"Anycast" DDoS Protection - How many popular servers are manipulating pings
    53 replies, posted
Recently I've wondered why my server list was made up of many American servers (am European) with really good ping, even though when I connected to them I ended up on an actual American server and my ping went up to 150ms+.

https://files.perpheads.com/47OEc99mUEXvboZz.png

The example I used in this picture is SuperiorServers.co, but there are many others that do the same. All the American servers that appeared with really good ping on my server list were hosted with gmchosting and are using what is called their "Anycast DDoS protection". This is how it works:

https://files.perpheads.com/2VBLN9nAHSVcCCNG.png

As you can see in this network trace, the traffic to the gameserver is routed through a router in London, controlled by gmchosting. What is also immediately apparent is that the real ping to rp.superiorservers.co is actually 150ms, so how does it appear as 40ms in my server list?

The reason for that is that this "AnyCast DDoS" protection doesn't just filter out malicious traffic at the London router, it also intercepts certain network packets. In this case the intercepted packet is the A2S_INFO source packet, that is used to query server information but also establish a ping by calculating the time difference from the request being launched and it being received. The router caches an A2S_INFO packet from the upstream server and then just replies directly from the London location.

Now some of you might say that caching A2S_INFO packets is perfectly legitimate as those can be used for denial of service attacks. The problems I have with it are the following:

While GMCHosting is only advertising it as DDoS protection on their site (only hinting at the ping manipulation bit), privately they are obviously using the server list as the main selling point. After all, they are charging more than $700 for this and no one would pay that much for it just for having "better" DDoS protection.

After being asked a few questions about AnyCast improving ping, one of their employees furthermore said this, which is just not true and anyone can do the pings themselves to prove this. I don't see any reason that using anycast DDoS protection really gives you much benefit at all, clearly the existing servers at GMCHosting don't have any problems with DDoS attacks (it is their main advertising point after all), so why would anyone pay $700+ a month for this?

So I think my two points here have established that the facade of the "Anycast DDoS protection" is exactly that, just a facade. The real reason this exists is to boost servers on the server list.

The reason I am even writing this post is because a similar way of gaining a better spot on the server list was using proxy servers and has gotten servers banned before. How is it acceptable that proxy servers are banned, but this way, that is achieving exactly the same (just using a slightly better way) is not?

As a side note to the gmod devs: I'd like to point out that in the linked thread SuperiorServers was also being mentioned as one of the bad servers and apparently even got blacklisted for some time. Why do you allow a server (the biggest gmod server there currently is as well, they really don't need this) to act in such bad faith?

I can only think of three fixes for this problem.

1. Allow all sorts of ping manipulation, i.e. allow proxy servers and "Anycast DDoS protection" for servers who really want to use this type of manipulation
2. Ban any and all types of ping manipulation
3. Remove the ping aspect from the server list altogether

My personal favourite is 2., but I am also open to 3. What do you guys think?
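The measurement described in the opening post, as an added example that is not part of the thread: the A2S_INFO request a server browser sends, a parser for the reply, and a comparison of the query round-trip time against the round-trip time of the real path. The sample reply bytes and RTT samples are constructed to match the 40ms and 150ms figures in the post, and the function names and thresholds are assumptions.

```python
import socket
import statistics
import struct
import time

A2S_INFO_REQUEST = b"\xff\xff\xff\xffTSource Engine Query\x00"

def parse_a2s_info(payload):
    """Parse the leading fields of an A2S_INFO reply (header byte 'I')."""
    if payload[:5] != b"\xff\xff\xff\xffI":
        raise ValueError("not an A2S_INFO reply")
    pos, strings = 6, []              # skip prefix, header and protocol byte
    for _ in range(4):                # name, map, folder, game
        end = payload.index(b"\x00", pos)
        strings.append(payload[pos:end].decode("utf-8", "replace"))
        pos = end + 1
    _app_id, players, max_players = struct.unpack_from("<HBB", payload, pos)
    return {"name": strings[0], "map": strings[1],
            "players": players, "max_players": max_players}

def measure_query_rtt(host, port, timeout=2.0):
    """Time one A2S_INFO round trip in ms, the way a server list derives ping."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(A2S_INFO_REQUEST, (host, port))
        payload, _ = sock.recvfrom(4096)
        rtt_ms = (time.perf_counter() - start) * 1000.0
    return rtt_ms, parse_a2s_info(payload)

def compare_rtts(query_rtts_ms, path_rtts_ms, ratio=0.6, min_gap_ms=30.0):
    """Flag a server whose query RTT is far below the RTT of the real path.

    ratio and min_gap_ms are assumed thresholds, not values from the thread.
    """
    query = statistics.median(query_rtts_ms)
    path = statistics.median(path_rtts_ms)
    flagged = query < path * ratio and path - query >= min_gap_ms
    return {"query_ms": query, "path_ms": path, "answered_near_client": flagged}

# Constructed sample reply and RTT samples (not captured from any real server).
SAMPLE_REPLY = (b"\xff\xff\xff\xffI\x11Example RP\x00rp_example\x00garrysmod\x00"
                b"DarkRP\x00" + struct.pack("<HBB", 4000, 96, 128))
SAMPLE_QUERY_RTTS = [41.2, 39.8, 40.5]      # what the server list would show
SAMPLE_PATH_RTTS = [151.0, 149.6, 150.3]    # final traceroute hop or in-game ping

if __name__ == "__main__":
    print(parse_a2s_info(SAMPLE_REPLY))
    print(compare_rtts(SAMPLE_QUERY_RTTS, SAMPLE_PATH_RTTS))
```

measure_query_rtt needs network access and does not handle servers that answer with a challenge (header 'A') first. The path RTT has to come from a separate measurement, such as the final traceroute hop or the ping shown once connected.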
https://www.youtube.com/user/NewDramaAlert
There are legitimate reasons to use anycast for DDoS protection. But in this situation you're probably right about it being mainly used as a selling point. The question is going to boil down to if there is anything the devs can do to prevent this from happening. If not, blanket banning would be the way forward. But I'm not against a new server browser either.
I would like to refer you to this thread/page: Redirect / Fake Server Report Megathread. I'd rather not repeat myself every six months because somebody has a random question, concern, inquiry or accusation. If you have any actual concern regarding why the system does what it does then simply ask. Ignoring all the information that I threw out there is just silly. Thanks.
Don't pretend that what you are selling is not intended to fake the ping of the server, we all know that's why people spend $700+ on this. In fact this is the biggest promise you give to server owners, apart from bullshitting about how this anycast crap is supposedly going to give everyone a better ping. In fact your DDoS protection can work perfectly without intercepting A2S_INFO packets. All your servers would still be protected from "some random attacker take[ing] out your upstream providers and leav[ing] you bone dry", since your servers could still only be accessed through your router in london/amsterdam/etc.
The reason I am not complaining about those proxy servers is because there is already a sticky thread at the top of the forum for exactly that, and guess what, if you report them they might get banned. I am complaining about servers like yours, because this method is currently not getting banned even though it is exactly the same type of thing. I hope the $700 a month are worth it.
Thanks, that was my goal. A caching side effect that is clearly specifically there to achieve the better pings. Of course they are going to make it appear as if they can't possibly not have this and it's just part of their "great protection", but that's simply untrue. No one is going to pay $700 for a DDoS protection that is realistically not going to be in any way better than what you had before. Please don't insult our intelligence that that's the reason you or anyone else got this. I agree. Running a community is hard (I am running one myself), but I bet you could invest those $700 a month into developing new features for your servers, rather than trying to cheat the system. Clearly you were upset about that other TTT server using redirect servers (how hypocritical of you btw), so how do you think the community owners of servers that play 100% clean and don't try to gain any sort of unfair advantages through manipulation feel?
The main objective for the Anycast DDoS protection system is to keep clients up from even the most pesky DDoS attacks regardless of the origin and attack type. I feel that if you do not understand the underlying problem here in terms of how filtering engine specific attacks works then we cannot get anywhere or find a proper resolution. How would you recommend to solve the problem which is filtering extremely large engine specific DDoS attacks without causing the network to be unstable or cause saturation? I can't control if some clients get attacked more than others. As you may also imagine, upgrading a relatively new network over and over quickly becomes a nice paperweight. Building a new network from the ground up can get extremely expensive especially when people try to make it a challenge to attempt to take you or your top clients down.
Literally everyone ever has managed to do it without manipulating the ping - you're the only person who "has to do this", and you don't have to do it this way.
DDoS protection my ass. The last time I attacked a server hosted by GMC it kept spoofing players and the playercount slowly decreased from 120 to 60. The main reason why your clientele buys into your is the spoofing meme. https://prnt.sc/iwnepf Like so slow, that within an hour there still were fake players. It is possible to design proxying DDoS protection, that after all is pretty much what Valve does with their new routing system in CSGO and Dota 2 - but u aint doing it. It'll be like yours when I get to updating it, including without the redirect, for less than 1/10th of the price. If yours aren't fake servers (proxying any traffic instead of sending a redirect package, using gay router memes to avoid it from showing up twice) - then mine when they do the same yours do won't be either, right? =9
If every server was doing this - it would ruin the server browser. Ping in the server browser would no longer be a representation of reality. Another thing that hasn't been addressed is what should happen when this tech becomes mass consumer? Is it going to be allowed? Or is it just allowed currently because the servers doing it are in the back pocket of FP mods & devs?
tbh all servers faking ping are fake servers, this includes GMC - which even superior and moat currently pay thousands a month for https://prnt.sc/iwnepf
I don't know if I'm more shocked that you were attacking my infrastructure especially when it was only a couple of months old or the fact that you managed to find a bug in the system months ago and are using it as "leverage". I had a client report that to me about four months ago to where I found the problem and patched it immediately which I cannot say about some other companies. It's really not all that surprising that you were able to find a bug at the end of the day, you're known for that sort of stuff especially with Valve's API. At least I actually take the time to patch issues as quickly as humanly possible. Also, could you elaborate exactly on what you mean by proxying DDoS protection? From what you see in my response four months ago, I'd like to think that I was very in-depth and informative. You really repeat some of my points for me which I thank you for. It makes my job just a little bit easier.
I actually just wanted to test a source engine exploit tbh and stumbled across your anycast spoofing players on accident. I don't think it spoofing players is me leveraging something tho, it profits the server owner but not me. It must've been ~4~6 months ago. Steam now has proxy servers for themselves in Dota 2 and CSGO, if your proxy server gets ddosed you migrate to another one iirc. The real server IP is hidden I guess. Basically prevents random people from ddosing your match. They call it relay iirc. The connection becomes your client <=> proxy server <=> real server. ye idk, I didn't read your posts. I'm personally partially responsible for all the spoofing memes in gmod because I started the trend few years back by making/selling some software
I understand. The more time goes on, the more mature my systems become and the more perks I offer but the more bugs may arise as with any system. I don't appreciate people bringing up things from the past especially if it has been fixed in an extremely fast fashion. While I don't condone people attacking any servers at all, at least it did alert me to a groundbreaking issue. If it wasn't you then it surely would have been some random angry competitor or attacker looking to boast about taking down the top servers. It will only get worse and worse once I release a public graph. From my understanding, Valve's Peer-to-Peer system is extremely dynamic which is very cool. The main issue with what Valve implemented for two of their matchmaking based games compared to a client who has a static IP is that I can't just give them a floating IP or instant redirect based system. Clients expect their server to be in the traditional form since they are used to it. If I were to for example, make something similar to Valve's system then there are a lot of potential problems along with it. Valve's matchmaking doesn't require that people know the IP:Port or see the server on the master server lists. They simply queue up, find a random IP:port/(P2P session) through Valve's systems and join. With Garry's Mod or any other game that isn't directly matchmaking based (custom community servers), that becomes extremely complicated. Not to mention, that doesn't exactly solve the problem of DDoS attacks, it simply redirects players transparently to the new IP when an attack is detected but what if they find the real IP. In my opinion, the best way to solve DDoS related issues is to filter them properly and not keep hopping to different proxy IPs. Valve's system may be a cheap workaround since it's a random matchmaking server that nobody will ever find again but they will still need to gulp up a stupid amount of attacks to their infrastructure and deal with it.
All they really have to do is actually look at the networking and do their job since they made the game engine and know what every single packet does.
They also use this to mitigate sub-optimal routing over the general internet. Instead you connect to one of their servers and your traffic is routed to the game server through their pre-optimized routes.
It's almost like that reminds me of a service involving Anycast and DDoS mitigation. I think that somebody should probably look into investing into that if you catch my drift.
Thanks for bringing up another of their bullshit claims that anyone can disprove within seconds: The following is the traceroute to one of their "anycast" DDoS protected servers, you can see this because the traffic is routed through their Amsterdam router. https://files.perpheads.com/a2yZmIpgZyAhpOC0.png For comparison, this is the traceroute to one server in the same data center that is not using their "anycast" DDoS service: https://files.perpheads.com/0UuSiucoRRqkHEHy.png As everyone can see, in this case the non anycast DDoS protected server actually has a slightly better ping (just by ~3ms, but consistently so as well), which is caused by Telia being able to actually provide me with a much better route than GMCHosting is, because GMCHosting has to always route it to Amsterdam first, even though the optimal route can be very different to that. Furthermore, the claim that they can give you "optimized" routes is simply bullshit. It's not like they have their own underwater fibre cables that were put there specifically for GMCHosting, please give me a break. They use the same (slow) infrastructure everyone else does. Another claim you get from GMCHosting is that their routing service makes it so you don't have to go through inefficient routers at your ISP, which is also simply not true, since every time you access the internet in any way, the traffic will first be routed to the routers of your ISP, and then forwarded to the more general routers, such as from Telia. All you can ever do is deflect away by claiming your critics don't understand how your amazing and infallible "anycast" DDoS protection works. Well guess what, I understand how your service works and I think I provided plenty of extremely valid criticism, why not actually respond to the points instead of pretending you are the only one who could possibly understand how it works.
Great thread, I was actually wondering how this keeps happening. Cheers Freddy!
I guess you don't realize that I was talking about Valve's servers, as was the comment I quoted.
What I find confusing is that it's claimed this is because of really super high volume attacks that only a small handful of your clients get - yet your "filtering" nodes have less capacity than your previous host. In a bandwidth sense - you've lowered your mitigation capacity. I don't believe this is intended for what you claim, I think it's intended to lower the servers' pings. I don't necessarily take issue with this; it would make a lot of money if made available to the mass market - I just think being dishonest about the intention isn't the best way to go about getting it allowed.
Surprised a facepunch mod hasn't replied to this, one did on the last thread but idk if they're a mod anymore le sigh.
I'm not that surprised. I really would like a more clear answer on these practices. I've become aware of a way to get the same results as anycast without any network prerequisites - and obviously it seems like something people would be interested in as a service. I'm concerned when this stuff becomes mass-market and a lot of people have it, only then will FP act. Once you have Australian servers, American servers, UK & EU servers all with the same ping in the server browser, what now? We need to think about this if we're going to allow it, so we can have a plan in place to replace what the ping used to do. It would be nice to have an actual decision made on this stuff before putting time & money into it.
Rubat is really the only one who has ever dictated on these sort of matters before, so I would ask him directly, personally.
Will do, thanks for the information. (srry for the late reply too) Hopefully something is done about this, it's not that easy to compete when a third or more of the TTT category is taken up by a ping spoofing community tbh.
Please refer to the sticky for the procedure on reporting servers breaking the Garry's Mod Terms of Service. I will leave this thread open for discussion purposes, but please do not use it to report specific servers.
As nice as it would be to see all the spoofed servers disappear, we've known about this for months now and literally nothing has been done about it, so I doubt there's even a point in reporting it now, since from my point of view it looks like the devs don't really care.
Just to back Luna's point up, here is what you'd be getting from the U.K: https://crident.is-fi.re/969d9e.png
Yeah will do, I've contacted him. I just wanted to back up my claim about the TTT category being flooded, so I posted two screenshots of me and a friend in a different country.
This is what you should've done in the first place, because then you don't actually manipulate your players into believing the server they are joining has good ping when it does not. Tbh I haven't really found anything special on your servers either. Here's hoping that you can invest those $800 a month into developing some cool features.