As internet access becomes more widely available, more devices connect to the internet, and faster connections become cheaper and more widespread, DDoS (Distributed Denial of Service) attacks have also become more common. Even though such a simple attack cannot leak data or infect machines with viruses, it can still cause a lot of damage: studies show that having your service offline for even a few minutes leads to lost revenue and unhappy clients. In this article, I’ll go through some ways to protect your servers, be they game, website or otherwise, from these kinds of attacks.
Website servers
This is one of the easiest cases. Although some companies still struggle to defend their websites, fending off DDoS attacks from a website is simple and takes a few minutes to set up: use a CDN.
CDNs, short for Content Delivery Networks, usually come with tools that both protect your website against DDoS and lower the legitimate load on your servers. The most popular one, CloudFlare, which I use to protect and speed up this website, provides DDoS protection by verifying each request to your page first. If a request looks suspicious, if there are too many of them, or if the client fails a captcha, it is denied before it ever reaches your servers. On top of that, they automatically cache any pictures, videos, static pages, zip files, etc. for you.
To make sure nobody gets around this, you can also block any incoming request that doesn’t go through Cloudflare, or whichever CDN you pick, first. That way, even if someone tries to DDoS your website’s IP directly, all of those requests are denied without being processed at all, saving a lot of processing power and bandwidth.
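The "only accept traffic that came through the CDN" idea above, written out as an added example (this is not code from the article or from Cloudflare). It assumes the CDN's edge prefixes are available as a list of CIDRs and that the CDN forwards the visitor's address in a header (Cloudflare's is CF-Connecting-IP); the ranges embedded here are constructed documentation addresses so the script runs offline, and the nft commands it renders are text for review, not something it runs on the host.

```python
import ipaddress

# Constructed sample ranges standing in for a CDN's published edge prefixes.
# They are RFC 5737 / RFC 3849 documentation addresses so the example runs
# offline; in production load the list the CDN publishes (Cloudflare's is at
# https://www.cloudflare.com/ips-v4 and /ips-v6) and refresh it on a schedule,
# because the ranges change over time.
SAMPLE_CDN_RANGES = [
    "198.51.100.0/24",   # stand-in for an IPv4 edge range
    "203.0.113.0/24",    # stand-in for a second IPv4 edge range
    "2001:db8:1::/48",   # stand-in for an IPv6 edge range
]

# Header the CDN uses to pass along the real visitor address (Cloudflare's name).
CLIENT_IP_HEADER = "CF-Connecting-IP"


def build_allowlist(cidrs):
    """Parse CIDR strings into network objects once, at startup."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_from_cdn(remote_addr, allowlist):
    """True only when the TCP peer address lies inside a CDN edge range."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        # A malformed peer address is never trusted.
        return False
    return any(addr in net for net in allowlist)


def decide(remote_addr, allowlist):
    """Application-level fallback: drop anything that bypassed the CDN."""
    return "allow" if is_from_cdn(remote_addr, allowlist) else "drop"


def real_client_ip(remote_addr, headers, allowlist):
    """Believe the CDN's client-IP header only when the peer really is the CDN.

    Anyone who reaches the origin directly can put anything in that header,
    so for non-CDN peers the peer address itself is the client address.
    """
    if is_from_cdn(remote_addr, allowlist):
        return headers.get(CLIENT_IP_HEADER, remote_addr)
    return remote_addr


def nftables_rules(cidrs, port=443, table="filter", chain="input"):
    """Render nft commands that accept the CDN ranges on `port` and drop the rest.

    Returned as a list of strings for an operator to review; nothing executes.
    """
    rules = [
        f"nft add table inet {table}",
        f"nft add chain inet {table} {chain} '{{ type filter hook input priority 0 ; }}'",
    ]
    for net in build_allowlist(cidrs):
        family = "ip6" if net.version == 6 else "ip"
        rules.append(
            f"nft add rule inet {table} {chain} {family} saddr {net} tcp dport {port} accept"
        )
    # Final rule: any other source hitting the web port is dropped.
    rules.append(f"nft add rule inet {table} {chain} tcp dport {port} drop")
    return rules


if __name__ == "__main__":
    allowlist = build_allowlist(SAMPLE_CDN_RANGES)
    for peer in ("198.51.100.7", "192.0.2.1", "2001:db8:1::abcd"):
        print(peer, "->", decide(peer, allowlist))
    print("\n".join(nftables_rules(SAMPLE_CDN_RANGES)))
```

The firewall rules are the real protection, since they stop the packets before your web server spends any CPU on them; the `decide` function is a second line of defence inside the application for the case where a firewall change is missed. `real_client_ip` matters once you also rate limit by IP: if you trust the forwarded-address header from every peer, a direct request can spoof any client address it likes.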
Finally, if your web server exposes REST APIs, it’s recommended that you add rate limiters to them. The best way to do this is to create a second server that receives all requests and forwards them to the main server, purely to check how many requests per second a given IP is making. If that exceeds a certain amount, block that IP temporarily. On CloudFlare you can do this under Your website > Security > WAF > Rate Limiting rules by creating a new rule.
Game/Cloud Servers
Servers dedicated to games are a bit more complicated. You can’t put a CDN between them and the players, because communication between the two happens a lot faster and more often than for websites, so you would get a latency increase, legitimate connections being closed or blocked, or both.
Luckily, the majority of VPSs (Virtual Private Servers) and other cloud servers nowadays come with at the very least DoS protection or very basic DDoS defenses. While this helps, there are other things that can be done, such as limiting the number of messages per second per IP or connection. If the connection was established in the correct way (say, by sending identification and so on first, before any other messages), give that connection a limit of, for example, 50 “tickets”. Then for each interaction, deduct a given value depending on how hard it is for your servers to process it. For example: does it go through your database? Then it costs 5 tickets. Does it require lots of processing? 10 tickets. Is it something simple such as a chat message? 1 or 2 tickets. Then reset the amount left back to 50 each second. If the connection wasn’t established properly, limit it to a lower number of “tickets”. If a connection or IP consumes more than its quota in a given second, disconnect it or block it from connecting for a while. This is an example of a technique called “rate limiting”.
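The ticket scheme just described, and the per-IP request limiter suggested for REST APIs in the website section, both come down to the same mechanism: a per-client budget that refills every second, with each message charged a cost. Below is an added example of that limiter (not code from the article). The costs 5, 10 and 1 and the 50-ticket quota are the article's; the 10-ticket quota for connections that never completed the handshake and the 30-second block are assumptions, since the text only says "a lower amount" and "for a while". The clock is injected so the replayed message stream is deterministic.

```python
import time

# Ticket cost per message type, following the article's numbers.
COSTS = {"chat": 1, "db_query": 5, "heavy_compute": 10}

QUOTA_AUTHENTICATED = 50    # tickets per second for a properly established connection
QUOTA_UNAUTHENTICATED = 10  # assumption: the article only says "a lower amount"
BLOCK_SECONDS = 30          # assumption: how long an over-quota client stays blocked


class TicketLimiter:
    """Per-client weighted quota that refills every wall-clock second.

    `key` identifies the client (connection id, or source IP for a REST API
    where every request would simply cost 1). `clock` is injectable for tests.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.authenticated = set()
        self.windows = {}        # key -> (second, tickets_left)
        self.blocked_until = {}  # key -> clock value at which the block lifts

    def authenticate(self, key):
        """Call once the client has completed the expected handshake."""
        self.authenticated.add(key)

    def quota(self, key):
        return QUOTA_AUTHENTICATED if key in self.authenticated else QUOTA_UNAUTHENTICATED

    def allow(self, key, kind):
        """True if the message may be processed; False if it must be dropped."""
        now = self.clock()
        until = self.blocked_until.get(key)
        if until is not None:
            if now < until:
                return False
            del self.blocked_until[key]

        second = int(now)
        start, left = self.windows.get(key, (second, self.quota(key)))
        if start != second:
            start, left = second, self.quota(key)  # new second: bucket refills

        cost = COSTS[kind]
        if cost > left:
            # Overspent this second: block the client and forget its window.
            self.blocked_until[key] = now + BLOCK_SECONDS
            self.windows.pop(key, None)
            return False

        self.windows[key] = (start, left - cost)
        return True


class FakeClock:
    """Manually advanced clock so the demo below is reproducible."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_demo():
    """Replay a constructed message stream and return what the limiter decided."""
    clock = FakeClock()
    limiter = TicketLimiter(clock)
    out = {}

    # Authenticated player: 10 chat lines + 4 database lookups = 30 of 50 tickets.
    limiter.authenticate("player-A")
    turn = [limiter.allow("player-A", "chat") for _ in range(10)]
    turn += [limiter.allow("player-A", "db_query") for _ in range(4)]
    out["normal_second"] = all(turn)

    # Next second the quota refills; six heavy messages would need 60 tickets,
    # so the sixth overspends and the player is blocked.
    clock.advance(1.0)
    out["heavy_burst"] = [limiter.allow("player-A", "heavy_compute") for _ in range(6)]

    # While blocked even a cheap chat line is refused; a new second does not help.
    out["chat_while_blocked"] = limiter.allow("player-A", "chat")
    clock.advance(1.0)
    out["still_blocked_next_second"] = limiter.allow("player-A", "chat")

    # Once the block lifts, the player gets a fresh quota.
    clock.advance(BLOCK_SECONDS)
    out["after_block"] = limiter.allow("player-A", "chat")

    # A connection that never completed the handshake only has 10 tickets,
    # so the 11th chat line within one second gets it blocked.
    out["unauthenticated"] = [limiter.allow("stranger", "chat") for _ in range(11)]
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

In a real server the `allow` call sits right after a message is parsed and before any work is done on it, and a `False` result should disconnect the client rather than just skip the message, so the socket stops consuming a slot. Resetting to the full quota at each second boundary is the article's scheme; a token bucket that refills continuously is the usual refinement if the hard boundary proves too bursty.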
Another way, though more expensive, is to buy a second server and use it as a filter and queue. Any incoming connection goes to the filter server, which communicates with the main one to check whether there are open slots for players, and the main server blocks any IP that tries to connect without having been given permission first. This way, players are far less likely to have any issues even if someone is trying to DDoS the game.
Other ideas
While the ideas above help, they are mitigations and won’t stop a large enough DDoS attack on their own. Fortunately, there are several more things you can do that should help:
- Keep everything updated: operating system, installed software, firewall, the version of PHP/Node.js/any framework you use, etc. These receive constant security updates, not just against DDoS but also against other attacks such as SQL injection.
- Develop with scalability in mind. Even apart from DDoS, scalability matters, because traffic is sometimes heavier than at other times, and you’ll want everything to stay stable when many clients want to do business with you, by making efficient use of your resources.
- Monitor traffic. Whether automatically or manually, always keep an eye on the amount of traffic your servers are receiving. If nothing can be done about an attack, it’s better to let your users know as soon as possible that something is going on than to leave them in the dark.
- Back up data regularly. DDoS attacks can take your servers offline for a few moments or make them restart. Make sure to back up important information regularly so that nothing is lost because of it.
- Use network segmentation to separate the game server from other parts of the network. This can help prevent DDoS attacks from spreading to other parts of the network.
- Use a secure protocol, such as SSL/TLS, to encrypt traffic between your game server and clients. This can help prevent attackers from intercepting and manipulating traffic to launch DDoS attacks.