  1. #1
    Join Date
    Nov 2013
    Posts
    182

    DDoS Attack Prevention

    Was speaking to an old friend about how he used to protect his gaming servers against DDOS attacks.

    He told me he created his own software to proxy the UDP requests along with a curl cronjob every 5 minutes to announce it to the game serverlist.

    The higher attacks he got, the more capacity he put up through scaling up proxies using lowend VPSes in multiple countries around the world.

    Players would connect to these VPSes which would connect them to the main game server, effectively hiding the true game server IP from being known using reverse proxy.

    Is this ingenious or what?
    Last edited by A Goat; 12-22-2013 at 04:13 PM.

  2. #2
    Join Date
    Jul 2012
    Posts
    188
    A lot of people will use a similar option to deal with DDoS, it's somewhat out of the box but it can work.

    The problem with this can be scalability; depending on how fast the providers nullroute the low end VPS they might get knocked down just as fast as you put them up, if you have a determined attacker.

  3. #3
    This may also increase latency (lag), which is quite important for gamers, so game servers usually need ddos protection to be located at the same location as the datacenter itself...

  4. #4
    Join Date
    Nov 2013
    Posts
    182
    Quote Originally Posted by YDomer View Post
    A lot of people will use a similar option to deal with DDoS, it's somewhat out of the box but it can work.

    The problem with this can be scalability; depending on how fast the providers nullroute the low end VPS they might get knocked down just as fast as you put them up, if you have a determined attacker.
    He's telling me he had a Nagios monitoring incoming traffic, and if something was detected people were automatically merged. In 99% of the cases this went right and didn't cause people to drop out.

    during the ddos attack, the node just gets jammed meaning it cannot accept or send out data thus not having any impact on the server except a few people having to reconnect to another node. nullrouting would occur after an hour apparently

  5. #5
    Join Date
    Nov 2013
    Posts
    182
    Quote Originally Posted by WooServers View Post
    This may also increase latency (lag), which is quite important for gamers, so game servers usually need ddos protection to be located at the same location as the datacenter itself...
    depends. have a VPS in US, Germany, UK, NL, France and a few more locations. the players would be connected inbound to the proxy and the proxy would be connected close to the ix that left the country. some people would gain a slightly better ping.

  6. #6
    Join Date
    Sep 2012
    Location
    Estonia
    Posts
    164
    Not sure that this is an efficient solution. How many 'proxies' are involved?

  7. #7
    Join Date
    Nov 2013
    Posts
    182
    8 proxies and it was very effective.

  8. #8
    I am also trying to set up something like this for my game server. I was thinking of getting a DDoS protected VPS from Trentahost and run a TCP proxy through it to my main server. Because most kiddie booters will usually have many users, the most I will expect to hit my pseudo-game server is 5Gb/s. The problem is, I am unsure how to add more VPSes to guard my game server / create a system where if a VPS is hit, another one will take its place.

  9. #9
    Join Date
    Aug 2010
    Location
    Belgium
    Posts
    657
    Well, that's one way, but still not very smart - what if your 8 VPS get overloaded?

    Let's take a look at it from another standpoint: if someone wants you down then you're going down, there's no way to get around this. There will never be enough bandwidth to deflect a person that's REALLY mad. We're not talking about kids with a booter here.

    The main point is, UDP is really hard to deflect attacks from currently due to the popularity of UDP reflection. You cannot just disable UDP traffic from your server because you're utilizing a UDP server, so there's no way to do that.

    The only way to really protect your UDP server is to analyze incoming packets (which we do for some customers) and this is very resource intensive, but still effective. Especially when you're being hit by a layer 7 UDP attack.

    So what we did (because we have lots of Camfrog customers) is dissect the Camfrog protocol and investigate how it works. Someone that has bad intentions will never send the correct packages to correctly connect to such server, so we will only allow connection of those packets when you're for example going > 1000Mbit. Other than that you can only block every DNS server except 8.8.8.8.

    That's one of the most effective ways to achieve 'protection'. But no pipe is impenetrable if you're dealing with pure evil.

    Merry Christmas.
    AssetGateway
    █ Skype da_arco

  10. #10
    Join Date
    Jul 2011
    Location
    Buffalo, UK
    Posts
    161
    OVH VPSes have their excellent DDoS protection included.

  11. #11
    Join Date
    Feb 2005
    Location
    UK
    Posts
    554
    Sounds like a decent system, although I'm not entirely sure whether or not the price required for an effective number of VPSs would actually be cheaper than just getting a proper DDoS mitigation host/service?

    Also, going through VPSs is almost certainly going to introduce latency — a big deal when it comes to game servers. At the very least you'd want to make sure that if your game server is EU-based, all of the VPSs are also EU-based so that an EU-based player isn't having to hop through the US to get to your server.

  12. #12
    This is a great system, we've used a similar approach for years and it truly works wonders. 3 things you want to add:

    - put a geo DNS traffic director to minimize delay, so the user will be directed through the proxy server nearest to his geo location.
    - put a DNS failover so when one of the rp servers goes down, your users will be directed to another one.
    - always check local peering and routing, find the best available route between rp <-> main server and rp <-> user's location. Every ms counts!
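Added example, not part of any post in this thread: one way to combine the traffic monitoring from post #4 with the geo DNS and DNS failover suggested in post #12, which is also what post #8 asks for. The threshold values, proxy names and addresses are assumptions (addresses are from documentation ranges), and pushing the resulting answers to a DNS provider with a low TTL is left out.

```python
from dataclasses import dataclass

SATURATION_MBPS = 800.0  # assumed: pull a proxy before a 1 Gbit/s port fills up
RECOVER_PROBES = 3       # assumed: quiet samples needed before re-publishing

@dataclass
class Proxy:
    name: str
    region: str
    ip: str                  # constructed, documentation-range address
    in_rotation: bool = True
    good_streak: int = 0
    last_mbps: float = 0.0

class FailoverDirector:
    def __init__(self, proxies):
        self.proxies = {p.name: p for p in proxies}

    def observe(self, name, reachable, inbound_mbps):
        """Feed one monitoring sample for a proxy."""
        p = self.proxies[name]
        p.last_mbps = inbound_mbps
        if not reachable or inbound_mbps >= SATURATION_MBPS:
            p.in_rotation, p.good_streak = False, 0   # pull at once
        else:
            p.good_streak += 1
            if p.good_streak >= RECOVER_PROBES:
                p.in_rotation = True                  # re-add after sustained calm

    def answers(self, player_region):
        """Proxy IPs to publish for a region, least-loaded first."""
        live = [p for p in self.proxies.values() if p.in_rotation]
        local = [p for p in live if p.region == player_region]
        chosen = local or live    # no healthy local proxy: use any region
        return [p.ip for p in sorted(chosen, key=lambda p: p.last_mbps)]

def demo():
    d = FailoverDirector([Proxy("de1", "EU", "192.0.2.10"),
                          Proxy("nl1", "EU", "192.0.2.11"),
                          Proxy("us1", "US", "198.51.100.10")])
    for name, mbps in (("de1", 40.0), ("nl1", 25.0), ("us1", 10.0)):
        d.observe(name, True, mbps)
    normal = d.answers("EU")
    d.observe("de1", True, 950.0)    # constructed sample: de1 flooded
    d.observe("nl1", False, 0.0)     # constructed sample: nl1 null-routed
    attacked = d.answers("EU")
    d.observe("de1", True, 30.0)     # one quiet sample: still held out
    return normal, attacked, d.answers("EU")
```

Holding a proxy out until several consecutive quiet samples arrive keeps a pulsing attack from flapping players between nodes.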

  13. #13
    Join Date
    Feb 2014
    Posts
    168
    I guess the best way to prevent a DDoS is to not attract the kind of crowd that would DDoS you.

    Ultimately there is no way to dodge or reduce a DDoS attack. You'll just have to take it and sustain it.

  14. #14
    Just buy an OVH server and never think about DDoS attacks again lol. From my experience every DDoS attack never did something to the performance of my game servers, and when you receive an attack OVH automatically sends you an e-mail. It's way better, trust me. I tried ddosing my server with 12gb/s and it didn't do anything to the server.

  15. #15
    Join Date
    Feb 2012
    Posts
    2,103
    I agree with the above, some of the best DDoS Protection for an affordable price is most definitely OVH by far.

  16. #16
    Join Date
    Feb 2014
    Posts
    168
    Does OVH accept bitcoin?

  17. #17
    Join Date
    May 2013
    Posts
    84
    Quote Originally Posted by bitmarket View Post
    Does OVH accept bitcoin?
    no they only accept human money

  18. #18
    Diverting bad traffic to excess capacity. A few players are doing this now. And they still experience intermittent downtime when pushing the attack to the excess capacity.

    In regards to gaming, the more "points of contact" that are added, the higher the latency. It's important to keep things as effective as possible.

  19. #19
    Join Date
    Aug 2012
    Location
    Long Island, NY
    Posts
    488
    Filtering the traffic before it hits your production servers is key. It's really about how bad of a DDoS you want your site to be able to withstand.

  20. #20
    I advise you not to use reverse proxies with game servers, since all players joining your server will have the same IP as the proxy. It would be much better (and cheaper) to set up a GRE tunnel between your box and a single DDoS protected VPS.

  21. #21
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,525
    Quote Originally Posted by VoodooServers View Post
    I advise you not to use reverse proxies with game servers, since all players joining your server will have the same IP as the proxy. It would be much better (and cheaper) to set up a GRE tunnel between your box and a single DDoS protected VPS.
    GRE tunnels are great, but really for gaming it is preferable to have a server directly on the protected network which has on site mitigation.

  22. #22
    Quote Originally Posted by ddosguru View Post
    GRE tunnels are great, but really for gaming it is preferable to have a server directly on the protected network which has on site mitigation.
    Yes, or at least in the same state/directly connected and not through a tunnel.

    However, yes, we've also seen attacks with >100G against single gameservers. It's extreme nowadays.

    For the protection Staminus, Blacklotus, Voxility, CNservers (minecraft only) are good companies.

  23. #23
    Damn, DDoS is pretty expensive. I would go with a dedicated OVH server [with protection], using it to create TCP + HTTP proxies yourself. Cheapest way.

  24. #24
    Join Date
    Feb 2013
    Posts
    657
    Quote Originally Posted by SimpleRichard View Post
    Yes, or at least in the same state/directly connected and not through a tunnel.

    However, yes, we've also seen attacks with >100G against single gameservers. It's extreme nowadays.

    For the protection Staminus, Blacklotus, Voxility, CNservers (minecraft only) are good companies.
    You can add hyperfilter to the list
    IT
    Is Nice.
