These are exact quotes from customers about issues they see while their server is being protected from a DDoS attack. Because we have typed out detailed explanations for these, or given the same answer more than once, we have collected them in this document so that you can be better informed and we don’t need to type them again. This helps us with support times and helps you stay informed.
FIRST! To understand this document and how our DDoS protection works, we suggest you read about our SSAI and how it protects from DDoS attacks.
"A clan member (or a few members) loses connection to my server but all other users are fine"
This is the most reported issue during a DDoS attack. Normally, when a server is not being attacked, we would say "Then that user is having internet connection issues" almost 100% of the time: if one person has an issue but no one else does, logic dictates it is something on their end. In this case, though, it is usually a product of both something on their end and the DDoS protection.
We have a sophisticated DDoS protection system that protects our users called the SSAI. It has many levels and is extremely smart. No other hosting provider has this strong of attack protection at our pricing level. That being said, while your server is under attack the protection needs to inspect every connection attempt to make sure it is safe; this keeps out smart attackers that are trying to find another way to bring down your server. As a result, it takes about a second longer to connect. Normally, for people who have a properly configured home computer, this isn’t a problem, which means 99% of our users don’t have a problem. There are a few that do have issues though.
These users are running into issues for 1 of 2 reasons:
1) They have something that is making a lot more connections than is normal: Usually these users are running "Internet Accelerators" that make dozens of connections for each one they make. For example, they click on one link and it opens 20 in an attempt to "speed things up." Running one of these makes the protection system think they are attacking. The extra connections can also come from normal programs, browsers or viruses. They may also be button mashing their connection attempts and just need to take a few moments and then try again. These users should try the following:
- Scan their computer for viruses
- Make sure no other program that they know about (bots, tools and other items) is making attempts to connect.
- Wait a good 30 seconds between connection tries.
2) Something is slowing down their connection times: This can be caused by literally thousands of things, and most of the time it is their router or computer sending bad packets, but it can also be firewalls or anti-virus software, or they may not have enough CPU power, memory or bandwidth. Their router may have any number of things misconfigured, a VPN may be running slowly ... on and on. There are so many possibilities that it isn't possible for us to list them all.
So how do you pinpoint the problem? You find the issue at the source. What does your user have that you don't? What setting on their computer or program that they use is different from what you use? What you use works, but on his end it doesn't. If you find out what is different you may find out what the issue is.
"Anytime my server has more than 5 players on it kicks anyone above that number and I pay for 15 players. I want this fixed"
This is a case of misjudged perception. Our Enterprise level DDoS protection is really smart. During a DDoS attack every packet that is sent to the server is inspected. If a person is spamming the server, then it blocks the extra connections. And if, say, 10 people are connecting to your server too quickly (just mashing that connect button) all at the exact same time, this can add up to a lot of packets very quickly, and the DDoS protection will think "Oh no, the attackers are probing this port now, better protect this for a few moments." So for about 10 seconds it stops any new connections.
So to people in the server it seems that no one else besides those already in there can connect, when in fact everyone just needs to cool their jets. Relax, stop your server from trying to auto-reconnect, count to 10 and try to connect again. You will most likely get in and stay in.
While some people have said "It doesn’t seem smart since it is blocking legitimate users", keep in mind that when this issue is taking place there are hundreds of thousands of virus infected computers trying to connect to your server, usually on your port (meaning you’re the target). A few more people spamming just like those 500,000+ zombie computers will end up being lumped in as "bad". If you’re chill, the DDoS protection will recognize that and let you connect.
"The Customized hostname stopped working!" (during a DDoS attack)
We are guessing you are getting the (Unable to resolve hostname) error when trying to connect. That error is not isolated to just the customized hostname; it is also linked with the default one that we give out. When a connection takes too long, (Unable to resolve hostname) is a common error. It doesn’t mean that it is a server issue; usually it is a user’s router or DNS issue, but if it happens during a DDoS attack it is probably exacerbated by the DDoS protection.
TeamSpeak allows for, let's say, 2 seconds to connect to your server before it gives a failed message of some sort.
- Connecting to the customized hostname: At most 0.05 seconds first time and 0.014 seconds after
- Connecting to the default hostname: At most 0.05 seconds first time and 0.014 seconds after
- Connecting to the server itself through DDoS protection: Completely depends on the router, type and frequency of packets.
The order that you will always connect is: Custom hostname > Default hostname > Server. The customized hostname points to the default and its port, and the default points to the server. During a DDoS attack this is how all users would be connecting: Custom hostname > Default hostname > DDoS Protection > Server.
The first time a user connects to the customized hostname, TeamSpeak looks up the record. Depending on the quality of their ISP's DNS resolvers, it can take anywhere between 0.014 seconds and 0.5 seconds maximum. That is why RARELY someone will get the error; it is their ISP, not the hostname or the server (the same thing happens on websites). If they try again a few seconds later, it has finished resolving and they are able to connect just fine. Their cache has then saved the connection and they never have an issue again, since the connection will be near instant (0.014 seconds).
Your issue connecting during an attack is almost 100% certainly that the users are trying to use the customized hostname with a shoddy ISP (most DSL providers, and even some cable providers), so the hostname resolving takes, let's say, the maximum of 0.5 seconds. They would get the error, but if they tried a few seconds later, even though the customized hostname is working, they would still need to get through the second layer and then the DDoS protection. If they have made 10 connection attempts in the past 5 seconds, then that equals quite a few packets from TeamSpeak alone. Our DDoS protection would delay and inspect every single packet, since it is a new connection and the user isn't "Trusted" yet. If they make too many attempts too quickly, they may be blocked for a few minutes to see if they are one of the zombie attackers in the DDoS. If they continue making more and more attempts, they will be continuously blocked, because there is no way to distinguish them from a zombie computer attacking. This would happen regardless of how they connect.
So in other words, what you are perceiving as a problem with the customized domain is just the really strong DDoS protection currently filtering all traffic on your server. Users that connect on the default information get in because they probably stopped trying for a few moments while you got them the information. There was no issue with the customized hostname; it was an issue with them flooding the server with connection attempts.
To get your users to connect on your customized hostname for the first time while a DDoS attack is taking place follow these steps:
1) Attempt to connect. It's very rare, but they might get an error; if they do, go to step 2.
2) Count to 5 slowly (1 mississippi 2 mississippi 3 mississippi 4 mississippi 5 mississippi)
3) Try to connect again, and they will probably connect.
If they have used the customized hostname in the past and it worked but now it doesn't, it simply means the DDoS protection is blocking them for a few seconds for sending in way too many connection attempts, even if they get a hostname failed error.
If they hit the connect button again and again, the connection will never get through and the user will be blocked by the DDoS protection temporarily for flooding the connection. I'm sure you have even had some reports of spammy users having trouble connecting during the attack even when not using the customized hostname.
Before you ask: no, connecting to the IP will not solve this; in fact it will make it worse, and when we change the IP it will be without warning. It also does not mean that you should connect just on the default information. The time it takes to connect on the customized hostname is so incredibly small it makes no difference.
So here is the bottom line. Either you can have a few button mashing users with a little inconvenience getting into the server, or the server wide disconnects of mass flooding from the DDoS. While some angry customers blindly say take off the DDoS protection, any level headed person says something along these lines: "That makes sense, I’d rather take a few more seconds connecting than have hours of downtime."
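The blocking behaviour described above (too many attempts too quickly get a source blocked, and retrying while blocked keeps the block going) can be seen in a small model. This is an added example, not the SSAI's own code: the class, the function names and all three thresholds are assumptions, and it models only whether the filter passes or drops each attempt.

```python
from collections import deque

# All three thresholds are assumptions for illustration, not the provider's settings.
WINDOW_S = 5.0      # look-back window (the text mentions "the past 5 seconds")
MAX_ATTEMPTS = 10   # attempts inside one window that trigger a block
BLOCK_S = 120.0     # stand-in for "blocked for a few minutes"


class SourceLimiter:
    """Toy per-source filter: sliding window plus a block that renews on retry."""

    def __init__(self):
        self.recent = deque()       # timestamps of attempts still inside the window
        self.blocked_until = 0.0

    def attempt(self, now):
        """Return True if the attempt at time `now` (seconds) is passed through."""
        if now < self.blocked_until:
            # Retrying while blocked looks like attack traffic, so the block renews.
            self.blocked_until = now + BLOCK_S
            return False
        while self.recent and now - self.recent[0] > WINDOW_S:
            self.recent.popleft()
        self.recent.append(now)
        if len(self.recent) >= MAX_ATTEMPTS:
            self.blocked_until = now + BLOCK_S
            self.recent.clear()
            return False
        return True


def replay(times):
    """Replay one source's attempt timestamps; return a list of (time, passed)."""
    limiter = SourceLimiter()
    return [(t, limiter.attempt(t)) for t in times]


def scenarios():
    """Constructed attempt timelines (seconds) for three kinds of user."""
    return {
        "masher": [i * 0.5 for i in range(1200)],            # every 0.5 s for 10 min
        "cooled_off": [i * 0.5 for i in range(20)] + [60.0, 200.0],
        "patient": [i * 30.0 for i in range(5)],             # waits 30 s between tries
    }


if __name__ == "__main__":
    for name, times in scenarios().items():
        results = replay(times)
        passed = sum(ok for _, ok in results)
        print(f"{name}: {passed}/{len(results)} passed, last passed={results[-1][1]}")
```

The button masher is never let back in for the rest of the ten minutes, while the user who stops and waits out the block gets through on the next try.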