How did I get "bombed" and disconnected by a "bombing house" cheat?
Bombing the house?
As we all know, in battle-royale ("chicken-eating") and MOBA games we often run into "immortal" cheaters. In battle-royale and FPS games they show up as "every shot is a headshot"; in MOBA games, as opponents who fire off every skill with zero cooldown. This type of cheat works by simulating mouse and keyboard input, or by intercepting socket and API traffic and modifying it to achieve the effect.
Another type of cheat, at the critical moment of a fight, causes the victim's network to lag or even disconnect; or, right at the start of a match, it disconnects all players and then controls when the attack stops so that the cheater reconnects to the battle server faster than everyone else. In a battle-royale game, for example, if everyone is disconnected at the start of the match and reconnects 60 seconds later, the first player to reconnect successfully (usually the one running the cheat, since he controls when the attack stops) can easily kill the players landing nearby and profit. These cheats are collectively called "bombing houses", and they are today's main topic.
UDP protocol in the game
Real-time multiplayer battle games usually use UDP to connect multiple players directly to the same battle server (the same battle or instance is assigned the same public IP address and port), so a malicious player (one running a cheat) can easily obtain the specific server address and port of the battle.
DDoS attacks and UDP
Common DDoS attack methods fall into two main types:
- Control a large number of external zombie hosts ("meat machines") and use scripts on them to attack the target server directly.
- Control only a small number of zombie hosts, send requests with a forged source address to public services on the Internet, and thereby carry out a distributed reflection attack against the target server.
Let's compare the packet structures of the TCP and UDP protocols:
We can see that, unlike TCP, a UDP flow does not offer multiple header fields that can be inspected.
To summarize, the main characteristics of UDP are:
- Connectionless
- The source IP is easy to forge (many operators do not check whether a source address was actually assigned by them), so it is hard to trace the source
- Low attack cost
Azure protection solution
For these attacks, we have five main protection ideas:
1. Server whitelist and blacklist
Allow only the business destination ports and block the common reflection source ports.
2. Location filtering
Based on the geographic distribution of the business's users, when a UDP reflection attack is encountered, source IPs from the geographic locations with the fewest users are blocked first, continuing until all source IP requests from abnormal locations are blocked, so that the traffic reaching the server falls back within range. This effectively reduces the interfering traffic.
3. Speed limit based on IP and port
Rate-limit controls on various combinations of source IP, source port, destination IP and destination port give a flexible and effective protection strategy and reduce the scope of business impact.
4. Abnormal flow fluctuation suppression algorithm
Learn and model normal business traffic. When a certain type of abnormal traffic fluctuates rapidly and suddenly, the system automatically determines which traffic is abnormal and rate-limits or bans it, avoiding any impact on normal traffic.
5. Fingerprint (watermark) filtering
Negotiate a specific watermark algorithm; the client carries the watermark field when it sends a packet, and a watermark filter then uses it to tell normal traffic from attack traffic.
For these five protection ideas, Azure can provide corresponding protection solutions:
- Network Security Group
- Azure Firewall
- Advanced custom protection
- Azure DDoS Standard Plan
- Advanced custom protection
We roughly summarize these as three main lines of defense:
The first line of defense: Azure DDoS Standard Plan
Enable Azure DDoS Standard protection to block most layer 3-4 attacks.
The second line of defense: adding a watermark
A watermark is embedded in every message sent by the mobile client, while attack messages carry no watermark. Azure can filter on these watermarks so that only messages carrying the watermark reach the back-end game server, achieving the protective effect.
The third line of defense: port-based rate limiting
We cannot guarantee that the watermarking scheme will withstand 100% of DDoS traffic, so when DDoS traffic still reaches the back-end server we can rate-limit each port, sacrificing one game (whose processing is suspended) in exchange for the normal operation of all the other game rooms on the server.
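To make the second and third lines of defense concrete, here is an added example (not code from the article or from Azure) of a watermark filter in front of a per-port rate limiter. The datagram layout, the HMAC-based watermark, the session key and the token-bucket parameters are all constructed assumptions; a real deployment negotiates its own watermark algorithm as the article describes.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

# Assumed (constructed) watermark format, not the scheme the article's game uses:
# datagram = 4-byte sequence number || 8-byte truncated HMAC-SHA256 tag || payload,
# with the tag computed over seq || payload under a key negotiated at login.
TAG_LEN = 8

def add_watermark(key: bytes, seq: int, payload: bytes) -> bytes:
    """Client side: prepend the sequence number and the watermark tag."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag + payload

def check_watermark(key: bytes, datagram: bytes):
    """Filter side: return (seq, payload) if the watermark verifies, else None."""
    if len(datagram) < 4 + TAG_LEN:
        return None
    header, tag, payload = datagram[:4], datagram[4:4 + TAG_LEN], datagram[4 + TAG_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None  # forged or unwatermarked: never reaches the game server
    return struct.unpack("!I", header)[0], payload

class PortRateLimiter:
    """Third line of defense: a token bucket per destination port (one room per port)."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def allow(self, port: int, now: float) -> bool:
        last = self.last.get(port, now)
        self.tokens[port] = min(self.burst, self.tokens[port] + (now - last) * self.rate)
        self.last[port] = now
        if self.tokens[port] >= 1:
            self.tokens[port] -= 1
            return True
        return False  # this room is flooded; drop so the other rooms keep running

def filter_datagrams(key: bytes, limiter: PortRateLimiter, datagrams):
    """datagrams: iterable of (dest_port, raw_bytes, arrival_time). Returns the accepted ones."""
    accepted = []
    for port, data, ts in datagrams:
        parsed = check_watermark(key, data)
        if parsed is not None and limiter.allow(port, ts):
            accepted.append((port, parsed[0], parsed[1]))
    return accepted
```

A tag alone does not stop replay of a captured watermarked datagram; a real filter also rejects sequence numbers it has already seen for that session.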