DDoS mitigation
Hello server admins,
I wanted to know what we can do for better protection against DDoS attacks? This is so sad that such an awesome game and such a great community can be fucked up this way.
I see that the annual maintenance cost is 699€ for 7 servers. I don't know if donations are the only financial source for DDNet, but if that's the case, for that price I guess the servers are simple virtual machines with no real-time DDoS mitigation in front of them, right?
I work at a cloud company which rents bare-metal game servers, including FPGA-based real-time DDoS mitigation, from 40€/mo (VAT excluded). I'm not an expert in this domain; I'm a devops, not a network engineer, but maybe I could help somehow?
Here are the things I think I can do:
- test one of these servers by setting up a TW server on it and checking whether this protection is sufficient to resist DDoS attacks without further engineering
- ask my colleagues for some technical assistance
- assist financially
Let me know if I can help, I'd be glad to.
Good night
Last edited by Banger on Thu Jan 23, 2020 1:55 am, edited 1 time in total.
- deen
- Posts: 3576
- Joined: Mon May 05, 2014 2:30 pm
- Player profile: https://ddnet.org/players/deen/
- Discord: deen#5910
Re: DDoS mitigation
Hi Banger,
The attacks have been going on for many years. Server costs are indeed just for the cheapest virtual machines we could find that are stable enough.
We also tried a few more fancy DoS protection offerings, but to me the problem always seemed to be that they can't tell legitimate traffic from spoofed traffic. Most of the recent attacks target the serverinfo and join with spoofed IP addresses. So the attacks look exactly like the regular requests, and the only way to block them is to also block legitimate requests. I guess the protocol would have to be changed quite a bit to fix these issues.
What locations does your hoster offer servers in? We could certainly try them out and see whether it helps. Thanks a lot for the offer in any case!
Cheers
deen
Re: DDoS mitigation
Hi deen,
OK, I don't know if the protection I was talking about is enough. It offers L3 mitigation and L7 specifics for some popular games and chat applications. But I know the filtering rules are customizable and you can establish a custom L7 protection profile somehow. Also, I saw several interesting ideas, for instance having serverinfo served by a cache in front of the server.
Indeed, introducing changes in the protocol may be the most efficient solution. Broadly, how does it work? I have some first ideas, maybe naive, I don't know, for instance requiring the client to solve a challenge to join, something a bit like blockchain challenges, hard to solve but easy and fast as hell to check, so that a join consumes resources from the client before consuming any resources from the server.
The servers I was talking about are these:
- https://www.ovh.de/dedicated_server/game/
- https://www.soyoustart.com/de/game-server/
- https://us.ovhcloud.com/products/servers/game-servers
They can be installed in several locations worldwide, but not all the current DDNet locations. They may cover Germany, Russia (server in Poland), USA, China (server in Singapore), but neither Chile, Brazil, Iran nor South Africa.
Good evening
- deen
- Posts: 3576
- Joined: Mon May 05, 2014 2:30 pm
- Player profile: https://ddnet.org/players/deen/
- Discord: deen#5910
Re: DDoS mitigation
Yeah, we tried OVH before and are aware of their game server ddos protection. Didn't have much luck with it. Thanks for the offer though!
- Posts: 10
- Joined: Thu Sep 08, 2016 5:03 pm
- Player profile: https://ddnet.tw/players/Xandaros/
- Clan: Motherland
Re: DDoS mitigation
What is actually preventing you from making changes to fix it? Vanilla compatibility?
How many people are actually playing with a vanilla client? Do we need to care?
If a significant number of players do use the vanilla client, what about offering a few servers for ddnet-client only and keeping other servers vanilla-compatible? Then, at least, you can potentially take steps to mitigate the attacks.
And if you have to implement an account system - right now, it's basically unplayable.
On another note: Why is it so hard to tell DDoS traffic from legitimate traffic? I doubt that each bot is only sending a single request, surely you can tell if an extraordinary amount of traffic is coming from any single source and drop their packets?
How would protocol changes help to differentiate between attacks and legitimate traffic?
- deen
- Posts: 3576
- Joined: Mon May 05, 2014 2:30 pm
- Player profile: https://ddnet.org/players/deen/
- Discord: deen#5910
Re: DDoS mitigation
Compatibility with Vanilla and every single other client out there as well as having no developers active enough to do such a rework.
Only spoofed attacks matter. Blocking all unknown IP addresses also doesn't work since the attacker gets a list of legitimate player IP addresses by running their own server and can then spoof real player IP addresses.
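To make two of the points in this thread concrete (Banger's "hard to solve, fast to check" join challenge, and deen's point that spoofed joins look identical to real ones so per-IP blocking fails), here is an added example of a two-step join gate. It is written for this thread and is not DDNet or Teeworlds code; the message shapes, the server secret, the cookie window and the difficulty (`SERVER_SECRET`, `COOKIE_WINDOW_S`, `POW_BITS`) and the addresses are all constructed for the example. The server keeps no state for an unverified join: it answers with a stateless HMAC cookie bound to the source address, which a spoofer never receives, and only after the client echoes the cookie plus a proof-of-work nonce does the server verify (one HMAC, one SHA-256) and allocate a slot.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed parameters for this example; not DDNet's protocol.
SERVER_SECRET = secrets.token_bytes(32)  # would be rotated periodically
COOKIE_WINDOW_S = 30                     # seconds a cookie stays valid
POW_BITS = 12                            # leading zero bits the client's proof must have


def _bucket(now):
    return int(now // COOKIE_WINDOW_S)


def _cookie_for(src_addr, bucket):
    msg = f"{src_addr}|{bucket}|{POW_BITS}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:16]


def make_cookie(src_addr, now=None):
    """Stateless cookie: nothing is stored server-side. The source address and
    time bucket are bound into an HMAC, so only a host that really received
    the reply at that address can echo a valid cookie back."""
    now = time.time() if now is None else now
    return _cookie_for(src_addr, _bucket(now))


def cookie_valid(src_addr, cookie, now=None):
    """Accept the current and the previous bucket so a reply that straddles a
    window boundary is not rejected."""
    now = time.time() if now is None else now
    b = _bucket(now)
    return any(hmac.compare_digest(_cookie_for(src_addr, x), cookie) for x in (b, b - 1))


def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def pow_ok(cookie, nonce):
    """Server-side check: a single SHA-256, no loops."""
    h = hashlib.sha256(cookie + nonce.to_bytes(8, "big")).digest()
    return _leading_zero_bits(h) >= POW_BITS


def solve_pow(cookie):
    """Client-side work: about 2**POW_BITS hashes on average."""
    nonce = 0
    while not pow_ok(cookie, nonce):
        nonce += 1
    return nonce


class JoinGate:
    """Two-step join. Step 1: bare JOIN -> small cookie reply, no state kept.
    Step 2: JOIN + cookie + nonce -> verify HMAC and proof, then allocate a slot."""

    def __init__(self):
        self.slots = {}
        self.stats = {"cookies_sent": 0, "rejected": 0, "joined": 0}

    def handle_join(self, src_addr, cookie=None, nonce=None, now=None):
        if cookie is None:
            self.stats["cookies_sent"] += 1
            return "COOKIE", make_cookie(src_addr, now)
        if nonce is None or not cookie_valid(src_addr, cookie, now) or not pow_ok(cookie, nonce):
            self.stats["rejected"] += 1
            return "REJECT", None
        self.slots[src_addr] = nonce
        self.stats["joined"] += 1
        return "JOINED", None


def demo():
    """Legitimate client vs. a spoofed flood; returns (stats, allocated slots)."""
    gate = JoinGate()
    # Legitimate player at a constructed address: receives the cookie, does the work.
    _, cookie = gate.handle_join("198.51.100.7")
    gate.handle_join("198.51.100.7", cookie, solve_pow(cookie))
    # Spoofed flood: 1000 forged sources. Each costs the server one HMAC and a
    # small reply sent to the forged address, so the attacker never sees a
    # cookie and no slot is consumed.
    for i in range(1000):
        gate.handle_join(f"203.0.113.{i % 256}")
    # Guessing a cookie for a real player's address fails the HMAC check.
    gate.handle_join("198.51.100.7", os.urandom(16), 0)
    return gate.stats, len(gate.slots)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the flood producing 1000 cookie replies and zero slots, while the one real client joins. Caveats a deployment would need: bind the cookie to address and port (players behind one NAT share an address), keep the cookie reply no larger than the request so the server cannot be used as a reflector, tune `POW_BITS` so weak clients are not locked out, and remember this only protects CPU, memory and player slots; a flood large enough to saturate the link still needs upstream filtering. It also requires a client change, which is exactly the compatibility constraint deen describes.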