No Bullshit - Just Bulletproof.

We're sick of marketing teams generating statements which mislead and confuse customers.


The Sales-Pitch / what you want to hear

Mitigation on the network edge

Most large attacks are identified and filtered at the network edge, before they get anywhere near your server, by a combination of systems including (but not limited to) Tilera TILEmpowerGX 36 appliances and Arbor Peakflow TMS units.
The total mitigation capacity sits at about 3000Gbps, balanced between three locations: Strasbourg (France), Roubaix (France) and Beauharnois (USA/Canada).

What is 3000Gbps?

3000Gbps (3Tbps) is a capacity that can be used to block some DDoS attacks, and while that sounds great to throw around, the truth is that a lot of DDoS attacks won't be mitigated this way. They're too advanced and too new. At the same time, they're generally a lot smaller too.

So how much can you handle?

You will often hear companies make claims like "500-600Gbps Protection", but the truth is that they can only block certain DDoS attacks with this capacity. This means that if the DDoS attack being launched at your server is new, or they don't know about it, you will still be affected by it. Certain providers are getting good at blocking a large proportion of these DDoS attacks, but the truth is they will never be able to keep up with the number of new attacks and exploits being created every day. Every application has its own types of vulnerability, and new DDoS/DoS attacks are coming out for applications all the time. Trying to block all these attacks on every possible application is simply such a large task that there will always be certain methods which work.

How we're different

Our protection takes the typical way of blocking DDoS attacks (looking for attack traffic and blocking it) and completely inverts it: we only allow traffic we know is legitimate for your application.
We place this technique behind the typical mitigation methods to double down on protection and provide a level of security that is almost unmatched by other providers. We also only focus on what we're good at: game servers. We don't try to take on an impossible task in order to get more customers, because we want to focus on quality first.

The Details / the breakdown

Upstream mitigation:

Pre-Firewall

  1. Check UDP fragmentation
  2. Check packet size
  3. Authorisation of TCP, UDP, ICMP, GRE protocols
  4. Blocking all other protocols

Firewall

  1. Authorise/block an IP or a sub-network of IPs
  2. Authorise/block protocols:
    1. IP (all protocols)
    2. TCP
    3. UDP
    4. ICMP
    5. GRE
  3. Authorise/block TCP/UDP port interval
  4. Authorise/block TCP SYN packets
  5. Authorise/block all packets except TCP SYN

Tilera

  1. Malformed IP header check
  2. Incorrect IP checksum check
  3. Incorrect UDP checksum check
  4. ICMP limitation
  5. Malformed UDP datagram check
  6. DNS amplification vector check

Arbor

  1. Malformed IP header check
  2. Incomplete fragment check
  3. Incorrect IP checksum check
  4. Duplicated fragment check
  5. Check if fragment is too long
  6. Check if IP/TCP/UDP/ICMP packet too long
  7. Incorrect TCP/UDP checksum check
  8. Invalid TCP flags check
  9. Invalid sequence number check
  10. Zombie detection
  11. TCP SYN authentication
  12. DNS authentication
  13. Badly formed DNS request
  14. DNS limitation

Then our custom DDoS mitigation is applied.

Blocking attacks like

  1. Valve Source Engine Attacks and Exploits
  2. VSE/A2S Attacks including:
    1. A2S GetInfo
    2. A2S GetChallenge
    3. A2S GetRules
    4. VSE Flood Attacks

PlayerGate / pushing ahead

Introducing PlayerGate

PlayerGate works in a new way because it doesn’t look for the patterns found in attacks, as previous systems do. Instead, it looks for patterns that would be hard for an attacker to emulate. And because updates constantly change minor details in how games work, attackers need to keep up with every change, which is time-intensive.

This makes it much more expensive for attackers to get their foot in the door since they need to accurately emulate a lot of real-game behaviour before they can launch the attack. There are basically no attacks that are currently this advanced for games.

For the very few (private) attacks that do try to emulate the game, we can still identify highly specific abnormalities in how their client behaves, because they can’t perfectly emulate how the game would behave without a huge time investment, and in turn increased resource demand to launch the increasingly complex attacks.
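The "only allow what we know is legitimate" approach from the How we're different section, and the "behaviour that is hard to emulate" idea PlayerGate is built on, can both be shown with a small stateful gate in front of a Source-engine query port. The Python below is an added example written for this page; it is not PlayerGate and not the provider's code. It assumes the A2S wire formats published in Valve's Source query protocol documentation (four 0xFF bytes, a one-byte opcode, and for A2S_PLAYER/A2S_RULES a four-byte challenge that the server hands out in an `A` reply), and the `QueryGate` class, `classify_query` function, rate values and challenge lifetime are my own choices. Rather than matching known-bad payloads, it passes only byte-exact queries, requires that any challenge-bearing query echo a challenge this gate issued to the same source, and budgets each source with a token bucket.

```python
import secrets

# Wire formats follow Valve's public Source query protocol documentation
# (assumption: taken from that documentation, not from the page).
A2S_HEADER = b"\xff\xff\xff\xff"
A2S_INFO_BODY = b"Source Engine Query\x00"
NO_CHALLENGE = b"\xff\xff\xff\xff"        # client asking the server for a challenge
QUERY_OPCODES = {b"T": "info", b"U": "player", b"V": "rules"}

def classify_query(payload: bytes):
    """Return (kind, challenge) for a byte-exact A2S query, or None for anything else.
    Default-deny: any extra or missing byte means the packet is not a legitimate query."""
    if len(payload) < 5 or not payload.startswith(A2S_HEADER):
        return None
    op, body = payload[4:5], payload[5:]
    kind = QUERY_OPCODES.get(op)
    if kind == "info":
        if body == A2S_INFO_BODY:
            return (kind, NO_CHALLENGE)
        if len(body) == len(A2S_INFO_BODY) + 4 and body.startswith(A2S_INFO_BODY):
            return (kind, body[-4:])
        return None
    if kind in ("player", "rules") and len(body) == 4:
        return (kind, body)
    return None

class QueryGate:
    """Hypothetical stateful allowlist in front of a Source-engine query port.
    Three rules: only byte-exact queries pass; a query carrying a challenge must
    echo one this gate issued to the same source recently; each source gets a
    token-bucket budget. Rate and TTL values are arbitrary assumptions."""
    def __init__(self, rate_per_sec=5.0, burst=10, challenge_ttl=30.0):
        self.rate, self.burst, self.ttl = rate_per_sec, burst, challenge_ttl
        self.buckets = {}      # src -> (tokens, last_update)
        self.challenges = {}   # src -> (challenge_bytes, issued_at)

    def _take_token(self, src, now):
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[src] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def issue_challenge(self, src, now):
        """Record a fresh challenge for src and return the S2C_CHALLENGE reply bytes."""
        ch = secrets.token_bytes(4)
        while ch == NO_CHALLENGE:
            ch = secrets.token_bytes(4)
        self.challenges[src] = (ch, now)
        return A2S_HEADER + b"A" + ch

    def admit(self, src, payload, now):
        """Decide whether a datagram from src reaches the game server: (allowed, reason)."""
        parsed = classify_query(payload)
        if parsed is None:
            return False, "not-a-legitimate-query"
        kind, challenge = parsed
        if not self._take_token(src, now):
            return False, "rate-limited"
        if challenge == NO_CHALLENGE:
            return True, kind + ":challenge-request"
        issued = self.challenges.get(src)
        if issued is None or issued[0] != challenge or now - issued[1] > self.ttl:
            return False, "unknown-or-expired-challenge"
        return True, kind + ":challenged"

if __name__ == "__main__":
    # Constructed exchange: a client asks for info, is challenged, and echoes the challenge.
    gate, client = QueryGate(), "203.0.113.7"
    print(gate.admit(client, A2S_HEADER + b"T" + A2S_INFO_BODY, 0.0))
    reply = gate.issue_challenge(client, 0.0)          # what the server would send back
    print(gate.admit(client, A2S_HEADER + b"T" + A2S_INFO_BODY + reply[5:9], 0.5))
    print(gate.admit(client, b"GET / HTTP/1.0\r\n", 0.6))   # anything non-A2S is dropped
```

The point of the challenge rule is the one the text makes: a sender that only replays captured query bytes never holds a challenge issued to its own address, so its `U`/`V` queries are dropped without any signature for the flood, while a real client that follows the handshake is unaffected. The token bucket caps what even a well-behaved source can cost the server.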

Different attacks, different issues

We categorize attacks into two primary categories, Layer 7 and Layer 4, which we’ll refer to as L7 and L4 in the rest of this section.

L4: Network Layer

L4 attacks aim to bring a server down by overloading its connection to the internet. For example, if a server has an “unprotected” 100Mbps connection to the internet and a 200Mbps attack hits it, its internet connection can be saturated and go down.

[Figure: L4 attack diagram]

Generally, L4 attacks aren’t hard to block: you just need more internet capacity than the attacker. We leverage OVH’s “VAC” system (over 3Tbps) with some custom rules to handle all our layer 4 attacks, and it works really well.

These attacks work universally on any internet-connected service, and they’re very easy to launch. But they’re expensive because you always need more bandwidth than the person you’re attacking.

[Figure: L4 attack absorbed by the VAC]

L7: Application Layer

L7 attacks are generally a lot smaller than L4 attacks and aim to bring the server down by overloading the server itself. For example, they might try to exhaust the CPU or exploit a design flaw in the application.

These attacks are generally cheaper to launch and harder to block because they mimic real-user behaviour. However, they’re game/application-specific and require some brains to develop.

While providers like OVH often provide L7 protection, it’s generally only good against the most common types of L7 attacks. New or unusual attacks will bypass these systems.

How we previously handled L7

Previously we used pattern recognition to block layer 7 attacks, based on attack patterns we’d observed historically. This is how most mitigation systems work. We were able to do a better job than other companies because we could focus solely on Minecraft and Garry’s Mod, and had connections to the people who often developed these attacks.

It’s a situation where being a smaller company is an advantage – as we could be more responsive to emerging threats in these games, rolling out, or rolling back changes almost immediately, because we had greater real-time visibility into how the changes impacted our customers.

In Summary

Traditionally, mitigation systems have worked as a cat-and-mouse game, with hosting companies responding to emerging threats as they appear. PlayerGate turns traditional mitigation on its head, putting us ahead of the attackers while simplifying our protection stack and making it more cost-effective to run.

Since September 2020 we have been running this system, with 100% efficacy, on some customers who were previously targeted frequently by attackers.