OVH - Anti DDoS vs Anti DDoS GAME

Discussion in 'Hosting Advice' started by MrDienns, Mar 7, 2017.

  1. I'm not trying to be some know-all or butthurt here, but multiple people stated that what you're saying is nonsense...
     
    • Friendly x 1
  2. JamesJ

    Supporter

    You are literally a meme.
    idek whether you're joking or not, but I hope to God you are.
    And you. You're also a top meme.

    RAM has nothing to do with it. Your connection is everything.
    Your router is the one handling the incoming packets, and in this case, will be what will struggle. RAM on the server has nothing to do with it.

    Hypixel is able to stay up, as for one, they have 20 BungeeCord instances in rotation, which changes periodically. All of which I would imagine have a 1Gbps uplink.
    Let alone, SingleHop provides ~30Gbps of DDoS protection, furthermore, Hypixel also has on-site filtering devices for filtering incoming attacks.
    It has nothing to do with your playercount.

    It depends on the hardware / software, not the players.

    Please take your incorrect, illogical thoughts, somewhere else.

    What a meme.
     
    • Agree x 4
    • Winner x 4
  3. Now that is useful!

    So you stated the following things, and I have a few questions about those in combination with OVH:

    - Is having multiple BungeeCord instances something you can simply do with a few dedicated servers? Also, got some lead on how it's done at all?

    - Please define the "on-site filtering device". Is this not basically a configurable firewall, aka permanent mitigation Anti DDoS with some rules?

    Thanks for the info so far
     
    #24 MrDienns, Mar 10, 2017
    Last edited: Mar 10, 2017
  4. "Most people don't create these"

    *cough* @dreadiscool *cough*
     
  5. In my opinion, OVH Game servers have really good DDoS protection. This https://www.ovh.it/anti-ddos/anti-ddos-game.xml convinces me; I also know some MC server owners who host their servers on OVH Game, and they say that no one has succeeded in DoSing their servers. In fact, OVH Game is what I will buy for my own network.
     
  6. Problem is, I'm interested in using vRacks to set up a better infrastructure, more security & better overall performance. The game servers don't support vRacks; that's why I want to know whether the DDoS protection of the game servers is a lot better than a configured permanent mitigation DDoS protection with the regular ones. Got any experience with that?

    Thanks for the review :D
     
  7. I've no experience with that. You may get one Game server to be used as a front-end, then the vRack as back-ends. idk
     
  8. You can't. A vRack is practically a local network within a datacenter. All servers need to support vRack solutions to even be able to contact that local network (after you added servers to your vRack, of course). If a server doesn't support it, you can't use it. Simple as that.

    I wanted to use the vRack for a file, database & backup server, but the game server is not gonna be able to connect to it. Correct me if I'm wrong, but pretty sure that's how it works. :(
     
  9. JamesJ

    Supporter

    I highly doubt you need to look into on-site filtering at your size.

    Hypixel used to use Intrepid for BGP Session mitigation (basically, they hijack the connection so all the traffic is routed through Intreppid's network when an attack starts, meaning it's scrubbed before it hits their backend [SingleHop]). They moved, I believe because Intreppid caused a lot of issues, such as dropping legit connections, as well as also being involved in a massive leak.
    On-site mitigation is configurable, however it's a dedicated router that they own, and handles mitigation as a dedicated device, rather than a shared device. In 99% of datacenters you'll be sharing a router with your rack, which is 42 Units, so could be up to 42 servers if they're running 1U servers.

    Regarding multiple proxies, yes in theory. You could run multiple proxies on one machine (and use port 25565 if you have multiple IP addresses), however, this would kind of make it redundant lol.
    You only really need to look into multiple proxies if you're dealing with >750 players, as BungeeCord can quite easily deal with that many players. Hypixel currently likes to keep <900 players on each proxy, and I'd imagine their proxies are even more optimised than the base Bungee.
    For how it's done, you can do it with a plugin such as RedisBungee, however, it's pretty easy to create your own system with some knowledge of redis and/or pub/sub messaging.

    You could quite easily implement a vRack (aka VLAN) into a network like this.

    Your proxies all run on public facing IP addresses, then your backend Spigot/whatever instances run on private addresses (bogons, such as 10.0.0.1) and as it's all on a vLAN they'll be able to communicate, hence reducing the exposure of your network.
     
    • Like x 1
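The layout described in the post above (proxies on public addresses, backends reachable only over the vRack) can be checked from a listener inventory. This is an added example, not part of the original thread; the host names, addresses and the `10.0.0.0/24` vRack subnet are assumptions made up for illustration.

```python
import ipaddress

# RFC 1918 ranges, listed explicitly: ipaddress.is_private also returns True
# for the documentation ranges used as stand-in public addresses below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VRACK_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed vRack subnet

# Constructed inventory (hypothetical hosts, not taken from the thread).
INVENTORY = [
    {"name": "proxy-1", "role": "proxy",   "bind": "198.51.100.10", "port": 25565},
    {"name": "proxy-2", "role": "proxy",   "bind": "198.51.100.11", "port": 25565},
    {"name": "lobby-1", "role": "backend", "bind": "10.0.0.21",     "port": 25566},
    {"name": "game-1",  "role": "backend", "bind": "0.0.0.0",       "port": 25567},
    {"name": "game-2",  "role": "backend", "bind": "203.0.113.7",   "port": 25568},
    {"name": "redis",   "role": "backend", "bind": "192.168.1.5",   "port": 6379},
]

def audit(inventory, vrack_net=VRACK_NET):
    """Return (name, reason) for each backend listener exposed outside the vRack."""
    findings = []
    for svc in inventory:
        if svc["role"] != "backend":
            continue  # proxies are the only hosts meant to face the internet
        addr = ipaddress.ip_address(svc["bind"])
        if addr.is_unspecified:
            reason = "binds every interface, public ones included"
        elif not any(addr in net for net in RFC1918):
            reason = "listens on a public address"
        elif addr not in vrack_net:
            reason = "private address, but outside the vRack subnet"
        else:
            continue
        findings.append((svc["name"], reason))
    return findings

if __name__ == "__main__":
    for name, reason in audit(INVENTORY):
        print(f"{name}: {reason}")
```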
  10. Alright, that greatly helps. Is it possible to use RedisBungee on multiple machines? Does Hypixel have one enormous dedicated server running 20 Bungeecords, or do they run 20 dedicated servers, running one BungeeCord each?
     
  11. JamesJ

    Supporter

    They use multiple dedicated machines, at that scale you have to start looking into what the kernel will do with that many connections. Most ports wouldn't even support that many incoming connections.

    But yes, you can use RedisBungee on multiple machines. You just need Redis installed on one "master" machine, then you can add as many BungeeCords to that as you need.
     
  12. I suppose running multiple BungeeCords will give you a significantly higher chance of staying online during an attack, right? Unless they go full retard and DDoS all of them, of course.
    In most cases, you got one target. That would no longer be the case :)
     
    • Agree x 1
  13. JamesJ

    Supporter

    If all your proxies are on the same rack, connected to the same router, you run the risk of overwhelming the router. Hence, still taking you down.
    If they're spread across multiple routers, your attack will be more distributed. However, I wouldn't rely on it for complete protection.
    The attacker could easily just go onto sites like whatsmydns.net and pick off your proxies one by one.
     
  14. It's quite useless running multiple bungees on the same dedicated server. So I guess they have 20 dedicated servers for 20 BungeeCords.
    With Hypixel's player counts, they either have more BungeeCords running or their bungees do handle up to 3000 players each, with their overall player counts climbing up to 55055 (current max is 52025, however) players and no equal player distribution.

    GommeHD.net (20000 players)'s target is to keep every bungee instance below 400 players, they currently have more than 70 bungees.
     
  15. If they're all on separate machines, that should be good enough I suppose. They all got DDoS protection anyway :D
     
  16. Ah, and OVH's ~1 terabyte attack, which got mostly successfully handled, was targeted at a Minecraft server.
     
    • Like x 1
    • Winner x 1
  17. JamesJ

    Supporter

    Hypixel regularly rotates their bungees, they only have 20 publicly facing at a time.

    https://www.whatsmydns.net/#A/mc.hypixel.net
    These were taken 10 minutes apart.
    [​IMG]

    Many people in the DDoS mitigation "industry" believe that this was escalated to scales which the attack wasn't actually.
    Many other providers only experienced around 600Gbps, whereas OVH apparently handles 1Tbps, even though they can be downed with a pretty simple L7 attack.
    Let alone, OVH's mitigation capacity is only at 600Gbps because they have hardware limits.
     
    • Winner x 1
    • Informative x 1
  18. Is the rotation something that can be done with some simple Java code, using Redis or RedisBungee, or does that require a crap load of hardware & server configuring?

    Thanks again, you're the hero of the day
     
  19. JamesJ

    Supporter

    Rotation can be done pretty simply.
    On the basis that you set the TTL (Time To Live) to a shorter number, meaning that users' systems will cache the DNS response for less time (I suggest putting it at the lowest value [5 minutes] for maximum effect).
    There is a script that can automate this, which is designed for Minecraft servers, I'll try and find it for you.

    Edit: Finally found it, https://github.com/vemacs/cloudflare-autorotate
     
    #40 JamesJ, Mar 10, 2017
    Last edited: Mar 10, 2017
    • Like x 1
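The rotation with a short TTL described in the post above, sketched as an added example (not part of the original thread and not the code of the linked script). It picks the A records for each rotation window from the healthy proxies and reports how long a withdrawn proxy must keep running, since resolvers may serve the old answer for one full TTL. The pool addresses, the published count of 3 and all function names are assumptions; pushing the records to a DNS provider is left out.

```python
TTL_SECONDS = 300   # the 5-minute TTL suggested in the post
PUBLISHED = 3       # records visible at once (assumed; the thread cites 20 for Hypixel)

# Constructed pool: hypothetical proxy addresses from a documentation range.
POOL = ["198.51.100.%d" % i for i in range(1, 8)]

def records_for(window, pool, healthy, count=PUBLISHED):
    """A records to publish in rotation window `window` (0, 1, 2, ...)."""
    candidates = [ip for ip in pool if ip in healthy]
    if len(candidates) <= count:
        return sorted(candidates)  # too few healthy proxies: publish them all
    start = (window * count) % len(candidates)
    return sorted(candidates[(start + i) % len(candidates)] for i in range(count))

def rotation_step(window, now, pool, healthy, ttl=TTL_SECONDS):
    """Return (publish, drain) for this window.

    drain maps each withdrawn address to the earliest time it may be stopped:
    clients that resolved the name just before the change can still connect
    to it until the cached answer expires.
    """
    previous = set(records_for(window - 1, pool, healthy)) if window > 0 else set()
    publish = records_for(window, pool, healthy)
    drain = {ip: now + ttl for ip in sorted(previous - set(publish))}
    return publish, drain

if __name__ == "__main__":
    healthy = set(POOL) - {"198.51.100.4"}  # constructed: one proxy failed its check
    for window in range(3):
        publish, drain = rotation_step(window, window * TTL_SECONDS, POOL, healthy)
        print(window, publish, drain)
```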