We already have a token in the protocol and this is indeed a viable way to help drop invalid traffic. However, none of us are really experienced enough with the networking stack of the linux kernel (nor are these things very well documented) to craft a conntrack module or an XDP program to parse the header and keep track of the assigned tokens. Dropping these any later than the nftables stage is just not enough as we already do that.
We have a small team who work on this project during our free times and most of us just don’t currently have the time to dig into conntrack/nftables/xdp.
I found this tutorial [0] and example [1] on how to read/update BPF hashtable data from the python bcc module. If the UDP packet structure is not too complex, it might not be too hard to implement I guess.
Funnily enough our experience has been much the reverse. Hetzner will let us use the 1g dedicated link they promise however we want. Most other hosters will put blanket filters that are too broad or their smart ddos filtering will kick in, which it turns out is not smart enough to learn an arbitrary protocol :)
OVH has consistently been filtering legitimate traffic for us each time we tried them and we’ve tried almost every tier of service they offer.
Documentation seems to say that they let you use the network from any platform as long as you have a Steam release. The bigger concern is that this requires linking with a closed source library, which means the open source version of the client could no longer connect to our servers without linking to a closed source blob.
That is sort of a non-starter for us without some workaround like maybe hosting our own relays for the open source clients.
The proof of work idea is cute, but at this stage it's not necessary as profiling seems to show attacks don't get too deep into the netcode before getting dropped. It's hard to know without testing but I'm fairly certain any kind of PoW would cost more to check.
This reminds me of a blogpost that is at least fun to read: http://ithare.com/udp-for-games-security-encryption-and-ddos...
Regarding the HTTPS request thing, we already did this for an event and I'm currently getting it set up on all servers. The blog post forgot to mention this one :)
Cost more to check than it would for the attacker to generate an _incorrect_ proof. I'm sure that's what you mean, but my brain first went to NP problems.
And actually, now that I think of it, maybe, maybe not. A PoW can be pre-calculated (possibly using off-peak cloud resources for very cheap) and then stored in a lookup table. It can be reused until the attacker actually solves the problem. Then _maybe_ you could offload that verification to a cheaper, harder to DDoS service, like a cloud function that won't charge you for SYN flooding.
But then the hard part is letting legitimate users bypass the check after doing their PoW, but not letting an attacker through.
Prime numbers are expensive to generate and writing a reasonably efficient factorization algorithm isn't that easy either. It's far faster on the server side to just spit out a nonce and have the client generate a partial hash collision up to an arbitrary number of bits (i.e., the same proof of work many cryptocurrencies use).
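The nonce-plus-partial-hash-collision scheme described in the comment above, as an added example that is not the commenter's code nor part of any project in this thread. The server's side is deliberately cheap: one HMAC to confirm the nonce is its own and still fresh, then one SHA-256 to check the client's answer. Binding the nonce to a timestamp and the client address also addresses the earlier point about precomputed lookup tables: a solution is only good for the nonce it was computed against, and that nonce expires. `server_key`, `max_age`, the difficulty values and the address `203.0.113.5` are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct
import time

NONCE_LEN = 8 + 16          # 8-byte timestamp + 16-byte truncated HMAC tag


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 32-byte SHA-256 digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def issue_challenge(server_key: bytes, client_addr: str, now: float) -> bytes:
    """Server side: nonce = timestamp || HMAC(server_key, timestamp || client_addr).

    The server keeps no per-client state; the tag lets it recognise its own
    nonces later, and the timestamp lets them expire."""
    ts = struct.pack(">Q", int(now))
    tag = hmac.new(server_key, ts + client_addr.encode(), hashlib.sha256).digest()[:16]
    return ts + tag


def solve(nonce: bytes, bits: int) -> int:
    """Client side: brute-force a counter so that SHA-256(nonce || counter)
    has at least `bits` leading zero bits (~2**bits hashes on average)."""
    counter = 0
    while True:
        digest = hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= bits:
            return counter
        counter += 1


def verify(server_key: bytes, client_addr: str, nonce: bytes, counter: int,
           bits: int, now: float, max_age: float = 30.0) -> bool:
    """Server side: constant, tiny cost per submission (one HMAC, one SHA-256).

    Rejects nonces it did not issue, nonces issued for another address,
    expired nonces, and counters that do not reach the difficulty."""
    if len(nonce) != NONCE_LEN or not (0 <= counter < 2 ** 64):
        return False
    ts = struct.unpack(">Q", nonce[:8])[0]
    if not (0 <= now - ts <= max_age):            # stale or future-dated nonce
        return False
    expected = hmac.new(server_key, nonce[:8] + client_addr.encode(),
                        hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, nonce[8:]):  # not our nonce / wrong client
        return False
    digest = hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= bits


if __name__ == "__main__":
    key = b"constructed-server-key"           # assumption: a per-server secret
    addr = "203.0.113.5"                      # constructed documentation address
    t0 = time.time()
    nonce = issue_challenge(key, addr, t0)
    start = time.perf_counter()
    answer = solve(nonce, 16)                 # ~65k hashes, client-side work
    client_ms = (time.perf_counter() - start) * 1000
    start = time.perf_counter()
    ok = verify(key, addr, nonce, answer, 16, t0 + 1)
    server_us = (time.perf_counter() - start) * 1e6
    print(f"valid={ok} client={client_ms:.1f}ms server={server_us:.1f}us")
    print("replay for other client:", verify(key, "198.51.100.7", nonce, answer, 16, t0 + 1))
    print("after expiry:", verify(key, addr, nonce, answer, 16, t0 + 120))
```

The asymmetry is the whole point: the client burns roughly 2**bits hashes, the server burns two. Raising `bits` by one doubles the client's cost and leaves the server's unchanged, so the difficulty can be tuned to what a legitimate player tolerates on connect.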
It is indeed possible for ISPs to stop this, but my guess is that it's cheaper not to :) Large ISPs could require egress filtering for peering with them.
I could see this argument maybe 10+ years ago, but we are almost at a crisis level with internet security with all the stuff happening. Legislation should be passed if needed to mandate this technology.
100% agree with you. We gave the ISPs more than enough time to get this under control, yet they don't seem to want to bear any cost in preventing what are essentially crimes (though as shown in the blog post cybercrimes are seen as a bit of a joke unless they cause monetary damages) taking place on their networks. If they are not willing to self-regulate it's the government's job to regulate them.
It's also telling that ISPs are fine with charging you per GB of data you consume but apparently don't care about multi-10s of Gbps+ attacks that presumably consume tremendous amounts of bandwidth? I guess it says something about the true cost of data...
As the blog post mentions, TCP is not exactly desirable for our project. Moreover, if you contact Cloudflare about those products you'll get a monthly quote that is far beyond what an open source project run by donations can sustain :)
We've had several servers with OVH, including their Kimsufi line, So You Start GAME line, their standard GAME line and their standard servers. While I'm sure these are great for common games, their DDoS protection seems to get confused by our very non-standard protocol, ending up blocking most if not all traffic from non-connected players.
Might sound strange, but you could always contact @olesovhcom on Twitter. He is the CEO of OVH and he made changes to their DDoS filter based on what we reported to him. He is always interested in improving his offering. But that was maybe 5 years ago; now maybe he will put you in contact with someone else, but back then they were actively looking for feedback to improve their filter.
Edit: you could always contact their support as well. Fighting DDoS on your own is an expensive/difficult battle. But their DDoS filter is fully custom (mostly ASIC and some Arbor as well).
A shot in the dark but maybe implement a wrapper for the protocol in something that looks more like http? Websockets perhaps? Otherwise I think you will have to build your own countermeasures specific to your protocol.
The blog post does mention this possibility. In a similar vein we can also try to mimic a protocol that is well supported by hosters, like Source or Minecraft, but I'm fairly certain that would be the single ugliest piece of code ever written :)