Sorry, here's the tcpdump using your arguments & the port of the attacked channel. (tcpdump -i vtnet0 -n -vvv port 20085 in my case)
And here is the tcpdump for every port besides the one of my ssh (in my case it is 22 since it's a test server)
I have direct access to the stresser and can always test it, I tried to block it myself but unfortunately failed.
I even tried to install nginx & deny all connections but that didn't work LOL.
The attack is simply sending requests to [Hidden Content] where the IP is, of course, the server's IP and the port being either a channel or the auth, won't matter as it will completely break the whole auth.
Here's a tcpdump (using tcpdump -i vtnet0 tcp) log while attacking for 5 minutes:
[Hidden Content] (pastebin alternative cuz the text is way longer than 500kb)
Every server out there has an attack vector of some sort. Then it's all up to the patience and skill of the attacker.
The real question here is: are you able to figure out what and how is hitting you?
If the answer is yes then you can establish some sort of countermeasure. Even if it involves some discomfort for your users.
There have always been layer 7 attacks, so you need to be more specific or provide tcpdump logs.
As of recently, new methods of ddosing servers have been found out. The problem is, there isn't actually a "way to protect" for everybody.
The new attacks are based on layer 7, which FreeBSD's PF and IPFW unfortunately do not support. Other than creating a reverse proxy for the server, which could filter out the IPs, is there any alternative method?
After also testing on multiple servers, it seems that even the bigger servers have problems with it, if somebody decides to pay 100 euro for a stresser subscription with layer 7 methods, it can be bad.