[Work In Progress] DDoS Protection for Minecraft Servers

Discussion in 'Performance Tweaking' started by andyhuang, Feb 9, 2013.

  1. I posted this on reddit earlier today, but since not all of us go there, and you guys here are awesome at running big servers, I figured I'd share this here as well. A few things:
    1. The links in the article are not affiliate links. I do not have ads. So this is not a "blog spam" for personal gain.
    2. This is pretty long, so I'm not going to post it inline as a post.
    3. I have it on my blog right now, because I can edit it more easily there. This is quite an early draft, and I plan to revise it over the next few days/weeks.

    The article: DDoS Protection for Minecraft Servers

    Hopefully this helps a few people keep their servers online. I know Kainzo was looking into something like this.

    I hope you guys can help provide feedback on things that are incorrect, or could be revised. Also, please do feel free to post any questions you have on this setup, and I will try to answer them for you.
  2. md_5 (Administrator, Developer):

    Have you actually tried the filtering from these budget places? In many cases they literally conk out after a kiddie's miniature booter?

    Also you are welcome to post whatever you want, you do more than your fair share of contributions here :)
  3. I haven't actually tried to implement this yet, because my server hasn't gone live yet. That said, of the three listed: I think BurstNET is big and has been around for quite some time now, so I'm pretty sure I can trust their service. BuyVM is also pretty good at handling things such as this, mainly because of their founder's anime community + IRC roots; I'm sure they know how to deal with attacks effectively. GigaServers I have honestly never heard of until I started looking up things for Kainzo recently. It would be interesting to test them out some time later.

    At the end of the day though, even if they are able to down a PoP, you can still have other PoPs available for people to connect to. And if nothing else, at least it will be more expensive for them to do so -- X times more expensive, depending on how many PoPs you end up getting.

    And thanks for the kind words, you've really read my mind in that I wasn't sure if this would be welcomed :)
  4. Thank you for your informative experience.

    I've tried many DDoS protection services, such as Javapipe (which resold BlackLotus and CNServers), then Black Lotus, then AssetGateway (which resold Black Lotus), TransitShield, then Staminus. Although I haven't tried any that you mention, thank you for providing the info :) but they seem too good to be true :3

    I can rate each of the ones I've tried below (in chronological order):

    - Javapipe: I tried Javapipe when my server started, which is a long-ass time ago. I liked that their support system was fast and instant, but I disliked that they charge for each GB of bandwidth. Although I worked out a good deal with them, I felt that the relationship could not be stable that way, especially when they count traffic both ways when most providers only count outgoing traffic. My experience with them was good, except at the beginning they gave me a shitty BlackLotus service which went down when being attacked right away. I know that if you pay under 1k to BlackLotus, your server can still go down any time you get attacked. After that, Javapipe gave me another protected port at CNServers, which I used for a few months and had a great experience with, until I realized my server was growing so fast and I didn't wanna renegotiate the deal every time it got close to the bandwidth limit. So I left.

    - BlackLotus: I was trying to reduce my expenses and I came across Black Lotus's $249 Minecraft protection service for up to 10Gbps. Shit, it was fucking terrible, so terrible that they have now removed the "Protection for Minecraft" section from their website. Well, long story short, any kind of DDoS attack could bring down this BlackLotus service, and their support would deny it, and came up with the reason "It's being filtered, your players have to go ping the IP by browser first, then Minecraft client later". Well, I already filed a BBB report against them, and got my money back. Thing is, Black Lotus never provides good DDoS protection for under 1k. I remember I must have been on the same switch port as Killion's server, because when my server went down, they went down also, and our IPs were in the same subnet.

    - AssetGateway: I'm sure they resold a higher quality Black Lotus service; I just bought them for a month to try out the server-to-server teleportation plugin. Overall, it's a good experience, but I haven't fully experienced it yet. I'm going to keep this one short because there's more talk about Black Lotus than they deserve.

    - TransitShield: I used them briefly. They used a very smart, though it could be more effective, way of protecting servers. It is that your domain name will point to 3 or 10 of their protection IPs, then all of their servers will do some load balancing to transfer players to another IP if one has high load. The problem is, their mitigation is okay, but anyone who's smart enough to figure out this trick and has enough DDoSing power could bring all of the IPs down in a minute, and block players from getting to that server.

    - Staminus: Last but not least, they are my current favorite. First of all, I worked out a good deal with them, which made me happy. Also, I had heard much about them and their good protection service, and it turns out to be true. I've been using them for a few months, using the highest protection package, which is a 10Gbps dedicated port, but I'm sure they can handle much more because their rules are tight and effective, and you don't share the protection with everyone else. On some occasions there will be a false positive that blocks a few of your players from your server; then you will have to collect the players' IPs and ask them to do an MTR test to the server. After sending the test result to Staminus, they'll unblock the IP and change the rules a little bit so it won't happen again. Also, they would give you a very good deal if you own a popular server and are willing to list them as your Recommended Network Protection.
  5. "Pro-tip: If you are using a game server provider, you can set local-port to 25565, and remote-port to whatever your actual port is. Now people will be able to connect to your server (using the VPS's address) without entering a port number."

    This is possible with the Minecraft SRV settings too.
  6. Yep :) That is entirely true :)

    Meow, sorry, I've been swamped and haven't gotten back to you yet. I haven't forgotten about your email. Will get to that right after I sort out things here on my end -- Chinese New Year stuff :X
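    As an added illustration (not from the thread, and not code from any of the providers or plugins mentioned), here is the client-side resolution logic that the "no port number" trick in posts 5 and 6 relies on, in Python: an explicitly typed port wins; otherwise the `_minecraft._tcp.<hostname>` SRV record set is consulted, which can carry a different port per front-end; otherwise the hostname is tried on 25565. The zone data and every hostname below are constructed for the example. Ordering within a priority follows RFC 2782's weighted selection, which is what a proxy or custom launcher could do; clients vary in how much of that they honour, and the stock Java client has historically used only the first record returned.

```python
"""Minecraft-style server address resolution with SRV fallback.

Added example, not part of the original forum post. Record set and
hostnames are constructed; the SRV name prefix `_minecraft._tcp.` and the
default port 25565 are the ones the Minecraft client actually uses.
"""
import random
from dataclasses import dataclass

DEFAULT_PORT = 25565
SRV_PREFIX = "_minecraft._tcp."


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower is tried first
    weight: int    # relative share within a priority; 0 = last resort
    port: int
    target: str


def order_targets(records, rng=None):
    """Return (target, port) pairs in the order a client should try them.

    RFC 2782: all records of the lowest priority before any of the next;
    within one priority, pick by weighted random and repeat on the rest,
    so a weight-0 PoP is only reached once every weighted one has failed.
    """
    rng = rng or random.Random()
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)

    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = pool[0]  # only weight-0 records left: keep zone order
            else:
                # point in [0, total); first record whose running sum exceeds it
                point = rng.randint(0, total - 1)
                running = 0
                for r in pool:
                    running += r.weight
                    if running > point:
                        pick = r
                        break
            pool.remove(pick)
            ordered.append((pick.target, pick.port))
    return ordered


def resolve(hostname, srv_lookup, port=None):
    """Mimic the client: explicit port > SRV record set > hostname:25565."""
    if port is not None:
        return [(hostname, port)]
    records = srv_lookup(SRV_PREFIX + hostname)
    if records:
        return order_targets(records)
    return [(hostname, DEFAULT_PORT)]


# Constructed zone: two filtering front-ends share priority 10, a backup
# on a non-default port sits at priority 20 so it is used only if both fail.
SAMPLE_ZONE = {
    SRV_PREFIX + "play.example.test": [
        SrvRecord(priority=10, weight=60, port=25565, target="pop-a.example.test"),
        SrvRecord(priority=10, weight=40, port=25565, target="pop-b.example.test"),
        SrvRecord(priority=20, weight=0, port=25566, target="backup.example.test"),
    ],
}


def sample_lookup(name):
    """Stand-in for a real DNS SRV query; answers only from SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for target in resolve("play.example.test", sample_lookup):
        print("try %s:%d" % target)
    print(resolve("play.example.test", sample_lookup, port=25570))
    print(resolve("other.example.test", sample_lookup))
```

    The caveat raised about TransitShield in post 4 applies equally here: the SRV answer lists every front-end, so it tells an attacker exactly which addresses to hit. An SRV record spares players from typing a port; it does not hide the PoP IPs, and the backend behind the tunnels stays safe only as long as its own address never leaks.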
  7. This is mostly my planning phase summary. I haven't done full testing on this yet, and some nice people on Reddit have pointed out some weaknesses I should address before taking this further.

    I am VERY interested in learning more about your experience with other dedicated DDoS mitigation providers. It would be great if we can touch base (perhaps after we figure out the hugepage thing for you via email) so I can learn more about how they work, and what limitations / benefits we can implement in this proposed setup.

    And yes, this is probably too good to be true in some cases... but that's because this is an early brain dump in which I haven't quite fleshed out all the details yet. There are weaknesses not identified / addressed, and those should be discussed too... I'll touch base with you soon :)
  8. I'll be reading this and catching up :) we're a large target and pretty much always need protection.
  9. I should touch base with both you and Meow about your experiences with other DDoS mitigation providers, as well as figure out what can be done on the front-end servers together, to make sure we're not just blindly tunneling requests from there to the actual server. Would it be okay with you if I were to PM you my email address, and have you send me an email?
  10. SuperSpyTX:
    People who have used SecuredServers have had no issues with DDoS, as the attacks get filtered out pretty quickly.

    I surely haven't.
  11. md_5 (Administrator, Developer):

    I'd actually be interested to know what deal you actually managed to get, since their website says 4k/month for 10Gbps, which seems a tad unreasonable, and probably excessive for what most servers would get :p
  12. I'll send you the info via message.
  13. Please reveal the secret to all of us, I like everything but their prices. D:
  14. Jigsaw:
    That article was a very nice read! Great ideas and great information.
  15. 100% correct. I bought it, and lost my $250 after they wouldn't refund me and I lost the dispute I made.

    Javapipe was also not good, although they did refund me

    Currently I'm with TransitShield and have been for the past 2-3 months... I get DDoSed daily with 1-8Gbps attacks, and they do a very good job of keeping my server online 24/7, plus I'm paying 1/5 of what most people would pay to protect against attacks of the size I'm getting.
  16. Don't be afraid to file complaints against them via the Better Business Bureau and the California State Office of the Attorney General (which is where their business is) with a professional report, so they'll never try to abuse server owners again.
  17. LiLChris (Retired Moderator):

    They are not BBB accredited, so I doubt they will give a damn. :(
  19. Thanks Meow :) I have submitted my complaint.