Recently, several game company's operation and maintenance brothers to find me spit bitter, said the server every day by the DDoS hit life can not take care of themselves, the player card to curse, customer service phone are almost busted. They asked me the first question is always: “you use high defense CDN in the end can carry how many G? can not penetrate a bottom?” This question sounds simple, but in fact the water is quite deep. Like you ask a car can run how fast, the manufacturer labeled a 300km / h, but the actual ability to go on, it depends on the road conditions, the driver and the fuel tank is not the real thing.
The game industry is now the hardest hit by DDoS, especially those who have a little flow of hand travel and end game, simply become a hacker's “ATM”. I have seen the most outrageous week was hit more than a hundred times, the peak of the attack traffic soared to more than 800G, a variety of types of attacks in turn: UDP Flood, ICMP Flood, TCP SYN Flood, and CC attacks specifically for the game logic layer. To be honest, these days there is no reliable high-defense CDN, the game simply do not dare to open the service.
First of all, a conclusion: the market mainstream high defense service providers, defense peak from 100G to 1T ranging, but here is a lot of catnip. Some vendors labeled “T-level defense”, the actual may be a shared pool, really encountered a large-scale attack directly to you to throw a black hole; there are real independent resources, but the price can be expensive to you meat pain. I have tested several, summarized in one sentence: do not just look at the numbers, you have to look at the actual performance.
For example, CDN5 this, the official standard is 500G defense peak, but the actual pressure test found that their Anycast network scheduling is really powerful, last year, a secondary game was played 700G + mixed attacks, actually hard to carry down no downtime. Later realized that they have a “dynamic expansion” mechanism, sudden traffic exceeds the contract value will be automatically triggered, although after the fact to make up the difference, but better than the server crash. However, the configuration of his family have to toss their own, the default strategy is more conservative, you have to manually adjust the cleaning threshold.
Another CDN07 is more radical, directly labeled “1T guaranteed defense”, but the actual use of down found that their TCP protection is a little weak, especially for the game long connection SYN Flood, have to work with the optimization of their own protocol stack. The advantage is that there are many global nodes, overseas anti-D effect is good, suitable for international service games. Price, I can only say that a penny a penny, the bosses have to cover the wallet to order.
There is also a biased technical flow of 08Host, defense peak standard 400G, but the measured cleaning accuracy is ridiculously high. Their family is good at using machine learning algorithms to identify abnormal packets in the game protocol, such as false connection requests for the Unity engine, and can accurately discard malicious traffic without affecting normal players. The disadvantage is that the number of nodes is small, and the domestic latency fluctuation is slightly large, which is suitable for turn-based games with high requirements for precision.
In fact, the peak defense is only the threshold, the real test is the cleaning ability and scheduling strategy. I've seen too many companies just look at the G number of cases to lose - a vendor commitment to 300G defense, the results of 200G CC attacks directly penetrated, because the cleaning rules are not optimized for the game protocol. Later found that the attacker completely simulated the real player's login and operation requests, the traditional IP frequency-based rules are simply ineffective.
This is the time to offer deep protocol analysis + behavioral models. For example, to protect against game login services, we have to bury custom rules in the CDN configuration:
It's not enough to be technical, you have to understand the attacker's brain circuitry. Last year, a competitive game was targeted to play TCP retransmission attack, the attacker specialized in forging RST packets to interrupt the player connection. Conventional CDN simply can not prevent, and finally in the edge nodes to do the TCP sequence number verification to solve. This kind of dirty routine, no battle vendors simply can not think of.
So when picking a high-defense CDN, I generally recommend that customers first ask these questions: defense peak is an independent resource or a shared pool? What is the handling mechanism of the super peak? Is there any protection case in the game industry? How many milliseconds is the cleaning delay? Does it support customized TCP protocol policy? These are all lessons learned from experience.
In terms of price, the 100G base protection probably starts at 20,000 to 30,000 dollars per month, and the budget is increased by 10,000 to 20,000 dollars for each additional 100G. But if you want to customize the game protocol protection, the price directly doubled. Some vendors also engage in the “insurance model”, the basic package is cheap, but really hit the big by the traffic billing, accidentally can brush out astronomical figures. Don't believe in the “unlimited defense” nonsense, there is no Thunderbolt in this business, only business logic.
Finally, the truth: peak defense is actually a dynamic concept. Real professional vendors will not be stupid waiting for the traffic rushed in hard to carry, but through the Anycast network to spread the attack traffic to the global cleaning center. Like CDN5 that architecture, the Asian nodes were hit automatically scheduling the traffic to the European nodes to clean, and then through the internal tunnel back to the source, the user is almost imperceptible. This global scheduling capability is much more important than simply stacking hardware.
In short, the game of high defense CDN is a systematic project, not simply buy a number on the high peace of mind. Have to combine their own game type, player distribution, protocol characteristics to select the type. It is best to first engage in a live-action pressure test, see for yourself how the console alarm pops, how the traffic scheduling, customer service response speed. After all, there is no panacea in this world, only the armor that fits.
(Suddenly remembered that there is still a pit to fill: many vendors of the peak defense does not include CC attacks, you have to buy additional WAF package. Next time anyone quotes you a number, remember to ask a follow-up question: “This package does not include layer 7 attacks?” (Guaranteed to see a wonderful change of expression.)
