
I remember setting up multiple

endpoint_add_tcp and the UDP ones.

For the load balancer at Cloudflare, you just need to insert all your IPs into the balancer.

And every time people connect to your domain,
the IP is randomized among 1-5, for example,
and the Cloudflare load balancer will ignore an IP if it’s currently down.

Just make sure you have multiple IPs on multiple servers, not on the same server.

Why not just block the geos you don’t support on your FiveM server, e.g. by country?

I can’t block geo because I have players scattered around in different countries. Also I see that there might still be 1 problem with this solution. Let’s say 10 players connect and 3 connect via proxy A, 3 connect via proxy B and 1 connects via proxy C. If a DDoS attack hits IP A, those 3 players will get disconnected / timed out, right? Because I don’t think that FiveM will switch to another proxy, as it only got that single IP from the load balancer. Any good way of solving this? Or suggestions?

1 Like

That’s how it works: if proxy A is down, the player will reconnect and will automatically be sent to proxy B.
Not a 100% foolproof solution and actually not quite favorable at all,
but you can do this to lessen downtime.