Thread: DDoS Attack Prevention
-
12-22-2013, 04:02 PM #1Junior Guru
- Join Date
- Nov 2013
- Posts
- 182
DDoS Attack Prevention
Was speaking to an old friend about how he used to protect his gaming servers against DDOS attacks.
He told me he created his own software to proxy the UDP requests along with a curl cronjob every 5 minutes to announce it to the game serverlist.
The higher attacks he got, the more capacity he put up through scaling up proxies using lowend VPSes in multiple countries around the world.
Players would connect to these VPSes which would connect them to the main game server, effectively hiding the true game server IP from being known using reverse proxy.
Is this ingenious or what?
Last edited by A Goat; 12-22-2013 at 04:13 PM.
-
12-22-2013, 04:15 PM #2Junior Guru
- Join Date
- Jul 2012
- Posts
- 188
A lot of people will use a similar option to deal with DDoS; it's somewhat out of the box but it can work.
The problem with this can be scalability; depending on how fast the providers nullroute the low end VPS they might get knocked down just as fast as you put them up, if you have a determined attacker.
-
12-22-2013, 04:26 PM #3Junior Guru Wannabe
- Join Date
- Nov 2009
- Posts
- 93
This may also increase latency (lag), which is quite important for gamers, so game servers usually need ddos protection to be located at the same location as the datacenter itself...
█ WooServers OpenStack Private Cloud
█ 30% Cheaper than any Public Cloud
█ Instances, Floating IPs, Load Balancers, Databases and More!
-
12-22-2013, 04:29 PM #4Junior Guru
- Join Date
- Nov 2013
- Posts
- 182
He's telling me he had a Nagios monitoring incoming traffic, and if something was detected people were automatically merged. In 99% of the cases this went right and didn't cause people to drop out.
During the DDoS attack, the node just gets jammed, meaning it cannot accept or send out data, thus not having any impact on the server except a few people having to reconnect to another node. Nullrouting would occur after an hour, apparently.
-
12-22-2013, 04:33 PM #5Junior Guru
- Join Date
- Nov 2013
- Posts
- 182
-
12-22-2013, 04:58 PM #6Disabled
- Join Date
- Sep 2012
- Location
- Estonia
- Posts
- 164
Not sure that this is an efficient solution. How many 'proxies' are involved?
-
12-22-2013, 05:02 PM #7Junior Guru
- Join Date
- Nov 2013
- Posts
- 182
8 proxies and it was very effective.
-
12-24-2013, 08:51 PM #8Newbie
- Join Date
- Dec 2013
- Posts
- 16
I am also trying to set up something like this for my game server. I was thinking of getting a DDoS protected VPS from Trentahost and running a TCP proxy through it to my main server. Because most kiddie booters will usually have many users, the most I will expect to hit my pseudo-game server is 5Gb/s. The problem is, I am unsure how to add more VPSes to guard my game server / create a system where if a VPS is hit, another one will take its place.
-
12-25-2013, 02:53 PM #9dd if=/dev/null of=/dev/sda
- Join Date
- Aug 2010
- Location
- Belgium
- Posts
- 657
Well, that's one way, but still not very smart - what if your 8 VPS get overloaded?
Let's take a look at it from another standpoint: if someone wants you down then you're going down, there's no way to get around this. There will never be enough bandwidth to deflect a person that's REALLY mad. We're not talking about kids with a booter here.
The main point is, UDP is really hard to deflect attacks from currently due to the popularity of UDP reflection. You cannot just disable UDP traffic from your server because you're utilizing a UDP server, so there's no way to do that.
The only way to really protect your UDP server is to analyze incoming packets (which we do for some customers) and this is very resource intensive, but still effective. Especially when you're being hit by a layer 7 UDP attack.
So what we did (because we have lots of Camfrog customers) is dissect the Camfrog protocol and investigate how it works. Someone that has bad intentions will never send the correct packages to correctly connect to such a server, so we will only allow connection of those packets when you're, for example, going > 1000Mbit. Other than that you can only block every DNS server except 8.8.8.8.
That's one of the most effective ways to achieve 'protection'. But no pipe is impenetrable if you're dealing with pure evil.
Merry Christmas.
█ AssetGateway
█ Skype da_arco
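Added example, not code from any poster in this thread: a sketch of the load-triggered protocol check described in post #9, where everything passes while traffic is low and, above a threshold, only sources that have sent a well-formed first packet are let through. The `GSRV` header layout, the opcode and the class and function names are constructed for illustration and do not describe Camfrog or any real game protocol.

```python
import struct

MAGIC = b"GSRV"                  # constructed protocol magic, not a real game's
OP_HELLO = 0x01                  # constructed opcode for the first client packet
HEADER = struct.Struct("!4sBH")  # magic, opcode, declared payload length


def is_valid_hello(packet: bytes) -> bool:
    """True only for a well-formed first packet of the hypothetical protocol."""
    if len(packet) < HEADER.size:
        return False
    magic, opcode, length = HEADER.unpack_from(packet)
    return (magic == MAGIC and opcode == OP_HELLO
            and length == len(packet) - HEADER.size)


class ProtocolGate:
    """Pass everything when quiet; above the threshold require a valid hello."""

    def __init__(self, engage_bits_per_s: float = 1_000_000_000,
                 window_s: float = 1.0):
        self.engage = engage_bits_per_s   # default mirrors the 1000Mbit figure
        self.window = window_s
        self.window_start = 0.0
        self.window_bits = 0
        self.known = set()                # sources that sent a valid hello

    def _over_threshold(self, now: float, size: int) -> bool:
        # Fixed measurement window: reset the counter once the window expires.
        if now - self.window_start >= self.window:
            self.window_start, self.window_bits = now, 0
        self.window_bits += size * 8
        return self.window_bits / self.window > self.engage

    def allow(self, src: tuple, packet: bytes, now: float) -> bool:
        hot = self._over_threshold(now, len(packet))
        if is_valid_hello(packet):
            self.known.add(src)
            return True
        if not hot:
            return True                   # below threshold: no filtering
        return src in self.known          # under load: established peers only
```

UDP source addresses can be forged, so a production filter would normally also echo a per-client token in the handshake before adding a source to the known set.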
-
01-04-2014, 01:17 PM #10WHT Addict
- Join Date
- Jul 2011
- Location
- Buffalo, UK
- Posts
- 161
OVH VPS's have their excellent DDoS protection included.
-
01-04-2014, 01:54 PM #11Web Hosting Master
- Join Date
- Feb 2005
- Location
- UK
- Posts
- 554
Sounds like a decent system, although I'm not entirely sure whether or not the price required for an effective number of VPSs would actually be cheaper than just getting a proper DDoS mitigation host/service?
Also, going through VPSs is almost certainly going to introduce latency — a big deal when it comes to game servers. At the very least you'd want to make sure that if your game server is EU-based, all of the VPSs are also EU-based so that an EU-based player isn't having to hop through the US to get to your server.
-
02-22-2014, 12:04 AM #12Aspiring Evangelist
- Join Date
- Oct 2010
- Posts
- 446
This is a great system, we've used a similar approach for years and it truly works wonders. 3 things you want to add:
- put a geo DNS traffic director to minimize delay, so the user will be directed through the proxy server nearest to his geo location.
- put a DNS failover so when one of the rp servers goes down, your users will be directed to another one.
- always check local peering and routing, find the best available route between rp <-> main server and rp <-> user's location. Every ms counts!
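Added example, not code from any poster in this thread: one way to combine the geo-direction and failover points from post #12, picking which proxy addresses a DNS director hands to a client and pulling a node only after repeated failed probes so one lost probe does not cause flapping. The probe limits, the region labels and the documentation-range addresses are assumptions; the origin server's address is never part of the answer set.

```python
from dataclasses import dataclass

FAIL_LIMIT = 3      # assumed: consecutive failed probes before a node is pulled
RECOVER_LIMIT = 2   # assumed: consecutive good probes before it is re-added


@dataclass
class Proxy:
    ip: str                  # constructed documentation-range address
    region: str
    rtt_to_origin_ms: float  # measured proxy <-> main server round trip
    in_rotation: bool = True
    streak: int = 0          # run of probes that contradict in_rotation


def record_probe(p: Proxy, ok: bool) -> None:
    """Flip a node's state only after a run of contradicting probe results."""
    if ok == p.in_rotation:
        p.streak = 0
        return
    p.streak += 1
    if p.streak >= (RECOVER_LIMIT if ok else FAIL_LIMIT):
        p.in_rotation, p.streak = ok, 0


def answers_for(client_region: str, proxies: list, max_answers: int = 2) -> list:
    """Addresses for one client: same-region nodes first, then lowest RTT."""
    up = [p for p in proxies if p.in_rotation]
    up.sort(key=lambda p: (p.region != client_region, p.rtt_to_origin_ms))
    return [p.ip for p in up[:max_answers]]


def build_fleet() -> list:
    """Constructed sample fleet: two EU proxies and one US proxy."""
    return [
        Proxy("192.0.2.10", "eu", 12.0),
        Proxy("192.0.2.11", "eu", 25.0),
        Proxy("198.51.100.20", "us", 95.0),
    ]
```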
-
02-22-2014, 12:43 AM #13Temporarily Suspended
- Join Date
- Feb 2014
- Posts
- 168
I guess the best way to prevent a DDoS is to not attract the kind of crowd that would DDoS you.
Ultimately there is no way to dodge or reduce a DDoS attack. You'll just have to take it and sustain it.
-
02-22-2014, 09:55 PM #14Newbie
- Join Date
- Feb 2014
- Posts
- 5
Just buy an OVH server and never think about DDoS attacks again lol. From my experience every DDoS attack never did something to the performance of my game servers, and when you receive an attack OVH automatically sends you an e-mail. It's way better, trust me. I tried ddosing my server with 12gb/s and it didn't do absolutely nothing to the server.
-
02-22-2014, 10:12 PM #15Web Hosting Master
- Join Date
- Feb 2012
- Posts
- 2,103
I agree with the above, some of the best DDoS Protection for an affordable price is most definitely OVH by far.
█ Clouveo - SSD/NVMe Cloud VPS & Web Hosting
█ Cloud VPS Servers | DDoS Protected | Snapshots | Auto Backups | One Click Apps | Custom ISOs
█ clouveo.com | Locations: [UK] London, [NL] Amsterdam, [US] Los Angeles
-
02-23-2014, 12:29 AM #16Temporarily Suspended
- Join Date
- Feb 2014
- Posts
- 168
Does OVH accept bitcoin?
-
02-23-2014, 04:23 AM #17Junior Guru Wannabe
- Join Date
- May 2013
- Posts
- 84
-
02-23-2014, 10:56 AM #18WHT Addict
- Join Date
- Jun 2012
- Posts
- 130
Diverting bad traffic to excess capacity. A few players are doing this now. And they still experience intermittent downtime when pushing the attack to the excess capacity.
In regards to gaming, the more "points of contact" that are added, the higher the latency. It's important to keep things as effective as possible.
Robert - Lead Systems Engineer
Unmetered 1Gbps Virtual Servers with DDoS protection
www.javapipe.com
-
02-23-2014, 07:24 PM #19Web Hosting Evangelist
- Join Date
- Aug 2012
- Location
- Long Island, NY
- Posts
- 488
Filtering the traffic before it hits your production servers is key. It's really about how bad of a DDoS you want your site to be able to withstand.
██ BitronicTech Affordable Hosting and VPS Since 2007. Check out my Blog.
██ 99.99% Uptime Guarantee. 30 Day Money-Back Guarantee. 24/7/365 Support.
██ cPanel/WHM - CloudLinux - Varnish - CloudFlare - Softaculous - Daily Shared Hosting Backups
-
04-12-2014, 10:53 AM #20Newbie
- Join Date
- Mar 2014
- Posts
- 10
I advise you not to use reverse proxies with game servers, since all players joining your server will have the same IP as the proxy. It would be much better (and cheaper) to set up a GRE tunnel between your box and a single DDoS protected VPS.
-
04-12-2014, 12:50 PM #21CISSP-ISSMP, CISA
- Join Date
- Aug 2002
- Location
- Seattle
- Posts
- 5,525
-
04-12-2014, 07:22 PM #22Newbie
- Join Date
- Apr 2014
- Posts
- 26
Yes, or at least in the same state/directly connected and not through a tunnel.
However, yes, we've also seen attacks with >100G against single gameservers. It's extreme nowadays.
For the protection Staminus, Blacklotus, Voxility, CNservers (minecraft only) are good companies.
-
04-18-2014, 03:19 PM #23Newbie
- Join Date
- Feb 2014
- Location
- London
- Posts
- 12
Damn, DDoS is pretty expensive. I would go with a dedicated OVH server [with protection], using it to create TCP + HTTP proxies yourself. Cheapest way.
-
04-18-2014, 06:55 PM #24Technology Consultant
- Join Date
- Feb 2013
- Posts
- 657