I am a developer of a larger custom modded GTA server (roleplay server), with 500-700 online users in peak hours. The community is very toxic. In the beginning, we received several DDoS attacks daily, so we decided to build our own protection. We are working with iptables and ipsets, as you are. But we don't bother inspecting the contents of a packet:

Our users are logging in to the server over HTTPS to a dedicated server, which is protected by Cloudflare. Once they verified their identity, the server sends a request to the main game server, which then adds the user's IP (from which the login request came) to an ipset. We set up iptables to only accept packets from IP addresses in this ipset. When the ipset is updated, the login request finishes and the user is connecting to the main game server. Also we are using UDP only for game related traffic, so we completely blocked SYN and TCP related packets in our hardware firewall on the game server port (it's a Hetzner feature).

Since then, we had no more major outage, besides sometimes some clients are dropping, because an attacker clogs our 10GB line. Of course, this can't hold against every attack, but so far this is enough to protect us.
I worked on a mid-sized online game a few years ago and we experienced several DDoS attacks. I recall one employee tracking down the specific botnet that was rented for the attack against us and we calculated the attacker probably spent a couple of hundred dollars based on the rates.

IIRC, we eventually used AWS Elastic Load Balancer to just soak up the attack, which was a pretty basic SYN flood. Then we waited the attacker out until he got sick of spending money. That temporary redirect definitely impacted performance and cost us some money but it pretty well mitigated the issue. We also spent a bit of time optimizing our servers to drop obvious nonsense requests as quickly as possible but in the end the ELB handled most of the issue for us.
Not sure if this is helpful, but I remember reading about the Tribes network protocol years ago. IIRC it was also UDP based and essentially had a mechanism to request a proof of work depending on server load before accepting any complex packets from a client. You could probably require some proof for their source IP utilizing the HTTPS request already used during server browsing.

Edit: Found it. http://opentnl.sourceforge.net/doxydocs/history.html (the "puzzles")
You should look into OVH. They have those gaming servers and they handle the DDoS protection. I was getting hit by DDoS before, but since I moved there, nothing (except an email from OVH to let me know that my server is being attacked and that they are filtering my traffic). On the server itself you just don't feel anything.

Edit: I should add that the DDoS protection is included with the server rental and there is no limit on the size or duration of the attack.
DoS attacks are something I've had to put up with too while hosting game servers since 2008. I run fshost[1] and we see attacks almost weekly. Even though we host mainstream games, we still see legitimate traffic being filtered.

Do you modify any kernel options? net.ipv4.conf.all.rp_filter=1

[1] https://fshost.me
Sounds like modern-day "protection rackets."

I know that, if you own a gambling site, you can look forward to meeting exciting slavs. I didn't realize they were taking it to other types of games, but I guess that makes sense. Wiseguys coerce Grandma's Bake Shop, just as they do Moneybags National Bank.
If you received anyone asking whether you need services that defend against DDOS, and if you refused, those are probably the guys who initiated the DDOS attack.
I don't know much about DDoS protection, but wouldn't it be possible to add a token to UDP packets? So the client first connects to a TCP server and gets a 4 byte token unique per IP. Every UDP packet should start with that token. Since an attacker with a spoofed IP can't get a valid token, their packets can be ignored with a cheap check. Might be even possible to use iptables/XDP for it?
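The scheme proposed in this comment, written out as an added Python example (it is not code from any poster or from DDNet): the server hands an authenticated client a 4-byte token over the TCP channel, and every UDP datagram must start with it. The token is derived as an HMAC over the client's source address and a time epoch, so the game server keeps no per-client table and an attacker spoofing a player's address, who never saw the TCP reply, cannot compute it. The secret, the 600-second rotation interval and the grace period for the previous epoch are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import os
import time
from typing import Optional

# Assumed parameters (not from the thread). In practice the secret is loaded from
# configuration shared by the login server and the game server, not generated at start.
SECRET = os.urandom(32)
ROTATION_SECONDS = 600        # how often tokens change
TOKEN_LEN = 4                 # the "4 bytes token" from the comment


def _epoch(now: float) -> int:
    """Rotation counter; all clients in the same window share one epoch value."""
    return int(now // ROTATION_SECONDS)


def issue_token(client_ip: str, now: Optional[float] = None, secret: bytes = SECRET) -> bytes:
    """Token returned to the client over TCP/HTTPS after it has authenticated.

    HMAC-SHA256(secret, packed_source_ip || epoch), truncated to TOKEN_LEN bytes.
    Binding the token to the source address means it is useless from any other IP.
    """
    packed = ipaddress.ip_address(client_ip).packed
    epoch = _epoch(time.time() if now is None else now)
    return hmac.new(secret, packed + epoch.to_bytes(8, "big"), hashlib.sha256).digest()[:TOKEN_LEN]


def verify_datagram(src_ip: str, payload: bytes, now: Optional[float] = None,
                    secret: bytes = SECRET) -> bool:
    """Cheap per-packet check run before any game parsing happens.

    Accepts the token for the current epoch or the previous one, so a client is not
    cut off at the moment of rotation. The comparison is constant-time so the check
    does not leak how many leading bytes matched.
    """
    if len(payload) < TOKEN_LEN:
        return False
    presented = payload[:TOKEN_LEN]
    t = time.time() if now is None else now
    for candidate in (t, t - ROTATION_SECONDS):
        if hmac.compare_digest(presented, issue_token(src_ip, candidate, secret)):
            return True
    return False


def strip_token(payload: bytes) -> bytes:
    """The game protocol sees the datagram without the token prefix."""
    return payload[TOKEN_LEN:]


if __name__ == "__main__":
    # Constructed sample exchange: 203.0.113.7 logs in, then sends one datagram.
    token = issue_token("203.0.113.7")
    datagram = token + b"MOVE 12 34"
    print("accepted:", verify_datagram("203.0.113.7", datagram))        # True
    print("spoofed :", verify_datagram("198.51.100.9", datagram))       # False
    print("payload :", strip_token(datagram))
```

Because the check is a fixed-offset compare against a value the kernel could hold in a map keyed by source address, it is the kind of thing that can be pushed down into XDP; the Python version above is the reference logic. The caveat stands regardless of where it runs: a 32-bit token only removes the cost of processing spoofed packets, it does nothing against traffic that saturates the uplink.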
"For the individual server infos the client currently has to communicate with each game server by UDP, thus revealing its own IP address without having connected to a server. Since one of the known attackers is running their own DDNet server, they can use this method to collect legitimate player IP addresses and spoof them in their attacks."

Interesting. I wonder if running an overlay network would help there. More choices today for userspace overlay networks. Rogue server owners would still see an IP, but they could only attack it from their connected server, not the internet at large. And you could do some kind of ingress/egress filtering.

Some sort of periodic coordinated switching from UDP port A to port B might help too, like a control message that tells the game client to switch ports. Or randomized initial port assignments combined with filters/firewalling or just in-band 'you're not supposed to send here, bye'.
A few suggestions:

1. Cloudflare offer TCP based DDoS protection too, see their Magic Transit or Spectrum product

2. This sucks, but put your servers behind WireGuard or Tailscale VPN so that in order to connect you need to have authenticated
I've no idea how complex this is to code or if it will work for you, but I'll throw the idea out to see if anyone else could improve on it etc.

Initial strawman draft idea: have a front door service that just verifies your gamers (e.g. a log on server). This will need to be protected against DDoS but the throughput shouldn't be large. Once authenticated, your client's IP address is then passed to some sort of software based firewall protecting each of the main game servers.
I worked in games for a few years. We constantly got DoS'd. Probably twice a week. Luckily our content was extremely cachable, so once it happened a few times we just black holed stuff through Fastly. The attacks weren't super sophisticated, mostly just hitting a public endpoint a ton of times or trying to crawl API endpoints.
EDIT: Cloudflare already made a game demo on Workers... multiplayer Doom: https://blog.cloudflare.com/doom-multiplayer-workers/ that was written using WASM + WebSockets, porting over an open-source Doom and shimming in a UDP-over-WebSockets networking layer. Despite all that, it's still fast enough for a first person shooter.

Original post:
Have you looked into using a serverless pub/sub model, like Cloudflare's Workers KV? The example they give is a simple IRC-like distributed chatroom (https://github.com/cloudflare/workers-chat-demo), but theoretically it may work for games too.

Player state can be stored in a decentralized key-value store that Cloudflare manages (Cloudflare Durable Objects). They absorb all the DDoS and handle replication between edge nodes. You don't see any of that. https://developers.cloudflare.com/workers/learning/using-durable-objects

Then each game client uses a worker to access that KV on a subscription basis, and Cloudflare will route that worker to its nearest edge node and retrieve the state from there (which was previously replicated a moment ago, internal to Cloudflare's infrastructure). Changes to state are replicated across the edge network and pushed to client workers.

https://workers.cloudflare.com/

I don't know if this would result in acceptable latency, but it could help with DDoS at least. The main benefit is that it's incredibly affordable, especially when you're only talking about thousands of players.
Why is DDoS still possible? It is possible for ISPs to stop this. There is a proposal for ISP level blocking of spoofed source addresses. Also there should be something like an API where I can tell my ISP that I don't want to receive any more packets from a given source and it should be propagated up the chain.
Players should be authenticated first to be able to talk to the game server (I'm talking about the accept() syscall).

A 1h timeout is way too long, you should not have more than a couple of minutes max.

I worked on some popular online games and it was a combination of 1) + some iptables rules (to allow the traffic).

Too many logins would block the IP etc ...

With proper auth (based on TCP), iptables, kernel tuning you can get a lot of good results without doing some complicated things like UDP proxy / relay / load balancing.
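The pattern that the first comment describes in detail (login over HTTPS, then the game host adds the client's source address to an ipset that iptables consults, with TCP to the game port blocked entirely), that the "front door service" comment sketches, and that this comment reinforces with its call for short timeouts, written out as an added Python helper for the game host. It is not code from any poster or project. The set name game_allow, the UDP port 30120 and the 300-second entry lifetime are assumptions; the ipset and iptables invocations themselves are standard.

```python
import ipaddress
import subprocess
from typing import List

# Assumed values (not from the thread).
ALLOW_SET = "game_allow"
GAME_PORT = 30120
ENTRY_TIMEOUT = 300   # seconds; a client must re-authenticate after this


def firewall_setup_commands() -> List[List[str]]:
    """Commands, as argv lists, that create the allowlist and wire it into iptables.

    UDP to the game port is accepted only from addresses in the set; everything
    else to that port is dropped. Entries expire on their own via the set timeout.
    """
    return [
        ["ipset", "-exist", "create", ALLOW_SET, "hash:ip", "timeout", str(ENTRY_TIMEOUT)],
        ["iptables", "-A", "INPUT", "-p", "udp", "--dport", str(GAME_PORT),
         "-m", "set", "--match-set", ALLOW_SET, "src", "-j", "ACCEPT"],
        ["iptables", "-A", "INPUT", "-p", "udp", "--dport", str(GAME_PORT), "-j", "DROP"],
    ]


def allow_command(client_ip: str, timeout: int = ENTRY_TIMEOUT) -> List[str]:
    """Build the ipset command that admits one authenticated client.

    The address originates from a request the login server received, so it is
    parsed with the ipaddress module rather than trusted as a string, and only a
    plausible unicast IPv4 address is accepted. The result is an argv list and is
    never joined into a shell command line, so a malformed value cannot become
    extra commands even if validation were wrong.
    """
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        raise ValueError(f"not an IP address: {client_ip!r}")
    if addr.version != 4:
        raise ValueError("the set is hash:ip for IPv4; use a separate family inet6 set for IPv6")
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified or addr.is_link_local:
        raise ValueError(f"refusing to allowlist {addr}")
    if not 0 < timeout <= ENTRY_TIMEOUT:
        raise ValueError("timeout must be positive and not exceed the set default")
    return ["ipset", "-exist", "add", ALLOW_SET, str(addr), "timeout", str(timeout)]


def is_admissible(client_ip: str) -> bool:
    """True if allow_command would accept this value."""
    try:
        allow_command(client_ip)
        return True
    except ValueError:
        return False


def admit_client(client_ip: str) -> None:
    """Run the allow command; requires root or CAP_NET_ADMIN on the game host."""
    subprocess.run(allow_command(client_ip), check=True)


if __name__ == "__main__":
    for argv in firewall_setup_commands():
        print(" ".join(argv))
    # Constructed sample: a client that just authenticated from 203.0.113.7.
    print(" ".join(allow_command("203.0.113.7")))
```

Two points worth keeping in mind with this layout. The address passed to admit_client must be the player's address as the login server actually saw it; when the login endpoint sits behind Cloudflare, the socket peer is a Cloudflare address and the client's is in the CF-Connecting-IP header. And since the set expires entries, the client (or the login server on its behalf) has to refresh before the timeout, which is what keeps the short lifetime this comment asks for from disconnecting players mid-session.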
> we are a free online game and thus have no measurable economic damage, the public prosecutor left it at a sternly worded warning.

The prosecutor is a #@*&%! : your time costs money. Working outside normal office hours is costly.

Maybe you need to set up a contract between the "organization" that runs the servers and yourself that states how much time (and money) it costs to run the game.
In the US, Cogent offered $900 per month promotion for 10G commit on a 100G burstable circuit. If you rent several rack units and put a used Juniper hardware firewall from eBay in front, that may be one of the cheapest solutions to absorb 100Gbps attacks