Linden

The term botnet is still slung around quite a bit, but the definition has been skewed. You have a lot of attack vectors that don't require you infect computers to abuse their connection. Here's a basic list of reflective attacks. (it's not all inclusive) But the way the reflective DDoS attacks work attackers don't actually need control over the machine. They just abuse a service on the machine. Here's an example: Attacker spoofs target game server IP to 1500 NTP servers All those NTP servers respond to the game server IP with a much larger response. The potential amplification factor for NTP is 556x what was received by the server. So you could use a shitty VPS and buy an amp list of NTP servers being sold on these shitty "hack forums" sites and launch a decent sized attack. This doesn't technically fall under the "botnet" definition, but it's the same concept, without the requirement of infecting the hosts. This is why DNS, NTP, SSDP, RIP, LDAP, etc are all common attack vectors on these shitty stresser sites. The attacks are easy to do, the scripts to do the attacks are public, and people are selling amp lists for each protocol for pennies.

Distributed attacks can still be extremely small. The attacks we had the most issue filtering were the ~100-200mbps attacks, they still originate from thousands of addresses but they match legitimate traffic in almost every way, size isn't the only factor when it comes to dealing with attacks. These current large attacks aren't "hard" to filter from a mitigation standpoint, the issue is the capacity to do so. The current attacks all originate from a single source port, and the attack is reflective meaning the source addresses aren't spoofed, but they're originating from thousands of legitimate servers around the world. But the shear size of the attack would result in a huge amount of overall bandwidth being used during the mitigation. So essentially not implementing nullroutes would be opening the flood gates and allowing 200Gbps to flow freely into the network just to filter 99% of it and allow 30mbps worth of Arma connections through. Is it possible, yes. Is it costly, absolutely. There is mitigation in place at all times to prevent attacks, some attacks require me to personally implement new filters (the application layer attacks) but in general, most attacks are caught without you guys even noticing them.

Mitigation is much more than just blocking an IP, UDP attacks generally have spoofed source addresses, so you would have to drop the entire internet. SteamIDs aren't ever going to help you mitigate an attack, they're not connected in anyway.

What would be the point of attacking the server when it only has a few players...? Are you being intentionally dense? Cloudflare is only for protecting websites, has nothing to do with the game servers.

@xlOutsiderlx The devs have acknowledged performance issues with the Arma servers, but today there has been multiple >200Gbps attacks which resulted in nullroutes. (1 hour each) There are only a few providers who are even going to tolerate attacks that large without telling the customer to kick rocks. (OVH, Voxility, Prolexic) Asylum has used OVH previously, and while OVH is more than capable of sustaining >200Gbps attacks, they don't deal with a lot of the smaller attacks that target the application directly. (Layer 7) Today is the only day I think Asylum has ever received a null from us, and that's because we have to leverage our upstream provider to handle attacks that large. So while we could technically filter these attacks, it's going to cost significantly more money. And no offense, but CompTIA is a joke. CompTIA is just general certifications. If you are serious about networking/security you should be aiming for a CISSP. Nobody in the industry cares about a CompTIA certification unless you're trying to land an entry level job. You literally don't even understand the OSI model, which means you wouldn't make it past the lobby at a company that specializes in DDoS mitigation.

Ignorance is bliss.

Back to back 200Gbps attacks resulting in an hour long nullroute.

Attacks, working on it.

It's possible, I know there is at least one filter that is rejecting a small portion of legitimate traffic at this point.

It's being worked on, should be resolved shortly. @Azeh

What misinformation have I spread about OVH?

Server #3 has only been attacked once in the past 20 days. Server #1 and #4 have exceeded 40 attacks in the past 20 days. There's no such thing as a strong filter, no mitigation is going to catch every attack. The attacks that have been causing issues for #1 and #4 are small (500Mbps-1000Mbps) application layer attacks. (Targeting the arma3server process itself rather than trying to saturate the server's NIC.)

Likely because server #1 and #4 are the ones always getting DDoSed. Doing testing on those while someone keeps trying to take it down would result in confusion. (Kicks wouldn't be related to the performance patch, some people not able to connect while the volumetric protection is active, etc.)

If the above doesn't work can you PM me your IP. You may be stuck in one of the newer mitigation filters.