Post on 28-Jan-2018
GAME DDOS PREVENTION
BY WALTER LIU
SOLUTIONS THAT ARE ONLY APPLICABLE TO WEB
▸ CDN
▸ WAF
▸ Some vendors only offer anti-DDoS service for web traffic.
ATTACK SURFACE
▸ DNS level
▸ Network level
▸ 1st level (You)
▸ 2nd level (ISP)
▸ Application level
▸ Like Challenge Collapsar (CC) attacks
SOLUTION - DNS LEVEL
▸ Just purchase/host a DNS service with DDoS protection
▸ DIY - not economical for a small company
SOLUTION - NETWORK 1ST LEVEL
▸ Purchase anti-DDoS service (infrastructure/IP level, a.k.a. clean pipe)
▸ ISP (Hinet) ASN blacklisting (other regions)
▸ ACL to blacklist non-TCP packets
▸ Blackhole + short DNS TTL + IP change
▸ Blackhole + IP change (every 5~45 minutes)
▸ Cloud server (GRE VPN tunnel) + IP change (every 5~45 minutes)
▸ Packet marking and filtering (R&D support required)
SOLUTION - NETWORK 2ND LEVEL
▸ Purchase anti-DDoS service (infrastructure/IP level, a.k.a. clean pipe)
▸ Ask ISP for help
SOLUTION - APPLICATION LEVEL (DESKTOP GAME)
▸ Some way to identify your client, such as:
▸ Network encryption with a frequently changing key
▸ Blacklist possible CC attack IPs:
▸ IPs with a high number of concurrent connections
ANTI-DDOS SERVICE
▸ Choice
▸ Always on
▸ Active switch
▸ Reactive switch
▸ Cloud/Hardware/Hybrid
▸ Increased latency through the scrubbing centre (how much?)
▸ Own a class C block or only a few IPs
FURTHER TO DO
▸ Virtual DDOS Protection Team
▸ Roles in the team
▸ Sense the DDoS, troubleshooting, decision making, solution deployment
▸ Tasks
▸ Sensor
▸ Announcement preparation
▸ Customer Compensation
▸ Good customer communication channel
▸ Financial support
▸ DDOS Escalation Chain
References
ANTI-DDOS SERVICE
▸ Hinet http://www.cht.com.tw/enterprise/ddos.html
▸ NexusGuard
▸ Arbor Networks
▸ F5
▸ Prolexic of Akamai (IP-based game servers), Fast DNS (DNS-based DDoS)
▸ Neustar https://www.neustar.biz/services/ddos-protection/ddos-mitigation-technology
▸ Verisign https://www.verisign.com/en_US/security-services/ddos-protection/index.xhtml
▸ Incapsula
▸ https://www.incapsula.com/ddos/anti-ddos-protection.html
▸ https://www.incapsula.com/ddos-protection-services.html
▸ https://lp.incapsula.com/guide-to-protecting-gaming-servers-from-ddos-attacks.html
PRICING REFERENCE
▸ https://hb.nss.com.tw/index.php?/cart/&step=3
▸ https://www.yunaq.com/kangdbao/
▸ https://www.qcloud.com/product/ddos.html (qcloud only)
▸ https://www.newdefend.com/service/index
PACKET MARKING AND FILTERING
▸ Mark
▸ Linux C: socket(7)
▸ Use “SO_MARK”; root privilege (CAP_NET_ADMIN) needed.
▸ http://man7.org/linux/man-pages/man7/socket.7.html
▸ Windows: raw socket :(
▸ Drop the non-marked packets
▸ ACL drop
▸ iptables drop http://andys.org.uk/bits/2010/01/27/iptables-fun-with-mark/