Game Server DDoS Protection Strategies
DDoS attacks are a growing threat to game server infrastructure. Esta guía cubre practical DDoS protection strategies including iptables-based rate limiting, SYN cookie configuration, connection tracking, traffic filtering, and monitoreo techniques. Proper DDoS mitigation can protect against volumentric, protocol, and application-layer attacks while maintaining legitimate player access.
Tabla de contenidos
- Understanding DDoS Attacks
- Rate Limiting with iptables
- SYN Cookie Protection
- Connection Tracking
- Network-Level Filtering
- Geolocation Filtering
- Reverse Proxy Protection
- Monitoring and Detection
- DDoS Mitigation Services
- Incident Response
- Conclusion
Understanding DDoS Attacks
DDoS attack types:
- Volumetric: Flood attacks consuming bandwidth (UDP floods, DNS amplification)
- Protocol: Attacks exploiting protocol weaknesses (SYN floods, Fragmented packets)
- Application-layer: Attacks targeting game logic (Slowloris, player exploit)
Game servers are vulnerable due to:
- UDP protocols (most games)
- Limited bandwidth
- High player count requirements
- Continuous operation
Protection strategies must balance seguridad with legitimate gameplay.
Rate Limiting with iptables
Basic Rate Limiting
Limit connection attempts per IP:
# Limit new connections to 25 per minute per IP
sudo iptables -A INPUT -p tcp --dport 27015 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 27015 -j DROP
# Limit UDP packets to 1000 per second per IP
sudo iptables -A INPUT -p udp --dport 27015 -m limit --limit 1000/second --limit-burst 2000 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 27015 -j DROP
Limit per-IP bandwidth:
# Allow 100 Mbps per IP (rough approximation)
sudo iptables -A INPUT -p udp --dport 27015 -m hashlimit --hashlimit-name gamelimit --hashlimit 100kb/s --hashlimit-burst 200kb/s -j ACCEPT
sudo iptables -A INPUT -p udp --dport 27015 -j DROP
Create rate limiting script:
sudo tee /home/steam/setup_rate_limits.sh > /dev/null <<'EOF'
#!/bin/bash
# Game server ports
PORTS=(2456 7777 27015 28015 34197 8211 16261 26900)
for PORT in "${PORTS[@]}"; do
# TCP rate limiting (50 connections per minute per IP)
sudo iptables -A INPUT -p tcp --dport $PORT -m limit \
--limit 50/minute --limit-burst 200 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport $PORT -j DROP
# UDP rate limiting (1000 packets per second per IP)
sudo iptables -A INPUT -p udp --dport $PORT -m limit \
--limit 1000/second --limit-burst 2000 -j ACCEPT
sudo iptables -A INPUT -p udp --dport $PORT -j DROP
done
# Save rules
sudo iptables-save | sudo tee /etc/iptables/rules.v4
echo "Rate limiting rules applied"
EOF
sudo chmod +x /home/steam/setup_rate_limits.sh
Connection-Based Rate Limiting
Limit concurrent connections per IP:
# Maximum 20 concurrent connections per IP to game server
sudo iptables -A INPUT -p tcp --dport 27015 -m connlimit --connlimit-above 20 -j REJECT
# Maximum 50 concurrent UDP connections per IP
sudo iptables -A INPUT -p udp --dport 27015 -m connlimit --connlimit-above 50 -j DROP
SYN Cookie Protection
SYN cookies prevent SYN flood attacks:
# Enable SYN cookies
sudo sysctl -w net.ipv4.tcp_syncookies=1
# SYN flood protection thresholds
sudo sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sudo sysctl -w net.ipv4.tcp_synack_retries=2
sudo sysctl -w net.ipv4.tcp_syn_retries=2
# TCP timeout settings
sudo sysctl -w net.ipv4.tcp_fin_timeout=15
sudo sysctl -w net.ipv4.tcp_keepalive_time=300
# Make permanent
echo "net.ipv4.tcp_syncookies=1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.tcp_max_syn_backlog=4096" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Monitor SYN attacks:
# Check for high number of SYN packets
netstat -an | grep SYN_RECV | wc -l
# Monitor in real-time
watch -n 1 'netstat -an | grep SYN_RECV | wc -l'
# Check with ss command
ss -an | grep -i syn | wc -l
Connection Tracking
Optimize connection tracking:
# Increase connection tracking table size
sudo sysctl -w net.netfilter.nf_conntrack_max=1000000
sudo sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=600
sudo sysctl -w net.netfilter.nf_conntrack_tcp_timeout_time_wait=60
# UDP timeouts
sudo sysctl -w net.netfilter.nf_conntrack_udp_timeout=30
sudo sysctl -w net.netfilter.nf_conntrack_udp_timeout_stream=180
# Optimize TCP parameter
sudo sysctl -w net.ipv4.tcp_tw_reuse=1
# Apply settings
sudo sysctl -p
Monitor connection tracking:
# Current connections
cat /proc/net/nf_conntrack | wc -l
# Maximum connections
sysctl net.netfilter.nf_conntrack_max
# Real-time tracking
watch -n 1 'echo "Connections: $(cat /proc/net/nf_conntrack | wc -l) / $(sysctl -n net.netfilter.nf_conntrack_max)"'
# Per-state breakdown
ss -an | awk '{print $2}' | sort | uniq -c | sort -rn
Network-Level Filtering
Blacklist Obvious Attacks
# Drop packets with invalid flags
sudo iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j ACCEPT
sudo iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
# Drop packets with unusual combinations
sudo iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Drop fragments
sudo iptables -A INPUT -f -j DROP
# Drop invalid packets
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
Whitelist Known Good Traffic
# Whitelist specific IPs (admin/friendly networks)
sudo iptables -A INPUT -p tcp --dport 27015 -s 203.0.113.0/24 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 27015 -s 203.0.113.0/24 -j ACCEPT
# Whitelist established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Crea undvanced filtering script:
sudo tee /home/steam/advanced_filtering.sh > /dev/null <<'EOF'
#!/bin/bash
# Game server ports
GAME_PORT=27015
# Flush existing rules (careful!)
# sudo iptables -F INPUT
# Drop invalid packets
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Drop packets with bad TCP flags
sudo iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# Allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Protect against port scanning
sudo iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j ACCEPT
sudo iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
# Game server protection
sudo iptables -A INPUT -p tcp --dport $GAME_PORT -m limit --limit 50/minute -j ACCEPT
sudo iptables -A INPUT -p udp --dport $GAME_PORT -m limit --limit 1000/second --limit-burst 2000 -j ACCEPT
# Connection limits per IP
sudo iptables -A INPUT -p tcp --dport $GAME_PORT -m connlimit --connlimit-above 20 -j REJECT
echo "Advanced filtering rules applied"
EOF
sudo chmod +x /home/steam/advanced_filtering.sh
Geolocation Filtering
Block traffic from specific countries (if needed):
# Download geolocation database
sudo apt-get install -y geoip-database
# Query geolocation
geoiplookup 192.168.1.1
# Create script to block countries
sudo tee /home/steam/geoblock.sh > /dev/null <<'EOF'
#!/bin/bash
# Example: Block traffic from specific countries
# Get IP ranges from MaxMind or similar
# China ASN blocks (example)
for CIDR in 1.0.1.0/24 1.0.2.0/23; do
sudo iptables -A INPUT -s $CIDR -j DROP
done
echo "Geolocation filtering applied"
EOF
sudo chmod +x /home/steam/geoblock.sh
Nota: Use geolocation filtering carefully as legitimate players may be affected.
Reverse Proxy Protection
Use Nginx as reverse proxy for servidores de juegos:
# Create Nginx upstream for game servers
sudo tee /etc/nginx/conf.d/gameserver.conf > /dev/null <<'EOF'
upstream gameserver {
server localhost:27015;
server localhost:27016;
server localhost:27017;
}
server {
listen 27015 udp;
location / {
proxy_pass gameserver;
proxy_buffer_size 32k;
proxy_buffers 8 32k;
# Rate limiting
limit_req_zone $binary_remote_addr zone=gamelimit:10m rate=100r/s;
limit_req zone=gamelimit burst=200 nodelay;
}
}
EOF
Create HAProxy-based DDoS protection:
sudo apt-get install -y haproxy
sudo tee /etc/haproxy/haproxy.cfg > /dev/null <<'EOF'
global
log stdout local0
maxconn 100000
defaults
mode tcp
timeout connect 5000
timeout client 50000
timeout server 50000
frontend game_frontend
bind *:27015
default_backend game_backend
# Rate limiting
stick-table type ip size 1m expire 60s store http_req_rate(10s)
http-request track-sc0 src
http-request reject if { sc_http_req_rate(0) gt 10 }
backend game_backend
balance roundrobin
server gs1 localhost:27016 check
server gs2 localhost:27017 check
EOF
sudo systemctl restart haproxy
Supervisión and Detection
Attack Detection
Monitor for attack signs:
# Check for SYN flood
watch -n 1 'netstat -an | grep SYN_RECV | wc -l'
# Monitor packet drops
watch -n 1 'cat /proc/net/snmp | grep Ip | head -5'
# Check for high packet rate
sudo iftop -i eth0
# Monitor UDP flood
watch -n 1 'netstat -s | grep "UDP packets"'
Crea unttack detection script:
sudo tee /home/steam/detect_attack.sh > /dev/null <<'EOF'
#!/bin/bash
# Thresholds for attack detection
SYN_THRESHOLD=1000
UDP_THRESHOLD=50000
CONN_THRESHOLD=5000
# Check for SYN flood
SYN_COUNT=$(netstat -an | grep SYN_RECV | wc -l)
if [ $SYN_COUNT -gt $SYN_THRESHOLD ]; then
echo "ALERT: Possible SYN flood detected ($SYN_COUNT SYN_RECV)"
# Trigger automated response
fi
# Check connection count
CONN_COUNT=$(netstat -an | wc -l)
if [ $CONN_COUNT -gt $CONN_THRESHOLD ]; then
echo "ALERT: High connection count detected ($CONN_COUNT)"
fi
# Check for port-specific attacks
for PORT in 2456 7777 27015 28015; do
PORT_CONNS=$(netstat -an | grep ":$PORT " | wc -l)
if [ $PORT_CONNS -gt 1000 ]; then
echo "ALERT: High traffic on port $PORT ($PORT_CONNS connections)"
fi
done
echo "Attack detection check completed at $(date)"
EOF
sudo chmod +x /home/steam/detect_attack.sh
Schedule detection:
sudo crontab -e
# Check every minute
* * * * * /home/steam/detect_attack.sh >> /var/log/ddos-detect.log 2>&1
Detailed Logging
Enable detailed packet registro:
# Log dropped packets
sudo iptables -A INPUT -p tcp --dport 27015 -j LOG --log-prefix "GAMESERVER_DROP: " --log-level 7
sudo iptables -A INPUT -p tcp --dport 27015 -j DROP
# View logs
tail -f /var/log/syslog | grep GAMESERVER_DROP
# Analyze attack patterns
grep "GAMESERVER_DROP" /var/log/syslog | awk '{print $NF}' | sort | uniq -c | sort -rn | head -20
DDoS Mitigation Services
Consider professional DDoS protection:
# Popular services:
# - Cloudflare DDoS Protection
# - Akamai Prolexic
# - AWS Shield Advanced
# - Google Cloud Armor
# - OVH DDoS Protection
# Setup with Cloudflare (example):
# 1. Point DNS to Cloudflare nameservers
# 2. Enable DDoS protection in dashboard
# 3. Configure game port forwarding to origin IP
# 4. Set cache rules and rate limiting
Benefits:
- Absorbs large-scale attacks
- 24/7 monitoreo
- Automatic mitigation
- No self-hosting burden
- Geo-distributed protection
Incident Response
Create incident response plan:
sudo tee /home/steam/ddos_response_plan.sh > /dev/null <<'EOF'
#!/bin/bash
# DDoS Incident Response
LOG_FILE="/var/log/ddos-incident.log"
ALERT_EMAIL="[email protected]"
respond_to_ddos() {
{
echo "DDoS Attack Detected: $(date)"
echo "Initiating response plan..."
# Step 1: Analyze attack
echo "Attack Analysis:"
netstat -an | grep -E "SYN_RECV|ESTABLISHED" | wc -l
# Step 2: Enable aggressive rate limiting
echo "Enabling aggressive rate limiting..."
sudo iptables -F INPUT
sudo iptables -A INPUT -p tcp --dport 27015 -m limit --limit 10/minute --limit-burst 20 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 27015 -j DROP
# Step 3: Drop non-essential traffic
echo "Dropping non-essential traffic..."
sudo iptables -A INPUT -p icmp -j DROP
# Step 4: Alert administrators
echo "Alert sent to $ALERT_EMAIL"
mail -s "DDoS Attack in Progress" "$ALERT_EMAIL" << MSG
Your game server is under DDoS attack.
Attack started: $(date)
Current connections: $(netstat -an | wc -l)
SYN_RECV states: $(netstat -an | grep SYN_RECV | wc -l)
Check /var/log/ddos-incident.log for details
MSG
# Step 5: Notify players
echo "Notifying players of attack..."
echo "Response plan executed"
} | tee -a "$LOG_FILE"
}
respond_to_ddos
EOF
sudo chmod +x /home/steam/ddos_response_plan.sh
Manual incident response:
# 1. Declare incident
echo "DDoS incident declared at $(date)" | tee /tmp/ddos_incident.txt
# 2. Gather information
netstat -an > /tmp/ddos_state_$(date +%s).txt
iptables -L -n -v > /tmp/iptables_state_$(date +%s).txt
ss -s >> /tmp/ddos_state_$(date +%s).txt
# 3. Implement immediate mitigation
sudo iptables -A INPUT -p tcp --dport 27015 -m limit --limit 10/minute -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 27015 -j DROP
# 4. Scale horizontally if possible
# Activate backup servers
# Distribute traffic across multiple IPs
# 5. Contact DDoS protection service if using one
# 6. Monitor response
watch -n 5 'netstat -an | grep -c ESTABLISHED'
Conclusión
DDoS protection requires a multi-layered approach combining red-level filtering, rate limiting, and monitoreo. No single solution is foolproof, but proper implementation can significantly reduce attack impact.
Key takeaways:
- Implement rate limiting at kernel and application levels
- Enable SYN cookies and connection tracking
- Monitor for attack signatures continuously
- Have incident response procedures documented
- Consider professional DDoS mitigation servicios for large infrastructure
- Test protection measures regularly
- Keep logs for post-incident analysis
- Communicate with player community during attacks
Comprehensive DDoS protection ensures stable, reliable game server operations.