I tried to reach you privately over the support email but I was directed to post here.
My TS3 server was DDoS'd last Friday with a SYN flood from apparently forged IPs. This lasted for roughly 8 hours and happened while I was away, so I couldn't do anything about it during the event.
Due to this my server is now flagged at https://www.abuseipdb.com/ with loads of reports from various sources, all having the common TS ports 9987 or 10011 as the source port. I also received one abuse report from my host, which they cleared on their side as coinciding with the attack; they emailed me and said no action is currently required.
I am now a bit worried that this could happen again and am thinking about alternative ways to remove public access to prevent this altogether, which is a bit of a pickle as we do have >100 people joining us on Fridays, so it has some logistical challenges.
Hello @kummitus and welcome to the TeamSpeak Forum.
Here are 2 solutions that may help you out:
If your budget allows it, have a different IP for every TeamSpeak 3 service (voice, file transfer, and query). While this isn't a major security improvement, it can greatly help if one IP is bogged down in traffic but the others remain working. It can also help you know which parts of your service attackers are targeting when looking at the logs.
Try to use ports other than the defaults for your servers. For example, changing the query port from the default 10011 to something like 22222 will cause a lot of people looking to exploit you to suddenly lose interest, because they have to do a lot more work to find the right place to point their tools and scripts.
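As an added illustration of the two suggestions in the reply above (this is not configuration from the original thread or shipped by TeamSpeak), here is a ts3server.ini fragment that binds each service to its own address and moves the query and file-transfer ports off their defaults. The addresses 192.0.2.10, 192.0.2.11 and 192.0.2.12 are placeholders from the documentation range, the ports 22222 and 22223 are assumed example values rather than recommendations, and the `;` lines are annotations for the reader that can be stripped if a server version rejects them.

```ini
; Added example, not from the original thread or from TeamSpeak.
; 192.0.2.x addresses are placeholders (documentation range);
; 22222 and 22223 are assumed example ports.

; --- default layout: every service on one address, on the well-known ports ---
; default_voice_port=9987
; voice_ip=0.0.0.0
; filetransfer_port=30033
; filetransfer_ip=0.0.0.0
; query_port=10011
; query_ip=0.0.0.0

; --- split layout: one address per service, non-default query/file-transfer ports ---
; Voice stays on 9987 so users can still connect with just the hostname.
default_voice_port=9987
voice_ip=192.0.2.10

; File transfer on its own address and a non-default port.
filetransfer_port=22223
filetransfer_ip=192.0.2.11

; ServerQuery (10011 in the abuse reports) on a third address and the
; non-default port suggested above.
query_port=22222
query_ip=192.0.2.12
```

With this layout, voice clients keep connecting to the hostname on the default port, while anything that talks to the query interface (bots, web panels, monitoring) has to be pointed at 192.0.2.12:22222, and per-service traffic and log entries can be told apart by destination address.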
So with a big community it's such a UX factor that the server runs on the default port, so utilizing defaults and getting people connected is a huge priority for us.
Also, so far this has been a unique instance of an attack like this, and luckily it has not happened again. As for changing ports, I am quite sure these public services do get crawled, and if there is any interest in these on the black market, such lists ought to be readily available.
But my main concern is not really that our service was down, but that it seems to have been used as a platform to stage an attack elsewhere. Actually, a number I did not check before is that this month's incoming traffic is 10 TB; the attack was at worst on the tune of a million hits a second, at least by what our provider reported to us.
Thus, if there is something in the server application itself that enables this, it would mean that someone somewhere has an interest in doing it again.