Concerns about Gameserver Protection
Hi all, me again :P
I've been doing my gameserver in the Crystal lang (TCP), and have some concerns about protection. I have my gameserver behind cloudflare, which also houses nginx/mysql/a small php forum. So users can create an account, login, etc. However, cloudflare protects WebSockets not native TCP sockets.
So from what I am understanding (correct me if I'm wrong): The forum/login system will be behind cloudflare, but when an attacker connects to the master game server (say port 9300), they will most likely be able to get the IP. Which is kind of worrying.
I've implemented rate limiting with iptables, and rate limiting on nginx to protect the php/mysql services. Except, I imagine a DDoS attack will be very damaging. And if an attacker gets the IP, using cloudflare won't be that much help.
One solution I found was reading BuyVM's site, and they had a page about GRE Tunneling. I could use that IP in front of my game server, correct? And if I do that, I should buy their services to minimize the latency as much as possible?
2nd possible solution: convert the game server to use WebSockets instead. Which will not be hard at all, because of how the server is structured. However, Cloudflare doesn't have a limit of how many connections they support. If the game grows pretty big, dishing out $200/m for their business plan, when I could use a GRE tunnel from BuyVM for $3/m, seems a bit excessive.
Any other solutions that come to mind? Thanks for all the help in my last thread btw!
Comments
Is this a browser game?
If so you should use websockets.
I would recommend switching to websockets.
Cloudflare can filter at layer 7 with websockets and has POPs all over the world.
With BuyVM you can have 3 pops at max.
From my experience BuyVM/Voxility has a lot of packet drops, shitty routing and extra latency compared to cloudflare.
These are all things you want to avoid when hosting a game server.
"I have my gameserver behind cloudflare"
Wait, TCP and gameserver? Interesting, never heard of such.
I guess latency is not a thing you need, otherwise you'd go UDP.
Well, get an OVH vps or dedi and you will be fine.
Nope, it's done in the Godot engine / will be desktop only. It breaks the HTML 5 exporter :P
I see. I wonder how many connections cloudflare will let you have then before they ask you to upgrade. I have no problem paying the $20/m package one to be honest (if they gave out real numbers). It's just a matchmaking / chat server. So the throughput won't be high, but the amount of connected users could be.
With that said, I wonder what the latency lag delta will be compared to:
Cloudflare protected WebSockets vs a GRE tunnel. I'm only going off your experience; it could be better, worse, or negligible for me? That I'm not sure.
Oh yeah, for sure. For the game instance servers they will most likely communicate by UDP, just not entirely sure / there yet tbh :P
Don't use a GRE Tunnel or anything like that for a gameserver, it creates unnecessary latency for the end user. Go direct with a DDoS Protected provider (not BuyVM, as they use Voxility, which is trash for gameservers). Check out providers like Zare, Psychz etc etc and let them know of your situation and see what they say.
World of Warcraft
It also uses UDP, not only TCP.
Just use OVH's game protection and you'll be safe.
It used TCP for all traffic between clients and worldserver in vanilla, TBC, WotLK.
Only after Cataclysm did they add UDP for worldserver traffic.
Also most old RTS games use TCP only for fault tolerance. Age of Mythology for example.
After seeing this:
http://serdardogruyol.com/benchmarking-and-scaling-websockets-handling-60000-concurrent-connections-with-kemal
It convinced me it'll probably be a good idea to convert my nodejs server over.
Don't mind at all
Diablo/PoE inspired hack n slasher with Chronicon style gameplay (except not pixel art, all HD sprites). Multiplayer/online support similar to how D2 works with battle.net (game instances/lobby)
Wouldn't work. OVH Game Protection is designed for specific gameservers and wouldn't work properly with this game.
If the game's not listed you just have to open the needed ports manually.
Worth a try I think.
You are right, but the OVH Game Protection is also made with only allowing specific types of traffic to known ports in mind. It is only more effective than normal OVH DDoS Pro on games they support.
Best way to protect your server is to distribute load (loadbalancers). Yes, even with ddos. Otherwise proxy redirecting would be an option, just like Minecraft bungeecord.
EDIT: Just saw this is a TCP-ONLY protocol game? If you find a provider that can block ALL udp traffic and has a 10Gbps connection option, with layer7 ddos protection you’re almost untouchable.
Why? TCP attacks aren't amplifiable, and router/IoT botnet devices can't send TCP packets. Only devices like Raspberry Pis can, but that wouldn't come close to 10Gbit.
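As an added example that is not part of the thread, this is what "block ALL UDP and rate-limit TCP" looks like as a host-side nftables ruleset for a TCP-only game port; it assumes nftables 0.9 or newer (dynamic sets), SSH on 22, nginx on 80/443 and the game server on port 9300 as in the original post. Dropping UDP on the host only spares the kernel once the packets have already crossed your link, so it complements rather than replaces the provider-side filtering the commenter has in mind.

```nft
#!/usr/sbin/nft -f
# Added example: host firewall for a TCP-only game server (port 9300) with an
# nginx front on 80/443. Assumes nftables >= 0.9 (dynamic sets) and SSH on 22.
flush ruleset

table inet gamehost {
    # per-source rate of new connections on the game port; entries expire after 1m idle
    set game_syn_rate {
        type ipv4_addr
        flags dynamic
        timeout 1m
    }
    # per-source count of concurrent game sessions (tracked through conntrack)
    set game_conn_count {
        type ipv4_addr
        flags dynamic
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop
        # replies to our own outbound traffic (DNS lookups, package updates) are fine
        ct state established,related accept

        # keep ping and path-MTU discovery working; nothing else in ICMP is needed
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        tcp dport 22 ct state new accept
        # web front (nginx/forum). If it is proxied through Cloudflare, narrow this to their ranges.
        tcp dport { 80, 443 } ct state new accept

        # game port: more than 10 new connections/s from one source is not a player
        tcp dport 9300 ct state new add @game_syn_rate { ip saddr limit rate over 10/second burst 20 packets } counter drop
        # and no single source may hold more than 32 open sessions at once
        tcp dport 9300 ct state new add @game_conn_count { ip saddr ct count over 32 } counter drop
        tcp dport 9300 ct state new accept

        # a TCP-only protocol needs no inbound UDP at all; count what is dropped for monitoring
        meta l4proto udp counter drop
        # anything else falls through to the chain policy (drop)
    }
}
```

Load it with `nft -f` and watch the `counter` values on the two drop rules to see whether a flood is mostly UDP (absorbed by the last rule) or TCP connection churn (caught by the per-source limits).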
You lost me on that part can you enlighten me?
Known IoT botnets like mirai, qbot, bitbot etc. are only built to send UDP attacks with different protocols and headers and HTTPFLOOD GET/POST/AUTH attacks. Some have functions like GREETH/GRESTOMP TCP attacks, but 98% of the devices such a net infects aren't able to send this since it's in receive-only mode.
You do realise that there's a difference between Layer 7 & TCP? TCP is still a Layer 4 method and needs to be mitigated as one. Layer 7 is purely application attacks like HTTP GET. (Which can be blocked by just not running a web server).
Also, DDoS Protection appliances are effectively load balancers however they also allow legitimate traffic through whilst completely blocking dirty at network edge to prevent bandwidth costs etc. This isn't something OP would ever be able to afford as it'd be 10K+ a month as all I'd have to do is just max the bandwidth all the time which would cost him a metric shit load (the point of going with a ddos protected provider).
In regards to just blocking UDP and mitigating TCP on whatever comes through, you have a valid point. It may not amplify as well as UDP based methods like SSDP back in 2015 but would be a lot easier (don't get me wrong, booters still have strong methods that will down most servers like TCP-ACK, VSE etc etc).
Holy fuck, yet another shitposter comes out as clueful.
I don't shit post that much
You make me look helpful, according to the numbers.
@JohnMiller92
At the end of the day, it usually comes down to brute force. You can set up 9999 rate limits and whatever else but if some guy comes along with 100Gbps of volumetric power, your server is going offline unless you are with a provider like Voxility but as I said, their methods of blocking are terrible (sometimes they block entire countries).
You need to go with a provider who will let you provide them with pcaps of ddos data and can build profiles around it to block, on top of having some volumetric network power. This is how OVH Game works, they narrow down which traffic on a port is legitimate and block everything else.
It's increasingly rare to be attacked with such power these days, only rich Chinese people and the people behind the biggest stressers and botnets have the power and the likelihood of them attacking your game is slim. I wouldn't worry about it too much, just focus on your game and look into Zare, Psychz etc.