• Server Owners and DDOS Protection
    9 replies, posted
Hey everyone! My server has been growing little by little and we are hitting our player cap of 100 every day now quite consistently. However this has also attracted the likes of assholes who enjoy a good DDOS attack since they lack the real world skills required to get laid. That being said, is there anything I can do to protect my server from these attacks? Thanks in advance!
The short answer is that you're going to have to pay for it. Expect to pay around $50 - $200 / month per IP for GOOD DDOS protection. Anything less and you're probably not getting good scrubbing, or will see high latency. And because you're sharing a network port with other virtual servers on the same physical server, everyone on the server has to be scrubbed, otherwise a DDOS targeted at your neighbor can take you out as well by saturating the port.

Here's the long answer: That depends on how complex the DDOS is. You have to be careful when shopping around for DDOS providers, as there's no standard for what "DDOS protection" really means. Keep in mind that anyone can do something stupid, like say drop ICMP at the firewall. Boom - they're now protected from an incredibly weak DDOS (ping floods), and they can now claim to be "DDOS protected". I disagree with this practice because I think it's borderline misleading, but since they're technically correct, there's not much you can do about it other than become an educated consumer. Providers who DO offer true DDOS protection (as in the ability to stand up to a 10 or 20 gigabit attack) are usually going to charge you around $50 - $200 per IP address. But this presents a problem for games like Rust, where multiple instances are run on the same hardware: if someone else on your node gets attacked and the network port gets saturated, then even if YOUR server is a protected IP, you're still going down.

Finally, it's very easy to spoof IPs. Anyone who habitually launches DDOS attacks can easily get their hands on a few thousand (or hundreds of thousands) IPs to use. Then you have things like DNS amplification, which doesn't even require the attacker to have additional IPs.

Bandwidth is expensive. Sure, you can get FIOS at home for $100 / month and get a pretty decent chunk of bandwidth, but that won't cut it for a commercial hosting operation. Not even close.
When you're hosting for money, you're looking at a MINIMUM of a full gigabit cross connect -- and that's what dirt-cheap, bargain-basement hosts use. 10 Gb links are common among better providers. And you can't have just one carrier. You're going to want direct hops to the biggest ISPs, plus a few carrier-neutral links. At a bare minimum, you'll probably want bandwidth from Verizon and Comcast, plus a few tier-1 carriers like Zayo, Cogent, and Level(3). Gaming servers require some careful network planning and tuning for latency, so it's not just a matter of randomly picking out a few carriers.

Most carriers sell bandwidth at the 95th percentile model. For example, you might buy "50 megabits burstable to one gigabit". Multiply that by 3-10 carriers, and you've got about 50 TB of usable bandwidth per month with a maximum throughput of around 3 Gb/s. I'm greatly simplifying things here, but this is the gist of it. A very small host can easily burn through a few dozen terabytes of bandwidth every 30 days. For comparison, most home ISPs cap their users at around 300 - 350 GB / month. All of that bandwidth gets damn expensive real quick. Depending on your negotiating skills, carrier blend, and infrastructure, you'll easily drop a few thousand a month or even tens of thousands per month. That's on bandwidth alone and does not include datacenter lease space, hardware costs, staffing costs, electricity, or anything else. I'm keeping this all very simple, but suffice to say bandwidth is extremely expensive.

So now you've got your bandwidth in play. You've priced your servers to cover your costs and turn a profit. But guess what? Along comes Captain Dickbag and his L33T H4X0R CR3W and turns up a 15 Gb DDOS because you kicked him for spamming chat. A 15 gigabit DDOS will consume roughly 6-7 terabytes of data transfer PER HOUR. You'll blow through your entire 50 TB monthly allocation after just a few hours.
And just like those old cell phone plans, once you go over your limits, the overage charges are killer. Expect to pay anywhere from 2x - 10x your commit price for bandwidth. If the attack is severe enough, the carrier may simply drop your connection until the attack dies down. Now you're REALLY screwed because (1) that DDOS alone is going to cost you $$$ - $$$$ in additional bandwidth charges, and (2) you're getting even more customers knocked offline and/or seeing huge lag because (3) all your servers on that connection are now offline.

There are DDOS companies like Black Lotus and CloudFlare that employ a number of techniques to scrub your traffic of attacks. Both of these can handle multi-gigabit attacks (CloudFlare regularly brags about handling 100+ Gb attacks) with ease ... but it's going to cost you. If you're buying in bulk, you can get the cost down a bit. $50 - $100 / month for around 10 gigabits of protection is about right ... but only if you're purchasing massive amounts of protection to resell. If you're just looking to protect a single IP, expect that cost to go up. DDOS protection also increases latency somewhat. You might only be talking about 5 - 20ms, but that can be a big deal in a game.

Attacks in the 10+ Gb range are common, and so are hosts that burn through 50 TB / month in bandwidth transfer. If you're interested in true DDOS protection, talk to your GSP about your concerns. A good, reliable GSP will be able to describe their scrubbing options in great detail, but most "cheap" GSPs will simply tell you that you'll be null routed if DDOSes become a problem.

You may want to consider renting your own dedicated server to run the game. This can be very expensive -- expect to spend around $200 / month for a Xeon E3-1230v3 (comparable to a high-end i7) with SSD, a gigabit port, and good DDOS protection -- but gives you maximum performance, reliability, and control. I have used Limestone Networks in the past and can vouch for their awesomeness.
Source: I do network security and DR for a living.
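A worked calculation of the two billing effects described in the post above (95th-percentile burst billing versus a monthly transfer allocation, and how a 15 Gb/s flood interacts with each), added here as an example; it is not part of the thread, and the baseline traffic, unit price and overage multiplier are constructed values.

```python
"""Bandwidth-cost arithmetic for a sustained flood (added example, not from the thread).

Carriers meter two different things:
  * the 95th percentile of 5-minute throughput samples (what you are billed on), and
  * total bytes moved in the month (what a "50 TB allocation" caps).
The 50 TB / 15 Gb/s figures come from the post; everything else is constructed.
"""

SAMPLES_PER_MONTH = 30 * 24 * 12  # one throughput sample every 5 minutes for 30 days


def percentile95_mbps(samples_mbps):
    """Standard carrier method: sort samples, discard the top 5%, bill the highest remaining."""
    ordered = sorted(samples_mbps)
    discarded = len(ordered) // 20           # top 5% of samples are free
    return ordered[len(ordered) - discarded - 1]


def attack_transfer_tb(gbps, hours):
    """Volume a flood moves, in decimal terabytes (carriers count TB as 10^12 bytes)."""
    return gbps * 1e9 * 3600 * hours / 8 / 1e12


def hours_to_exhaust_tb(allocation_tb, gbps):
    """How long a flood at `gbps` takes to burn through a monthly transfer allocation."""
    return allocation_tb / attack_transfer_tb(gbps, 1)


def month_with_attack(baseline_mbps, attack_gbps, attack_hours):
    """Constructed month of samples: a steady baseline plus one contiguous attack burst."""
    burst = [attack_gbps * 1000] * (attack_hours * 12)  # 12 samples per hour
    return burst + [baseline_mbps] * (SAMPLES_PER_MONTH - len(burst))


def monthly_bill(p95_mbps, commit_mbps, price_per_mbps, overage_multiplier):
    """Commit is billed at list price; anything above it at the overage multiplier."""
    overage = max(0, p95_mbps - commit_mbps)
    return commit_mbps * price_per_mbps + overage * price_per_mbps * overage_multiplier


if __name__ == "__main__":
    # A 15 Gb/s flood: ~6.75 TB per hour, so 50 TB lasts about 7.4 hours.
    print("TB per hour:", attack_transfer_tb(15, 1))
    print("hours until 50 TB is gone:", hours_to_exhaust_tb(50, 15))
    # A 6-hour burst is inside the free top 5% (36 hours), so p95 stays at baseline...
    print("p95 after 6h attack:", percentile95_mbps(month_with_attack(200, 15, 6)))
    # ...but a 48-hour burst drags p95 up to the full 15 Gb/s, and overage kicks in.
    p95 = percentile95_mbps(month_with_attack(200, 15, 48))
    print("p95 after 48h attack:", p95, "bill:", monthly_bill(p95, 50, 1.0, 5))
```

The short flood does not move the 95th-percentile bill at all, which is why the transfer cap, not the burst price, is what bites first in the scenario above.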
[QUOTE=Maximum Over;47617861]The short answer is that you're going to have to pay for it.[/QUOTE] can't give you both winner and informative, but i would. great post max.
ok
OVH and SoYouStart are the same company. SYS is like the discount arm of OVH, which is already a discount server company. The problem I've experienced with OVH is that when things go wrong, it takes forever to get help. As in, your server could be offline for a few days until someone gets back to you. Their network isn't exactly blazing fast, either, and you have little if any control over your server location. According to their order form, right now they're currently deploying out of France. So if most of your players are in France, go for it. If most of your players are in the US, you're going to have some major latency problems. Like I said, you can find service at all kinds of different price ranges. You get what you pay for. By all means give it a shot and report back to us. Also, I wouldn't recommend running a Rust instance on an OpenVZ VPS. Make sure you go with a provider that uses Xen or KVM. OpenVZ has too many stability issues that go way beyond this forum's purpose in life.
ok
Holy crap Max, that was a ton of awesome info :) I'm glad you found my question. Thanks for the answers and insight!
DDoS protection is a scam.
[QUOTE=Warm;47625984]DDoS protection is a scam.[/QUOTE] *in a typical mafioso voice* "it's protection money. you pay us, and your bus-i-nes does not get ddos'd. you don't pay us, and accidents will be bound to happen.."
[QUOTE=almosttactful;47625489]Holy crap Max, that was a ton of awesome info :) I'm glad you found my question. Thanks for the answers and insight![/QUOTE] Thanks! And you're welcome! An educated consumer is the best consumer. [QUOTE=Warm;47625984]DDoS protection is a scam.[/QUOTE] How do you figure? Granted, there are a HUGE number of DDOS providers out there who offer crap-grade "DDOS protection" that consists of something stupid like blocking ICMP, so if that's what you're referring to then I agree 100%. But DDOSes are real, and they can take an entire server or network offline for an extended period of time. Whether or not anyone truly needs DDOS protection is a question only they can answer.