Concerns about Gameserver Protection

JohnMiller92 Member
edited January 2018 in Help

Hi all, me again :P

I've been doing my gameserver in the Crystal lang (TCP), and have some concerns about protection. I have my gameserver behind cloudflare, which also houses nginx/mysql/a small php forum. So users can create an account, login, etc. However, cloudflare protects WebSockets not native TCP sockets.

So from what I am understanding (correct me if I'm wrong): The forum/login system will be behind cloudflare, but when an attacker connects to the master game server (say port 9300), they will most likely be able to get the IP. Which is kind of worrying.

I've implemented rate limiting with iptables, and rate limiting on nginx to protect php/mysql services. Except, I imagine a DDOS attack will be very damaging. And if an attacker gets the ip, using cloudflare won't be that much help.

One solution I found was reading BuyVM's site, and they had a page about GRE Tunneling. I could use that IP in front of my game server, correct? And if I do that, I should buy their services to minimize the latency as much as possible?

2nd possible solution: convert the game server to use WebSockets instead, which will not be hard at all because of how the server is structured. However, Cloudflare doesn't have a limit of how many connections they support. If the game grows pretty big, dishing out $200/m for their business plan, when I could use a GRE tunnel from BuyVM for $3/m, seems a bit excessive.

Any other solutions that come to mind? Thanks for all the help in my last thread btw!
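Since Cloudflare only proxies HTTP and WebSockets, a native TCP listener such as the matchmaking port above has to enforce its own per-client limits. The following is an added example, not code from the thread or from the poster's Crystal server: the two controls the poster applies with iptables (a per-source connection cap and a per-source new-connection rate) moved into the accept path of an asyncio TCP server, written in Python so it runs anywhere. Port 9300, the thresholds and the line-based framing are assumptions.

```python
import asyncio
import time
from collections import defaultdict


class ConnectionPolicy:
    """Per-source-IP admission control for a raw TCP listener.

    max_conns: concurrent connections allowed per IP (assumed value).
    rate / burst: token bucket for new connections per IP; `rate` tokens
                  refill per second and at most `burst` are held.
    clock: injectable time source so the policy can be exercised offline.
    """

    def __init__(self, max_conns=4, rate=1.0, burst=5, clock=time.monotonic):
        self.max_conns = max_conns
        self.rate = rate
        self.burst = burst
        self.clock = clock
        self.live = defaultdict(int)   # ip -> currently open connections
        self.buckets = {}              # ip -> (tokens, last refill time)

    def _take_token(self, ip):
        """Refill the IP's bucket for the elapsed time, then spend one token if available."""
        now = self.clock()
        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self.buckets[ip] = (tokens, now)
            return False
        self.buckets[ip] = (tokens - 1.0, now)
        return True

    def admit(self, ip):
        """Decide on one accepted socket; returns (allowed, reason)."""
        if self.live[ip] >= self.max_conns:
            return False, "too many concurrent connections"
        if not self._take_token(ip):
            return False, "connection rate exceeded"
        self.live[ip] += 1
        return True, "ok"

    def release(self, ip):
        """Call when a connection admitted by admit() closes."""
        if self.live[ip] > 0:
            self.live[ip] -= 1


POLICY = ConnectionPolicy()


async def handle_client(reader, writer):
    """Admission check first; the client's bytes are only read once it passes."""
    ip = writer.get_extra_info("peername")[0]
    allowed, _reason = POLICY.admit(ip)
    if not allowed:
        writer.close()            # refuse without parsing anything
        await writer.wait_closed()
        return
    try:
        while True:
            line = await reader.readline()   # line framing stands in for the real protocol
            if not line:
                break
            writer.write(b"ack " + line)
            await writer.drain()
    finally:
        POLICY.release(ip)
        writer.close()


if __name__ == "__main__":
    async def main():
        # 9300 is the port assumed in the thread; bound to loopback for this demo
        server = await asyncio.start_server(handle_client, "127.0.0.1", 9300)
        async with server:
            await server.serve_forever()

    asyncio.run(main())
```

The concurrent-connection check runs before the token bucket, so a client already at its cap is refused without spending a token, and the bucket is only consulted for genuinely new connection attempts. Limits like these keep one abusive client from monopolising the accept queue; they do nothing against a volumetric flood that fills the uplink, which is the case the rest of the thread is about.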

Comments

  • Is this a browser game?
    If so you should use websockets.

    I would recommend switching to websockets.
    Cloudflare can filter at layer 7 with websockets and has POPs all over the world.
    With BuyVM you can have 3 pops at max.

    From my experience BuyVM/Voxility has a lot of packet drops, shitty routing and extra latency compared to Cloudflare.
    These are all things you want to avoid when hosting a game server.

    Thanked by 2: JohnMiller92, Xei
  • Neoon Community Contributor, Veteran

    "I have my gameserver behind cloudflare"

    Wait, TCP and Gameserver? Interesting, never heard of such.
    I guess latency is not a thing you need, otherwise you go UDP.

    Well, get an OVH vps or dedi and you will be fine.

    Thanked by 2: pike, kmas
  • JohnMiller92 Member
    edited January 2018

    @Xeniox said:
    Is this a browser game?
    If so you should use websockets.

    Nope, it's done in the Godot engine / will be desktop only. It breaks the HTML 5 exporter :P

    I see. I wonder how many connections cloudflare will let you have then before they ask you to upgrade. I have no problem paying the $20/m package one to be honest (if they gave out real numbers). It's just a matchmaking / chat server. So the throughput won't be high, but the amount of connected users could be.

    With that said, I wonder what the latency lag delta will be compared to:
    Cloudflare-protected WebSockets vs a GRE tunnel. I'm only going off your experience; it could be better, worse, or negligible for me. That I'm not sure.

    @Neoon said:
    "I have my gameserver behind cloudflare"

    Wait, TCP and Gameserver? Interesting, never heard of such.
    I guess latency is not a thing you need, otherwise you go UDP.

    Well, get an OVH vps or dedi and you will be fine.

    Oh yeah, for sure. For the game instance servers they will most likely communicate by UDP, just not entirely sure / there yet tbh :P

  • Don't use a GRE Tunnel or anything like that for a gameserver, it creates unnecessary latency for the end user. Go direct with a DDoS Protected provider (not BuyVM as they use Voxility and it is trash for gameservers). Check out providers like Zare, Psychz etc etc and let them know of your situation and see what they say.

    Thanked by 3: JohnMiller92, WSS, Zare
  • @Neoon said:
    "I have my gameserver behind cloudflare"

    Wait, TCP and Gameserver? Interesting, never heard of such.
    I guess latency is not a thing you need, otherwise you go UDP.

    Well, get an OVH vps or dedi and you will be fine.

    World of Warcraft

  • Neoon Community Contributor, Veteran

    @stefeman said:

    @Neoon said:
    "I have my gameserver behind cloudflare"

    Wait, TCP and Gameserver? Interesting, never heard of such.
    I guess latency is not a thing you need, otherwise you go UDP.

    Well, get an OVH vps or dedi and you will be fine.

    World of Warcraft

    It also uses UDP, not only TCP.

  • graphic Member
    edited January 2018

    Just use OVH's game protection and you'll be safe.

    Thanked by 1: JohnMiller92
  • @Neoon said:

    @stefeman said:

    @Neoon said:
    "I have my gameserver behind cloudflare"

    Wait, TCP and Gameserver? Interesting, never heard of such.
    I guess latency is not a thing you need, otherwise you go UDP.

    Well, get an OVH vps or dedi and you will be fine.

    World of Warcraft

    It also uses UDP, not only TCP.

    It used TCP for all traffic between clients and worldserver in vanilla, TBC, WotLK.

    Only after Cataclysm, they added UDP for worldserver traffic.

    Also most old RTS games use TCP only for fault tolerance. Age of Mythology, for example.

  • @Zen said:
    Is there any reason you chose Crystal for the serverside?

    After seeing this:
    http://serdardogruyol.com/benchmarking-and-scaling-websockets-handling-60000-concurrent-connections-with-kemal

    Convinced me it'll probably be a good idea to convert my nodejs server over

  • JohnMiller92 Member
    edited January 2018

    @Zen said:

    @JohnMiller92 said:

    @Zen said:
    Is there any reason you chose Crystal for the serverside?

    After seeing this:
    http://serdardogruyol.com/benchmarking-and-scaling-websockets-handling-60000-concurrent-connections-with-kemal

    Convinced me it'll probably be a good idea to convert my nodejs server over

    If you don't mind me asking, what type of game are you developing?

    Don't mind at all :)

    Diablo/PoE inspired hack n slasher with Chronicon style gameplay (except not pixel art, all HD sprites). Multiplayer/online support similar to how D2 works with battle.net (game instances/lobby)

  • @graphic said:
    Just use OVH's game protection and you'll be safe.

    Wouldn't work. OVH Game Protection is designed for specific gameservers and wouldn't work properly with this game.

  • @6ixth said:

    @graphic said:
    Just use OVH's game protection and you'll be safe.

    Wouldn't work. OVH Game Protection is designed for specific gameservers and wouldn't work properly with this game.

    If the game's not listed you just have to open the needed ports manually.
    Worth a try I think.

  • @graphic said:

    @6ixth said:

    @graphic said:
    Just use OVH's game protection and you'll be safe.

    Wouldn't work. OVH Game Protection is designed for specific gameservers and wouldn't work properly with this game.

    If the game's not listed you just have to open the needed ports manually.
    Worth a try I think.

    You are right but the OVH Game Protection is also made in mind with only allowing specific types of traffic to known ports. It is only more effective than normal OVH DDoS Pro on games they support.

  • FoxelVox Member
    edited January 2018

    Best way to protect your server is to distribute load (load balancers). Yes, even with DDoS. Otherwise proxy redirecting would be an option, just like Minecraft BungeeCord.

    EDIT: Just saw this is a TCP-only protocol game? If you find a provider that can block ALL UDP traffic and has a 10Gbps connection option, with layer 7 DDoS protection you’re almost untouchable.

    Why? TCP attacks aren’t amplifiable, and router/IoT botnet devices can’t send TCP packets. Only devices like Raspberry Pis, but that wouldn’t reach close to 10Gbit.

    Thanked by 1: JohnMiller92
  • @FoxelVox said:
    router/IoT botnet devices can’t send TCP packets. Only devices like Raspberry Pis, but that wouldn’t reach close to 10Gbit.

    You lost me on that part can you enlighten me?

  • @Vinnyletje said:

    @FoxelVox said:
    router/IoT botnet devices can’t send TCP packets. Only devices like Raspberry Pis, but that wouldn’t reach close to 10Gbit.

    You lost me on that part can you enlighten me?

    Known IoT botnets like Mirai, Qbot, Bitbot etc. are only built to send UDP attacks with different protocols and headers and HTTP flood GET/POST/AUTH attacks. Some have functions like GREETH/GRESTOMP TCP attacks, but 98% of the devices such a net infects aren't able to send this since it's on receive-only mode.

  • 6ixth Member
    edited February 2018

    @FoxelVox said:
    Best way to protect your server is to distribute load (load balancers). Yes, even with DDoS. Otherwise proxy redirecting would be an option, just like Minecraft BungeeCord.

    EDIT: Just saw this is a TCP-only protocol game? If you find a provider that can block ALL UDP traffic and has a 10Gbps connection option, with layer 7 DDoS protection you’re almost untouchable.

    Why? TCP attacks aren’t amplifiable, and router/IoT botnet devices can’t send TCP packets. Only devices like Raspberry Pis, but that wouldn’t reach close to 10Gbit.

    You do realise that there's a difference between Layer 7 & TCP? TCP is still a Layer 4 method and needs to be mitigated as one. Layer 7 is purely application attacks like HTTP GET. (Which can be blocked by just not running a web server).

    Also, DDoS Protection appliances are effectively load balancers however they also allow legitimate traffic through whilst completely blocking dirty at network edge to prevent bandwidth costs etc. This isn't something OP would ever be able to afford as it'd be 10K+ a month as all I'd have to do is just max the bandwidth all the time which would cost him a metric shit load (the point of going with a ddos protected provider).

    In regards to just blocking UDP and mitigating TCP on whatever comes through, you have a valid point. It may not amplify as well as UDP based methods like SSDP back in 2015 but would be a lot easier (don't get me wrong, booters still have strong methods that will down most servers like TCP-ACK, VSE etc etc).
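What a host-level version of "block all UDP and mitigate TCP as layer 4" looks like, as an added example that is not from the thread or from any provider: a small POSIX sh script that generates an iptables-restore rule set for a TCP-only game port. It drops every inbound UDP packet the host did not itself solicit, caps concurrent connections per source address with connlimit and rate-limits SYNs per source with hashlimit, the same two controls the original poster mentions doing with iptables. The game port (9300), the SSH port, and the thresholds are assumptions; the script only prints the rules unless run as root with --apply.

```shell
#!/bin/sh
# Constructed example: host-level layer-4 rules for a TCP-only game server.
# Port, SSH port and thresholds below are assumptions, not values from the thread.
# What these rules can do: protect the host's accept queue and CPU from one
# noisy source. What they cannot do: absorb a flood that fills the uplink;
# by the time the kernel sees those packets the bandwidth is already spent.

GAME_PORT="${GAME_PORT:-9300}"
SSH_PORT="${SSH_PORT:-22}"
MAX_CONN_PER_SRC="${MAX_CONN_PER_SRC:-8}"
SYN_RATE="${SYN_RATE:-10/second}"
SYN_BURST="${SYN_BURST:-20}"

# game_rules PORT SSHPORT MAXCONN RATE BURST
# Prints a complete iptables-restore rule set so it can be loaded atomically.
game_rules() {
    port="$1"; sshport="$2"; maxconn="$3"; rate="$4"; burst="$5"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GAME - [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to our own outbound traffic (DNS lookups, package updates) come in here
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# TCP-only service: nothing unsolicited over UDP is ever needed
-A INPUT -p udp -j DROP
# Keep admin access; narrow the source with -s if the admin IP is static
-A INPUT -p tcp --dport $sshport --syn -j ACCEPT
-A INPUT -p tcp --dport $port --syn -j GAME
# Per-source cap on concurrent connections (mask 32 = one counter per IPv4 address)
-A GAME -p tcp --syn -m connlimit --connlimit-above $maxconn --connlimit-mask 32 -j REJECT --reject-with tcp-reset
# Per-source SYN rate; excess SYNs are dropped so the backlog is not consumed
-A GAME -p tcp --syn -m hashlimit --hashlimit-name game_syn --hashlimit-mode srcip --hashlimit-above $rate --hashlimit-burst $burst -j DROP
-A GAME -j ACCEPT
COMMIT
EOF
}

# apply_rules: load the generated set in one shot (requires root and iptables-restore)
apply_rules() {
    command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not found" >&2; return 1; }
    game_rules "$GAME_PORT" "$SSH_PORT" "$MAX_CONN_PER_SRC" "$SYN_RATE" "$SYN_BURST" | iptables-restore
}

case "${1:-}" in
    --apply) apply_rules ;;
    *) game_rules "$GAME_PORT" "$SSH_PORT" "$MAX_CONN_PER_SRC" "$SYN_RATE" "$SYN_BURST" ;;
esac
```

Only the SYN of a new connection is sent through the GAME chain; packets of established connections are accepted by the conntrack rule above it, so the limits cost nothing on the steady-state game traffic. Rejecting with a TCP reset at the connection cap gives a legitimate but over-eager client an immediate error instead of a timeout, while the rate limit silently drops so a flooding source gets no feedback.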

  • Holyfuck, yet another shitposter comes out as clueful.

  • @WSS said:
    Holyfuck, yet another shitposter comes out as clueful.

    I don't shit post that much :(

  • @6ixth said:

    @WSS said:
    Holyfuck, yet another shitposter comes out as clueful.

    I don't shit post that much :(

    You make me look helpful, according to the numbers.

  • @JohnMiller92

    At the end of the day, it usually comes down to brute force. You can set up 9999 rate limits and whatever else but if some guy comes along with 100Gbps of volumetric power, your server is going offline unless you are with a provider like Voxility but as I said, their methods of blocking are terrible (sometimes they block entire countries).

    You need to go with a provider who will let you provide them with pcaps with DDoS data and can build profiles around it to block on top of having some volumetric network power. This is how OVH Game works, they narrow down which traffic on a port is legitimate and block everything else.

    It's increasingly rare to be attacked with such power these days, only rich Chinese people and the people behind the biggest stressers and botnets have the power and the likelihood of them attacking your game is slim. I wouldn't worry about it too much, just focus on your game and look into Zare, Psychz etc.

    Thanked by 1: JohnMiller92