I got the ops alarm text message in the middle of the night: the game ports of a board game platform in a certain region were dropping packets like crazy. I logged into the server to take a look and, sure enough, UDP Flood traffic had already saturated the outbound bandwidth. The scene is so familiar it makes your scalp tingle. The board and card game industry has been a DDoS disaster area for years, especially for UDP Flood, a low-cost, high-payoff attack: just a few G of traffic is enough to turn the game experience into a slideshow.
Why do attackers love to use UDP Flood against board game platforms? The fundamental reason lies in the protocol itself: UDP is connectionless, so the server has to process every packet the moment it arrives; there is no three-way handshake to act as a buffer, as there is with TCP. The attacker forges a large number of source IPs and blasts garbage UDP packets straight at the game ports. Board games usually need to keep a long-lived connection, and once a port is flooded, at best there is lag and at worst the whole service goes down. Players cursing is a minor matter; the platform's reputation collapsing is fatal.
I tested this myself and found that relying solely on the hardware firewall in the server room is basically a waste of time. Traditional firewalls rate-limit on thresholds, and since the attack traffic is mixed in with normal player data and cannot be told apart, a blanket rate limit ends up cutting off normal players as well. Last year a well-known board game platform was penetrated three times in a row and was finally forced to suspend service for rectification, with losses starting at seven figures.
A truly effective program has to work on multiple dimensions. The core idea first: you need to be able to clean traffic at the network edge, and also do a second check at the server level. Don't believe vendors that boast of "single node universal protection"; these days even the CDN has to guard against its own teammates, since some small vendors' CDN nodes are themselves sources of attacks.
Let's start with edge cleaning. A reliable high-defense CDN should be able to analyze the protocol stack in depth; CDN07's intelligent fingerprinting verification, for example, does a good job here. Their nodes first run protocol compliance checks on UDP packets and discard obviously malformed ones, then do dynamic baseline analysis on the rate of consecutive packets. When measured against UDP Floods below 20G, the false positive rate could be kept within 0.1%.
But edge cleaning alone is not enough. Some advanced attacks mimic the real game protocol format, which calls for an additional protection module at the server level. I recommend open source fail2ban combined with custom rules that specifically watch for abnormal traffic patterns on the game ports. For example, if an IP is detected sending UDP packets with identical content over and over within the same second, it gets blacklisted outright.
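As an added example (not code from the original post or from any vendor mentioned here), a small Python detector that implements the rule just described: it counts identical UDP payloads per source IP within one second, flags sources that cross a threshold, and emits log lines in a format a fail2ban filter could match. The traffic records, the `udpflood:` log format and the threshold value are all constructed assumptions; the once-per-second heartbeat in the sample shows why the threshold matters, since identical but slow heartbeats must not be flagged.

```python
from collections import Counter

# Assumed threshold: this many identical payloads from one source inside one
# second to one port is treated as a flood, not as normal game traffic.
THRESHOLD = 20

def make_sample_records():
    """Constructed sample UDP traffic (not a real capture).

    Each record is (epoch_second, src_ip, dst_port, payload_hex).
    """
    recs = []
    # Legitimate player: one identical heartbeat per second plus a varied move packet.
    for s in range(5):
        recs.append((1700000000 + s, "198.51.100.5", 9000, "68620000"))        # heartbeat
        recs.append((1700000000 + s, "198.51.100.5", 9000, f"6d7600{s:02x}"))  # move
    # Flood source: 25 copies of the same payload inside a single second.
    for _ in range(25):
        recs.append((1700000002, "203.0.113.7", 9000, "deadbeef"))
    return recs

def find_flooders(records, threshold=THRESHOLD):
    """Return {src_ip: peak count} for sources that sent at least `threshold`
    identical payloads to the same port within the same second."""
    counts = Counter()
    for second, src, port, payload in records:
        counts[(src, second, port, payload)] += 1
    flagged = {}
    for (src, _second, _port, _payload), n in counts.items():
        if n >= threshold:
            flagged[src] = max(flagged.get(src, 0), n)
    return flagged

def fail2ban_lines(flagged):
    """One log line per flagged source. A fail2ban filter whose failregex
    contains <HOST> at the IP position can match these lines and ban the source."""
    return [f"udpflood: repeated-payload flood from {ip} ({n} identical packets/s)"
            for ip, n in sorted(flagged.items())]

if __name__ == "__main__":
    for line in fail2ban_lines(find_flooders(make_sample_records())):
        print(line)
```

In production the records would come from the game server's own packet log rather than the constructed list, and the threshold should be tuned against a baseline of real player traffic.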
I also have to complain about the "intelligent learning" feature some vendors offer. Last year I tested a CDN vendor that claimed it could use AI to identify abnormal traffic, and the result was that the game's heartbeat packets were all blocked as attacks. A genuinely reliable program, like 08Host's, first lets you define a baseline of normal business traffic, and the protection engine then makes dynamic adjustments against that baseline. They even support regional scheduling: foreign attack traffic is cleaned at foreign nodes, and domestic players notice nothing at all.
Bandwidth expansion is not a universal solution. I have seen a platform that was penetrated by 300G of traffic gamble on buying 500G of bandwidth, only for the next month's attack to grow to 800G. What really works is elastic expansion plus traffic scheduling. CDN5 is quite cunning in this regard: its anycast network can automatically schedule traffic to different cleaning centers based on the strength of the attack, while BGP Anycast dilutes the attack traffic across many nodes.
Finally, a practical suggestion: when a board game platform selects a high-defense CDN, focus on three points. One, the number of global cleaning nodes (at least 30+). Two, whether deep customization of the UDP protocol is supported (you should be able to define your own packet checksum rules). Three, whether there is a third-party audit report on the cleaning false positive rate. Never trust vendors who boast of zero false kills; I have tested three leading vendors, and a false kill rate of 0.5% or below on normal business traffic already counts as excellent.
After all, a protection program guards against gentlemen, not villains. When you really face massive attacks, you still need to cooperate with threat intelligence and traceability to fight a protracted battle. Last year, through the traffic logs of our partner vendors, we successfully located the IP of a competitor's server room, and the attacks only stopped after a lawyer sent a direct warning letter. In the board game business these days, technical defense and legal means both have to be strong.
In the end, there is no silver bullet for UDP Flood defense. You need CDNs to absorb the traffic, scripts to supplement detection, and people to do the monitoring. Only with multiple stacked layers of defense can players draw and play their cards in peace; after all, nobody wants to be about to play a straight only to have the network lag turn it into a single card.

