(edited by Spartyr.6795)
This is really for fellow techies and not necessarily a help seeking topic. I’m just kind of brainstorming so if it’s in the wrong section I apologize, but it felt appropriate.
What if the game client had an optional input field for entering a secure token? The token is just a string, a random series of characters, and this token would be unique to a user and emailed to each user during a DDoS attack.
By default this field would not be required, but in the event of a large scale attack, it would be flagged on. A different server would handle all requests and check if this token exists, and do the database lookup to match the unique token to an active user account.
Any attempt to connect to the game that did not result in a token match would not even be handled by the auth server, those that did match get forwarded on.
You could even change the name of the input field occasionally when the client updates to make it harder to spoof, and limit the database lookups on your token server.
Anyone have any thoughts on if this would work?
That would only help with server traffic load, not with bandwidth load.
So yes, it would work, but not against all problems caused by DDoS attacks.
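A sketch of the token gate from the opening post, written here as an added example (not code from the thread or the game), with the gate counting ingress bytes separately from forwarded requests to show the reply's point that the filter saves auth-server and database work but not bandwidth. The wire format (a leading `TOKEN=` line), the per-source lookup budget and the hashed token store are assumptions of this example.

```python
import hashlib
import secrets
from collections import Counter

# Constructed token store: the token server keeps only SHA-256 hashes of the
# tokens it emailed out, mapped to the account each was issued to.
ISSUED = {"alice": secrets.token_urlsafe(32), "bob": secrets.token_urlsafe(32)}
TOKEN_HASHES = {hashlib.sha256(t.encode()).hexdigest(): acct for acct, t in ISSUED.items()}


class TokenGate:
    """Sits in front of the auth server; forwards only requests carrying an issued token."""

    def __init__(self, token_hashes, field=b"TOKEN", lookups_per_source=3):
        self.hashes = token_hashes
        self.field = field                 # client-side field name, renamable per client update
        self.per_source = lookups_per_source  # cap on token-store lookups any one source can cause
        self.lookups = Counter()
        self.ingress_bytes = self.db_lookups = self.forwarded = self.dropped = 0

    def _extract(self, payload: bytes):
        first = payload.split(b"\n", 1)[0]
        prefix = self.field + b"="
        return first[len(prefix):].decode(errors="replace") if first.startswith(prefix) else None

    def handle(self, src_ip: str, payload: bytes):
        """Return the matched account to forward to the auth server, or None to drop."""
        self.ingress_bytes += len(payload)  # the link already carried these bytes, valid or not
        token = self._extract(payload)
        if token is None or self.lookups[src_ip] >= self.per_source:
            self.dropped += 1               # no field, or source over its lookup budget: no DB hit
            return None
        self.lookups[src_ip] += 1
        self.db_lookups += 1
        acct = self.hashes.get(hashlib.sha256(token.encode()).hexdigest())
        if acct is None:
            self.dropped += 1
            return None
        self.forwarded += 1
        return acct

    def stats(self):
        return {"ingress_bytes": self.ingress_bytes, "db_lookups": self.db_lookups,
                "forwarded": self.forwarded, "dropped": self.dropped}
```

Run a few constructed requests through `handle()` and compare `ingress_bytes` with `forwarded`: every dropped request still adds to the byte count, which is the bandwidth the reply above says the token cannot protect.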
Yeah that’s a good point. Do you know how far up the pipe filtering would have to happen for bandwidth to not be an issue?
Like if you filtered traffic at the gateway of the datacenter is that enough, or would the ISP need to be involved, or does it go all the way back to a major backbone provider?
Typically, your backbone is going to have a high enough bandwidth (or at least enough alternate paths) to handle DDoS traffic. Everything else could potentially be at risk depending on the size of the zombie net.
What about the token idea including login mirrors?
The mirrors could dissipate bandwidth bottlenecking?
DoS attacks are service interruptions. There are only 2 ways to control and prevent DoS attacks.
1. Have an IPS/IDS that SYN-proxies the attacks to a faster Internet pipe (a 400Gbps DoS attack would have to be proxied to a 600Gbps pipe to make the originating pipe function properly). Currently only a few IPSes do this, Juniper IDP and TippingPoint IPS. And these devices cost hundreds of thousands to install/configure and implement. AND you still need the additional offload pipe to make it work (BW is cheap but not free).
2. Digest the target attack, and load balance your TCP sessions based on the source of that attack. This would require multiple datacenters across the world, all interlinked on 6+ ISPs each, and load balance all traffic accordingly. Basically, have more BW than any given attacker can source with. That way when an attack happens, and one of your transports is affected, you can change your BGP data to load balance your servers' connections away from that transport.
Other than that, nothing else would work. That is how these types of attacks work. It's a flood of data that requires no ack for it to continue.