Recently to help a few chess customers to do penetration testing, found a bizarre phenomenon: the server configuration is obviously not bad, but in the evening rush hour will be stuck into the PPT, a check of the logs are all the CC attacks on the traffic - this bunch of grandsons pick business peak hours to play, clearly do not want you to do business.
A customer said with a crying face that the original use of ordinary high defense, every month was hit through three times, the player dropped to the customer service phone was broken. I took a look at their bills, good guy, monthly small 20,000 spent actually “shared high defense” package, traffic over the amount of money to pay, the cost of the attack directly soared to the ceiling.
The chess industry has long been a DDoS hardest hit areaThe board game is sensitive to latency at the millisecond level. Unlike ordinary websites can still hold out for a while, the board game is sensitive to delay to the millisecond level, a wave of traffic over the light is lagging heavy black hole in the machine room, the player balance data is not synchronized can also lead to disputes. What's more disgusting is that competitors pick you to engage in activities when you order “stress test”, can not prevent directly cool.
I picked up the market seven or eight high-defense service provider's program, found that the board customers are most likely to be pit in two places: one is superstitious “unlimited protection” but do not know that behind the rough traffic cleaning, mistakenly kill normal users; the second is to be greedy for cheap to buy a static acceleration of the CDN, the dynamic request of the defense is virtually null and void.
Let's start with a case of blood and tears: a Texas Hold'em poker platform used a vendor's “100G protection package”, which was directly penetrated by a 30G CC attack. The technical support delayed 4 hours before responding, and finally found that their protection rules did not match the characteristics of the chess protocol - the so-called high defense is only for HTTP general rules, the TCP long connection and UDP protocol almost no defense.
Really useful chess high defense must meet three points: be able to recognize the business logic of the game protocol (such as disconnect and reconnect to deduct money or not), be able to distinguish between the behavioral patterns of real people operating and robots, and the cleaning node has to be close enough to the user or else the latency explodes. Unfortunately, 90% vendors can not do any of these three points.
Tested three vendors specializing in game protection, but it is a bit interesting: CDN5 chess program will deeply analyze the game packets, through the frequency of player operations and mouse trajectory to determine the real person; CDN07 even engaged in a set of AI models to analyze the abnormal behavior of the game (such as robots call the bets in seconds); 08Host is a simple and brutal - - All the traffic first through the self-developed protocol filter and then into the cleaning center. All traffic first through the self-developed protocol filter before entering the cleaning center.
But these things are never written in the quotation. If you ask customer service, “What is the principle of your anti-CC”, you are likely to get a set of standard words: “Our system will automatically identify abnormal traffic”.Don't believe this kind of crap., to really buy it you'd have to force them to come up with a custom rule case for the chess protocol.
Now to disassemble the cost structure. The cost of a high-defense CDN is divided into four main pieces: the basic bandwidth fee, the protection capability fee, the value-added function fee (such as certificates, WAF), and the excess cleaning fee. Shady vendors tend to press the basic bandwidth price very low, and then rely on the last three items to make up for it.
See? Light than the main package price absolutely fall into the pit. Once a customer bought CDN07's flexible billing package on the cheap, as a result, one day was hit with 800G flow, single-day cleaning fee dried up a small ten thousand - the original flexible billing does not set a ceiling!
My advice is to prioritize a fixed bandwidth + protection capped packageThe first is a new version of CDN5, which is a chess-specific version of CDN5. For example, CDN5 chess special edition although the starting price of 25,000, but the commitment to 300G within the attack without another charge, more than 300G directly pull the black hole rather than continue to burn money to clean - this is more real, after all, really encountered more than 300G attack might as well cut the spare room.
Another hidden pothole: many vendors of “chess optimization” is actually TCP parameter tuning + nodes near the access. But if you believe in their evil, really open all the global nodes, Southeast Asian users may be scheduled to the U.S. nodes - latency directly soared to more than 300ms. It is best to let them put the node scheduling strategy written into the contract, such as “mainland China users mandatory scheduling to the domestic nodes, foreign users no more than 3 hops transit”.
Configuration examples for this piece I'll just put a live Nginx rule that specializes in preventing slow CCs for chess:
This set of rules helped a particular client reduce 80%'s bogus requests, but be aware thatDon't apply it directly.After all, each game framework has a different API path, and some heartbeat packet detection requires finer-grained control.
Of course this is all face value, and the actual transaction price can be cut to 70% off. If you pay annually you can still squeeze another 10%, butDon't pay for the whole year at once.--Test it for a month first, focusing on how fast they respond to emergencies at night. The most outrageous vendor I've seen had weekend tech calls go through 6 branches before they got someone, and by that time the server had been in a black hole for 8 hours.
Nowadays, some vendors also engage in “defense effect betting”, such as promising to pay for the cost of the month if they are penetrated. Sounds good, right? But the contract details written in the “only SYN Flood attack” - and now the chess industry 90% is a CC hybrid attack, this word game play fly.
To be honest, these days even CDN have to “defense teammates”. Some vendors“ sales for the performance, will give customers open ”test traffic" to prove the effect of defense, in fact, the attack traffic around to other customers nodes. How to judge? Simple: Suddenly one day the delay soared but the console can not see the attack record, eighty percent into the wrongdoer.
Really want to save money and secure program, I recommend using a hybrid architecture: static resources thrown CDN5 (their overseas nodes cheap), the core business with CDN07 chess dedicated line, database servers front-end and then add a layer of 08Host's WAF - so that even if a certain home is dry through the full paralysis is not. Although the initial configuration trouble point, but in the long run the cost down 30% also more secure.
Forgot to mention the most important thing:Always have a backup plan.The first thing you need to do is to get your hands on a high-defense vendor. I've seen too many customers put all their belongings on a high defense vendor, the result is that the other room fiber optic cables were dug up, the whole staff dry eyes for 12 hours. At least prepare a cold standby server cluster, regularly synchronize data, and at critical moments can cut to the cloud manufacturer's billable high defense IP top for a while.
In short, pick chess high defense can not just look at the price figures, you have to break the rubbing asked clearly: CC protection is not really based on business logic? Node scheduling has no geographical restrictions? Is there any geographical restriction on node scheduling? Is there any charge or black hole after overloading? Emergency response is 7 × 24 or 5 × 8, these terms are written into the contract, than to listen to sales bragging much more real.
After all, this line of water is too deep, some vendors of the “chess special package” is to change the name of the general package expensive 20,000 yuan. If you open your mouth and ask “how do you prevent CC attacks on chess”, and the other side stammers and says business secrets - hurry up and change it, really.
