DDoS Protection
SKEPTIC, 2020-01-08 03:07:07

Website protection from DDoS?

Before completing the creation of a gaming project, I cannot help but ask about protection against DDoS attacks.
I am very concerned that the site will be subject to DDoS attacks. As the saying goes: it's better to put on a condom and be at least somehow protected than not to put it on and then regret it. (I'm talking about DDoS and protection against it.)
What do you recommend for protection?
It is clear that it is 2020 and most people are saved by reverse proxies, or whatever they are called, like Cloudflare, etc.
I would like to reduce the possibility of resources going down to a minimum.
So what do you recommend anyway? I heard about many services: CloudFlare, DDoS-Guard, StormWall, Incapsula, etc. Of course, I haven't tried anything myself. And don't say "don't put up a defense, no one will attack you". Even if that is so, the saying above explains my desire to defend myself.
By the way, keep in mind that not so long ago new methods for bypassing CloudFlare's protection appeared, the so-called CloudFlare JS bypass. Is it worth being afraid of them, and how do you protect yourself when there are so many methods of attack and bypasses of even large defense systems around?


1 answer(s)
tostpypy, 2020-01-31

Hello. I can give advice as a person who has been involved in game projects for 4-5 years. DDoS is a common thing; competitors and schoolchildren will easily flood you with at least 10 Gbps a couple of times, so you need to take hosting with integrated high-quality hardware protection right away.
I, like thousands of others like me, keep servers at OVH, which, in my opinion, has the best free defense, with Arbor systems and others that repel any L3-L4 attacks.
Since OVH is a solution for hundreds of thousands of clients, you need to finish the protection yourself; for this you need a specialist, or you need to gain experience yourself, as I did.
That is, OVH/Hetzner/Online.net and other large companies do not protect against Layer 7 attacks, and these are game bots or HTTP bots for websites.
What are the basic things you can do?
- If your game runs over TCP, at OVH you can completely block UDP from the Internet, while other OVH servers will still be able to reach you over UDP. Many attacks by schoolchildren go over UDP.
- We put protection against SYN floods on any hosting and generally optimize the system by disabling conntrack and tweaking iptables SYNPROXY or SYN cookies. Also at this stage, you can distribute interrupts across cores and use netutils. Other optimizations are more subtle.
- We set up Nginx as the web front end while reading optimization guides; in general, if this is a one-page site for buying services, then this is almost enough on a powerful machine. In other cases you already need a lot of knowledge; for example, I built protection with a combination of nginx + lua.
Just at this stage, unless problems arise, you can look at companies like ddosguard / stormwall, which mainly implement banal protection through checking for JS. But... we can do it ourselves by building nginx with the testcookie module, which is done in 5 minutes, or ask your system administrator to do it.
And all these CloudFlares are complacency in the face of real attacks. Likewise, I don't trust our companies, unlike European ones, which repel attacks of any caliber for free, while ours may well die from a couple of hundred gigabits, or they will almost always make you pay fabulous money for 100 Mbps of bandwidth, which is out of the question for a game project by small beginners. Also, many of our defenders are resellers of OVH/Voxility and other big foreign companies.
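
The host-level steps listed in the answer above (drop unsolicited UDP for a TCP-only service, put SYNPROXY in front of the listening ports), as an added example that is not part of the original post or the poster's own configuration. The function names, the ports 80/443, the MSS of 1460 and the window scale of 7 are assumptions to adapt to the real service.

```sh
#!/bin/sh
# Added example: generate an iptables-restore ruleset plus the sysctls that
# SYNPROXY relies on. Nothing is applied; the script only prints text.

gen_sysctls() {
    cat <<EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.netfilter.nf_conntrack_tcp_loose = 0
EOF
}

gen_ruleset() {
    # Arguments: the TCP ports that must stay reachable from the Internet.
    ports=$(IFS=,; echo "$*")
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Incoming SYNs create no conntrack entry; SYNPROXY answers them statelessly.
-A PREROUTING -p tcp -m tcp --syn -m multiport --dports ${ports} -j CT --notrack
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# SYNPROXY finishes the handshake with SYN cookies before the service sees it.
-A INPUT -p tcp -m multiport --dports ${ports} -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
# Packets still INVALID here failed cookie validation or match no connection.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to traffic this host started (DNS, NTP) are still allowed back in.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The service is TCP-only, so all other UDP from outside is dropped.
-A INPUT -p udp -j DROP
COMMIT
EOF
}

# Stand-alone use: ./ruleset.sh 80 443 | iptables-restore --test
if [ "$#" -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Loading the output with `iptables-restore` replaces the existing raw and filter tables, so validate it with `--test` first and merge in any rules the host already depends on.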
