Comment by dividuum

4 years ago

Not sure if this is helpful, but I remember reading about the Tribes network protocol years ago. IIRC it was also UDP based and essentially had a mechanism to request a proof of work depending on server load before accepting any complex packets from a client. You could probably require some proof for their source IP utilizing the HTTPS request already used during server browsing.

Edit: Found it. http://opentnl.sourceforge.net/doxydocs/history.html (the "puzzles")

The proof of work idea is cute, but at this stage it's not necessary as profiling seems to show attacks don't get too deep into the netcode before getting dropped. It's hard to know without testing but I'm fairly certain any kind of PoW would cost more to check. This reminds me of a blogpost that is at least fun to read: http://ithare.com/udp-for-games-security-encryption-and-ddos...

Regarding the HTTPS request thing, we already did this for an event and I'm currently getting it set up on all servers. The blog post forgot to mention this one :)

  • > any kind of PoW would cost more to check

    Cost more to check than it would for the attacker to generate an _incorrect_ proof. I'm sure that's what you mean, but my brain first went to NP problems.

    And actually, now that I think of it, maybe, maybe not. A PoW can be pre-calculated (possibly using off-peak cloud resources for very cheap) and then stored in a lookup table. It can be reused until the attacker actually solves the problem. Then _maybe_ you could offload that verification to a cheaper, harder to DDoS service, like a cloud function that won't charge you for SYN flooding.

    But then the hard part is letting legitimate users bypass the check after doing their PoW, but not letting an attacker through.
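An added sketch (not code from the thread or from any project mentioned in it) of the stateless variant that answers the two worries above: the server binds each challenge to the client's source IP and a timestamp with an HMAC, so verification costs one HMAC plus one SHA-256, a precomputed lookup table goes stale after MAX_AGE seconds, and a solved challenge doubles as the short-lived admission token for that IP. The key, IP, timestamps and difficulty are constructed values.

```python
import hashlib
import hmac
import struct

# Assumed parameters (not from the thread): leading zero bits required of
# the hash, and how long an issued challenge stays valid.
DIFFICULTY_BITS = 16
MAX_AGE = 30


def make_challenge(server_key: bytes, client_ip: str, now: float) -> bytes:
    """Stateless challenge: 4-byte timestamp || HMAC(key, ip || ts)[:16].

    The server stores nothing per client. Binding to the IP and the time is
    what makes a precomputed table worthless: a solution only counts for
    this IP and only for MAX_AGE seconds. (The challenge is sent back to the
    source address, so a spoofed source never receives it.)"""
    ts = struct.pack(">I", int(now))
    mac = hmac.new(server_key, client_ip.encode() + ts, hashlib.sha256).digest()
    return ts + mac[:16]


def _leading_zero_bits(digest: bytes) -> int:
    return 256 - int.from_bytes(digest, "big").bit_length()


def verify(server_key: bytes, client_ip: str, challenge: bytes, nonce: bytes,
           now: float, bits: int = DIFFICULTY_BITS) -> bool:
    """Verifier cost is one HMAC plus one SHA-256; the cheapest checks run
    first so garbage tokens are dropped before any hashing."""
    if len(challenge) != 20 or len(nonce) > 8:
        return False
    ts = struct.unpack(">I", challenge[:4])[0]
    if not (now - MAX_AGE <= ts <= now + 1):
        return False  # expired (or future-dated): any stored table is stale
    mac = hmac.new(server_key, client_ip.encode() + challenge[:4], hashlib.sha256).digest()
    if not hmac.compare_digest(mac[:16], challenge[4:]):
        return False  # not a challenge we issued for this source IP
    return _leading_zero_bits(hashlib.sha256(challenge + nonce).digest()) >= bits


def solve(challenge: bytes, bits: int = DIFFICULTY_BITS) -> bytes:
    """Client side: brute-force a nonce, about 2**bits hashes on average."""
    n = 0
    while True:
        nonce = struct.pack(">Q", n)
        if _leading_zero_bits(hashlib.sha256(challenge + nonce).digest()) >= bits:
            return nonce
        n += 1
```

The same solved challenge can be presented with every later packet from that IP until it expires, which is the "let the legitimate user through" step without giving an attacker a reusable pass.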

Amusingly every other page on that site is giving me a Cloudflare access denied error, saying "This website is using a security service to protect itself from online attacks."