DDraceNetwork
Development / developer
Development discussion. Logged to https://ddnet.tw/irclogs/ Connected with DDNet's IRC channel, Matrix room and GitHub repositories - IRC: #ddnet on Quakenet | Matrix: #ddnet-developer:matrix.org | GitHub: https://github.com/ddnet
Between 2021-09-27 00:00:00Z and 2021-09-28 00:00:00Z
Avatar
Avatar
heinrich5991
it's 1 for me, I think it's from old configs or so
same xd
Avatar
oh shoot, my root partition is full xd
05:50
Vacuuming done, freed 2.1G of archived journals from /var/log/journal/a503a8916b0c464887abc56e8a5782a1
05:50
monkalaugh
05:50
time to add SystemMaxUse=100M to systemd
05:52
ok what was taking most of my root partition was pacman cache
05:52
freed 30gb xd
05:54
it would be more useful if the pacman cache were located in my home partition which is way bigger tho
05:54
but im 2 lazy to do anything rn monkalaugh
Avatar
@Deleted User i have *** No rule to make target '/usr/lib/x86_64-linux-gnu/libGL.so' error on linux after adding ur fng scoreboard : (
07:33
and i have no clue how to deal with libs errors
Avatar
Delete build directory and try again
Avatar
Who do you think will take the german chancellory? I don't see a clear lead for either CDU or SPD from outside. Greens would probably prefer SPD but I don't see FDP backing SPD. Nor do I see Greens backing CDU
Avatar
spd probs
12:12
Avatar
You think FDP will change their stance?
Avatar
why u look at German politics xd
Avatar
Well germany has an extreme amount of influence in the eu
Avatar
SPD and CDU dont wanna work together, they will take a third one
12:16
probs greens
12:16
anyways its shit that cdu got so much again
Avatar
Tho I'm a bit of a politics person, so I follow a lot of different countries politics
Avatar
fucking 60+ age people
Avatar
lol everywhere its 60+ age ppl
Avatar
Well SPD got great results in the older demographics. Afaik they actually lost a fair bit of young peoples votes (probably shifted to the greens)
Avatar
@Ryozuki germany has too many of them, + we got 24% not voting at all
Avatar
The issue also is, the old cdu voters dont care whats good, they are voting cdu because its always been like that
Avatar
Avatar
fokkonaut
SPD and CDU dont wanna work together, they will take a third one
SPD can take the Greens but is that enough? I think they need the FDP aswell to have the votes
Avatar
Avatar
Learath2
SPD can take the Greens but is that enough? I think they need the FDP aswell to have the votes
If they completely wanna work without cdu, yes
Avatar
Avatar
fokkonaut
The issue also is, the old cdu voters dont care whats good, they are voting cdu because its always been like that
thats how it works here too
12:19
xd
Avatar
only 76% of all voters voted
12:19
like of people who are allowed to
Avatar
thats a lot
12:19
its not
Avatar
Ah you think they will take CDU too, hmm. How would they ever agree tho. I doubt CDU wants to give up the chancellory
Avatar
xd no
Avatar
Avatar
Learath2
Ah you think they will take CDU too, hmm. How would they ever agree tho. I doubt CDU wants to give up the chancellory
Ye, I think they will work with cdu tho, cdu got a lot of votes
12:20
But:
Avatar
for reference here last elections only 66% ppl voted
12:20
76 is a lot
Avatar
they wont work together just as cdu and SPD, they will take another one if that will happen
Avatar
Avatar
Ryozuki
for reference here last elections only 66% ppl voted
probs smaller country?
Avatar
u know how percentages work?
12:21
but still
Avatar
Avatar
Ryozuki
thats a lot
It's always above 70% in turkey because compulsory voting :P
12:22
But even in turkey with punishment for not voting we couldnt get above 90%
Avatar
76% is rly good lets not be retardeds xd
Avatar
I think it's fairly decent, especially with how desensitized people are from voting nowadays
12:24
I see it especially in younger people. Older generation seems to appreciate their right to vote much more. Which is partly why conservative ideas are so overrepresented
Avatar
i can feel why younger ppl dont want to vote, u simply dont find anyone good enough
12:25
i felt that last elections
12:25
but still voted a meh one
12:25
idk what i will do in the future
Avatar
Well if you dont vote at all you get situations like the US. Where the 25% christian evangelists control a whopping 35% of the congress
Avatar
when the elections basically get reduced to "lets vote this so this racist far-right doesnt get it"
Avatar
10% overrepresented
Avatar
u know things are fucked up
Avatar
Avatar
Ryozuki
76% is rly good lets not be retardeds xd
its not because most of the non voters are young people
Avatar
Or in the UK, where ukip votes just went to the trash
Avatar
Avatar
Learath2
Well if you dont vote at all you get situations like the US. Where the 25% christian evangelists control a whopping 35% of the congress
in the us voting is hardere
Avatar
I wonder if there are statistics about non-voters demographics
Avatar
u have to do some tax thing or smth
12:27
harder*
Avatar
Afaik you just need to register and not be puerto rican
12:28
Imagine being a us citizen and not being allowed to vote on president lmao
Avatar
Democracy gang
Avatar
if CDU goes into the government, all 3 parties, CDU, FDP and green will lose alot of votes bcs nobody likes laschet xD
Avatar
what is laschet like
Avatar
even CDU doesnt want him xD
Avatar
aka what he wants to do
Avatar
How did laschet even get to be their candidate. Stupidest decision I've seen in years
Avatar
that says everything xD
12:29
the moment he lost the election
12:29
laughing like a clown when ppl died bcs of the water catastrophe
Avatar
@Deleted User i found this, is it funny?
12:30
idk what it means
12:30
xdd
Avatar
They so should have picked söder, he was the much better candidate imo
Avatar
Avatar
Learath2
How did laschet even get to be their candidate. Stupidest decision I've seen in years
yeah he never was the most famous, but also as bad as he is now he fucked up the campaign xD
12:30
not as bad*
12:31
@Learath2 did u know merkel has been in charge longer than putin
Avatar
Avatar
Learath2
They so should have picked söder, he was the much better candidate imo
im not that sure tbh, söder is bayern first, germany second
Avatar
Now all that remains is for SPD to go a little back to its roots and embrace workers and trade unions. Then we can finally have a major world power with a robust labour force
Avatar
SPD is not what you think
12:33
its CDU just with minimum wage
12:33
atleast Scholz represents that
Avatar
ok putin was older
Avatar
I'm aware that they aren't really much of a difference. That's why I said they need to go back to their roots :P
Avatar
i c
12:34
well idc who is in the might, my ideology is simple, replace humans with robots xd
Avatar
Shame to see die linke losing almost 3 points
Avatar
slavery will never stop, so slave the robots
12:34
instead of the humans xd
Avatar
Avatar
Learath2
Shame to see die linke losing almost 3 points
almost 5% actually
12:35
Avatar
I really want to take a look at the demographics of these moves when I have some time. It's really interesting to see how these happen
Avatar
its simple 40% of all voters in germany are 60+ years if they dont like CDU, they vote SPD and vice versa xD
Avatar
same here
12:39
but its PP and PSOE
12:39
xdd
Avatar
Heh, interesting to have 2 parties that are essentially the same
12:40
In turkey it's so wack. If you don't like your party, sucks to suck because it's either far right or far right or far right or center left
12:41
And all the flavours of far right are different. One is religious, one is racist, another is a neolib in disguise
Avatar
well CDU and SPD were the leaders since 2013
12:43
the biggest problem is that such long periods increase corruption
Avatar
Oh btw what do you think will happen? What do you predict the final coalition will be?
Avatar
if FDP and green go with CDU(and CDU will probably just give FDP and green whatever they want, bcs they only care about might) then FDP and green will probably lose alot of their voters So its risky, SPD is more likely
Avatar
Soo, SPD, Green, FDP?
Avatar
depends, also possible that none of that comes, bcs FDP blocks, like in 2017
12:45
FDP is always a bet
12:46
their program and their political style
12:46
i might work or not xD
Avatar
Yep, FDP doesnt look very warm to the idea, that's why I was asking around
12:47
Do you think CDU + SPD is possible? Sounds very unlikely to me as both want the chancellory
Avatar
mhh, not very likely, they might even prefer to trigger reelection instead
12:47
bcs all younger ppl would hate this xD
Avatar
Yeah, that's what I figured too, fokko made me re-think
Avatar
never say never, 2017 exactly this happened
12:48
and SPD lost most of their voters
12:48
if green and CDU didnt fuck up their campaign SPD wouldnt be so strong
Avatar
Without the FDP though there is no way out. AfD is insane, die linke doesn't have the votes.
12:50
Could the Greens swing to CDU you think
12:50
?
Avatar
it can work, but i'll tell you then green loses around 7-10% of their voters
12:52
https://www.tagesschau.de/wahl/archiv/2021-09-26-BT-DE/charts/index/chart_918206.jpg thats how much ppl want the representant to be the leader of our country
12:52
not even CDU voters like laschet xD
12:54
12:54
this is why green will lose most voters
12:54
"Which party has the best answers to future questions"
12:54
CDU = do nothing
Avatar
Scholz is a moderate tho, no? He will do nothing aswell :D
Avatar
yeah but the SPD base is mid-left i'd say
12:55
SPD is really green without as good climate concepts
12:56
i dunno if you know how these parties come together
12:56
but its not like they can just decide without their base
Avatar
I mean they can, if they don't mind the fallout. Happens at the end of political viability. E.g. MHP in turkey aligned with the AKP because they lost 10% and they were projected to lose more.
Avatar
ah for your question why die linke is so weak:
12:58
12:58
"I fear, that i cannot hold my life standard"
Avatar
If the base doesnt like you anymore you dont need to concern yourself with their thoughts :P
Avatar
thats something where die linke was strong in the past, for the worker class
Avatar
Avatar
Deleted User
Click to see attachment 🖼️
How does this graph work? How many percent of that parties voters agree with the statement?
Avatar
its a question that is asked to the voter, and he says what party he elects
13:00
so most ppl vote for AfD fear this
Avatar
I see. Not very surprised that AfD performs so well in that metric
13:03
So die linke used to perform better here, but they dont anymore? I wonder where these voters moved to
13:04
Where do you get these graphs? I'd like to take a look at them too
Avatar
Afd is very aggressive and simple in their language E.g. just blame immigrants
13:05
So yeah that's probably the main reason
Avatar
Avatar
Learath2
Where do you get these graphs? I'd like to take a look at them too
Hochrechnungen und Ergebnisse, Analysen und Grafiken zur Bundestagswahl
Avatar
Avatar
Deleted User
Afd is very aggressive and simple in their language E.g. just blame immigrants
It is a very simple idea actually. Less immigrants = more for us. There is a reason it's so popular all around the world :D
Avatar
as hard as it sounds most ppl dont really think alot so this is an easy answer to a complex topic
Avatar
Avatar
Ryozuki
@Deleted User i found this, is it funny?
i dunno if you know the original meme, but homer says "your worst day until NOW", here he says the worst voters count until NOW
Avatar

Checklist

  • [x] Tested the change ingame
  • [ ] Provided screenshots if it is a visual change
  • [ ] Tested in combination with possibly related configuration options
  • [ ] Written a unit test if it works standalone, system.c especially
  • [ ] Considered possible null pointers and out of bounds array indexing
  • [ ] Changed no physics that affect existing maps
  • [ ] Tested the change with [ASan+UBSan or valgrind's memcheck](https://github.com/ddnet/ddnet/#using-addresssanitizer--u...
Avatar
@Dev would be nice to have a couple more hands on deck
Avatar
for what
Avatar
if that role is even highlightable 😛
Avatar
Help me look for the exploit?
Avatar
troll
Avatar
whats the exploit
Avatar
@Learath2 doubt there is a real exploit
Avatar
vali or someone flooding servers with connecting
Avatar
i was playing doto
Avatar
he's probably just spamming with random ips
Avatar
He shouldn't be able to get a slot allocated with random packets
13:51
Both the ddnet and the vanilla layer require a handshake before giving a slot
Avatar
all i can say is, that its not happening on my servers, maybe because its a 0.7 server and they have even handshakes for connecting packets and all
13:51
he just ddosed my server today
Avatar
Avatar
Learath2
Both the ddnet and the vanilla layer require a handshake before giving a slot
mh
Avatar
I think only DDNet's servers were targeted
Avatar
KoG is gone too
Avatar
and my server was targeted too
Avatar
Time to add a username/password login feature to play the game xD
Avatar
Avatar
Learath2
He shouldn't be able to get a slot allocated with random packets
another mikrotik botnet with needed scripts targeted for teeworlds monkalaugh
13:56
to*
13:58
probably
Avatar
CAPTCHA to join servers xD
Avatar
I believe it's fixed now (@Learath2)
Avatar
@heinrich5991 how
14:09
KoG is gone again
14:10
ger too
Avatar
i see 200 servers now only
Avatar
ye its not fixed xd
Avatar
is vanilla affected?
Avatar
yep, it's a standard vanilla connect flood
Avatar
but it causes a crash?
14:23
or just ddos
Avatar
well it's a dos, it will fill your server and other players won't be able to connect as a result
14:24
it won't crash
14:24
it does seem to cause some internal issue though, should simulate that attack and profile it sometime to see what is going wrong
Avatar
but it does spit out a decent amount of packets according to #bot-cmds
Avatar
the missing servers are probably due to the massive reflection causing hosters to block us
14:25
:/
Avatar
they aren't null routed on CHN tho, which is kinda weird
Avatar
looks more like a master server issue?
14:26
i can connect to qshar.com in server browser
Avatar
i can't connect to chn's ip directly as well
Avatar
The master server also uses serverinfo requests at this time, so if the hoster is dropping them that won't work either
Avatar
cant the http list try to connect to the servers
Avatar
Soon(tm) we'll have the servers contact the master over http too so this will be less of an issue
Avatar
and only drop them if they dont respond for a certain time
14:27
(the tool for it ofc)
Avatar
Avatar
Deleted User
and only drop them if they dont respond for a certain time
well we only drop them after they fail to respond to 10 serverinfo requests
Avatar
but not time based?
14:28
or is there a delay
Avatar
http list grab servers from masters tho
Avatar
the connect packet wouldn't be any more immune to hosters "smart" filters
Avatar
Avatar
Deleted User
but not time based?
well the requests are sent periodically, so it is technically time based
Avatar
ok
Avatar
they might have found out exactly how much bandwidth chn servers have, and they are just keeping it at threshold.
Avatar
Have you checked that connections can still get through from outside the great firewall?
Avatar
i have no idea
Avatar
I couldn't connect to chn6 a couple minutes ago
Avatar
i can't even connect within the wall
14:31
but dashboard still shows pretty high bandwidth usage
14:32
and it is draining data limit 🤔
Avatar
fwiw the great firewall seems pissed
Avatar
that's good i suppose lol
Avatar
7dc2284 add ctrl+backspace for ingame console - BloodWod-513
c0cdfda Merge #4182 - bors[bot]
Avatar
@Deleted User any insights on bad m1 performance? https://forum.ddnet.tw/viewtopic.php?t=7282&p=69670#p69670
Avatar
i'd say apple gives a shit about opengl xd
15:32
probs software renderer or smth
15:33
15:33
it says 2.1 Metal
15:33
isnt metal the fancy apple thing
Avatar
vulkan just for apple fans xd
15:33
so i guess its some software renderer that uses metal, or a really bad translation layer
Avatar
@Deleted User when port to vulkan
Avatar
i can do that yeah
15:36
but will probs cause like 5k lines of code, vs 1.5k for opengl 3.3
15:36
vulkan is really verbose
Avatar
I am sorry, I missed the point of the problem it's not about fps, it's about a little delay of keyboard and mouse (like vsync) actually fps on m1 looks like ok
15:36
@Deleted User i know its verbose
15:36
but more control
Avatar
oh
Avatar
did u ever try it?
Avatar
its not about fps, got that wrong
Avatar
Avatar
Ryozuki
did u ever try it?
vulkan?
Avatar
yes
Avatar
i got tired of setting up code to draw a triangle and never finished it
15:37
xd
Avatar
vulkan is alot about, you know what your program uses
Avatar
here my old attempt
Avatar
its like writing a driver for ddnet xd
Avatar
you have fixed size memory pools
Avatar
GitHub - gfx-rs/wgpu: Safe and portable GPU abstraction in Rust, implementing WebGPU API.
Avatar
e.g. descriptor pools
Avatar
this is a rly good project btw
15:38
its a higher level api
15:38
that can run dx 11 12 opengl vulkan
15:38
made in rust
Avatar
if i write vulkan i want full contrl xD
15:38
else i can also use opengl
15:40
you have to remember opengl 4.5 is really similar to dx 11
15:40
since these two were competitors
Avatar
dota 2 will soon remove the opengl support and keep only vulkan on linux
Avatar
opengl 3.3 is easier, but also has alot of API calls you probs wouldn't do in GL 4.5, binding stuff to units, instead of just using the objects id and stuff like that
Avatar
nice
15:42
sad we have around 1% of players only having opengl 1.x support
Avatar
"Moving DDNet Technology Forward" "Remove support for everything except VK"
15:42
that would be great
15:42
"Moving DDNet Technology Forward" "Rewrite it in Rust"
Avatar
I wonder what they use on macOS if they are removing GL, do they support Metal already?
Avatar
would indeed be easier to write vulkan only, instead of supporting opengl too 😄
15:43
just bcs its so different
Avatar
There is a fairly robust VK -> Metal translation layer, but still I wonder what valve ended up doing
Avatar
probably supporting opengl makes some optimizations harder for them
15:43
or idk
Avatar
yeah, e.g. you could have specific sets where you need the gl scissor preallocated
15:43
the high level program knows when it uses them, so it can also tell the backend how many it needs
15:44
in opengl you just switch as you want
15:44
the driver has to care about it 😄
15:44
never trust drivers
15:44
monkaS
Avatar
you could say, vulkan can reduce the amount of pipeline switching allocating alot
15:45
and has awesome memory control
15:45
that makes a huge impact even if you go single threaded with vulkan
Avatar
I was supposed to do something right before that dos attack, now I can't remember what it was
Avatar
Avatar
deen
@Deleted User any insights on bad m1 performance? https://forum.ddnet.tw/viewtopic.php?t=7282&p=69670#p69670
if its about input delay i cant help, maybe it buffers the images too much, e.g. it doesnt actually turn off vsync, even if it says so, depending on how reliable the translation layer is :/
Avatar
[2021-09-27 18:00:07][chat]: *** : Your team has 1 player that has not started yet, they need to touch the start before this team can finish: Sorah (edited)
16:01
i get this message after i activate super on testing servers
16:01
and ofc i touched start before
Avatar
ah yeah create an issue on github and tag version 15.6
16:02
many ppl are annoyed by that i think
Avatar
don't have a github account tear (edited)
Avatar
Avatar
Sorah
don't have a github account tear (edited)
pathetic
16:08
feelsbadman
Avatar
What are the exact steps to reproduce @Sorah ?
Avatar
Avatar
deen
What are the exact steps to reproduce @Sorah ?
join a team with atleast 2 tees > go over start with both > rcon super with one of them
16:18
funny enough after i kill one of them now i can rejoin the team now lol
19:38
https://github.com/ddnet/ddnet/pull/3993

Checklist

  • [ ] Tested the change ingame
  • [ ] Provided screenshots if it is a visual change
  • [ ] Tested in combination with possibly related configuration options
  • [ ] Written a unit test if it works standalone, system.c especially
  • [ ] Considered possible null pointers and out of bounds array indexing
  • [ ] Changed no physics that affect existing maps
  • [ ] Tested the change with [ASan+UBSan or valgrind's memcheck](https://github.co...
Avatar
a5ae3bf Fix nullptr when using Config() in components - ChillerDragon
a53cde8 Merge #4183 - bors[bot]
Avatar
where are checkpoint times stored?
Avatar
5dee9a3 Always update default tune zone - Jupeyy
560d2ad Merge #4166 - bors[bot]
Avatar
@Chairn record_race, but not in the sqlite export
Avatar
[quakenet] eeeee BOT 2021-09-27 21:43:04Z
regarding the ddos problem, have you considered having running reverse proxies in front of the real server? like get some vpses or servers in the same datacenter to do the packet filtering and forwarding
Avatar
[quakenet] deen BOT 2021-09-27 21:45:56Z
considered yes, implemented no. What do we do if the reverse proxy gets overloaded? Move the existing players to other reverse proxies that get fired up on demand?
Avatar
[quakenet] eeeee BOT 2021-09-27 21:46:02Z
those reverse proxies would have different IPs and you could try to distribute the players between those to limit the impact of one IP getting ddosed. and if most players are using the ddnet client, it could be updated to send the controls input data to multiple IPs
21:47
fired up on demand is of course very operationally complex, but maybe at least for tournaments you could have a large pool ready to tank the attacks for a few hours
21:57
ddnet is on the HN frontpage
21:57
thanks @deen 🙂
Avatar
chillerdragon BOT 2021-09-27 21:57:44Z
wtaftak
21:57
"my Online Game"
21:57
oof
21:58
did u guys also get ddos today? -.-
Avatar
Yes, thus the post
Avatar
chillerdragon BOT 2021-09-27 21:58:54Z
wow u fast at posting
Avatar
Yeah, I wasn't sure about "my online game", but too late now 😄
Avatar
s/my/our/ communism
Avatar
chillerdragon BOT 2021-09-27 21:59:31Z
yea
Avatar
[quakenet] eeeee BOT 2021-09-27 21:59:52Z
if only communism could solve ddos
Avatar
chillerdragon BOT 2021-09-27 21:59:53Z
also the good old ddnet is a own game discussion
22:00
its just a tw mod
Avatar
well stalin's kind could solve ddos, shoot anyone who ddoses 😛
Avatar
chillerdragon BOT 2021-09-27 22:00:40Z
heinrichs dissector is mentioned pog!
22:00
such a good dissector :)
22:01
@fokkonaut: maybe u want to read about ddos too :D
Avatar
[quakenet] eeeee BOT 2021-09-27 22:05:37Z
and again i don't have the latest context about how many players are vanilla vs ddnet client, but if ignoring vanilla is an option then you could drop all packets in iptables by default and when a client wants to connect make it first make a http request which would punch the hole for specific ip and port in the firewall to let the udp in
22:06
might be simpler than XDP
Avatar
eeeee: That is what we did last tournament and I started automating it using ipset today, just didn't quite finish it yet
Avatar
[quakenet] eeeee BOT 2021-09-27 22:07:20Z
yeah that's nice. pretty obvious idea but didnt see it mentioned in the post
Avatar
Oh yeah, I forgot to mention that in the blog post actually
Avatar
chillerdragon BOT 2021-09-27 22:07:33Z
@noby: onbgy mentioned in hackernews trending article hrhrhr
Avatar
For Team Fortress 2 I've implemented something similar as what eeeee is suggesting
Avatar
Yeah, I came over after seeing the ycombinator article. I have extensive experience in dealing with DDoS and DoS attacks against game servers (specifically the Source engine).
22:09
I've been trying to dig into the open source code to understand the packet structure, but a packet capture would be better, especially of the attack if that is available.
Avatar
chillerdragon BOT 2021-09-27 22:09:50Z
@deen: "We know the real name of the main DoS attacker" do you mean vali? where did you get his name from?
Avatar
Yeah, you might have a bit of trouble understanding the base part of the netcode as it's a bit of a mess supporting 3 different versions of the protocol. I don't have an anonymized tcpdump I can share currently, but I can try to create a sample tomorrow
Avatar
That would be appreciated. As I may be able to develop something similar to the tools that I currently use to protect Source engine games.
22:12
Though some quick questions, when the client makes a request for server info, how many bytes do they have to send vs how many do they receive?
Avatar
@Kigen can you share some info on what you're working on for source engine games?
Avatar
Its a query cache and filter that used BPF and emulated networking to the Source engine server.
Avatar
query cache to stop a2s player/info like attacks?
Avatar
Yeah, but also it filtered everything else out from reaching the server. So either it handled it, or it knew the client was legitimate to pass on to the game server.
Avatar
Ah right, I have something dumber where I severely rate limit unknown clients
Avatar
An important thing is to make sure the client has to send as many bytes as they receive to prevent usefulness in reflection attacks.
Avatar
and whitelist players after connect
22:17
regarding having your service used as an amplifier, TF2-server has a global query limit per second/window and a challenge/response system for larger replies, which made it uninteresting for people looking for ddos amplifiers (edited)
Avatar
Avatar
Kigen
Though some quick questions, when the client makes a request for server info, how many bytes do they have to send vs how many do they receive?
Depends on how full the server is and whether the server thinks it's getting flooded with requests. Under attack the server will send a minimal serverinfo about 380~b. The request is 30~b iirc
Avatar
chillerdragon BOT 2021-09-27 22:18:09Z
@Kigen: i have a ddos dump but i am not sure how to censor ips and stuff before i can post it here
Avatar
a ddos dump will be full of spoofed IPs anyway 😁
Avatar
chillerdragon BOT 2021-09-27 22:18:42Z
yea true
Avatar
Yeah, but some legit clients may be in there so I understand the concern.
Avatar
iptables rules will also aggressively limit the reflection ratio
Avatar
chillerdragon BOT 2021-09-27 22:19:07Z
ips are not too sensitive but still
Avatar
If you want to find some way to get it to me privately via DMs if you also have Discord it'd work.
Avatar
ips are not exactly what is sensitive, there might be rcon passwords in there
Avatar
chillerdragon BOT 2021-09-27 22:19:55Z
nah i do not have discord
22:20
i grepped for the rcon password but not sure if grep works against pcap files :D
Avatar
Wireshark is very good about scanning things if you use that. But it also depends on if the game transforms the password any.
22:21
Such as via hashing it.
22:21
Though most game protocols I'm aware of don't.
Avatar
Anyway, I'm not completely sure what you'll get out of a dump. Attacks vary, so some days we get NTP amplification, some days we get SYN, some days we'll just get random garbage, some days we'll get packets resembling game packets to try get deeper into the netcode before getting dropped
Avatar
Avatar
Learath2
Depends on how full the server is and whether the server thinks it's getting flooded with requests. Under attack the server will send a minimal serverinfo about 380~b. The request is 30~b iirc
aren't you also globally rate limiting replies? a 380b reply to a 30b request is still valuable to someone looking for amplification
Avatar
chillerdragon BOT 2021-09-27 22:22:28Z
nah passwords are sent as plaintext
Avatar
Been dealing with very similar attack patterns over the past few months @Learath2
Avatar
Avatar
Learath2
iptables rules will also aggressively limit the reflection ratio
^^, we do globally limit
Avatar
Get the kitchen sink thrown at me daily
22:23
NTP, DNS, memcached, and bespoke TF2-like packets
Avatar
Avatar
Arie
aren't you also globally rate limiting replies? a 380b reply to a 30b request is still valuable to someone looking for amplification
I honestly would suggest increasing the required bytes for the client to send. Obviously doesn't need to be anything useful but that way the server can simply discard a packet that isn't of the correct length. And, of course, usefulness in reflection is reduced.
22:24
For NTP, DNS, memcached, etc it is pretty easy to filter those out via blocking source ports.
Avatar
if you can filter upstream, yes
Avatar
Since the vast majority run on default ports.
Avatar
An updated version of the protocol (0.7) already requires 512b request packets, we could indeed move towards that. It just hasn't been a priority since reflection isn't the main issue we have right now
Avatar
[quakenet] eeeee BOT 2021-09-27 22:25:19Z
know any good hosters who let you easily filter upstream by source port?
Avatar
OVH is the easiest if you have to acquire a server today that can deal with these type of attacks.
Avatar
For dedis, hetzner and psychz allow you to configure upstream rules (edited)
22:26
And I agree with Kigen on OVH
22:26
Their soyoustart line is limited in what you can do
22:26
although their game anti ddos is decent, but won't support your game
Avatar
Google Cloud lets you set filters on the hypervisor/upstream and they have great connections, we used it extensively on the tournament day. nfoservers also seems to have large uplinks on their hypervisors, though they are not really fond of us as customers anymore
Avatar
also won't filter out the bespoke game-specific attacks
Avatar
[quakenet] eeeee BOT 2021-09-27 22:26:59Z
Learath2: if you only support ddnet client then why not keep only the http server info and delete the udp one? and if vanilla support is still needed then protocol upgrade isn't a good option, right?
Avatar
I've been working on a service I'm hoping to offer people, but acquiring the IPv4 addresses is quite a challenge these days.
Avatar
I think you can still keep an aggressively rate limited backward compatibility for the info
22:28
@ eeeee
Avatar
@Learath2 guess you've gotten a few of those "a very large ddos attack on your server overwhelmed our filtering capacity" emails too huh? 🙂
Avatar
eeeee: heinrich is working on getting the servers registered over http as well, so when that is here we can more aggressively filter out people that don't go through the modern channel
22:28
@Arie yep, followed by either a massive blanket rule or a null-route for hours/days/weeks
Avatar
yeah been there, even though I mostly use their Chicago location
22:29
which supposedly has the most capacity
Avatar
funnily enough hetzner has been the only ones to let us use the 1g dedicated link they promise, all other hosters seem to get their noses into the kind of traffic you receive
Avatar
hetzner does these days, they used to null route quite soon
Avatar
Yep, back in the day they would null route you before you could notice the ddos even
Avatar
also their "firewall" rules are nice to have now
22:30
filters a lot of the big and easy crap
Avatar
[quakenet] eeeee BOT 2021-09-27 22:32:44Z
i think it would be ideal if you could accept inbound traffic through google cloud or some other huge hoster, have multiple scrubber vpses in there on multiple ips which forward only legit traffic to real server (which is not at google) which then sends outbound traffic through spoofed ips (of the scrubbers) to save on bandwidth costs (which is quite $$$ at google)
Avatar
Hmm, that is basically what I'm building right now. lol
Avatar
Aka steam datagram relay
Avatar
[quakenet] eeeee BOT 2021-09-27 22:33:49Z
could be a good startup idea if any of these games had any money to spend on this tech -_-
Avatar
Like I said, I'm literally building that network now. Just wish it was ready today.
Avatar
eeeee: Hm, scrubbers would be on google cloud too, no? If all the traffic goes through there I don't see where we are saving the money
Avatar
only incoming traffic
Avatar
[quakenet] eeeee BOT 2021-09-27 22:34:42Z
google cloud only charges for outbound traffic, inbound is free
22:35
so you'd only be charged for the legit traffic from scrubbers to real server
Avatar
Hm, but we only had a good experience at google cloud because we were aggressively filtering traffic from all non-players. I think unless we run a whole lot of scrubbers they would easily be overwhelmed
Avatar
Curious if Google Cloud allows BGP announcement. So far I've only run across their Cloud Router.
Avatar
If they are to survive they will need to interface with the google api to set upstream firewall rules
Avatar
Global rate limit for non-players is a good idea anyway
22:37
saves a lot of packets hitting userland code in the gameserver
Avatar
Anyway, I'll get some sleep. I'll try to get a working version of the player filter tomorrow and a new set of iptables rules
22:38
Nice to see new faces around, it's always good to get fresh minds on problems
22:39
Especially opinions from people experienced in the topic 🙂
Avatar
Hope to get some more ideas from here too, looks like you guys have similar problems as me with TF2
Avatar
Just wish I had something to offer you today. Have a nice sleep.
Avatar
interesting, didn't know the article that you posted @Learath2 http://ithare.com/udp-for-games-security-encryption-and-ddos-protection/
Quote: "Yes, you DO need to encrypt your UDP traffic. And no, using UDP is NOT a valid excuse to skip encryption" Another quote: "Personally, I prefer to think of it as of insurance - when I'm paying my premiums in hope that my money will go to waste."
Avatar
Huh, I'm sure I mentioned it here once. I think someone recently linked it in a github issue aswell
Exported 437 message(s)