DDoS Prevention Guide - Leaguepedia - Competitive League of Legends Wiki

DDoS Prevention Guide


From Leaguepedia | League of Legends Wiki
Update (05.25.2013):
Skype has released a new version (6.5) that is still in beta. This is noteworthy because you can finally prevent users from retrieving your IP address. You will first need to download the beta here, and after you install it go into "Tools" -> "Options" -> "Connections", as seen in the screenshot. Check "Allow direct connections to your contacts only", which will prevent users who aren't in your contact list from making a direct connection to your PC, thus preventing them from obtaining your IP address.

Contents

1 Who Am I?
2 What is a DDoS?
3 How easy is it to DDoS?
4 First things first
5 Determining if you are being DDoS'd or not.
6 Who is targeting me and what can I do about it?
7 DDoS Solution Short Term
7.1 Problem
7.2 Pre-Solution
7.3 Solution
8 MAC Address Change (Solution 1)
9 MAC Address Change (Solution 2)
10 DDoS Prevention Setup
10.1 VPN
10.1.1 Dashboard
10.1.2 Server Selection
10.1.3 My Thoughts on Using a VPN
11 Skype Proxy (Best Solution - Combination of 2 & 3)
12 Skype Proxy (Solution 2)
13 Skype Proxy (Solution 3)
14 Closing

Who Am I?
I will start this guide by introducing myself and my credentials: My name is Matt "gamebox" Gunnin, President/CEO of Leaguepedia. I am a 27-year-old System Administrator for Rackspace Hosting. I have an Electrical Engineering degree with a specialization in Wireless Engineering. Working for a web hosting company, I deal with malicious activity on a daily basis, some of which involves DDoS attacks on an enterprise level. This can include hundreds of botnets sending millions of packets directed towards not one, but multiple endpoints. I am very confident in my abilities as a System Admin, and have a proven track record from both an infrastructure and a networking standpoint. You can find more about me on my LinkedIn profile if you are in need of more background info.
When I put together our recent Leaguepedia Invitational I, we experienced the DDoS bug just like every other recent tournament, but I'll talk more about this later. Please understand this guide isn't the end-all, be-all of DDoS prevention; for every person trying to prevent these attacks, there are ten more figuring out new ways to do the attacking. I do, however, feel that if you follow my advice, you will be 100 times less susceptible to denial of service and other attacks that could take down your internet connection and harm your computer.

What is a DDoS?
"A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer or network resource unavailable to its
intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person, or multiple
people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely."

How easy is it to DDoS?


To see how easy it is to DDoS, I will walk you through each step of the process... Just kidding. But in all honesty, it takes about 10 minutes of googling to figure out how. Now, the thing is anyone can DoS someone, which involves sending tens of thousands of tiny packets at a person's computer. The problem with a DoS attack is that it only comes from one location and can easily be blocked, or may not even be noticeable if the attacker doesn't know much about what they are doing. On the other hand, a Distributed Denial of Service attack will come from multiple locations. This makes the attack harder to block because the IPs of the attacker/s are from multiple subnets. Most routers will allow you to block a subnet range, but if that involves 100s of subnets (botnet), then you will more than likely end up blocking the IP of a person/application/website/etc. that was assigned to that subnet.
Most of the attacks that have been occurring around the League of Legends professional scene are more than just a script kiddie sitting in his grandmother's basement. For instance, during the Leaguepedia Invitational Nhat Nguyen and Aphromoo were both DDoS'd during their match with Team Dynamic. I immediately had them both call me while the game was paused, and once I was able to trace the source of both attacks, I quickly realized that Aphro's DDoS attack was of larger scale, coming from multiple botnets, while Nhat's was directed from 2 singular locations. The fast solution for both cases was an IP address change, since the attacks are pointed at a specific IP address and not a specific physical location. But can't the attacker just find your IP address again? Well yes, so I will cover this in more detail later, along with how to keep that from occurring.

First things first


What I am going to start with is how to stop a DDoS attack if you believe you are being hit by one. Now let me make one thing clear: if you are having lag, your internet is running slow periodically, or you are disconnecting from a match every once in a while and then being able to reconnect, the odds are that you aren't being DDoS'd. DDoS attacks do start slow with latency issues, and then they gradually get worse to a point where you are unable to access the internet whatsoever. You will begin to connect and reconnect to Skype until you are unable to connect any longer. Remember that what you are being hit with is a large number of internet packets one at a time at a very fast pace. Just imagine jellybeans being thrown at you one at a time: it starts with 1 jellybean being thrown over and over, and then 2, and then 3, and so on and so on until you either have to eat all the jellybeans or you explode.
First and foremost we want to find out what our IP address is. The easiest way to do this is to go to www.whatismyip.us and write this number down. This will display your external IP address; if you attempted to pull up your IP address directly from the command prompt, you would see the address your router assigned to you rather than your external one, since you are going through your router, as seen below.

Determining if you are being DDoS'd or not.


If you begin experiencing a DDoS attack (say during a big name tournament like the Leaguepedia.com Invitational), then the first thing you should do is make sure you are actually being DDoS'd. We have a few options to go about doing so and I highly recommend doing each.

First, we open a command prompt:

Next we will attempt to ping the outside world. We will use Reddit.com as our example.

Note: You can add the -n option to specify how many ping requests you would like to make. The default is 4. You can instead use -t, which will ping the destination until you stop it by pressing Ctrl + C.
The two main things we are concerned with here are the number next to time= and the percentage of packet loss, which is displayed below Ping statistics. The time column is the amount of time it takes for a packet that is 32 bytes in size to travel from your computer to Reddit's servers and then back to your computer. This is also known around the League of Legends community as your latency and is a number I'm sure most of you are pretty familiar with. In the beginning stages of a DoS attack this number will increase periodically (40ms to 800ms) and will eventually respond with Request timed out. So if you believe you are being DDoS'd, the first thing to do is open a command prompt and ping a reliable website that you know is online (Reddit, Google, etc). Remember that most amateur DDoS attacks take time to build up steam, so you can usually catch the less sophisticated attacks before they take you completely offline. Just because you start lagging in-game or your internet goes offline momentarily doesn't necessarily indicate you are being targeted.
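The ping reading described above can be automated. The following is an added example, not part of the original guide: it parses Windows ping output and separates a latency ramp that ends in timeouts from an isolated blip. The sample capture, the host name `example.test` and the `ramp_factor` and `tail` thresholds are assumptions chosen for illustration.

```python
import re
from statistics import median

# Constructed sample of Windows ping output; host name and address are placeholders.
SAMPLE_PING = """\
Pinging example.test [198.51.100.10] with 32 bytes of data:
Reply from 198.51.100.10: bytes=32 time=41ms TTL=54
Reply from 198.51.100.10: bytes=32 time=39ms TTL=54
Reply from 198.51.100.10: bytes=32 time=44ms TTL=54
Reply from 198.51.100.10: bytes=32 time=120ms TTL=54
Reply from 198.51.100.10: bytes=32 time=310ms TTL=54
Reply from 198.51.100.10: bytes=32 time=655ms TTL=54
Reply from 198.51.100.10: bytes=32 time=802ms TTL=54
Request timed out.
Reply from 198.51.100.10: bytes=32 time=790ms TTL=54
Request timed out.
Request timed out.
Request timed out.
"""

RTT = re.compile(r"time[=<](\d+)ms")


def parse_ping(text):
    """Return one entry per probe: round-trip time in ms, or None if it was lost."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        match = RTT.search(line)
        if line.startswith("Reply from") and match:
            probes.append(int(match.group(1)))
        elif line.startswith("Request timed out") or "unreachable" in line.lower():
            probes.append(None)
    return probes


def assess(probes, ramp_factor=5.0, tail=3):
    """Flag latency that climbs sharply and then ends in consecutive timeouts.

    ramp_factor and tail are illustrative thresholds, not values from the guide.
    """
    rtts = [p for p in probes if p is not None]
    loss_pct = round(100.0 * (len(probes) - len(rtts)) / len(probes), 1) if probes else 0.0
    half = len(rtts) // 2
    early = median(rtts[:half]) if half else None
    late = median(rtts[half:]) if half else None
    ramping = half > 0 and late >= ramp_factor * max(early, 1)
    trailing = 0  # consecutive lost probes at the end of the capture
    for p in reversed(probes):
        if p is not None:
            break
        trailing += 1
    if ramping and trailing >= tail:
        verdict = "latency ramp ending in timeouts"
    elif loss_pct == 0 and not ramping:
        verdict = "normal"
    else:
        verdict = "intermittent, keep watching"
    return {"loss_pct": loss_pct, "early_ms": early, "late_ms": late,
            "trailing_timeouts": trailing, "verdict": verdict}


if __name__ == "__main__":
    print(assess(parse_ping(SAMPLE_PING)))
```

Save the output of `ping -t` to a file and pass its contents to `parse_ping` to run the same check on a real capture.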
NETSTAT
Netstat is more than likely the best tool you will have at your disposal. You can also run it from the command line, and it will most likely give you a much clearer picture as to what is going on. Once you are at the command line as demonstrated above, type netstat -ano, which will display all your current TCP/IP connections. You are looking for a large bulk of connections coming from the same IP address. You will also want to look at the STATE that each connection is in. Watch for a bunch of SYN_RECEIVED entries, which means the connection has sent a request and is staying open waiting for an acknowledgement.
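The netstat check described above can be done by script instead of by eye. The following is an added example, not part of the original guide: it parses `netstat -ano` output, counts TCP connections per remote address and tallies SYN_RECEIVED entries. The sample output and the threshold of 50 are assumptions, and the addresses are documentation ranges.

```python
from collections import Counter

# Constructed sample of `netstat -ano` output; all addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    192.168.1.20:49712     198.51.100.7:443       ESTABLISHED     5120
  TCP    192.168.1.20:49713     198.51.100.7:443       ESTABLISHED     5120
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1812
  TCP    192.168.1.20:5000      203.0.113.80:51000     SYN_RECEIVED    4
  TCP    192.168.1.20:5000      203.0.113.80:51001     SYN_RECEIVED    4
""" + "".join(
    f"  TCP    192.168.1.20:5000      203.0.113.77:{40000 + i}     SYN_RECEIVED    4\n"
    for i in range(60)
)


def split_endpoint(endpoint):
    """Split 'host:port', '[IPv6]:port' or '*:*' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Turn netstat -ano rows into dicts, skipping the banner and header lines."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column, so they carry four fields instead of five.
        state = f[3] if f[0] == "TCP" and len(f) >= 5 else ""
        remote, _ = split_endpoint(f[2])
        pid = int(f[-1]) if f[-1].isdigit() else None
        conns.append({"proto": f[0], "local": f[1], "remote": remote,
                      "state": state, "pid": pid})
    return conns


def summarise(conns, threshold=50):
    """Count TCP connections per remote address and tally SYN_RECEIVED entries.

    threshold is an illustrative cut-off for "a large bulk", not a value from the guide.
    """
    per_remote, half_open = Counter(), Counter()
    for c in conns:
        if c["proto"] != "TCP" or c["state"] == "LISTENING":
            continue
        per_remote[c["remote"]] += 1
        if c["state"] == "SYN_RECEIVED":
            half_open[c["remote"]] += 1
    repeated = {ip: n for ip, n in per_remote.items() if n >= threshold}
    half_open_total = sum(half_open.values())
    if repeated:
        pattern = "single-source"   # one address shown over and over
    elif half_open_total >= threshold:
        pattern = "distributed"     # many addresses, each seen only a few times
    else:
        pattern = "none"
    return {"repeated": repeated, "half_open_total": half_open_total,
            "half_open_sources": len(half_open), "pattern": pattern,
            "top": per_remote.most_common(3)}


if __name__ == "__main__":
    print(summarise(parse_netstat(SAMPLE_NETSTAT)))
```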

Who is targeting me and what can I do about it?

Most attacks that have occurred recently were done via botnets that are spread out amongst hundreds if not thousands of IP addresses. This is where the Distributed part of DDoS comes into play. However, if you are instead being hit by some teenager who just found a new tool on the internet that he believes makes him a l33t h4x0r, so to show off his new skills he finds out your IP address, plugs it into the program and clicks the start button, he is instead performing a DoS attack. If you are so lucky (or unlucky) that this is the case, he more than likely hasn't spoofed or blocked his IP. To find out where the DoS attack is coming from, you can run the program TCPView (which I included in the download packet). What TCPView does is display all the current connections (endpoints) on your computer. It will be very clear where the attack is coming from once you open the program, but to give you a hint, it will be the connection that is shown 100s of times. From there you can do what you please since you now have his IP address. If you want to go the legal route, then you can plug his IP into www.whois.sc, find out who his ISP is and get in touch with them; they will usually be pretty helpful once you tell them the situation.

DDoS Solution Short Term


Problem
So you are positive that you are being hit by a Distributed DoS attack and you are completely disconnected from the internet. You can't ping any websites, all your applications are offline, and all of this is happening while you are 35 minutes into game 3 of the Leaguepedia Invitational 2 Finals. Your team has activated the pause feature for the match, but you don't have long, so you need to act quickly. What do?

Pre-Solution
What is the most important ingredient that an attacker needs so they can perform a Distributed Denial of Service on someone? An Internet Protocol address. Whenever you log into your PC and connect to the internet, you are sending a request to your Internet Service Provider (ISP) asking them to open a connection via their pipeline to the web. Once your ISP accepts the request, it assigns you an IP address that will now be your identifier whenever you sign online. IP addresses are assigned to ISPs via subnet blocks. To simplify it, your ISP is essentially given a large handful of numbers that can be assigned to their customers, with each one being unique. I won't go into any further detail, but the point I want to make clear is that every internet connection (no matter where) has an address that it is assigned, and that is how devices communicate with one another. So if you want to stop communication from occurring, you can't just block the attack, because it is coming from hundreds of separate locations. The best short term solution is to change your IP address, since the DDoS attacks are directed at your IP and nothing else.

Solution
Please understand that some of these steps (3 & 4) are outdated and will more than likely not work.
They are included, however, as a precursor for some of the sections later on in the guide.
I am going to list the different ways to possibly change your IP. Start from the top and work your way down if the previous solution didn't work.
Note: There are two different ways that your ISP can provide you an IP, dynamically and statically. Dynamic IP addressing involves your ISP assigning you a different IP each time you log on to the ISP's network. This doesn't necessarily mean your ISP will change your IP each and every time you restart your computer, as it is solely dependent on when they deem it necessary. A dynamic IP address will be shared with other customers and will jump around as to who receives what IP. A static IP is exactly what it sounds like, static and never changing. Static IP addressing is much less secure since you are provided an IP that never changes. ISPs nowadays only provide static IPs to their customers due to it being cost effective compared to dynamic addressing. I highly suggest calling your ISP and finding out 1) what type of addressing you have and 2) if you are static, whether there is any possibility of being changed to dynamic.
1. Unplug your cable/DSL modem as well as your router (for good measure) and wait 60-120 seconds. Plug back in and check www.whatismyip.com to see if you were assigned a new IP.
   Some ISPs put a TTL (Time to Live) on your IP for 8 to 24 hours, so if you are under no time constraint then this can be attempted.
2. Call your ISP and tell them that you are being DDoS'd and that you need a new IP. Whether they will or not depends on who you get on the phone, as well as on your ISP. I haven't heard of many people having issues, however.
3. Open a command prompt (Start -> Run -> cmd)
   Release (This will disconnect you from the internet)

   Renew
4. Open a command prompt
   You are looking for the default gateway:
   Type your default gateway into your internet browser to bring up your router's admin page. You will need to google the type of router you have for the username/password. Some common ones are root/password, admin/password, password/password, admin/admin.
   Once you get in you can attempt to Release/Renew your IP here. Here is a screenshot of my router's configuration page.

5. If the above doesn't work, then your next step is attempting to clone your MAC address. This can be done here and is as simple as pressing the "Clone My PC's MAC Address" button. You can only clone your MAC address once, but it should change your IP. This page will look like the following:

Note: The MAC Address boxes will have letters and numbers. I blurred them out for security reasons.

MAC Address Change (Solution 1)


1. Go into your Control Panel and pull up Network Connections

2. Right click your Network Adapter > Properties > Configure

3. Next you will want to click on the 'Advanced' tab and scroll down to 'Network Address'. The MAC address consists of 6 pairs of numbers (0 - 9) and characters
(A - F) in combination. For example 22-19-A2-C5-3D-65. Remember however that when entering this value in the 'Network Address' field that you want to omit
the dash (-), for example 8817E890E20A.

MAC Address Change (Solution 2)

1. If you are still unable to get a new IP address, then you can try going into your registry settings and changing the MAC address of your Network Interface Card (NIC).
You will first want to find out what type of NIC you have. Go to Control Panel -> Network and Internet -> Network Connections, find the connection that is enabled and connected, right click it and select Properties. You will then see the following, which will tell you what type of NIC you are using.

As you can see here, I am using an Intel(R) 82579V Gigabit Adapter.


Next you want to go to your registry editor
Start -> Run -> regedit

From inside the registry editor you will navigate to:

Under this key, you should see numbers in sequence as 0000, 0001 and so on. Click on one at a time to check the description of the device and match it with that of your network card. I found my NIC all the way down at 0022.

Once found, in the right pane, look for the NetworkAddress key value. If you find it, right-click and select Modify. Enter the desired MAC address as a 12 digit number (all in one, no space, . or -). Note that you can enter any arbitrary MAC address as long as it is hexadecimal (a 12 digit string containing numbers 0-9 and letters A-F).
If you don't find the key, right-click in the right pane and select New -> String Value. Enter the name as NetworkAddress. Now modify and set the desired value.

Now, disable and enable the network card from Control Panel -> Network Connections.

This should reflect the new MAC-Address on your NIC. Should you choose to go back to the original manufacturer set MAC-Address simply delete
the key you just created/modified in the Windows Registry.
After changing the MAC through the registry, start back at the first step and reattempt restarting the modem, etc.

DDoS Prevention Setup


This part of the guide will entail the actual prevention aspect and what to do to keep a DDoS attack from occurring. I am not going to try and explain the technical
aspect of the VPN I am suggesting at this moment since I am trying to get this guide out as soon as possible. You will just need to trust me when I say that this VPN is
your best option and provides the best of everything.

VPN
From what I have read in terms of reviews and ratings, HideMyAss is far and beyond the best VPN on the market. However, at the time of writing this guide I hadn't tried their service, and the only way to really know if this VPN would be suitable for LoL's professional scene was to buy the product myself.
Dashboard

Server Selection

They have a huge list of available servers that are categorized according to geographical distance from you.

My first attempt at connecting to a server prompted me with this:

This is a pretty big deal since they classify their servers as being overloaded at 30%.
Once I made a successful VPN connection, here is the new dashboard that is displayed. Some important things to note are how you are able to make quick location changes and IP changes, as well as schedule an IP change.

So far, so good. The next thing I wanted to check out was how my latency was in-game.

Not Connected to VPN

Connected to VPN

There was absolutely no change with my ping. I tested with other servers, and on a few of them I had some jumping around between 70ms - 100ms, but for most servers it would stay pretty steady. This was also done while I had two streams running.
Now for the speedtest through Speedtest.net.

Not Connected to VPN

Connected to VPN

The first thing you notice is the decrease in download speed. I have 50/5 here through Time Warner, but if you were on a 10/5 plan through your ISP then you wouldn't see much, if any, noticeable difference. They guarantee certain speeds through their servers, which is a higher speed than what most of you have at home. The ping is slightly higher, but nothing of much concern either, and it varies according to server location.
My Thoughts on Using a VPN
My honest opinion is that if you are serious about completely protecting yourself from being DDoS'd ever again and don't want to be forced into forfeiting a match during a $5k+ event, then purchasing a VPN is the way to go. It will easily pay for itself after one tournament. And recently, a good number of the pros haven't been able to play a full tournament all the way through without being targeted. What's good about HideMyAss is that you are able to make quick and fast connections to and from the VPN. So what I would do is set up the VPN and then get a new IP address via your ISP through the methods I mentioned earlier in this guide. This way, if you are hesitant to use the VPN due to any performance problems there may be, you could turn it off while in-game, and since you are proxied through Skype, you would be good to go.
Their FAQ will answer most of your questions and you can sign up for an account here. -- I just created this affiliate account a few minutes ago, as I figured that the League of Legends community should get something in return if we send them a handful of new accounts. So if you do decide to use HideMyAss, please go through the affiliate links. I will post updates of the figures for the entire community to see, and then at a certain point I will use those funds to do some sort of giveaway, tournament, you name it.

Skype Proxy (Best Solution - Combination of 2 & 3)

Step 1: Go to http://hidemyass.com/proxy-list/ , then match your settings to this -- Step 1 Screenshot


This should list the fastest proxies for the US. Obviously, substitute the country for another if you are not residing in the US (or if you wish to use a proxy in another country for whatever reason).

Step 2: Pick a server, generally you want to go with the one at the top since it's the fastest -- Step 2 Screenshot
The top three should give you a good fallback if the very top one becomes overloaded.
Note: Skype does not typically USE the proxy you set unless it's blocked from a direct connection; however, you can FORCE it to use the proxy via registry settings. That's what we're about to do.

Step 3: Input the proxy information here


This configurator will generate a registry file for you to merge into your Windows registry. It's entirely safe, and in the event that you wish to remove your proxy (you can't remove it through Skype itself), it also provides a key that will automagically remove your proxy settings.
By default, there are no registry settings, which equates to the first option, "empty string = unset": Skype will attempt a direct connection, and if it fails it will use the proxy set in the Advanced Connection settings to connect. If you know what you're doing, you can set it to Automatic so Skype will use the system's proxy settings (Internet Explorer's proxy settings), but for this guide we're going to be forcing it to use an HTTPS proxy.
Obviously, substitute HTTPS for SOCKS5 if you are lucky enough to get a GOOD SOCKS5 proxy.
As seen in the previous image, Skype will still try to direct connect over UDP even while proxying TCP over HTTPS. This is a HUGE problem since it effectively renders your proxy useless. However, we can fix that by forcing Skype to disable its usage of UDP. This will impact voice and video quality a bit, but overall it's not a huge problem and being safe is more important. I'd also like to reiterate that SOCKS5 proxies do not have this problem; they support both TCP and UDP through the proxy. If you can find a good one, you're very lucky or you're paying for it.

Step 4: Put your selected proxy's IP and port in the appropriate boxes
And click save. It will prompt you to save the file, so save it somewhere you can find it.

Step 5: Go find the file, and either right click -> Merge... Or just double click on it

Step 6: It will tell you that you shouldn't add information from sources you don't trust
Click Yes

Finished: It will merge the values into your registry, now RESTART YOUR COMPUTER and you should be protected!
You can then verify that the proxy settings are saved into Skype by going to "Tools" -> "Options" -> "Advanced" -> "Connections" and checking that the IP listed is the same one you picked as your proxy.

Information taken from http://imgur.com/a/NpFdW

Skype Proxy (Solution 2)

In Skype, Go to Tools -> Options -> Advanced -> Connection

Check the box that says "Use port 80 and 443 as alternatives for incoming connections"

Click this drop-down and change it to "SOCKS5"

Go to http://www.xroxy.com/proxy-country.htm
Select the country in which you reside, pick any SOCKS5 IP address from the list and enter it as the host.
Note: What you are doing is running Skype via a proxy. As long as you pick an IP that is in the same country in which you reside, you shouldn't see much, if any, degradation in call quality. If you do, just select a new IP until you find the best setup.

Skype Proxy (Solution 3)

Open notepad and paste the following (substituting the proxy information with your proxy server)

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype\Phone]
"DisableSupernode"=dword:00000001
"ProxySetting"="HTTPS"
"ProxyAddress"="x.x.x.x:yyyy"
"ProxyUsername"="username"
"ProxyPassword"="password"
Save the file as a .reg (Example: skype.reg) and then double click on it and confirm.
Thank you to MarkyOchoa from Reddit for this setup.

Closing
I'm still working on improving this guide but just haven't had the time. I have some videos that will go into more detail on what exactly a botnet is, how they are started, and why they were created in the first place. League of Legends is in a very delicate state professionally right now, and all of you pros out there need to put all of your efforts towards growing the e-sports scene worldwide, but instead you have all had to deal with the recent DDoS attacks. I plan on removing that burden from each and every team associated with the professional scene of League of Legends and would be more than happy to sit down with each of you and get you to where you need to be from a technical point of view, so you are no longer hindered from pursuing what's most important. If you would like to talk, please feel free to email me or follow me or Leaguepedia on Twitter.

Retrieved from "http://leaguepedia.com/index.php?title=DDoS_Prevention_Guide&oldid=476300"


This page was last modified on 25 May 2013, at 19:39.


Content is available under Creative Commons Attribution Share Alike.
2006-2013 Curse, Inc.
League of Legends content and materials are trademarks and copyrights of Riot Games Inc. or its licensors. All rights reserved. This site is a part of Curse, Inc. and is not affiliated with Riot Games Inc.
