Does this look like a DDoS attack?

Been running Minecraft servers for over 2 years and have never seen something like this. I was getting the same thing on my bukkit and spigot server with multiple 'lost connections' in the console.

I started up a vanilla server for a few minutes so I could get a clean log of the lost connection with their timestamps. Does this look like a DDoS ?

Server was running for 3 minutes.

Code:

2013-04-03 19:44:23 [INFO] Starting minecraft server version 1.5.1
2013-04-03 19:44:23 [INFO] Loading properties
2013-04-03 19:44:23 [WARNING] server.properties does not exist
2013-04-03 19:44:23 [INFO] Generating new properties file
2013-04-03 19:44:25 [INFO] Default game type: SURVIVAL
2013-04-03 19:44:25 [INFO] Generating keypair
2013-04-03 19:44:25 [INFO] Starting Minecraft server on *:25565
2013-04-03 19:44:25 [WARNING] Failed to load operators list: java.io.FileNotFoundException: ./ops.txt (No such file or directory)
2013-04-03 19:44:25 [WARNING] Failed to load white-list: java.io.FileNotFoundException: ./white-list.txt (No such file or directory)
2013-04-03 19:44:25 [INFO] Preparing level "world"
2013-04-03 19:44:26 [INFO] Preparing start region for level 0
2013-04-03 19:44:27 [INFO] Preparing spawn area: 17%
2013-04-03 19:44:28 [INFO] Preparing spawn area: 41%
2013-04-03 19:44:29 [INFO] Preparing spawn area: 63%
2013-04-03 19:44:30 [INFO] Preparing spawn area: 88%
2013-04-03 19:44:30 [INFO] Done (5.345s)! For help, type "help" or "?"
2013-04-03 19:44:31 [INFO] /94.225.102.114:50223 lost connection
2013-04-03 19:44:31 [INFO] /94.225.102.114:50219 lost connection
2013-04-03 19:44:31 [INFO] /109.252.23.135:53339 lost connection
2013-04-03 19:44:31 [INFO] /86.11.244.11:50131 lost connection
2013-04-03 19:44:31 [INFO] /94.225.102.114:50225 lost connection
2013-04-03 19:44:31 [INFO] /71.119.63.62:50797 lost connection
2013-04-03 19:44:31 [INFO] /99.26.122.44:54129 lost connection
2013-04-03 19:44:33 [INFO] RossLovesCats[/92.17.57.139:53386] logged in with entity id 291 at (-230.5, 71.0, 261.5)
2013-04-03 19:44:39 [INFO] ben37940[/86.11.244.11:50174] logged in with entity id 2421 at (-245.5, 72.0, 245.5)
2013-04-03 19:44:44 [INFO] <ben37940> ???
2013-04-03 19:44:48 [INFO] /166.87.160.219:49206 lost connection
2013-04-03 19:44:49 [INFO] <ben37940> aww
2013-04-03 19:44:50 [INFO] /92.4.214.80:54023 lost connection
2013-04-03 19:44:51 [INFO] /5.82.81.161:58924 lost connection
2013-04-03 19:44:56 [INFO] <ben37940> :(
2013-04-03 19:44:56 [INFO] /93.202.85.188:3186 lost connection
2013-04-03 19:44:56 [INFO] /91.22.109.93:59062 lost connection
2013-04-03 19:44:57 [INFO] /93.202.85.188:3187 lost connection
2013-04-03 19:44:59 [INFO] biekongen[/84.212.197.109:46405] logged in with entity id 6327 at (-232.5, 84.0, 257.5)
2013-04-03 19:44:59 [INFO] LadiesMan415[/109.252.23.135:53340] logged in with entity id 6365 at (-245.5, 72.0, 245.5)
2013-04-03 19:44:59 [INFO] /87.248.24.142:63483 lost connection
2013-04-03 19:44:59 [INFO] /87.248.24.142:63044 lost connection
2013-04-03 19:45:04 [INFO] Unknown command. Try /help for a list of commands.
2013-04-03 19:45:08 [INFO] <biekongen> hey?
2013-04-03 19:45:12 [INFO] /85.23.40.154:61834 lost connection
2013-04-03 19:45:13 [INFO] ben37940 was slain by RossLovesCats
2013-04-03 19:45:15 [INFO] /199.7.156.130:46119 lost connection
2013-04-03 19:45:21 [INFO] /96.225.159.77:58050 lost connection
2013-04-03 19:45:22 [INFO] /37.47.171.250:57253 lost connection
2013-04-03 19:45:23 [INFO] /108.80.188.117:52193 lost connection
2013-04-03 19:45:24 [INFO] Coolconor98[/86.40.215.3:57141] logged in with entity id 6725 at (-242.5, 83.0, 250.5)
2013-04-03 19:45:29 [INFO] /108.3.215.163:31445 lost connection
2013-04-03 19:45:29 [WARNING] Can't keep up! Did the system time change, or is the server overloaded?
2013-04-03 19:45:29 [INFO] /108.3.215.163:31119 lost connection
2013-04-03 19:45:29 [INFO] /80.167.178.80:52249 lost connection
2013-04-03 19:45:30 [INFO] <biekongen> good to know....
2013-04-03 19:45:36 [INFO] <biekongen> hi
2013-04-03 19:45:37 [INFO] /87.154.114.109:50928 lost connection
2013-04-03 19:45:38 [INFO] /37.24.149.43:12508 lost connection
2013-04-03 19:45:39 [INFO] /5.71.29.235:54484 lost connection
2013-04-03 19:45:41 [INFO] /88.217.24.84:62022 lost connection
2013-04-03 19:45:42 [INFO] <Coolconor98> Where am I?
2013-04-03 19:45:43 [INFO] <ben37940> lol
2013-04-03 19:45:44 [INFO] /5.71.29.235:54541 lost connection
2013-04-03 19:45:44 [INFO] /5.71.29.235:54980 lost connection
2013-04-03 19:45:51 [INFO] /37.24.157.128:37524 lost connection
2013-04-03 19:45:55 [INFO] <biekongen> ross kill
2013-04-03 19:45:56 [INFO] <biekongen> me
2013-04-03 19:45:59 [WARNING] Can't keep up! Did the system time change, or is the server overloaded?
2013-04-03 19:45:59 [INFO] Disconnecting /87.154.114.109:50486: Took too long to log in
2013-04-03 19:46:00 [INFO] /71.170.237.83:53455 lost connection
2013-04-03 19:46:05 [INFO] <ben37940> you have nothing anyway
2013-04-03 19:46:07 [INFO] /95.88.242.1:57247 lost connection
2013-04-03 19:46:09 [INFO] biekongen was doomed to fall by RossLovesCats
2013-04-03 19:46:14 [INFO] /79.85.212.180:53638 lost connection
2013-04-03 19:46:14 [INFO] /24.196.141.154:56547 lost connection
2013-04-03 19:46:17 [INFO] <biekongen> HELP
2013-04-03 19:46:22 [INFO] /82.241.216.1:54565 lost connection
2013-04-03 19:46:24 [INFO] /92.247.207.101:64289 lost connection
2013-04-03 19:46:24 [INFO] <biekongen> ross killed me
2013-04-03 19:46:25 [INFO] /82.241.216.1:54981 lost connection
2013-04-03 19:46:26 [INFO] /174.0.34.73:56217 lost connection
2013-04-03 19:46:26 [INFO] /91.97.78.240:61241 lost connection
2013-04-03 19:46:31 [INFO] /67.43.7.19:58837 lost connection
2013-04-03 19:46:32 [INFO] /188.246.111.65:62901 lost connection
2013-04-03 19:46:34 [INFO] /109.189.75.119:54645 lost connection
2013-04-03 19:46:36 [INFO] <ben37940> he kills everyone
2013-04-03 19:46:38 [INFO] /82.241.216.1:54623 lost connection
2013-04-03 19:46:38 [INFO] /174.0.34.73:56392 lost connection
2013-04-03 19:46:39 [INFO] /174.0.34.73:56602 lost connection
2013-04-03 19:46:42 [INFO] /212.191.132.42:14310 lost connection
2013-04-03 19:46:43 [INFO] <ben37940> get used to it
2013-04-03 19:46:43 [INFO] RossLovesCats was slain by LadiesMan415
2013-04-03 19:46:45 [INFO] <biekongen> team?
2013-04-03 19:46:46 [INFO] /46.129.74.95:6087 lost connection
2013-04-03 19:46:47 [INFO] /85.51.178.93:62668 lost connection
2013-04-03 19:46:48 [INFO] /85.51.178.93:62669 lost connection
2013-04-03 19:46:49 [INFO] <Coolconor98> I killed him once.
2013-04-03 19:46:51 [INFO] <LadiesMan415> yeah!!
2013-04-03 19:46:53 [INFO] <biekongen> what should our team be named!
2013-04-03 19:46:56 [INFO] /68.33.203.76:63773 lost connection
2013-04-03 19:46:56 [INFO] /68.33.203.76:64006 lost connection
2013-04-03 19:47:03 [INFO] <biekongen> i make a treehouse
2013-04-03 19:47:10 [INFO] robertlewis5633[/24.5.220.232:49434] logged in with entity id 8643 at (-234.5, 73.0, 250.5)
2013-04-03 19:47:14 [INFO] <RossLovesCats> biekongen Yo8 noobs this isnt the perm map
2013-04-03 19:47:17 [INFO] /109.189.75.119:55099 lost connection
2013-04-03 19:47:18 [INFO] /173.252.45.203:58614 lost connection
2013-04-03 19:47:20 [INFO] <LadiesMan415> hi robert
2013-04-03 19:47:20 [INFO] <biekongen> i know
2013-04-03 19:47:21 [INFO] /173.252.45.203:59052 lost connection
2013-04-03 19:47:22 [INFO] /83.23.165.118:59141 lost connection
2013-04-03 19:47:25 [INFO] <robertlewis5633> hi
2013-04-03 19:47:27 [INFO] <biekongen> i miss the boat river
2013-04-03 19:47:28 [INFO] /91.19.154.133:57364 lost connection
2013-04-03 19:47:30 [INFO] /88.64.26.132:11754 lost connection
2013-04-03 19:47:30 [INFO] <RossLovesCats> biekongen Your a double noob becasue you had nothing xD
2013-04-03 19:47:30 [INFO] nonam01[/85.227.204.72:62533] logged in with entity id 8801 at (-247.5, 79.0, 261.5)
2013-04-03 19:47:31 [INFO] <biekongen> long time ago...
2013-04-03 19:47:32 [INFO] /83.163.184.234:49232 lost connection
2013-04-03 19:47:34 [INFO] /83.163.184.234:49561 lost connection
2013-04-03 19:47:34 [INFO] <Coolconor98> Thanks.
2013-04-03 19:47:35 [INFO] /83.163.184.234:64510 lost connection
2013-04-03 19:47:40 [INFO] <biekongen> yea realy
2013-04-03 19:47:41 [INFO] Disconnecting /37.105.138.100:53111: Took too long to log in
2013-04-03 19:47:44 [INFO] <Coolconor98> Is the server restarted forever?
2013-04-03 19:47:51 [INFO] Stopping server
2013-04-03 19:47:51 [INFO] Saving players

 

DDOS attacks do not spam a console. So no, it's not an attack.

 

When I restart my server, people who were trying to login while it was down will sometimes show like that in console. So could be people taking too long to connect for various reasons.

 

This is not a Ddos attack you are fine, This is the result of people who have added your server to their servers list and have gone to multiplayer were all their servers are pinged to see what servers are online.
After its pinged it says to your console Lost connection
There is nothing wrong there are just people who have added your server on their multiplayer list and are refreshing the list. You are fine.

 

Wouldn't be a DDoS attack. Sounds like somebody is trying to join with an older client (Not sure, but I've had a similar problem in the past), or your network/server is just struggling.

 

If it's a ddos attack, you won't even get to see your console. What you're trying to explain is called a "bot" attack, it's common for offline mode servers.

 

That's what I meant yes. Getting sleepy @ 2:19am

 

Hm DDoS attack or not, would anybody have any tips on how to circumvent this short of changing the server IP/hostname?
I'm not sure if it's causing any performance issues with the server but it can't be doing any good.


A more recent log after 7 hours of uptime

Just to clarify it's not an offline server

Code:

2013-04-04 22:58:25 [INFO] /188.51.24.212:64239 lost connection
2013-04-04 22:58:26 [INFO] /188.51.24.212:64467 lost connection
2013-04-04 22:58:26 [INFO] /188.51.24.212:63522 lost connection
2013-04-04 22:58:32 [INFO] /89.245.21.118:49835 lost connection
2013-04-04 22:58:34 [INFO] /186.106.22.117:54089 lost connection
2013-04-04 22:58:35 [INFO] Disconnecting /173.65.76.187:1357: Took too long to log in
2013-04-04 22:58:38 [INFO] /76.164.114.239:52415 lost connection
2013-04-04 22:58:38 [INFO] /81.17.27.234:62999 lost connection
2013-04-04 22:58:40 [INFO] /81.17.27.234:63497 lost connection
2013-04-04 22:58:41 [INFO] Disconnecting /71.90.140.118:57070: Took too long to log in
2013-04-04 22:58:42 [INFO] /75.161.175.30:52246 lost connection
2013-04-04 22:58:44 [INFO] /88.76.151.101:58372 lost connection
2013-04-04 22:58:45 [INFO] /124.184.243.107:57775 lost connection
2013-04-04 22:58:45 [INFO] ^[[0;37;1m^[[m<^[[0;33;22mkewldood1000^[[m^[[0;37;1m>^[[0;37;1m Selling slendermans head msg me^[[m
2013-04-04 22:58:48 [INFO] /199.119.209.249:49448 lost connection
2013-04-04 22:58:52 [INFO] /75.161.175.30:53054 lost connection
2013-04-04 22:58:52 [INFO] /75.161.175.30:52486 lost connection
2013-04-04 22:58:53 [INFO] /24.151.106.105:50421 lost connection
2013-04-04 22:58:55 [INFO] JREDD16 lost connection: disconnect.genericReason
2013-04-04 22:59:05 [INFO] /82.47.57.47:60135 lost connection
2013-04-04 22:59:15 [INFO] /98.127.240.20:59589 lost connection
2013-04-04 22:59:16 [INFO] /98.127.240.20:59590 lost connection
2013-04-04 22:59:16 [INFO] /98.127.240.20:59591 lost connection
2013-04-04 22:59:24 [INFO] malachi32 [/82.46.244.110:50687] lost connection
2013-04-04 22:59:33 [INFO] /89.245.21.118:50352 lost connection
2013-04-04 22:59:38 [INFO] /142.3.87.179:50174 lost connection
2013-04-04 22:59:38 [INFO] /176.9.111.125:33923 lost connection
2013-04-04 22:59:39 [INFO] /186.106.22.117:54533 lost connection
2013-04-04 22:59:42 [INFO] /184.5.62.234:15374 lost connection
2013-04-04 22:59:42 [INFO] /176.9.111.125:33929 lost connection
2013-04-04 22:59:42 [INFO] /176.9.111.125:33928 lost connection
2013-04-04 22:59:45 [INFO] /186.106.22.117:54974 lost connection
2013-04-04 22:59:46 [INFO] /62.216.197.48:56763 lost connection
2013-04-04 22:59:49 [INFO] /176.9.111.125:33938 lost connection
2013-04-04 22:59:57 [INFO] /86.130.164.228:52648 lost connection
2013-04-04 23:00:04 [INFO] TommyGreif02[/24.185.160.117:64551] logged in with entity id 66078 at ([world] 468.30000001192093, 51.0, 989.33640678241)
2013-04-04 23:00:17 [INFO] yahya32 [/82.46.244.110:50705] lost connection
2013-04-04 23:00:22 [INFO] /176.9.111.125:33973 lost connection
2013-04-04 23:00:32 [INFO] /66.78.104.238:51584 lost connection
2013-04-04 23:00:34 [INFO] silkraven[/89.242.87.97:13304] logged in with entity id 68845 at ([world] 504.30000001192093, 70.0, 3505.6961036387293)
2013-04-04 23:00:37 [INFO] /2.91.131.52:52101 lost connection
2013-04-04 23:00:37 [INFO] /2.91.131.52:52223 lost connection
2013-04-04 23:00:39 [INFO] /2.91.131.52:52523 lost connection
2013-04-04 23:00:39 [INFO] /50.129.158.244:51305 lost connection
2013-04-04 23:00:41 [INFO] /50.71.216.85:49480 lost connection
2013-04-04 23:00:48 [INFO] /46.10.15.164:55564 lost connection

 

Seems like a spambot attempt more however best way is to determine if those ips are all the same retrying and count the new ips if its to much I recommend change a port if those ips arent that much you should look carefully to whois, tracert to determine the geolocation and nullblock them also try a ping to your server and if the ms are around 1500 or higher you might need contact your host

Im not 100% sure but I think I see some server ips there just check the ips which starts with 46,91 seems a ripe range but I might be wrong

 

Pinging the server is arond 50-60 ms

Just noticed the IP address 176.9.111.125 is in there. That is my servers IP address. I can't imagine it's trying to connect to itself... :S However my website does query how many players are connected to it.

If this persists I'll try pointing my servers hostname at a different IP address and see if it continues.

 

Hmm probally thats the cause, I only had a few ips in my console but that seems a rare situation because the player is in his favorite serverlist pinging to servers

 

DDoS attacks don't pint 50-60ms. There is nothing wrong just third parties sending you 'Magic-Bytes' that let a user ping a server. If you want this to stop simply disable query in server.properties.