Facing a community's largest challange: Tackling DDoS attacks without a lot of budget

It's nothing new that the internet is a harsh, unforgiving place. Phishing attacks are waiting for unsuspecting victims, worms are spamming your mail inbox, and worst of all: The website you're trying to access is not responding.
The most frustrating part about websites, apps etc. not being able to load is, however, likely not the poor infrastructure, but usually the result of Distributed Denial of Service attacks.

What is a DDoS attack?

Distributed Denial of Service attacks (short: DDoS) are a nasty type of attack you can find on the internet. By overloading either application processing power or the network itself, this type of attacks slows down the system to a near-halt. Most common attacks include volumetric amplified UDP floods and Synfloods.

How does a DDoS attack work?

Depending on which resource the attack is supposed to exhaust, the approach is chosen. If the target is the victim's bandwidth, then usually a lot of requests are sent to lesser secured servers offering some sort of database, for example DNS servers. Since UDP does not perform a handshake like TCP does, this causes the lookup server to send the reply to another server. Since servers serving DNS lookups usually have a large bandwidth to offer (so they can serve a lot of clients). This allows a fairly small request to cause a lot of traffic on the victim's end, and also grants another layer of anonymity.

Synfloods work slightly different. Since they require a handshake, it is incredibly hard to properly spoof an IP address when targeting someone. Instead, a Synflood does exhaust the target's computing resources. By sending the opening message of a TCP connection (SYN - "I want to establish a connection!"), this makes the server assume that a new client wants to connect, so it responds with Syn-ACK ("Yes, I've heard that you want a new connection. What would you like to tell me?"). This is where the attacker, instead of responding, stalls the connection, and the more connections you have open, the more computing cycles a connection wastes.

Why are small communities being attacked?

This is... a rather weird question that I cannot really answer. The internet is a cruel place. The community servers that we are hosting are for the game SCP: Secret Laboratory, a game built 100% free to play by Northwood Studios. They finance themselves purely from donations and volunteers working for them, so it doesn't even make sense to target them in the first place. Our dedicated servers have always been our bottleneck, and are likely to remain one, since mitigating DDoS attacks with a small budget is near impossible.

How did we solve the problem?

The solution to the problem came from an unexpected side. Since our hosting provider, MyLoc, refused to offer some sort of ddos protection and instead decided to ridicule us, telling us to "get a firewall" (despite us having one) and only offering us 300 MBit/s throughput for our server, we decided to call it a day and switched over to OVH. During a limited-time server sellout, we were able to get a new server that has roughly less power than our old one, but way better connectivity and a dedicated firewall layer that is not counted to our quota. This, in itself, is awesome as it does grant us fine-tuned control without another third party charging us ridiculous amounts of money for scrubbing our terrabytes of attacks. We might not be able to solve the issue ourselves because we can't get a scrubbing endpoint with enough connectivity, but we surely can use one that is included for fairly cheap. Especially considering most services, like Cloudflare, only protect TCP applications.

This change wrapped up the chapter of common spooks and waking up to see multiple terabyte of data having been sent to our servers over night to an end. An end we wish we could've achieved earlier than this. Let's just hope the new servers keep up with our demands.

I want to help communities to make this cut, just like we did. If you have any questions, feel free to contact me directly. Everyone who pours their heart and soul into their projects should be rewarded with attention, not attacks.

Add a comment

Next Post