DDoS mitigation

Banger
User
Posts: 2
Joined: Sat Nov 17, 2018 3:44 am
Player profile: Banger

DDoS mitigation

Post by Banger » Sun Nov 03, 2019 12:57 am

Hello servers admins,

I wanted to know, what can we do for better protection against DDoS attacks? It is so sad that such an awesome game and such a great community can be fucked up this way.

I see that the annual maintenance cost is 699€ for 7 servers. I don't know if donations are the only financial source for DDNet, but if that's the case, for that price I guess the servers are simple virtual machines with no real-time DDoS mitigation in front of them, right?

I work at a cloud company which rents bare-metal game servers, including FPGA-based real-time DDoS mitigation, from 40€/mo (VAT excluded). I'm not an expert in this domain; I'm a devops, not a network engineer, but I'm in touch every day with the DDoS experts who developed this protection. Maybe I could help somehow?

Here are the things I can think of doing:

- test one of these servers, by setting up a TW server on it and checking if this protection is sufficient to resist DDoS attacks without further engineering
- ask my colleagues for some technical assistance
- help financially

Let me know if I can help, I'd be glad to.

Good night

deen
Retired Administrator
Posts: 3292
Joined: Mon May 05, 2014 2:30 pm
Player profile: deen

Re: DDoS mitigation

Post by deen » Sun Nov 03, 2019 7:32 am

Hi Banger,

The attacks have been going on for many years. Server costs are indeed just for the cheapest virtual machines we could find that are stable enough.

We also tried a few more fancy DoS protection offerings, but to me the problem always seemed to be that they can't tell legitimate traffic from spoofed traffic. Most of the recent attacks target the serverinfo and join with spoofed ip addresses. So the attacks look exactly like the regular requests and the only way to block them is to also block legitimate requests. I guess the protocol would have to be changed quite a bit to fix these issues.

What locations does your hoster offer servers in? We could certainly try them out and see whether it helps. Thanks a lot for the offer in any case!

Cheers
deen

Banger
User
Posts: 2
Joined: Sat Nov 17, 2018 3:44 am
Player profile: Banger

Re: DDoS mitigation

Post by Banger » Sun Nov 03, 2019 6:46 pm

Hi deen,

Ok, I don't know if the protection I was talking about can be enough. It offers L3 mitigation and L7 specifics to some popular games and chat applications. But I know filtering rules are customizable and you can establish a custom L7 protection profile somehow. Also, I saw several interesting ideas, for instance making serverinfo served by a cache in front of the server.

Indeed, introducing changes in the protocol may be the most efficient solution. Broadly, how does it work? I have some first ideas, maybe naive, I don't know: for instance requiring the client to solve a challenge to join, something a bit like blockchain challenges, hard to solve but easy and fast as hell to check, so that a join consumes resources from the client before consuming any resource from the server.

The servers I was talking about are these:

- https://www.ovh.de/dedicated_server/game/
- https://www.soyoustart.com/de/game-server/
- https://us.ovhcloud.com/products/servers/game-servers

They can be installed in several locations worldwide, but not all the current DDNet locations. It may cover Germany, Russia (server in Poland), USA, China (server in Singapore), but neither Chile, Brazil, Iran nor South Africa.

Good evening

deen
Retired Administrator
Posts: 3292
Joined: Mon May 05, 2014 2:30 pm
Player profile: deen

Re: DDoS mitigation

Post by deen » Sun Nov 03, 2019 7:33 pm

Yeah, we tried OVH before and are aware of their game server ddos protection. Didn't have much luck with it. Thanks for the offer though!

Xandaros
User
Posts: 10
Joined: Thu Sep 08, 2016 5:03 pm
Player profile: Xandaros
Clan: Motherland

Re: DDoS mitigation

Post by Xandaros » Tue Nov 19, 2019 4:53 am

What is actually preventing you from making changes to fix it? Vanilla compatibility?
How many people are actually playing with a vanilla client? Do we need to care?

If a significant number of players do use the vanilla client, what about offering a few servers for ddnet-client only and keeping other servers vanilla-compatible? Then, at least, you can potentially take steps to mitigate the attacks.
And if you have to implement an account system - right now, it's basically unplayable.

On another note: Why is it so hard to tell ddos traffic from legitimate traffic? I doubt that each bot is only sending a single request, surely you can tell if an extraordinary amount of traffic is coming from any single source and drop their packets?
How would protocol changes help to differentiate between attacks and legitimate traffic?

deen
Retired Administrator
Posts: 3292
Joined: Mon May 05, 2014 2:30 pm
Player profile: deen

Re: DDoS mitigation

Post by deen » Tue Nov 19, 2019 7:42 am

Xandaros wrote:
Tue Nov 19, 2019 4:53 am
What is actually preventing you from making changes to fix it? Vanilla compatibility?
How many people are actually playing with a vanilla client? Do we need to care?

Compatibility with Vanilla and every single other client out there as well as having no developers active enough to do such a rework.

Xandaros wrote:
Tue Nov 19, 2019 4:53 am
On another note: Why is it so hard to tell ddos traffic from legitimate traffic? I doubt that each bot is only sending a single request, surely you can tell if an extraordinary amount of traffic is coming from any single source and drop their packets?

Only spoofed attacks matter. Blocking all unknown IP addresses also doesn't work since the attacker gets a list of legitimate player IP addresses by running their own server and can then spoof real player IP addresses.
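To illustrate the two ideas raised in this thread together, Banger's "hard to solve, easy to check" join challenge and deen's point that the real problem is spoofed source addresses, here is an added example (not DDNet code, and not the Teeworlds protocol) of a stateless join handshake: the server hands out an HMAC token bound to the claimed ip:port and a time bucket, so only a host that actually receives packets at that address can echo it back, and the client must additionally attach a small proof of work before the server spends any resources on the join. SERVER_SECRET, TOKEN_TTL and DIFFICULTY are constructed parameters for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for this example; tune per deployment.
SERVER_SECRET = os.urandom(32)   # rotate periodically in a real deployment
TOKEN_TTL = 10                   # seconds a challenge bucket stays valid
DIFFICULTY = 16                  # leading zero bits the client must find (~65k hashes)

def _bucket(now: float) -> int:
    return int(now) // TOKEN_TTL

def issue_challenge(ip: str, port: int, now: float = None) -> bytes:
    """Stateless challenge: HMAC over the claimed source address and a time bucket.
    The server stores nothing per client. A flood with spoofed sources never sees
    this reply, so it can never present a valid token."""
    now = time.time() if now is None else now
    msg = f"{ip}:{port}:{_bucket(now)}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:16]

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve_challenge(token: bytes, difficulty: int = DIFFICULTY) -> int:
    """Client side: find a nonce so sha256(token || nonce) has `difficulty` leading
    zero bits. Costs the client ~2**difficulty hashes; checking costs one hash."""
    nonce = 0
    while leading_zero_bits(hashlib.sha256(token + nonce.to_bytes(8, "big")).digest()) < difficulty:
        nonce += 1
    return nonce

def verify_join(ip: str, port: int, token: bytes, nonce: int,
                now: float = None, difficulty: int = DIFFICULTY) -> bool:
    """Server side: recompute the token for this source (current and previous bucket,
    to absorb clock boundaries), then check the proof of work. Still stateless."""
    now = time.time() if now is None else now
    token_ok = False
    for t in (now, now - TOKEN_TTL):
        token_ok = token_ok or hmac.compare_digest(issue_challenge(ip, port, t), token)
    if not token_ok:
        return False  # spoofed or expired: reject before any further work
    digest = hashlib.sha256(token + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty
```

The address binding is what defeats spoofing; the proof of work only raises the per-join cost for attackers who do control their source addresses.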
