How to protect against DDOS ?

SaddamAWP01

Hello, I want to open a public gameserver for my discord community and first I want to open it from my home network which is very good and fast and I wonder how I can protect myself against DDOS attacks.

For a server, upstream is generally more important than downstream. So even if your download speed is good, it doesn't mean it'll make a good server. You need good upload speed.

 

Ideally, do not use your home connection. If, for whatever reason, someone thinks to take down your server through a DDOS, you won't be able to do anything because your own network connection is now also affected. Use an external server, so that your own connection still works in case the server doesn't.

 

There's no real protection against DDOS, other than having more network resources than your attacker, more compute power than they do and to have more than one location. The typical solution to this is to "hide" your server behind something like Cloudflare.

 

Of course you also need to ask yourself: Why would someone target your server specifically? If it's just a small server whose address is only shared within your community, the risk should be fairly minimal.


13 minutes ago, SaddamAWP01 said:

it from my home network

Just be aware it could be against the TOS of your ISP. Generally they don't bitch as long as you don't have too much traffic. So if it's a relatively small community you could be OK, but if it's a larger one, you might want to consider a paid hosting solution.

I just want to sit back and watch the world burn. 

Speed test result: 529.24 Mbps download, 117.59 Mbps upload.

I will have, for example, around 150-200 players. I used to open this server from my home and everything was perfect; the problem comes when I am under DDOS attack. If I purchase a host from OVH for example, I will have the same internet speed and the server will run the same. Their DDOS protection is also weak; I got DDOS attacks on OVH servers too and the server went down.

What can I do?
5 hours ago, SaddamAWP01 said:
Speed test result: 529.24 Mbps download, 117.59 Mbps upload.

I will have, for example, around 150-200 players. I used to open this server from my home and everything was perfect; the problem comes when I am under DDOS attack. If I purchase a host from OVH for example, I will have the same internet speed and the server will run the same. Their DDOS protection is also weak; I got DDOS attacks on OVH servers too and the server went down.

What can I do?

You can't do anything!

 

DDoS protection has to happen as far upstream as possible to absorb the traffic where there is enough bandwidth for it not to cause congestion.  Once the traffic has hit your Internet connection, the damage is already done.

 

All you can really do is reduce the impact of a single person trying to DoS your server (not DDoS) by having something block suspicious traffic patterns from ever reaching the server.  This only protects against overloading the server, not overloading the Internet connection.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7

And the answer for my question is? I only see what I already know. I need a program to filter the internet traffic in order to block connections which sends too many packets per second.

5 minutes ago, SaddamAWP01 said:

And the answer for my question is? I only see what I already know. I need a program to filter the internet traffic in order to block connections which sends too many packets per second.

You can't, those do NOT exist in the way you want. The packets still come down the pipe to your home.

You either have more bandwidth than you're being flooded with or you're choked out.

 

Either move to a host with better DDOS protection with more resources/bandwidth or deal with DDOS, that's about it.

3 hours ago, SaddamAWP01 said:

I need a program to filter the internet traffic in order to block connections which sends too many packets per second.

Nothing you set up on your own network will be effective, because by the time it can see the traffic it's too late. That DDOS traffic flood has to come down your Internet connection in order to reach your network so you can filter it. You can prevent it from hitting your server, but you can't prevent it from clogging up your Internet connection.

 

You would have to switch to a "real" hosting provider, or set up a service like Cloudflare

I sold my soul for ProSupport.

4 hours ago, SaddamAWP01 said:

And the answer for my question is? I only see what I already know. I need a program to filter the internet traffic in order to block connections which sends too many packets per second.

If you're trying to prevent someone flooding the server then generally the best you can do is geoblocking and manually ban any IPs that try making too many connections to your server.  This is what I use pfSense for, I only allow incoming traffic from the US and UK, it prevents log spam from Russian hackers, etc.  But as we said before, it doesn't prevent their attempts from taking up bandwidth on the Internet connection, if someone is trying to DDoS you then only your ISP can block that.

 

Trying to automatically detect suspect traffic patterns on the other hand requires a lot of CPU power on your router and the odds of it false flagging genuine traffic is pretty high.  We'd be talking Deep Packet Inspection and that's a deep rabbit hole to go down, far beyond what I'm willing to learn myself and also would require a beastly router to do.

The only other alternative is to use some sort of tunnel/VPN between your server and the Internet that can block the traffic, such as what Cloudflare offer.  But that's going to add latency to your game server's traffic.


  • 3 months later...

You cannot protect your home network from DDoS attacks as the bandwidth that is available to you generally is not enough to deal with the load of such attacks and ISPs generally do not provide any form of protection.

 

Your best bet would be to get a cheap DDoS protected VPS and set up HAProxy to forward connections from your protected VPS to your home network - this will hide your own IP while also providing mitigation before traffic reaches your home network.

On 10/25/2023 at 7:33 PM, Alex Atkin UK said:

 We'd be talking Deep Packet Inspection and that's a deep rabbit hole to go down, far beyond what I'm willing to learn myself and also would require a beastly router to do.

You can't mitigate DDoS attacks with consumer routers. 

2 hours ago, jh01 said:

You can't mitigate DDoS attacks with consumer routers. 

You can't really mitigate against DDoS period.  The only mitigation for DDoS is to be able to redirect the traffic away from your tiny bandwidth home connection to a black hole much closer to the source where there is enough bandwidth you can effectively waste to absorb the attack.

 

This is part of why people use services like Cloudflare who can detect this sort of thing and do just that.  But when it comes to game traffic, there is no general purpose way of doing it.  This is why even Xbox and PSN have been taken down before by large attacks, as it takes manual intervention and becomes a cat and mouse game to keep blocking the hosts attacking.


18 hours ago, Alex Atkin UK said:

You can't really mitigate against DDoS period.  The only mitigation for DDoS is to be able to redirect the traffic away from your tiny bandwidth home connection to a black hole much closer to the source where there is enough bandwidth you can effectively waste to absorb the attack.

It's not really accurate to say you can't mitigate DDoS attacks - especially with current advancements. There are various techniques on mitigating DDoS attacks, such as but not limited to using a scrubbing network, edge mitigation and even a more recent approach which involves stateful mitigation.

 

Take stateful mitigation, where each connection is inspected based on its state. It allows you to analyse the context of network packets, distinguishing between legitimate and malicious traffic. By maintaining a stateful connection table, you can make more accurate decisions about which packets to allow or block.

 

Would recommend reading this article: https://blog.path.net/stateful-mitigation/

 

And with regards to your final statement about "keep blocking the hosts".  Blocking hosts != DDoS mitigation - that's where stateful mitigation comes in place. 
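To make the connection-table idea above concrete, here is a toy stateful filter written as an added example for this page (not code from the thread or the linked article): it tracks each source's TCP handshake state, drops packets that arrive with no matching state, and blocks a source that opens more new connections per second than a threshold, which is also the "too many connections" banning mentioned earlier in the thread. The addresses and the packet stream are constructed sample values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str    # source address (constructed sample values below)
    flags: str  # "SYN", "ACK" or "PSH-ACK"
    ts: float   # arrival time in seconds

class StatefulFilter:
    """Per-source connection table plus a new-connection rate limit."""
    def __init__(self, max_syn_per_sec=5):
        self.table = {}                      # src -> "SYN_SEEN" | "ESTABLISHED"
        self.syn_times = defaultdict(deque)  # src -> SYN timestamps, last 1 s
        self.max_syn = max_syn_per_sec
        self.blocked = set()

    def handle(self, pkt):
        """Return "allow" or "drop" for one packet, updating the table."""
        if pkt.src in self.blocked:
            return "drop"
        state = self.table.get(pkt.src)
        if pkt.flags == "SYN":
            window = self.syn_times[pkt.src]
            window.append(pkt.ts)
            while pkt.ts - window[0] > 1.0:  # slide the one-second window
                window.popleft()
            if len(window) > self.max_syn:   # too many new connections
                self.blocked.add(pkt.src)
                self.table.pop(pkt.src, None)
                return "drop"
            self.table[pkt.src] = "SYN_SEEN"
            return "allow"
        if pkt.flags == "ACK" and state == "SYN_SEEN":
            self.table[pkt.src] = "ESTABLISHED"  # handshake completed
            return "allow"
        if state == "ESTABLISHED":
            return "allow"                   # data on a known connection
        return "drop"                        # no matching state, e.g. bare ACKs

# Constructed sample: a legitimate player, a source sending bare ACKs with
# no handshake, and a source opening eight connections within half a second.
SAMPLE = (
    [Packet("203.0.113.10", "SYN", 0.0), Packet("203.0.113.10", "ACK", 0.1),
     Packet("203.0.113.10", "PSH-ACK", 0.2)]
    + [Packet("198.51.100.7", "ACK", 0.2), Packet("198.51.100.7", "PSH-ACK", 0.3)]
    + [Packet("192.0.2.5", "SYN", 0.3 + 0.05 * i) for i in range(8)]
    + [Packet("203.0.113.10", "PSH-ACK", 1.5)]
)

def run_sample(packets=SAMPLE):
    flt = StatefulFilter()
    counts = {"allow": 0, "drop": 0}
    for pkt in packets:
        counts[flt.handle(pkt)] += 1
    return {**counts, "blocked": set(flt.blocked)}
```

On the sample stream the filter allows 9 packets and drops 5, blocking only the source that opened connections too fast; as the rest of the thread stresses, a filter like this protects the host behind it, not an uplink that is already saturated.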

14 minutes ago, jh01 said:

It's not really accurate to say you can't mitigate DDoS attacks - especially with current advancements. There are various techniques on mitigating DDoS attacks, such as but not limited to using a scrubbing network, edge mitigation and even a more recent approach which involves stateful mitigation.

 

Take stateful mitigation, where each connection is inspected based on its state. It allows you to analyse the context of network packets, distinguishing between legitimate and malicious traffic. By maintaining a stateful connection table, you can make more accurate decisions about which packets to allow or block.

 

Would recommend reading this article: https://blog.path.net/stateful-mitigation/

 

And with regards to your final statement about "keep blocking the hosts".  Blocking hosts != DDoS mitigation - that's where stateful mitigation comes in place. 

This topic is related to home internet connections. You can do all the host filtering you want, but if someone is hitting your pipe with gigabits worth of traffic, and your consumer connection is in the hundreds of mb, there is 0 you can do as the end user. Your pipe is being flooded, and nothing you do on the LAN side can impact this. You’d need filtering at the ISP or above level, and that isn’t something you have the ability to influence….. unless you route through something like Cloudflare or migrate away from at home hosting. 

Rig: i7 13700k - - Asus Z790-P Wifi - - RTX 4080 - - 4x16GB 6000MHz - - Samsung 990 Pro 2TB NVMe Boot + Main Programs - - Assorted SATA SSD's for Photo Work - - Corsair RM850x - - Sound BlasterX EA-5 - - Corsair XC8 JTC Edition - - Corsair GPU Full Cover GPU Block - - XT45 X-Flow 420 + UT60 280 rads - - EK XRES RGB PWM - - Fractal Define S2 - - Acer Predator X34 -- Logitech G502 - - Logitech G710+ - - Logitech Z5500 - - LTT Deskpad

 

Headphones/amp/dac: Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx

 

Homelab/ Media Server: Proxmox VE host - - 512 NVMe Samsung 980 RAID Z1 for VM's/Proxmox boot - - Xeon e5 2660 V4 - - Supermicro X10SRF-i - - 128 GB ECC 2133 - - 10x4 TB WD Red RAID Z2 - - Corsair 750D - - Corsair RM650i - - Dell H310 6Gbps SAS HBA - - Intel RES2SC240 SAS Expander - - TrueNAS + many other VM's

 

iPhone 14 Pro - 2018 MacBook Air

21 minutes ago, jh01 said:

It's not really accurate to say you can't mitigate DDoS attacks - especially with current advancements. There are various techniques on mitigating DDoS attacks, such as but not limited to using a scrubbing network, edge mitigation and even a more recent approach which involves stateful mitigation.

 

Take stateful mitigation, where each connection is inspected based on its state. It allows you to analyse the context of network packets, distinguishing between legitimate and malicious traffic. By maintaining a stateful connection table, you can make more accurate decisions about which packets to allow or block.

 

Would recommend reading this article: https://blog.path.net/stateful-mitigation/

 

And with regards to your final statement about "keep blocking the hosts".  Blocking hosts != DDoS mitigation - that's where stateful mitigation comes in place. 

But at best all you can do from your home network is try to avoid amplification of the traffic by not responding to ACKs on that traffic.  You can't prevent a DDoS that saturates your incoming bandwidth without a device further inside your ISP network to absorb the traffic instead.

 

Sure you can potentially have a public IP somewhere that can do this mitigation and tunnel the traffic back to your real IP, but that adds latency and likely costs money which kinda negates the point of hosting the game server at home.


13 minutes ago, LIGISTX said:

This topic is related to home internet connections. You can do all the host filtering you want, but if someone is hitting your pipe with gigabits worth of traffic, and your consumer connection is in the hundreds of mb, there is 0 you can do as the end user. Your pipe is being flooded, and nothing you do on the LAN side can impact this. You’d need filtering at the ISP or above level, and that isn’t something you have the ability to influence….. unless you route through something like Cloudflare or migrate away from at home hosting. 

I know - see my previous response. You can simply set up a reverse proxy from a DDoS protected VPS to your home connection. You hide your own IP and only allow legitimate traffic to connect.

13 minutes ago, Alex Atkin UK said:

Sure you can potentially have a public IP somewhere that can do this mitigation and tunnel the traffic back to your real IP, but that adds latency and likely costs money which kinda negates the point of hosting the game server at home.

Latency depends on the provider and its routes. I only have 4ms added latency to the Amsterdam location of GlobalSecureLayer from my home connection. If latency is that low, you won't notice a difference in overall performance.

2 minutes ago, jh01 said:

I know - see my previous response. You can simply set up a reverse proxy from a DDoS protected VPS to your home connection. You hide your own IP and only allow legitimate traffic to connect.

Yes. Agreed, that would work. But you are adding latency and VPN costs. Which I argue is well worth it (or just host the server in a VPS instead of tunneling back to yourself, this way at least you don’t take the latency hit). But, to the point of filtering at the home server, there is nothing you can do there. The only solution is stopping it upstream, whatever solution you use, it must be upstream of the home internet connection. 


 

9 minutes ago, LIGISTX said:

Yes. Agreed, that would work. But you are adding latency and VPN costs. Which I argue is well worth it (or just host the server in a VPS instead of tunneling back to yourself, this way at least you don’t take the latency hit). But, to the point of filtering at the home server, there is nothing you can do there. The only solution is stopping it upstream, whatever solution you use, it must be upstream of the home internet connection. 

 

11 minutes ago, jh01 said:

Latency depends on the provider and its routes. I only have 4ms added latency to the Amsterdam location of GlobalSecureLayer from my home connection. If latency is that low, you won't notice a difference in overall performance.

See above message. 
 

and yes, you can’t do any mitigation on your home network since no home ISP wants to deal with attacks at their upstream
