Ask HN: Best practices against DDoS attacks in game servers
3 points by kauegimenes on May 1, 2023 | 5 comments
Hello HN, I'm hosting a custom game server for a game and I'm getting some DDoS attacks.

The game server requires me to use Windows and have a UDP port open, so currently my edge firewall is blocking all incoming traffic except for that UDP port.

I'm also using OVH as my provider; they seem to have UDP DDoS mitigation and a pretty good network.

My question is, what tools can be used to help manually mitigate a DDoS attack? Like using Wireshark or something to detect the attacker IPs and adding those to the edge firewall? Any tips on how to do this in Wireshark? Any other software recommendations?

Thank you

If you're getting hit by DDoS reflection, you've got two concerns:

a) packet volume: is the traffic overwhelming your host's interface (and maybe UDP/IP stack) or your edge firewall?

b) userspace processing: is the traffic overwhelming your userspace process?

For a: the answer is always to get a bigger interface. But if your edge firewall has a big interface, you can probably get a lot by dropping traffic to your port from well-known ports. Clients probably won't connect from port 53 (DNS), 19 (chargen) or 11211 (memcached), and you wouldn't lose much by dropping all client ports < 1024. But if your service needs DNS to function, be sure to leave a hole for replies to outgoing requests (alternatively, configure a caching DNS server that uses TCP to make outgoing requests).

For b: if DDoS reflection is targeted at your listening port and your filtering of client ports isn't enough, make sure you've got a dead simple way to identify that requests are likely from your software, and drop them with minimal processing if not. I guess you can't really do this if this isn't your own game; not quite sure of the context?
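The source-port rule and the "hole for DNS replies" from the comment above, written out as a small stateful filter in Python. This is an added example, not code from the thread or from OVH; the game port, the reflector port list and every packet are constructed values, and the DNS hole is keyed on the (resolver IP, local ephemeral port) pair of queries the host itself sent, so a stray packet from port 53 aimed at the game port is still dropped.

```python
"""Stateful edge filter for a UDP game port (added example; not code from the thread).

Models the two inbound rules described in the comment:
  * drop packets whose SOURCE port is a well-known service port (< 1024) or a
    known reflector port, since real clients do not originate from those, and
  * leave a hole for DNS replies to queries this host sent, keyed on the
    (resolver IP, local ephemeral port) pair, so dropping port 53 does not
    break name resolution.
GAME_PORT and every packet below are constructed sample values.
"""
from dataclasses import dataclass, field

GAME_PORT = 27015                       # assumed listening port of the game
REFLECTOR_PORTS = {11211, 1900, 123}    # memcached, SSDP, NTP: reflectors above 1024


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int
    length: int


@dataclass
class EdgeFilter:
    # (resolver_ip, local_port) of DNS queries we sent and still await a reply for
    pending_dns: set = field(default_factory=set)

    def note_outgoing_dns(self, resolver_ip: str, local_port: int) -> None:
        """Call when the host sends a DNS query, so its reply can come back in."""
        self.pending_dns.add((resolver_ip, local_port))

    def decide(self, pkt: Packet) -> str:
        """Return 'accept' or 'drop:<reason>' for one inbound UDP packet."""
        # 1. Reply to a DNS query we sent: accept once, then close the hole.
        if pkt.src_port == 53 and (pkt.src_ip, pkt.dst_port) in self.pending_dns:
            self.pending_dns.discard((pkt.src_ip, pkt.dst_port))
            return "accept"
        # 2. Everything not aimed at the game port stays blocked at the edge.
        if pkt.dst_port != GAME_PORT:
            return "drop:not-game-port"
        # 3. Reflection traffic arrives from service ports, not client ports.
        if pkt.src_port < 1024:
            return f"drop:privileged-src-port-{pkt.src_port}"
        if pkt.src_port in REFLECTOR_PORTS:
            return f"drop:reflector-src-port-{pkt.src_port}"
        return "accept"


def run_sample() -> dict:
    """Feed constructed packets through the filter and return each verdict."""
    f = EdgeFilter()
    f.note_outgoing_dns("192.0.2.2", 40000)   # host queried resolver 192.0.2.2 from port 40000
    sample = {
        "client":         Packet("203.0.113.5", 54321, GAME_PORT, 60),
        "memcached_refl": Packet("198.51.100.9", 11211, GAME_PORT, 1400),
        "dns_refl":       Packet("192.0.2.2", 53, GAME_PORT, 300),
        "chargen_refl":   Packet("198.51.100.7", 19, GAME_PORT, 1024),
        "dns_reply":      Packet("192.0.2.2", 53, 40000, 120),
        "dns_replay":     Packet("192.0.2.2", 53, 40000, 120),   # same reply sent again
        "ssh_probe":      Packet("203.0.113.8", 44444, 22, 64),
    }
    # dict preserves insertion order, so the replay is judged after the real reply
    return {name: f.decide(p) for name, p in sample.items()}


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:15s} {verdict}")
```

The replayed DNS reply is dropped because the hole is closed once the real reply arrives; a real firewall gets the same effect from connection tracking on the outgoing query.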


From my experience running a Garry's Mod server, a slow, methodical and tedious approach is to capture some of the abuse traffic and see what is different between it and legit game traffic using tcpdump and Wireshark, as you mentioned. It's not the most efficient way to stop it, but one can use assorted iptables modules to block the traffic if it sticks out from legit gaming traffic. Some would argue it will look the same, but I have never found that to be the case. Look for things like packet length and burst rates of legit traffic, then apply xt_recent or limit-per-second rules for different packet lengths using the iptables length module in combination with the other modules. Use your own game client IP as the normal traffic. Play aggressively.

e.g. normal traffic may have a rate of {n} packets of 22:66 length in {t} time window, and then perhaps 67:80 length in another interval, and so on... Combine the length module with the limit module to allow normal traffic. This won't help with volumetric attacks, but skiddies rarely do volumetric. It's usually just a handful of VPS nodes from some angry gamer. In those cases one could even create ipset hash tables of the attacker IPs or CIDR blocks and just silently drop them in the iptables raw table. In some cases the abuse traffic scripts will fixate on a particular string. This can be leveraged by the iptables string module.

First use logging rules before using DROP rules so that you can see if your tuning is going to affect legit players.

The ideal solution would be to work with the game developer and show them the abuse traffic and have the game code start ignoring nonsensical traffic. I did not have this option with Garry's Mod as the SRCDS server it runs on is abandonware for all intents and purposes.
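The policy the comment above builds from iptables modules (length + limit per client, a fixated string match, an ipset-style ban list dropped before anything else, and LOG before DROP), replayed over constructed traffic in Python so the effect of each knob can be seen. This is an added example, not the commenter's rules; the length profile, the marker string and the two sample sources are all made up for the demonstration.

```python
"""Length-bucket rate limiting with log-before-drop (added example; not the commenter's code).

Reproduces the comment's iptables policy in a few lines of Python:
  * profile normal traffic as "at most N packets of length A:B per second per
    client" (length + limit modules),
  * treat a payload that carries a fixated marker string as abuse (string module),
  * keep a hash set of banned sources dropped before any other processing
    (ipset in the raw table), and
  * run in LOG mode first, so the effect on legit players can be checked
    before switching the same rules to DROP.
PROFILE, FIXATED_STRINGS and the traffic in run_sample() are constructed.
"""
from collections import defaultdict

# Assumed profile: (min_len, max_len) -> max packets per source per 1-second window
PROFILE = {(22, 66): 80, (67, 200): 40, (201, 1500): 10}
# Constructed marker a dumb flood script might repeat in every packet
FIXATED_STRINGS = [b"FLOOD-MARKER"]


class LengthRateFilter:
    def __init__(self, profile=PROFILE, mode="log"):
        if mode not in ("log", "drop"):
            raise ValueError("mode must be 'log' or 'drop'")
        self.profile = profile
        self.mode = mode
        self.banned = set()                  # ipset-style hash of known-bad sources
        self.windows = defaultdict(int)      # (src_ip, bucket, second) -> packet count
        self.log = []                        # (ts, src_ip, reason) records

    def ban(self, src_ip):
        self.banned.add(src_ip)

    def _bucket(self, length):
        for lo, hi in self.profile:
            if lo <= length <= hi:
                return (lo, hi)
        return None

    def _violation(self, ts, src_ip, reason):
        # LOG mode records the hit but lets the packet through; DROP mode drops it.
        self.log.append((ts, src_ip, reason))
        return "drop" if self.mode == "drop" else "accept"

    def handle(self, ts, src_ip, payload):
        if src_ip in self.banned:            # raw-table drop: cheapest possible path
            return "drop"
        if any(marker in payload for marker in FIXATED_STRINGS):
            return self._violation(ts, src_ip, "fixated string")
        bucket = self._bucket(len(payload))
        if bucket is None:
            return self._violation(ts, src_ip, f"unprofiled length {len(payload)}")
        key = (src_ip, bucket, int(ts))      # fixed 1-second window per source and bucket
        self.windows[key] += 1
        if self.windows[key] > self.profile[bucket]:
            return self._violation(ts, src_ip, f"rate over {self.profile[bucket]}/s for {bucket}")
        return "accept"


def run_sample(mode):
    """Replay constructed traffic: one legit player and one flooding VPS, same second."""
    flt = LengthRateFilter(mode=mode)
    flt.ban("198.51.100.77")                 # a source already identified from a capture
    verdicts = defaultdict(lambda: {"accept": 0, "drop": 0})
    # legit player: 30 packets of 40 bytes spread over one second
    for i in range(30):
        verdicts["player"][flt.handle(i / 30, "203.0.113.5", b"P" * 40)] += 1
    # flooder: 200 packets of 40 bytes in the same second
    for i in range(200):
        verdicts["flooder"][flt.handle(i / 200, "198.51.100.9", b"F" * 40)] += 1
    # a banned source, and a packet carrying the fixated marker
    verdicts["banned"][flt.handle(0.5, "198.51.100.77", b"B" * 40)] += 1
    verdicts["marker"][flt.handle(0.5, "198.51.100.10", b"FLOOD-MARKER" + b"x" * 30)] += 1
    logged = {ip: sum(1 for _, s, _ in flt.log if s == ip)
              for ip in ("203.0.113.5", "198.51.100.9", "198.51.100.10")}
    return {k: {v: n for v, n in c.items() if n} for k, c in verdicts.items()}, logged


if __name__ == "__main__":
    for mode in ("log", "drop"):
        verdicts, logged = run_sample(mode)
        print(mode, verdicts, "logged hits:", logged)
```

In LOG mode the flooder's 120 over-limit packets still pass but show up as log hits while the player logs nothing, which is the check the comment recommends before flipping the rules to DROP; in DROP mode the same rules let exactly the profiled 80 packets through.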


To answer the question, first we have to understand the context of your game server. Is it public or private?

What is the behavior of the DDoS? Is it overloading the game application, the server, or the network?

Are you making money from your server?

Wireshark is probably the best tool to get a greater understanding.


If it doesn't need to be a public server, you can use Tailscale so that only people you've given access to the Tailnet can access it.


You could try having your friends log in with Tailscale.
