by malikNF 1929 days ago
We used to run a game server for a small community of around 400-500 people and DDos attacks were something we had to face almost every week, whenever someone got upset with the admin team, the go-to solution was to DDos, you get scammed by another player? DDos. Got banned for saying racist things ingame? DDos. You figured out a new way to cheat in game and the admins fixed it? DDos.

We were kids back then and those were kids that were attacking us with just a 5-10usd budget. Yes they were relatively small (ranging from 10-60Gbps) attacks compared to the Tbps attacks that are happening to some companies, but good god it was so annoying when all it took was just 5 usd from some idiot to take down your server.

We moved to gcp, got null routed (or reduced network bandwidth to the node under attack) every time there was an attack. Bought azure's 3000usd a month anti DDos protection, was worthless for a tcp/udp service. Tried to have a network load balancer in the cloud that auto-scaled, still some players got affected when an attack came in.

Finally we moved over to OVH and placed a few really powerful servers in front of the game server and applied some ipfilter rules to reduce common attacks. That ended up being the cheapest option out of all the options. When you have a very small community it's not like you have the biggest budget to work with. But it was really fun and taught all of us a lot. Looking back it's kinda sad we had to end things. But it was a lot of fun.

DDos attacks are one of those things that really make me worried about the future of the internet. The only way to win it is to throw money at it and cross your fingers that the attacker will run out of resources before you do.

Definitely companies like cloudflare do an incredibly good job of stopping some insanely big attacks when it comes to http/https (I recently saw they were supporting udp and tcp based services now, never tried it).

But one thing that's weird is having to rely on some 3rd party company. Yes cloudflare so far has been a company I can trust, but, I once loved and trusted a company that said "Don't be evil".

If you are a developer for some IOT device manufacturer please do your best to make sure someone won't turn your light bulb into a part of a botnet. When you guys fuck-up the rest of us have to suffer.

13 comments

The significant thing about "script kiddy DDOS" level attacks, is that they significantly raise the effort and expense for the smallest projects. This is exactly where the most important innovations happen:

http://www.paulgraham.com/marginal.html

> Finally we moved over to OVH and placed a few really powerful servers in front of the game server and applied some ipfilter rules to reduce common attacks. That ended up being the cheapest option out of all the options

The cheaper attacks seem to be at the level where machine learning could be able to counter them. Raising the bar for inexpensive attacks would be a huge boon to the internet and human progress. It wouldn't be that expensive to fund, either.

> We used to run a game server for a small community of around 400-500 people and DDos attacks were something we had to face almost every week, whenever someone got upset with the admin team, the go-to solution was to DDos, you get scammed by another player? DDos. Got banned for saying racist things ingame? DDos. You figured out a new way to cheat in game and the admins fixed it? DDos.

I wonder if this sort of thing could be honeypotted? Give perpetrators a way to figure out and target a fake "edge server" of a particular user? (Which only affects about 5% of your user base, let's say.) However, that "edge server" is actually a honeypot that gathers data on the attack, and correlates that to support emails to the admin team, or flame wars in the game's forums.

This is the kind of suckage that holds back the entire network, but which can ultimately be defeated:

http://www.paulgraham.com/spam.html

"Learning" has nothing to do with any of this. Deciding which packets are part of the attack is not hard at all.

What's hard is paying for 100s of gigabits of bandwidth, 24x7, so the incoming packet flood doesn't crowd out the good traffic before it gets to your filtering box.

Basically the only solution there is centralization. Cloudflare can afford to buy 1000s of times more bandwidth than any one of its customers needs, because it has (much more than) 1000s of customers.

As far as auto-learning to counter such things, https://linuxsecurity.com/features/features/introducing-crow... did show up recently: an attempt at a crowd-data-enhanced next-gen-fail2ban-alike. (Not an endorsement, never tried it.)

I don't think it uses any of the techniques currently considered central to machine learning, but if it works well / catches on to start with then it could be a good place to see how useful those would be.

I don't see how that project helps solve the underlying problem: denial of service

if the idea kicks off, instead of spamming packets directly at their targets: kiddies will switch to feeding cloud-fail2ban with their target's IP addresses

and there will be paid services to do this for you

same effect

> if the idea kicks off, instead of spamming packets directly at their targets: kiddies will switch to feeding cloud-fail2ban with their target's IP addresses

As far back as the 2000s, kids knew to keep their IP addresses secret. There are plenty of real-time game server architectures where no game client knows the IP address of another game client. This might not be feasible for very fast paced FPS games, for example, but that's only one particular use case.

I suspect we could significantly raise the bar to DDOS something like 80% of all websites/apps/servers -- at least to the level where random kids or even random middle class adults would think about it because they had a bad day.

> I wonder if this sort of thing could be honeypotted?

One method could be to anycast the domain to a bunch of edge servers which all relay traffic to the actual server.

DNS queries of the domain return the closest edge which gets attacked, other edge servers can still route.

Slightly OT but the significant thing about "Don't be Evil" is that Google had already taken the fundamental choices that were evil. The slogan itself is blatantly self-conscious - an acknowledgement of the insane power that would inevitably accumulate as a result of the business model they were pioneering.

> The slogan itself is blatantly self-conscious - an acknowledgement of the insane power that would inevitably accumulate as a result of the business model they were pioneering.

I think that's historically false. At the time, "Don't be evil" seemed like, more than anything, an acknowledgement that Google wanted to have a corporate culture that was different from Microsoft, which at the time was the 800 pound gorilla in tech and was widely seen as being "evil" (I may be dating myself, but does anyone else remember the Bill Gates/Borg avatar that was the standard for Microsoft stories on Slashdot back in the day?) Google was founded in 1998, right when the US v Microsoft antitrust suit was filed.

One could certainly argue Google now engages in some of the monopolistic tactics that originally got Microsoft in hot water (with MS it's "everything is part of the OS", with Google it's "everything can be part of the search results page"), but I think you're reading too much into what was originally behind the "Don't be evil" slogan.

I would have certainly felt the same way until recently but the timeline laid out in Shoshana Zuboff's book on Surveillance Capitalism made me re-evaluate that.

I think that’s overly pessimistic. I think it may have helped delay the inevitable as it was in the back of their minds. I didn’t really completely give up on them until they renounced the slogan. It was a sad day and made it dead obvious they had gone full corporate.

> an acknowledgement of the insane power that would inevitably accumulate

That's overthinking it. "Don't be evil" is just the kind of slogan that could emerge in the '90s, when it became clear that good and bad were not linked to a specific organizational form or trait - you could have bad capitalism and good collectivism as well as the other way around. There was a feeling that "big business" was bad but "medium business" could be a force for good, you only had to stay decent and things would work out. And of course the 'net would have rejected any clipper-chip and not replicate the historical corruption of the real world.

Those were very naive times, in retrospect, but I don't blame the original googlers for believing in a simplistic view of the world. I blame Eric Schmidt and his sponsors for hiding their evil behind that line. Modern Google is basically all Schmidt.

I see. Now that makes it worse.

I've long thought of it as a big-brothery admonishment: "Don't be evil... because we'll know about it." Sort of a Santa Claus Is Coming To Town style cutesy celebration of tyranny.

> Definitely companies like cloudflare do an incredibly good job of stopping some insanely big attacks when it comes to http/https (I recently saw they were supporting udp and tcp based services now, never tried it).

CF still requires an Enterprise contract for proxying arbitrary traffic via Spectrum, likely because of the abuse prevention aspect. Otherwise SSH and minecraft are offered at pay-as-you-go rates, but a lot have complained about how expensive it is:

https://community.cloudflare.com/t/what-do-you-think-about-t...

Incidentally, I find it deeply weird that the only protocols supported by Cloudflare Spectrum below the enterprise level are SSH, RDP, and... Minecraft?!

I mean, I guess it's a compelling use case for some customers. Still, it's a weird outlier.

Minecraft is incredibly popular and it's normal to run your own server. (It's the 5th most-watched game on Twitch; at 81,000,000 hours per month!) I don't play, so I can't authoritatively say there is no company that provides "default" servers that new clients log into, but I've never heard of such a thing.

(If you look at the other popular games on Twitch, they all provide servers and can't self host. GTA V, Fortnite, LoL, CoD, Valorant, etc. So there is no market for anything but Minecraft-related services.)

And perhaps more significantly, DDoS attacks against Minecraft servers are extremely common. There's a massive market dedicated purely to DDoSing Minecraft servers.

In addition to its popularity, I would guess that this is probably related to the fact that the average age of Minecraft players is probably lower than the average age for most other popular online games. A disgruntled person between the age of 12 - 18 who knows they can completely shut down the fun-having ability of everyone they're pissed off at for a few dollars per hour will often feel pretty tempted.

If you do the development work to support hot protocol of the moment X, chances are in 18 months nobody cares because either (a) now X is old news and nobody uses that any more or (b) X+1 came out, it's incompatible and you'd have to do the work again for it to be useful.

If an enterprise customer will pay $$$ to support X this can still make financial sense, but Cloudflare's non-enterprise customers aren't paying $$$.

Minecraft is apparently not going anywhere, it's still very popular a decade after release. And my understanding is that the protocol is fundamentally the same as ever. So, you do that work once, and then you've got a free proof of concept apparently forever.

There's a reasonable amount of servers with the traffic to need to worry about ddos attacks, and have revenue models from selling ingame perks (often in ways forbidden by the minecraft ToS, but that's relatively toothless for these servers) that would allow them to pay for this service.

Was this a RuneScape private server (RSPS)? I remember back in the day you could find a free RSPS DDoS tool with a quick Google search, and all you had to do was enter the public IP address to start attacking. The culture for the RSPS scene was exactly what you're describing.

Also there was another kind of attack where you would start thousands of bot clients at once that would spam messages. The hopes would be that you would (a) shut down the server, (b) attract the players to the server your bots were advertising

Not runescape, it was an old MMO that got abandoned, we modded the game and kept it alive for almost 8 years before most of the Admins quit and we started our own company, last I heard the game is still running.

As for the DDoS tools, after writing the parent comment just did a quick ddg search and you can still find several websites advertising services to DDoS. Some I recognize from back then.

On a side-note doing an nslookup shows some of these sites are behind cloudflare haha.

> Also there was another kind of attack where you would start thousands of bot clients at once that would spam messages. The hopes would be that you would (a) shut down the server, (b) attract the players to the server your bots were advertising

Oh man.. some people..

I wondered when I'd see a mention of RSPSs on here. God what an excellent time of my life that was. Running a server with my brother got me into programming and tech and was such an absolute pleasure. We had the good fortune of never being DDoSed but I suppose our scale was small enough to avoid it (20 players max at any given time). I had never heard about the tool you're mentioning.

Haha I'm in the exact same boat - creating my own server got me into programming and tech.

A common tool was called Syipkpker[0]. It was really annoying dealing with these bots. All you could do is IP-ban them and pray the attacker didn't change their IP

[0] https://www.dailymotion.com/video/x417fz2

> When you guys fuck-up the rest of us have to suffer.

Is there a lawyer here who can comment on whether the manufacturers of these horrid devices have any civil liability - either currently or possibly in the future?

My gut tells me the only way this will get better is for there to be rules of negligence applied to the realm of computer security.

I don't know what it is about gaming that attracts DDoS events more than practically anything else, but there are a lot of server hosts that will not even rent you a server if they know that there will be a game hosted on it due to this.

I have used Cloudflare Spectrum to prevent attacks. It does work incredibly well but the cost is significant.

As for 3rd party companies, I do hate to rely on cloudflare for this. It is the worst business relationship by far I have ever been in, but yet there are no good alternatives we found.

> I don't know what it is about gaming

Gaming tends to attract a population that is tech-savvy (means), competitive (motive), and has copious leisure time (opportunity). Combine those three things and you have the kindling.

The spark, I think, is due to the fact that the crowd was historically quite young. That means three things. First, impulsive. Second, nothing/less to lose (someone with real assets they Worked Hard For wouldn't Risk It All over an in-game spat). Third, might not've learned how to handle competition in a healthy way.

A DDoS attack is a crime, but the sort that most law enforcement don't really care about at least in the context of a small-time game server. It's kind of the modern equivalent of knocking down mailboxes or shooting out traffic signs with a shotgun. Both things that cause actual damage that costs actual money, but which teenage males have been doing probably since the advent of mailboxes and shotguns.

> [...] but there are a lot of server hosts that will not even rent you a server if they know that there will be a game hosted on it due to this.

Huh, I've only seen that with VPS hosters and thought it was related to game servers causing high CPU load on shared resources.

> I don't know what it is about gaming that attracts DDoS events more than practically anything else, but there are a lot of server hosts that will not even rent you a server if they know that there will be a game hosted on it due to this.

Like IRC back in the day :P

Trying to DDoS someone because you got banned for saying racist things is the virtual predecessor to the Jan 6th insurrection.

No, it is not. The kids that used to do this kind of thing rarely are part of the Q cult. Just because you don’t like two different kinds of people, it doesn’t mean they are the same. People mad about rigged elections are not the same as techy kids having fun, so get a grip.

I'm good friends with a whole bunch of small-time GOP operatives. No one serious, but people employed full-time in the broader GOP world. Think stuff like "staff for state senator" or "event organizer at regional chamber of commerce type orgs".

I asked all of them in December if they were worried about violence given all the stolen election claims. I had TDS, etc. etc.

I asked after Jan 6 for a post-mortem on their dismissals and every single one said they thought all of the people online were just trolling. Half of them work for employers who ended up sort of half-severing historically very deep ties with state GOP parties.

So, I think there's probably a lot more truth in the GP than you give credit for.

It’s a fair comparison in that they are both sets of garbage people overreacting when things don’t go their way. I find it a very apt comparison.

It's just a comparison of two groups' similar reactions.

The magic of 3rd party anti-DDOS providers is rarely the software/methods: it's just about having bigger pipes. Everyone can figure out how to block volumetric attacks with iptables or whatever, the problem is if you have a 1 gig pipe from your transit provider, it's going to get saturated even before you can do any blocking. The 3rd parties can afford to have multiple 100g pipes with 10gbps commits in multiple DCs -- you share this cost with other customers for when you get attacked. That's kinda the entire point of 3rd party anti-DDOS providers, and not much else.

Cloudflare does any tcp now, maybe udp?

https://www.cloudflare.com/products/cloudflare-spectrum/

I'd like to learn more about using ipfilter filters on bare metal machines to mitigate ddos attacks. Do you have any recommendations?

IoT device makers aren't going to be better just out of the goodness of their hearts - regulation / litigation is needed.

DDoS, 400-500ppl, OVH - let me guess the game, Tibia?

edit: nvm.

And this is why we need MaidSAFE instead of the Web. They don’t have DDOS attacks, instead you make money every time someone accesses a chunk of a resource, and the kademlia tree hides the hosts’ IP after one hop so the network and hosts can’t be taken down easily. Very different from Tor.

https://maidsafe.net is the best project to come out of the “Web3” space. If you heard of freenet, this is like freenet 2.0

PS: Why the massive silent downvotes? This platform actually solves the problem and many others HN constantly correctly complain about. But when posted, you prefer to ignore it. (Disclaimer: I am not affiliated with them in any way. In some ways they are a competitor to Qbix and Intercoin but I give credit where it is due.)

I think a lot of us are tired of cryptocurrency snake oil. It is an uphill battle to build things on a cryptocurrency and try to convince the wise that it isn't an elaborate vehicle for get-rich-quick speculation.

MaidSAFE is not a cryptocurrency. It’s a network closer to Tor and Freenet but architected way better.

This is like downvoting all mentions of IPFS because FileCoin is a currency that is used to pay others for storing files. Or like downvoting all mentions of Freenet.

> MaidSAFE is not a cryptocurrency

Mmhm. Well, they raised money using an ICO, so apparently they felt their coin was worth people speculating on. Market cap is above $200 million.

Maybe the technology is great, but it's built and operates like any other get-rich-quick crypto scheme. Their mission, if genuine, would be better served by a different approach. Avoid the appearance of impropriety and all that.

I don't have much of an opinion and don't want to argue, but you did ask why people were downvoting. That's why.

I am Lolling at the "get-rich-quick scheme" criticism of yours. This project has been in development for 14 years. It is incredible that people don't even care to properly research it, and they blindly choose their favourite bias just to say something. On one side we have those who criticize for not being soon enough, and other for being a 14 years get-rich-quick-scheme. Fabulous.

I would invite you to check out what the project is really about, check out: https://primer.safenetwork.org/

Secondly, if you want proof that this project actually predates bitcoins, here is a talk the founder gave at Google Tech Talks in 2008: https://www.youtube.com/watch?v=fLA77zxk-vA And maybe it was just because of this that they found a way to solve the Byzantine Generals Problem independently without relying on blockchains. I hope you get the significance of this.

I get this is a popular view, and justifiably so. The project is not a get rich scheme for the founder, you will see that if you look at how it was created and the structures that support it (which include a Scottish Charity that owns the company MaidSafe which is building the first version, but then aims to remove itself from control in favour of decentralised development funded by the network itself).

And there is good reason why they chose an ICO over alternatives. You don't say what you favour, but what this project has achieved by this route is complete independence to deliver according to fundamental principles.

They have no VC investment, nobody has control who is not aligned with the goal to create a fully autonomous, decentralised network and the "fundamentals" of Safe Network which you can read up on if you want. So the project continues to aim at a hard target regardless of many opportunities to get rich along the way.

It was I think the first ICO, so if getting rich was the aim it could have happened many times by now.

As things stand it is a shame that people are turned off from even looking into this project because of that association. Once it emerges I think the value it provides rather than captures will change minds.

If you want to know what the target is you can read about the Fundamentals of Safe Network here: https://safenetforum.org/t/safe-network-fundamentals-context...

Funny definition of “quick”. They started this project in 2006 and have not been raising any money except back then, as one of the FIRST ICOs (before Ethereum existed, they used Mastercoin).

And frankly, raising money with a token is far better than raising money selling equity. When you sell equity to a guy like Peter Thiel who thinks that “competition is for losers” and “you should build a monopoly”, you build exactly that. You kill off wirehog and lock everyone into your platform, instead of making an open source reference implementation of a protocol like Email (smtp) or the Web (http). All because you have to generate profits perpetually, as that is what equity investors expect.

With a token, you raise money from future participants in the network and you don’t need to have a profit motive causing you to build a monopoly. Show me open source projects that were funded by seed equity funding.

The socialist in me wants to see more funding of projects by developers, infrastructure providers and others being paid in tokens, rather than equity in a monopoly that will extract rents and be afraid to give out the code to anybody — or even become interoperable!

Apparently this project has been around since 2006 and still hasn't gotten any traction. Why should I move my resources to this system?

The sister comment called it a “get rich quick scheme” due to selling tokens once. Which is it?