WTS Service - 100% DDoS protection (OVH)

[Dimis4]

4 hours ago, AlmostGood said:

use OVHs edge firewall and own rule set with default drop all, extend L2 client to calculate some math challange before login request is attempted, send result together with some hwid/ip to aws/gcp instance which will verify it and query OVHs firewall api to allow login. Mystery of application layer "100% DDos Protection" solved.

 

your idea is good and that would be the ultimate protection , but have in mind that ovh firewall can only handle up to 20 rules . that means you can have up to 19 online players ( one reserved for drop all ) so you have to find another workaround. 

[AlmostGood]

they have dedicated firewall solutions which doesn't have such limits like VMware NSX, where you can filter traffic on the edge

 

but even if you run on budget, its doable with 20 rules limit and some extra code because you only need to allow connection init, once its established/related it will pass firewall, so you could setup TTL for rules to expire after 10sec and add extra msg on game start about queue when your rules set is full :D to make it smoother, i would block manual auth with login/pass and use autologin + launcher passing login data in process args.

Edited January 14, 2020 by AlmostGood