Nik

Application layer ddos protection that works only for windows? o.O?

I mean, kudos for supporting this crappy OS which shouldn't be used for servers, but one can get only so much from it...

OVH ddos protection is protecting you against huge ddoses, but small ones might be considered for normal traffic, therefore are passed to the gameserver. Since most of the gameservers have very bad network management, they get pwned by above than normal traffic, which OVH still considers as normal traffic. In such case having an extra application that can filter-out bad traffic might work, but its a very limited case. Its enough for a smart guy to craft a better attack and this kind of protection becomes not so useful.

That being said, on windows you will meet nothing better than an application-layer protection, which is not great, at all - you will need more powerful PC to protect against attacks compared to using Linux/BSD with proper firewall settings. In many cases iptables/netfilter/pf will filter out bad traffic orders of magnitude faster than windows.

If you are helpless person who is still running l2 server on windows and you have enough money and lack of knowledge to afford such protection, then go on, take the gamble and hope this kind of protection works, otherwise I suggest you to start running your servers on a proper server OS like Linux, BSD, or whatever, its not that hard to do so, the only hard part is configuring your firewall.

P.S. I have no idea if this guy is selling snake oil (scam) or is selling a real, working product. I do not suggest you to buy it or not buy it, I just tell you from experience the point of this topic.

Just run cmd.exe (not PowerShell crap) as administrator and start l2.bin from there lol.

Edit: nvm, this works on windows versions below 1809... windows ruined another thing yet again.

1 hour ago, Elfocrash said:

As I mentioned in my first post, the Autoproxy solution is currently in production and has been for about 2 weeks without any issues for a server that was constantly attacked.

Was? So its no longer attacked I assume. Your solution might only prevent very few gbps and mpps ddos. The server is still lucky to not get a bigger ddos.

1 hour ago, Elfocrash said:

Well it does though. It's not a cheap way to protect against it though. You can get very expensive ddos protected VPSes and host the proxies there.

And until mitigation kicks on, I can still down your proxies. Sure, once mitigation kicks on, you would be safe, but I can attack you again when your mitigation turns off and constantly harass your players by disconnecting them from every proxy.

1 hour ago, Elfocrash said:

This can't happen because the proxies only pass traffic through to the server if a player with this IP is connected to it. Since the ddos attacks come from another IP the proxy won't allow them through to the gameserver. The orchestrator keeps note of who is where and will only allow connected players traffic in.

Good, its not as horrible as I thought. But still, its a far cry from what it should be.

1 hour ago, Elfocrash said:

The proxy has such a small footprint that you don't need a beefy VPS to host it. 

While an in-kernel solution would have multiple times less overhead. The OS still needs to initialize the connection before it goes to your app, which means the machine where your proxy is hosted on is very vulnerable when it gets spammed by connections. An in-kernel solution can prevent initialization of connections, which in turn doesn't waste precious system resources.

Okay, we get it. Its just simple reverse proxy that has one good feature and that is the ability to change proxies while ingame.

Please do not advertise that thing as having the ability to protect against ddos attacks. It doesn't. It just hides the gameserver IP so the attacker cannot directly attack it. Its enough for a smarter attacker to lightly attack all of your proxies concurrently, just enough to not stress them too much, and those proxies will pass on the traffic just as if its a normal traffic, thus reaching the gameserver without any problems. The concealment of the real IP of the connections coming to the gameserver is working in favor of the attacker btw. Saying that your solution requires no additional firewall and whatever settings is just outright laughable, further nailing the fact that once you get attacked by a ddos, the whole solution will crumble down. So yes, you've created something that may route players traffic to a lower ping route. Nothing more, nothing less. There is no protection, it just conceals the gameserver and players' IPs.

If you really think your solution offers any kind of protection, fell free as @Tryskell said - test it on a real, live attacked server.

P.S. Yes, we do talk about NAT and tunnels, because it is the proper way to go if you want to offer any kind of basic protection. But of course, they alone do not offer the real solution, thats why firewall rules come into play after setting up proper NAT.

By lower level I meant lower network level.

And yes, I tag team in order to show him something funny. We do really enjoy reading funny mxc stuff. The funniest part is that I try to explain where your mistakes are in your "protection", yet you think your solution is top notch and has no problems at all.

And yes, my "archaic" solution is 5 terminal commands per machine, yet you've managed to make a whole app to do similar thing, just much worse xD

Oh, and thanks for that disclaimer, its nice comedy.

4 hours ago, Elfocrash said:

Disclaimer, this is NOT your usual shitty tunnelling proxy that you setup on the machine level. This is a reverse proxy implementation purely done in software that acts like an elastic load balancer.

OOOOOOOOOOOOOOOOOOOOOOOOOOOHHHHHHHHHHHHHHHHHHHHH

So its just a higher level application that is trying to do stuff that can be done at lower level. I thought you had implemented it at a lower level. That would explain why you have no idea of what I talk about.

43 minutes ago, Elfocrash said:

Nop, you're wrong. I'm outsourcing the responsibility to it's own app, ignoring the 100% useless system config that is completely unnecessary to provide a proper and more robust protection from the punny tunnelin solution that you disturbed. This isn't 2008 any more. We can do better.

@UnAfraid we are not 2008 anymore, its time to drop your GRE tunnels and iptables rules and start using this solution!!!

12 minutes ago, Elfocrash said:

Again, what I mean by "proxy" and what you mean by "proxy" seems to not be the same. I call proxy the service I'm running that deals with a lot of stuff including the proxy support. 

So basically you call your service "proxy" and that service connects the gameserver and the remote VPSes, players connect to an IP that belongs to one of the VPSes and your service relocates all the traffic of the player from the VPS to the gameserver?

45 minutes ago, Elfocrash said:

Not present on aCis, or any other project that's not based on l2jserver post proxy support

 

That's only true when the servers have different throughput or load.

 

It's a reverse proxy. By definition that would be impossible to do that's why there is a query for it.

 

The main server knows who is where, so when the proxy stops pinging back in time due to an attack, it will automatically transfer those players to the next healthy proxy.

 

It's run on the server and it has a lot more logic that a simple proxy tunneling configuration including but not limited to health, max size, failover, recovery, port hopping, analytics etc.

 

It sounds to me like you confuse reverse proxies with tunnelin proxies.

The player is indeed connected to the server via the proxy but the server can choose where to put the player while he is connected to the proxy. He can detach the player from the existing proxy, connect him to the new one and the player will just see the loading screen. Unless the proxy server that's being attacked doesnt go down in an instant, the server will automatically transfer the players to a healthy proxy and trigger a circuit breaker pattern on the unhealthy one.

 

Since the connection is a TCP connection there is no way to do this without a loading screen of some sorts. It's basic TCP. There is a reason why you must have this screen and it's part of the magic behind the proxy change.

 

L2j might have the ability to add proxies, that's 5 lines of code, but the job that the services do and the proxy orchestration / load balancing that happens hasn't been done before, at least not in something I have seen in l2j. It's not "just a proxy".

 

Also if it's done already (as described), feel free to point me to an implementation. I'd be very interested to see how you can do all this with tunneling proxy implementation.

 

Because you might be on the go and you wanna manage the server while not able to login.

Even if its not present in some servers, that doesn't mean the solution should be separate from the server. It can be easily integrated taking examples from l2j.

Next, saying that its a reverse proxy means nothing. You just did a bad routing. If preserving real IP was impossible when routing, internet wouldn't be able to function.

Next, if a proxy stops pinging properly the main server, how can it transfer its players, since it can't even ping the main server? xD

Next, the extra features are just extra sugar added. If the program cannot achieve its main purpose, why does anyone need the extra features? Also nearly all of those features can be done with simple administration setup. Port hopping? Why would anyone need that? I have all my proxies connecting to my main server at port 7777, there is no need to have extra ports. Explain me, why do I need those extra ports? You've just added an extra feature to resolve the issue of your poor routing, which needs extra ports...

I would also like to know the difference between reverse and tunneling proxies and why you've chose one over the other.

"Unless the proxy server that's being attacked doesnt go down in an instant." Yeah, thats the fine line between a bad program and a good program. There are no "unless this happens..." in a good program. Basically your program becomes totally useless if you get one decent ddos thrown at your server.

My question is, whats the point of the tons of features that your program has, if it cannot do its main purpose and that is to protect the gameserver properly? Also saying that there is nothing more you can do about the flaws is just very bad practice. There is always something you can do to fix a flaw.

I already have much better private solution which I cannot share. l2jserver's configuration is the base of the idea. The rest is up to the person to create the infrastructure behind it. That was the main idea we had in mind with @UnAfraid when we did that config for l2jserver. We used such solution for nearly 10 years. The only thing that had to be done is that which is not part of the gameserver, basically creating tunnels for every proxy and source routing the data from there. This is why I keep telling you that you are wrong. You just have made a fancy program that ignores the necessary system configuration that must be done for a proper protection. It just creates the illusion of safety until an attacker comes.

Traditional proxy selection

Not sure why you've included that, Its already present in l2jserver configuration. I wouldn't rely on some unknown program to do that for me.

Autoproxy

Its cool, but giving players the choice of proxy is even better. Keep in mind that closest location is not always properly routed, so you might have better ping at a farther location than a closer one.

Shortcomings:

The said possible usages are already covered by the default configuration present in the l2jserver where you can setup multiple gameserver listings listening at different IPs, but relocating to the same gameserver instance. Even having such proxies hiding the real gameserver ip, they do not offer any solution if they are not configured properly. If a proxy gets DDOSed and it proxies all traffic as usual, it would just send the DDOS traffic to the gameserver nevertheless... ugh. So a knowledgeable person who is able to setup a proper proxy VPS is required to fully benefit from this.

Apart from that, sure, maybe you can detect if a proxy is stressed, but do tell me please, how can it transfer a player to another proxy if the machine is stressed so much that is not responding to anything? At huge attacks, you can't even make a ssh session, how do you think your request to change proxy server to all players is going to reach them? This solution only works for light attacks. Even so, even if it works, that would force players to see the loading screen which will ruin their immersion. Imagine they are at siege or some event and they suddenly get a loading screen in the middle of the pvp. Also the inability to see the actual IP of the player is yet again another sign of misconfigured proxy.

You even haven't specified where this program is meant to be run. At client or at server? If its ran at the server, then its pretty much useless because nobody should rely on such a program - a properly configured proxy tunneling using l2j's default config is pretty much everything. If its ran at client, basically if every player must run it even if its in background, I do wonder how you've implemented this stuff to work.

Overall you've fixed nothing. You've created a program that already offers what l2j has. The only interesting feature is the ability to switch proxy servers while ingame, but that feature is so flawed still, that is not useful to have it. You have 2 major flaws in it. The first one is the fact that you still need to be connected to the stressed proxy before you can switch to a light proxy, which doesn't guarantee at all that the player will receive the required packet that would change its proxy connection. A more proper solution will be that somehow the client listens for incoming packets of other proxies directly, in that case you do not need to wait for the unstable stressed proxy to send a proxy change request. The next flaw is that its not seamless enough. The connection change must happen instantly, no loadind screens no nothing. The connection itself should be interchanged seamlessly. That might require some kind of reverse engineering in l2 client to check if such thing is possible. If you can fix those two flaws, then you have some future for your idea. But for now, it does not provide anything new, its just fancy program does does what l2j already does itself.

Yes, but you need to wait a lot and it just takes way too much time to kill a boss (example baylor needs at least 15-20 mins with such party, where the yul 2-shots him) and also RB drops are very unsatisfying, you get almost nothing from them.

Even your H5 GMs are weaker than this yul :D

Unlike in helios where a donator yul can kill a whole party with 2-3 AOE skills... or even this:

You need to spend at least 200-500 euro to even make a start. Without giving anything, you wont manage to even progress, because nobody will take you on instances with your poor gear.

Gamecoast?

Lvl 85 is in max 2 days. Getting gear after that without donate is hard. Helios is mucho donate, so GL trying to get brooches and jewels and OP agathion and OP dyes and abundance talisman etc etc without donate on retail :D Makes me wonder what class you chose to play...

But how can you play a server with only 2000 online o.O? H5 privates have 10000, its much more online!

P.S: You will only realize how shit H5 is, even if you find helios shitty, H5 is shittier.

w/e me now fighting at 60 lvl with 2037489709 ppl for fucking Q monster, me mucho mad 

Go play H5 shit like you used to do. Why play Helios?

http://stackoverflow.com/questions/34512/what-is-a-deadlock

Never call Thread.sleep(...) inside a thread launched by threadpool (all gameserver threads are running from threadpool). This will cause the whole thread pool to sleep, and the server will hang. Very bad code, he need to learn when to properly use Thread.sleep.

I'd give u 50 euros for your sister. @Nik

A simple manicure procedure from her costs you 50 euro lol. If you plan to have manicure, feel free to give her those 50 euro.

Dressme system for 50 euro? If you are running H5 I'm all in :D

https://bitbucket.org/UnAfraid/l2junity/src/c076c9e7b0b9ee90e9eb11280eab4cfc7e39904e/l2junity-gameserver/src/main/java/org/l2junity/gameserver/model/skills/SkillOperateType.java?at=master&fileviewer=file-view-default

Read comments.

i guess thats why someone above called you a jerk.

 

you can deny to work someone but dont start your job and quit midway like with me. thats just unprofessional and childish.

you lie again, you had access to the files and nothing should be unknown since you coded on those files for over 5 hours.

just admit that u were lazy and move on.

anyway its not about crying, its about leaving a review on this topic for the interested customers etc.

 

ps. i still think your coding skills are pretty good.

Makes me curious, what kind of work was it to take 5 hours and then quit? :D

Because GOD presents much more gameplay. The main problem is the way you get things on retail, since its built upon the "pay to win" model and half of the goods are available only for money and you cant progress at all if you havent spent any money. Dex failed because it was older version (iirc dex was Glory Days or Lindvior, and gameplay before Ertheia sux anyway) and followed the boring official model of getting things and progression.

Basically what GOD is, is a version to provide you with tons of things to get and do (unlike recent H5 servers which simply copy GOD stuff to make H5 client more rich), but they must be presented in a way that encourages gameplay.

wow, is that you server description???

Which one?