DDoS mitigation

Request help for teeworlds-related subjects (mapping, servers, ..).
For client issues, see our repositories (https://github.com/ddnet/ddnet/issues).
Post Reply
Banger
Posts: 2
Joined: Sat Nov 17, 2018 3:44 am
Player profile: https://ddnet.tw/players/Banger/

DDoS mitigation

Post by Banger »

Hello servers admins,

I wanted to know, what can we do for a better protection against DDoS attacks ? This is so sad that a so awesome game and a so great community can be fucked up this way.

I see that the annual maintenance cost is 699€, for 7 servers. I don't know if donations are the only financial source for DDNet, but if it's the case, for that price I guess servers are simple virtual machines with no real-time DDoS mitigation in front of them, right ?

I work in a cloud company which rents bare-metal game servers, including FPGA-based real-time DDoS mitigation, from 40€/mo (VAT excluded). I'm not an expert in this domain, I'm a devops, not a network engineer ; but maybe I could help somehow ?

Here are the things I can do I think about :

- test one of these servers, by setting up a TW server on it and checking if this protection is sufficient to resist DDoS attacks without further engineering
- ask to my colleagues some technical assist
- assist financially

Let me know if I can help, I'd be glad to.

Good night
Last edited by Banger on Thu Jan 23, 2020 1:55 am, edited 1 time in total.
User avatar
deen
TECHNICAL Team
Posts: 3575
Joined: Mon May 05, 2014 2:30 pm
Player profile: https://ddnet.org/players/deen/
Discord: deen#5910

Re: DDoS mitigation

Post by deen »

Hi Banger,

The attacks have been going on for many years. Server costs are indeed just for the cheapest virtual machines we could find that are stable enough.

We also tried a few more fancy DoS protection offerings, but to me the problem always seemed to be that they can't tell legitimate traffic from spoofed traffic. Most of the recent attacks target the serverinfo and join with spoofed ip addresses. So the attacks look exactly like the regular requests and the only way to block them is to also block legitimate requests. I guess the protocol would have to be changed quite a bit to fix these issues.

What locations does your hoster offer servers in? We could certainly try them out and see whether it helps. Thanks a lot for the offer in any case!

Cheers
deen
Banger
Posts: 2
Joined: Sat Nov 17, 2018 3:44 am
Player profile: https://ddnet.tw/players/Banger/

Re: DDoS mitigation

Post by Banger »

Hi deen,

Ok, I don't know if the protection I was talking about can be enough. It offers L3 mitigation and L7 specifics to some popular games and chat applications. But I know filtering rules are customizable and you can establish a custom L7 protection profile somehow. Also, I saw several interesting ideas, for instance making serverinfo served by a cache in front of the server.

Indeed introducing changes in the protocol may be the most efficient solution. Broadly, how does it work ? I got some first ideas, maybe naive I don't know, for instance requiring to solve a challenge to join, something a bit like blockchain challenges, hard to solve but easy and fast as hell to check, so that a join consumes resource from the client before consuming any resource from the server.

The servers I was talking about are these ones :

- https://www.ovh.de/dedicated_server/game/
- https://www.soyoustart.com/de/game-server/
- https://us.ovhcloud.com/products/servers/game-servers

They can be installed in several locations worldwide, but not all the current DDNet locations. It may cover Germany, Russia (server in Poland), USA, China (server in Singapur), but neither Chile, Brazil, Iran nor South Africa.

Good evening
User avatar
deen
TECHNICAL Team
Posts: 3575
Joined: Mon May 05, 2014 2:30 pm
Player profile: https://ddnet.org/players/deen/
Discord: deen#5910

Re: DDoS mitigation

Post by deen »

Yeah, we tried OVH before and are aware of their game server ddos protection. Didn't have much luck with it. Thanks for the offer though!
Xandaros
Posts: 10
Joined: Thu Sep 08, 2016 5:03 pm
Player profile: https://ddnet.tw/players/Xandaros/
Clan: Motherland

Re: DDoS mitigation

Post by Xandaros »

What is actually preventing you from making changes to fix it? Vanilla compatibility?
How many people are actually playing with a vanilla client? Do we need to care?

If a significant number of players do use the vanilla client, what about offering a few servers for ddnet-client only and keeping other servers vanilla-compatible? Then, at least, you can potentially take steps to mitigate the attacks.
And if you have to implement an account system - right now, it's basically unplayable.

On another note: Why is it so hard to tell ddos traffic from legitimate traffic? I doubt that each bot is only sending a single request, surely you can tell if an extraordinary amount of traffic is coming from any single source and drop their packets?
How would protocol changes help to differentiate between attacks and legitimate traffic?
User avatar
deen
TECHNICAL Team
Posts: 3575
Joined: Mon May 05, 2014 2:30 pm
Player profile: https://ddnet.org/players/deen/
Discord: deen#5910

Re: DDoS mitigation

Post by deen »

Xandaros wrote: Tue Nov 19, 2019 4:53 am What is actually preventing you from making changes to fix it? Vanilla compatibility?
How many people are actually playing with a vanilla client? Do we need to care?
Compatibility with Vanilla and every single other client out there as well as having no developers active enough to do such a rework.
Xandaros wrote: Tue Nov 19, 2019 4:53 amOn another note: Why is it so hard to tell ddos traffic from legitimate traffic? I doubt that each bot is only sending a single request, surely you can tell if an extraordinary amount of traffic is coming from any single source and drop their packets?
Only spoofed attacks matter. Blocking all unknown IP addresses also doesn't work since the attacker gets a list of legitimate player IP addresses by running their own server and can then spoof real player IP addresses.
Post Reply

Who is online

Users browsing this forum: Ahrefs [Bot] and 0 guests