DDraceNetwork - developer

DDraceNetwork

Development / developer

Development discussion. Logged to https://ddnet.tw/irclogs/ Connected with DDNet's IRC channel, Matrix room and GitHub repositories — IRC: #ddnet on Quakenet | Matrix: #ddnet-developer:matrix.org GitHub: https://github.com/ddnet

Between 2018-11-12 00:00:00Z and 2018-11-13 00:00:00Z

formated pc and dl newest version of ddnet and i had mini lags/fps drops. dl version 10.8.6 no lags and no problem

12:32

am i stuck with 10.x forever now? =/

idk, what's the current technique for preventing DDoS? or how do they attack? random or chosen ips for spoofing?

@Lexin Can you describe / show the drops? are they visible in ctrl-shift-d ctrl-shift-g? with opengl3 off?

@deen you know that you have less FPS too, don't you? i asked you to profile, but you never did xD (edited)

Nope, I just noticed that the old fps counter was really bad

14:39

if you change the counter then of course the numbers look different

i said, the counter might be strange, but it's unlikely that its completly wrong

14:39

so you changed the fps counter in the old version?

how do you want it profiled?

and then it was same?

nope, I just noticed that the counter kept increasing all the time

well easiest is just use some external fps meassurement

no idea how to do that

mhh, but if you want just use any common cpu profiler.. the problem is most probably a CPU problem anyway

14:41

i also did profiling, but didnt find anything suspecious

well, if I use valgrind then you're unlikely to see anything interesting, since it slows down execution by a factor of 100-1000

yeah probs the best to test

@deen can you confirm that the new client exports all function symbols? atleast it seems so, dunno if that can affect runtime

@deen

Hell_1_V2_2018-11-12_17-50-35.demo

719.94 KB

16:54

i can do another one with ctrl+shift+d if u want/need (edited)

16:54

this pretty much shows the drops, its a drop in fps aswell

Virus. never saw such an strange name for a file. It even ends in .demo wth. troll

troll

16:56

@Learath2 is it you or heinrich who was/is working on anti ddos software stuff? Blindhero was wondering and i dunno if his message wil be burried.

anti ddos software? There is no such thing

Well you reduce packages and stuff or idk what. I am no specialist

16:59

But you can read his message up there

@15:29

There is no solution to ddos at our price range. Best we can do is to get a server with more bandwidth and more cores to drop garbage quicker

17:01

It'd maybe help with the current weak ddos, but when the actually serious attackers come by it's way more then what we can hope to process anyways

@Blindhero here is your answer.

hm..

17:04

i mean, usually incoming packets are dropped at a specific layer for a given filter

17:04

the lower the layer, the more efficient is it i think, right?

so you made up some witchcraft to monitor all players 24/7 but u cant whitelist ips?

At nfoservers we have a very sophisticated firewall at a low layer. So I can go in and filter attacks on a case by case basis. But not all attacks actually have a pattern, nor can you employ proper protocol parsing at the router level (not at this price anyways) to check if packets are actually valid.

17:06

Even if all the attacks had a pattern someone would need to sit in front of a computer 7/24 to write up the filters

those packets still have to get filtered ( eg analysed )

Now there is hardware that can actually do the parsing and even employ machine learning to filter stuff but they are like 500 euros a month at a more expensive host like leaseweb

:(

When/if the attacks get more serious I might get GER2 again. I couldn't test it the last time around because I wasn't here. Want to see how a quad core with a gigabit link handles the load. But people really don't seem to want to play on anything except GER

i have a ping of 6-8 there, would be a reason enough

What type of ddos is usually happening ? i'll try to ddoss my vps to see how to included protection handles it

hmm, not sure if I really want to say which type is the most effective

17:12

but we get synfloods, spoofed protocol packets (these aim to drown the teeworlds server itself), udp garbage

couldn't you filter "not connected ips" for the spoofed protocol packets?

Also a quick note, even if the included protection "handles" it it's bad for us. We need legit packets to get through. Automated filters usually see a pattern and block it. The pattern doesn't have to be invalid

and just let some of them in? i mean with certain rules (edited)

@Blindhero this is exactly what I was thinking but then we need a better way to whitelist ips then using the game servers themselves

rgr, yeah those automated ddos protection thingy often blocks entire coutrys and so on ^^

glad to hear, that it's not a dumb idea

or we get spoofed connect flood, even with challange response it still drowns the server

oh..

I was thinking of a fake teeworlds server that just emulates the connection, put it behind a load balancer and run it on a couple virtual machines on digitalocean or sth. But then you'd first have to connect to that before being able to connect normal ddnet servers

17:16

which might be weird

17:16

and it wouldn't work on any host except GER, as only nfoservers has a proper firewall

isn't there a possibilty to forward the client to another server? i think i've seen it on some blocker servers (edited)

might get laggy but that's a good idea and pretty straigtforward

not possible

hm.. how did they do it then? there was something like a teleporter, and as soon as you passed it, the client connected to somewhere

they employ hacks such as a front facing proxy, you don't actually connect to a new server, you only get packets from a different backend server, very unreliable solution under ddos

17:18

or they just run multiple maps on one server, I've seen them aswell

hm.. okay

there is however no way to force the client to connect to a new ip (it'd be a security issue :P)

i bet you will find a good solution

17:18

yeah sure

I doubt I'll find any good solution tbh

17:19

Best I can come up with is a clunky gatekeeper server you have to connect to before you connect to other servers

17:19

might work if we only do it under attack

17:19

but it's an ugly solution at best

why is it actually UDP and not TCP? because of the latency?

17:21

or would it have any effect on ddos?

Overhead, the game is pretty timing sensitive tcp might add way too much overhead

i thought so

even if it's just a couple ms it'll throw off people that have been training for years

17:23

besides I doubt tcp would help much in this case tbh

okay then

The recent attacks are mostly small scale, around 10-20M, a serious attack gets pretty ridiculous. Like Sum 65.506.000 packets/300s (218.353 packets/s), 3.530 flows/300s (11 flows/s), 27,752 GByte/300s (757 MBit/s)

wow

That's around 100M/s

yeah i know

Just didn't want to leave the units different

@Deleted User Nope, the version we release says "no symbols"

20:26

but the executable certainly has grown in size

20:27

@heinrich5991 Are we linking in too much stuff? File size changes: DDNet: 4.1 MB -> 6.9, DDNet-Server: 0.8 MB -> 5.3 MB, etc

well my mapres is going to be over 400mb so what damage could it make?

@heinrich5991 11.1.9 was still fine-ish, 11.2 is huge

[quakenet] <Learath2> that message didn't go to discord either

20:32

[quakenet] <Learath2> but this one did ^^ huh

20:33

[quakenet] <heinrich5991> ah yea, we link curl for modhelp stuff

@heinrich5991 yeah, curl was added, sounds like a probable culprit

[quakenet] <heinrich5991> that can be removed I guess

20:34

[quakenet] <heinrich5991> however we'll probably link to curl in the long term

20:34

[quakenet] <heinrich5991> so we might also figure out a solution to this instead

20:34

[quakenet] <heinrich5991> e.g. by not linking to libcrypto (I think) statically

but why is the client also bigger?

20:34

didn't it always link curl?

20:35

ah, client already was bigger in 11.1.9, so that's something else

20:36

anyway, that's probably not what's causing the fps drops, I'll try getting @Deleted User's fps fix into 10.8.6 and see what it does

20:38

Not moving in the correct direction generally :/

Image attachment

[quakenet] <Learath2> hmm, is there a tool that shows up what takes space in a binary?

yes

20:46

there's a way to tell the linker to warn about unused library linkages

20:46

you can use bloaty to see what's in the binary: https://github.com/google/bloaty

Bloaty McBloatface: a size profiler for binaries. Contribute to google/bloaty development by creating an account on GitHub.

20:46

and we could also use LTO and --gc-sections to get rid of useless stuff

@Deleted User so what should I cherry-pick?

21:05

With https://github.com/ddnet/ddnet/pull/1055 cherry-picked on top of 10.8.6 i get the exact same FPS numbers as in current client

Keep track of lost frames and update time by Jupeyy · Pull Reques...

The problem a friend was occuring was, that on a fresh Windows install settings like cl_refresh_rate are set to 480. Since the render calls take longer time than no render calls, it happened that c...

deen, did u see my post above?^^

@Lexin yes, but for me there is no difference, so I can't debug it

@deen but that does only affect cl_refresh_rate and gfx_refresh_rate anyway

21:42

the guy in general chat said it happens regardless of the settings

21:47

@deen gdb -> info functions clearly shows that the binary exports symbols. to be precise it doesn't strip the fvisbility= effect from gcc. when i add fvisbility=hidden and strip the client it's insanly much smaller.(i also added -s and -g0 to be safe) but i don't know if that can affect runtime, since it's just some symbols the possibilities are:

something doesnt compile like with bam, which was still the case in 10.8.6

the new text renderer, however unluckely to affect a GTX 1060, like from the guy in gen chat

some changes from heinrcih bcs of the async tasks that were removed

other code i don't know, that was added to the loop, i'd need your memory and insight to know

(edited)

yeah, i tried different settings, didnt rly change anything. I'll stick with 10.8.6 for now

i have a 1060, working fine @Deleted User

yeah it's more likely that he has a worse CPU than you

probably

and then it's more likely to be some code fault

ohh

i just looked at the demo from the other client and it doesnt lag? wat xd

22:34

teeworlds is too weird man

Exported 119 message(s)