Comment by python273

4 years ago

I don't know much about DDoS protection, but wouldn't it be possible to add a token to UDP packets? So the client first connects to a TCP server and gets a 4-byte token unique per IP. Every UDP packet should start with that token. Since an attacker with a spoofed IP can't get a valid token, their packets can be ignored with a cheap check. Might be even possible to use iptables/XDP for it?

We already have a token in the protocol and this is indeed a viable way to help drop invalid traffic. However, none of us are really experienced enough with the networking stack of the Linux kernel (nor are these things very well documented) to craft a conntrack module or an XDP program to parse the header and keep track of the assigned tokens. Dropping these any later than the nftables stage is just not enough, as we already do that.

We have a small team who work on this project in our free time, and most of us just don't currently have the time to dig into conntrack/nftables/xdp.
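An added example (not code from the project or from either commenter) of the per-packet token check discussed above, written as plain C so it runs anywhere: the token table, IP addresses, port and token values are constructed for illustration, and the bounds-checked parsing is the same work an XDP program would do against a BPF map filled by the login server.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical token table keyed by client IPv4 address (host byte order).
 * In an XDP program this would be a BPF hash map that the login/TCP side
 * fills from user space once a client has authenticated. */
#define MAX_CLIENTS 16
struct token_entry { uint32_t ip; uint32_t token; };
static struct token_entry tokens[MAX_CLIENTS];
static size_t ntokens;

static uint32_t get32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Login-server path: remember which token this IP may use (replaces any old one). */
void issue_token(uint32_t ip, uint32_t token) {
    for (size_t i = 0; i < ntokens; i++)
        if (tokens[i].ip == ip) { tokens[i].token = token; return; }
    if (ntokens < MAX_CLIENTS) tokens[ntokens++] = (struct token_entry){ ip, token };
}

/* Fast-path check on a raw IPv4 packet (no link-layer header). Returns 1 only
 * if it is UDP to game_port, the source IP holds a token, and the first four
 * payload bytes equal that token; anything else is dropped (0). Every read is
 * preceded by a length check, as the BPF verifier requires of XDP code. */
int accept_udp_packet(const uint8_t *pkt, size_t len, uint16_t game_port) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;        /* not a full IPv4 header */
    size_t ihl = (pkt[0] & 0x0f) * 4u;
    if (ihl < 20 || len < ihl + 8 + 4) return 0;          /* need UDP header + token */
    if (pkt[9] != 17) return 0;                           /* protocol 17 = UDP */
    const uint8_t *udp = pkt + ihl;
    if ((uint16_t)(udp[2] << 8 | udp[3]) != game_port) return 0;
    uint32_t src_ip = get32(pkt + 12), token = get32(udp + 8);
    for (size_t i = 0; i < ntokens; i++)
        if (tokens[i].ip == src_ip) return tokens[i].token == token;
    return 0;                                             /* unknown source: never logged in, or spoofed */
}

/* Build a minimal IPv4/UDP packet (no options, checksums left zero) carrying
 * the token as its payload; constructed test input, not captured traffic. */
size_t build_packet(uint8_t out[32], uint32_t src_ip, uint16_t dport, uint32_t token) {
    memset(out, 0, 32);
    out[0] = 0x45; out[3] = 32; out[8] = 64; out[9] = 17;       /* v4/IHL 5, total len, TTL, UDP */
    put32(out + 12, src_ip);
    put32(out + 16, 0x0A000001u);                               /* dst 10.0.0.1 (constructed) */
    out[22] = (uint8_t)(dport >> 8); out[23] = (uint8_t)dport; out[25] = 12;  /* dport, UDP len 8+4 */
    put32(out + 28, token);
    return 32;
}
```

The check only holds because the token was handed out over TCP, which a client with a spoofed source address cannot complete; packets from addresses with no table entry are dropped before any game logic runs.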

It is a standard practice to have a "login server" and a separate "game server". The login server generates the token and notifies the game server to accept it. The login server handles a queue and can throttle login attempts. The login server can handle load balancing for multiple game servers, redirecting logged-in players to different game servers. It's possible to run multiple login servers too, and to restrict access to specific login servers geographically and to run them with different providers.