DDoS mitigation

Posted: Sun Nov 03, 2019 12:57 am
by Banger
Hello servers admins,

I wanted to know what we can do for better protection against DDoS attacks? It is so sad that such an awesome game and such a great community can be fucked up this way.

I see that the annual maintenance cost is 699€ for 7 servers. I don't know if donations are the only financial source for DDNet, but if that's the case, for that price I guess the servers are simple virtual machines with no real-time DDoS mitigation in front of them, right?

I work at a cloud company that rents bare-metal game servers, including FPGA-based real-time DDoS mitigation, from 40€/mo (VAT excluded). I'm not an expert in this domain; I'm a devops, not a network engineer, but maybe I could help somehow?

Here are the things I can think of that I could do:

- test one of these servers by setting up a TW server on it and checking whether this protection is sufficient to resist DDoS attacks without further engineering
- ask my colleagues for some technical assistance
- assist financially

Let me know if I can help, I'd be glad to.

Good night

Re: DDoS mitigation

Posted: Sun Nov 03, 2019 7:32 am
by deen
Hi Banger,

The attacks have been going on for many years. Server costs are indeed just for the cheapest virtual machines we could find that are stable enough.

We also tried a few more fancy DoS protection offerings, but to me the problem always seemed to be that they can't tell legitimate traffic from spoofed traffic. Most of the recent attacks target the serverinfo and join with spoofed IP addresses. So the attacks look exactly like the regular requests, and the only way to block them is to also block legitimate requests. I guess the protocol would have to be changed quite a bit to fix these issues.

What locations does your hoster offer servers in? We could certainly try them out and see whether it helps. Thanks a lot for the offer in any case!

Cheers
deen

Re: DDoS mitigation

Posted: Sun Nov 03, 2019 6:46 pm
by Banger
Hi deen,

OK, I don't know if the protection I was talking about can be enough. It offers L3 mitigation and L7 specifics for some popular games and chat applications. But I know the filtering rules are customizable and you can establish a custom L7 protection profile somehow. Also, I saw several interesting ideas, for instance serving serverinfo from a cache in front of the server.

Indeed, introducing changes in the protocol may be the most efficient solution. Broadly, how does it work? I have some initial ideas, maybe naive, I don't know, for instance requiring a challenge to be solved to join, something a bit like blockchain challenges: hard to solve but easy and fast as hell to check, so that a join consumes resources from the client before consuming any resource from the server.

The servers I was talking about are these:

- https://www.ovh.de/dedicated_server/game/
- https://www.soyoustart.com/de/game-server/
- https://us.ovhcloud.com/products/servers/game-servers

They can be installed in several locations worldwide, but not all the current DDNet locations. They may cover Germany, Russia (server in Poland), USA, China (server in Singapore), but neither Chile, Brazil, Iran nor South Africa.

Good evening
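The join challenge Banger sketches above, combined with a stateless IP-bound token that addresses deen's point about spoofed serverinfo/join packets, as an added illustration (this is example code, not DDNet's protocol; the key, difficulty and TTL are constructed values):

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed values for this example; a real server would load its own key.
SERVER_KEY = os.urandom(32)
DIFFICULTY_BITS = 20      # hypothetical: ~1M hash attempts per join on the client side
CHALLENGE_TTL = 30        # seconds a challenge stays valid

def make_challenge(client_ip, now=None):
    """Server side, stateless: challenge = timestamp || HMAC(key, ip || timestamp).
    Nothing is stored per client; only a host that really receives packets at
    client_ip can ever send the tag back, so a spoofed join never completes."""
    ts = int(time.time()) if now is None else now
    ts_bytes = struct.pack(">Q", ts)
    tag = hmac.new(SERVER_KEY, client_ip.encode() + ts_bytes, hashlib.sha256).digest()
    return ts_bytes + tag

def _leading_zero_bits(digest):
    # SHA-256 digest is 256 bits; leading zeros = 256 - bit length of the value.
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve_challenge(challenge, bits=DIFFICULTY_BITS):
    """Client side: brute-force a nonce so SHA256(challenge || nonce) has
    `bits` leading zero bits. Expensive for the client, one hash for the server."""
    nonce = 0
    while True:
        digest = hashlib.sha256(challenge + struct.pack(">Q", nonce)).digest()
        if _leading_zero_bits(digest) >= bits:
            return nonce
        nonce += 1

def verify_join(client_ip, challenge, nonce, bits=DIFFICULTY_BITS, now=None):
    """Server side: expiry check, one HMAC, one SHA-256. No state, no allocation
    until the client has proven both its return path and its spent work."""
    if len(challenge) != 8 + 32:
        return False
    ts = struct.unpack(">Q", challenge[:8])[0]
    current = int(time.time()) if now is None else now
    if not 0 <= current - ts <= CHALLENGE_TTL:
        return False            # stale or replayed challenge
    expected = hmac.new(SERVER_KEY, client_ip.encode() + challenge[:8], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, challenge[8:]):
        return False            # tag not issued to this source address (spoofed or forged)
    digest = hashlib.sha256(challenge + struct.pack(">Q", nonce)).digest()
    return _leading_zero_bits(digest) >= bits
```

The difficulty is the knob to tune under attack: raising it costs real clients a little CPU per join while the server's verification cost stays constant.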

Re: DDoS mitigation

Posted: Sun Nov 03, 2019 7:33 pm
by deen
Yeah, we tried OVH before and are aware of their game server DDoS protection. Didn't have much luck with it. Thanks for the offer though!

Re: DDoS mitigation

Posted: Tue Nov 19, 2019 4:53 am
by Xandaros
What is actually preventing you from making changes to fix it? Vanilla compatibility?
How many people are actually playing with a vanilla client? Do we need to care?

If a significant number of players do use the vanilla client, what about offering a few servers for ddnet-client only and keeping other servers vanilla-compatible? Then, at least, you can potentially take steps to mitigate the attacks.
And if you have to implement an account system - right now, it's basically unplayable.

On another note: why is it so hard to tell DDoS traffic from legitimate traffic? I doubt that each bot is only sending a single request; surely you can tell if an extraordinary amount of traffic is coming from any single source and drop their packets?
How would protocol changes help to differentiate between attacks and legitimate traffic?

Re: DDoS mitigation

Posted: Tue Nov 19, 2019 7:42 am
by deen
Xandaros wrote (Tue Nov 19, 2019 4:53 am):
> What is actually preventing you from making changes to fix it? Vanilla compatibility?
> How many people are actually playing with a vanilla client? Do we need to care?

Compatibility with Vanilla and every single other client out there, as well as having no developers active enough to do such a rework.

Xandaros wrote (Tue Nov 19, 2019 4:53 am):
> On another note: why is it so hard to tell DDoS traffic from legitimate traffic? I doubt that each bot is only sending a single request; surely you can tell if an extraordinary amount of traffic is coming from any single source and drop their packets?

Only spoofed attacks matter. Blocking all unknown IP addresses also doesn't work, since the attacker gets a list of legitimate player IP addresses by running their own server and can then spoof real player IP addresses.