1

Topic: DDoS

DDoS is a big problem for server hosters. This is a known fact. I want to show my idea for how to reduce that.

Every connection has a key which gets sent with every package. Packages without a key get put in a queue; any package with a key has a direct route to the server (if the key is the right one). Every package without a key gets delayed if there is too much load, and the server reserves resources for known traffic, for packages with a key. Free resources are used for unknown traffic. You get a key if you connect and can prove that you are a real player. You cannot use a key to DDoS the server because every package above a limit gets dropped (basically rate limiting per key). So if you keep your key private, you can only DDoS the connecting queue and you cannot touch people who are already playing.

So we have to decide whether to encrypt all packages (so that the key cannot get stolen), or to be vulnerable to man in the middle and not encrypt packages for speed.

Why is it important to keep your key private? Because if someone gets your key easily, he could flood the server with packages with that key and your packages get dropped too. -> Lags and/or kick because of abusing the key.

Basically we reserve resources for approved connections so those can't get hit by DDoS, only newly connecting players.

Your opinion, please.


2

Re: DDoS

Is this related to that? https://github.com/teeworlds/teeworlds/pull/986

3

Re: DDoS

Does not work. If an attacker cannot attack the teeworlds-server, then he will attack the whole server. This is anyway mostly the "standard". For example with massive traffic to overload your connection.

packages without a key gets in a queue

Next vulnerability. Then there will just be spam until your memory runs out. Furthermore, checking for your keys also demands CPU power.

There is simply no way to avoid a (D)DoS attack.

4

Re: DDoS

What you suggested would only work on the application layer, other layers are still attackable.
I even imply that this would work fine for Layer 7.


5

Re: DDoS

In my experience the attacks weren't on the Teeworlds protocol layer, but rather worked by just saturating the server's network connection. You wouldn't be able to block such an attack on the software level on the machine that is being attacked.

That being said, if you know that there are people targeting the Teeworlds protocol layer, then such a solution would work. For example in 0.7 we already have something like that implemented, but it's kind of hard to do it for 0.6 in a backward-compatible fashion.
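
The admission scheme from post 1, with the queue-memory and key-check-cost objections from post 3 handled by a hard queue cap and a stateless HMAC check, as an added example that is not part of the thread and is not the Teeworlds 0.7 implementation. The class, its parameters, the HMAC-derived key and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import deque

class Admission:
    """Keyed fast path with per-key rate limit; bounded queue for unkeyed packets."""

    def __init__(self, secret, rate=50.0, burst=100.0, queue_cap=256):
        self.secret = secret        # server-side secret, never sent to clients
        self.rate = rate            # tokens (packets) refilled per second per key
        self.burst = burst          # bucket size per key
        self.buckets = {}           # key -> (tokens, last_seen); valid keys only
        self.unkeyed = deque()      # pending packets from unknown senders
        self.queue_cap = queue_cap  # hard cap so a flood cannot exhaust memory

    def issue_key(self, addr):
        # Stateless key (assumption): HMAC over the client address, so the
        # server stores nothing until a client presents a valid key.
        return hmac.new(self.secret, addr.encode(), hashlib.sha256).digest()[:16]

    def admit(self, addr, key, payload, now):
        if key is not None and hmac.compare_digest(key, self.issue_key(addr)):
            tokens, last = self.buckets.get(key, (self.burst, now))
            tokens = min(self.burst, tokens + (now - last) * self.rate)
            if tokens < 1.0:
                self.buckets[key] = (tokens, now)
                return "drop"       # over the per-key limit
            self.buckets[key] = (tokens - 1.0, now)
            return "fast"           # reserved path for approved connections
        if len(self.unkeyed) >= self.queue_cap:
            return "drop"           # queue full: shed load instead of growing
        self.unkeyed.append((addr, payload))
        return "queued"

def demo():
    # Constructed input: one approved player plus a flood of unkeyed packets.
    gate = Admission(b"constructed-secret", rate=10.0, burst=5.0, queue_cap=3)
    player = "203.0.113.7:8303"
    key = gate.issue_key(player)
    counts = {"fast": 0, "queued": 0, "drop": 0}
    for i in range(1000):
        counts[gate.admit("198.51.100.%d:1" % (i % 250), None, b"x", 0.0)] += 1
    keyed = [gate.admit(player, key, b"input", 0.0) for _ in range(7)]
    later = gate.admit(player, key, b"input", 0.5)  # bucket has refilled
    return counts, keyed, later, len(gate.unkeyed)
```

This only covers the application layer; as posts 3 to 5 point out, it does nothing once the attack saturates the server's network connection.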