Comment by debian3

4 years ago

You should look into OVH. They have those gaming servers and they handle the DDOS protection. I was getting hit by DDOS before, but since I moved there, nothing (except an email from OVH to let me know that my server is being attacked and that they are filtering my traffic). On the server itself you just don't feel anything.

Edit: I should add that the DDOS protection is included with the server rental and there is no limit on the size or duration of the attack.

We've had several servers with OVH, including their Kimsufi line, So You Start GAME line, their standard GAME line and their standard servers. While I'm sure these are great for common games, their DDoS protection seems to get confused by our very non-standard protocol, ending up blocking most if not all traffic from non-connected players.

  • Might sound strange, but you could always contact @olesovhcom on Twitter. He is the CEO of OVH and he made changes to their DDOS filter based on what we reported to him. He is always interested in improving his offering. But that was maybe 5 years ago, now maybe he will put you in contact with someone else, but back then they were actively looking for feedback to improve their filter.

    Edit: you could always contact their support as well. Fighting DDOS on your own is an expensive/difficult battle. But their DDOS filter is fully custom (mostly ASIC and some Arbor as well).

  • A shot in the dark but maybe implement a wrapper for the protocol in something that looks more like http? Websockets perhaps? Otherwise I think you will have to build your own countermeasures specific to your protocol.

    • The blog post does mention this possibility. In a similar vein, we can also try to mimic a protocol that is well supported by hosters, like Source or Minecraft, but I'm fairly certain that would be the single most ugliest piece of code ever written :)

> Instead of cheap VPS servers we have tried getting dedicated servers at larger European hosters like OVH, Hetzner, ihor and NFOrce. The idea is that we have exclusive resources, so the chances of us impacting other customers are lower, and thus we won’t get nullrouted so easily. Largely this works, but the available network bandwidth (usually 1-10 Gbit/s) as well as CPU usage become the limit.

I don't think OVH is viable in this case, they do mitigate the attack but in my personal experience they also mitigate legit traffic during the attack.

Mind you, this is a process using a single port, with only around 100 active connections. You'll easily see half if not more lose connection during a DDoS attack.

  • I feel like I have to throw OVH a bone here.

    From running a service with 50-100k concurrently active connections on a single VPS on OVH that has shrugged off a lot of attempted DOS attacks over multiple years, I have the impression that OVH handles DOS attacks exceptionally well. Specifically I've never seen it drop (a lot of) legitimate traffic.

    In comparison to OVH, Hetzner (which this game seems to be using) is utter garbage when it comes to responding to any kind of incident well, or at least predictably. Their responses range from doing absolutely nothing, to nullrouting you, to terminating your service. With OVH I at least know how they'll respond to various things and they're (with few exceptions) professional about it, even if I don't like it.

    I'd say you get what you pay for, but OVH (when comparing dedicated servers) aren't much more expensive.

    • Funnily enough our experience has been much the reverse. Hetzner will let us use the 1g dedicated link they promise however we want. Most other hosters will put blanket filters that are too broad or their smart ddos filtering will kick in, which it turns out is not smart enough to learn an arbitrary protocol :)

      OVH has consistently been filtering legitimate traffic for us each time we tried them and we’ve tried almost every tier of service they offer.

  • I did notice that a few years back, but now when the filter activates I no longer see any drop in bandwidth usage or any customer complaints. How long ago did you experiment with their filter?

    • Hmm good point, I haven't had any complaints for a while. Maybe I'll look into it again, see what happens.

      Thanks for the heads up :)