Answer the question
In order to leave comments, you need to log in
Game server traffic proxying
There is a dedicated server with DDOS protection in the first data center. (server #1)
There is another dedicated server without DDOS protection in the second data center. (server #2)
There is a game server on server #2. It is necessary that traffic to server #2 go through server #1, thereby filtering the traffic. Also, so that users cannot connect to server #2 directly, but only through server #1. Both servers have CentOS, it is possible to install Debian.
Answer the question
In order to leave comments, you need to log in
1. What kind of traffic? http\https?
2. Server #1 only performs the function of protecting against ddos and is not a game server itself?
You mentioned that a hoster provides you with some kind of "DDoS protection" (by the way, can you clarify the model of the hardware solution?). Assuming that your services use UDP (which, I think, is correct for the case with CS-like game servers without additional traffic wrappers), then the thoughts are as follows.
I believe that the maximum that a hoster can do is to limit traffic to the server during DDoS attacks (policing, and it’s good if policies take into account destination ports, and not just IP addresses) or completely block traffic to one server, saving the infrastructure from excessive traffic (bgp blackhole to uplinks, effectively attacked server will still be inaccessible).
When using UDP, there is a traffic authentication problem. When using TCP, it is possible to separate those who really establish a connection from those who send SYN segments with fake addresses - the latter will not be able to respond with an ACK segment with the correct acknowledgement value to our SYN-ACK segment (well, or there are options with specially generated with a crooked SYN-ACK response, the legitimate host will respond with a RST with the correct acknowledgment and resend the SYN after about 3 seconds). In the case of UDP, we don't have that luxury. We cannot determine by means of UDP itself who is spoofing addresses and who is a legitimate host. I suppose it would be a good solution to maintain a list of client IP addresses on the server and somehow transfer it to the host, so that in the event of an attack, it would block all traffic that does not satisfy the list.
Further, with regard to traffic proxying. The most naive option is udp proxy , i.e. the socket on server 1 receives the data and copies it to a socket that sends data to server 2. Packets containing the appropriate datagrams will arrive on server 2 with the source address field equal to the address of server 1. From the side of server 2, it will appear that all players have one and the same address (if no action is taken at the application level, for example, adding an additional address header to the datagrams). Sometimes this is unacceptable.
A more intelligible option is nating . Approximate scheme in the illustration.
A similar scheme is often implemented in load balancing using solutions like F5. It uses Destination NAT of packets from the client to the server and Source NAT of packets from the server to the client. All traffic from S2 will need to be routed through S1, which may require some sort of (eg GRE) tunnel to be up. It should also be noted that IP addresses can be used within the L7 protocol (the most well-known case is FTP), which may raise new questions.
Generally speaking, your task is a wide minefield for experiments.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question