Games that communicate with the server are always exposed to attacks from the network. The most troublesome of these is the DDoS attack. In this article, by contracting with Alibaba Cloud,
-Introduction of AntiDDoS Premium that can protect systems running other than Alibaba Cloud, --About the special function TOA of AntiDDoS Premium
A DDoS attack is an attack that interferes with a specific service by exposing it to a large amount of communication using a large amount of IT equipment around the world. The communication used for the attack is
――Use something that the telegram itself induces a malfunction of the service, --Usually harmless communication or invalid communication is exposed to the service line for hundreds of Gbps to saturate the line and force the service to stop.
Since the attacked side continues to be exposed to a large amount of communication that does not know which IP address it comes from, it cannot be properly protected by using the IP address, and the line equipment (line equipment) with too many invalid packets. Since the firewall, router, etc.) will be overloaded, the original service cannot be provided at all.
There are several DDoS attack protection services available on Alibaba Cloud. I will put this on the table.
|Anti DDoS Basic||A service that DDoS protects systems on Alibaba Cloud.|
|Anti DDoS Premium||A service that can protect systems installed outside Alibaba Cloud by DDoS|
|Anti DDoS Pro||DDoS protection service that can be used for those who have servers in China|
|Game Shield||It can defend against various attacks specialized for game applications. DDoS protection is also included. (However, it must be linked with the application)|
This time, I would like to introduce Anti DDoS Premium.
Anti DDoS Premium is a service that can protect against DDoS attacks on systems running outside Alibaba Cloud. Like other cloud services, it is not a narrow service that only the cloud system that provides the service can protect from DDoS attacks. You can be confident about DDoS protection because you can fully protect the external system.
Let's draw a diagram of how to enter Anti DDoS Premium as seen from the protected system side.
As shown in the figure, the system to be protected is protected by entering as a Proxy server in front of the system.
In addition, the IP address of the client is saved as shown in the table below. Of course, WebSocket is also supported for HTTP / HTTPS. Unfortunately, there is currently no way for UDP to know the client's IP address as it is. The only way to know the client's IP address in UDP is to have the client application act like including the client's IP address in the UDP message.
|protocol||Type(※1)||Where is the client's IP address stored?|
|HTTPS(TLS1.2nd grade)/HTTP/2/WebSockets（※2)||Website||X-Forwaded-For header|
|Any TCP||Non-Website||Stored in the TCP Option field. You can restore a specific Linux Kernel with the TOA feature enabled.|
|Any UDP(※2)||Non-Website||Currently not recorded. (If you want to know, you need to embed the IP address information in the UDP message in the client application)|
For HTTP / HTTPS only, Anti DDoS Premium records the client's IP address in the X-Forwarded-For header. For arbitrary TCP communication, the IP address of the client can be known on the server side by using TOA, which is a special function of Anti DDoS Premium, which will be described later. Unfortunately for UDP, there is no way to know the IP address of the client.
Let's use it now. Step1. First, select the Anti DDoS Premium menu and perform the purchase operation. It's easy to buy because you just push a button!
Step2. Next, set the HTTP / HTTPS communication you want to protect. If there is HTTP / HTTPS communication that should be protected from DDoS, set it here. To set it, follow the procedure shown in the figure. Step3. Next, set the communication that is not HTTP / HTTPS that you want to protect. To set it, follow the procedure shown in the figure.
Now your system is DDoS protected in no time.
As you can see by actually setting the communication, it is difficult to set each communication you want to protect. Here, you can get the XML file of the settings, process it with your favorite editor, and specify it at once. I will introduce it in the figure. It's that easy!
Even if you read the manual of Anti DDoS Premium on Alibaba Cloud, TOA is a function that is actually usable but not described. Here, we will describe TOA.
TOA is an abbreviation for TCP Option Address. The Option field of the TCP packet contains a special ID and the IP address of the client, which is restored by the toa module of the special Linux kernel and returned as a result of the system call. In fact, this function is available by default for TCP communication specified on the Non-Website of Anti DDoS Premium.
The advantages and disadvantages of this function are as follows.
With a normal Socket program, the IP address of the client can be obtained by the normal procedure. You don't have to worry about having Anti DDoS Premium in between.
Since iptables is processed before toa processing, it is processed by the source IP address of the TCP header. Therefore, it is not affected by the client IP address specified as TOA.
To use TOA, the current system must be running in the following environment.
--The server must run the RHEL / Centos 6 series 64-bit x86 kernel. --The environment must be able to install and boot the non-standard OS kernel.
(There is no problem if the system you want to protect against DDoS is an on-premises environment!)
Basically, follow the manual written on the Anti DDoS Pro side. You can also download the RPM from the kernel listed in this manual.
How can origins outside Alibaba Cloud get clients’ real IP addresses? https://www.alibabacloud.com/help/doc-detail/52477.htm
Step1. Get the following kernel package
$ wget http://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/attach/52477/cn_zh/1491917761209/kernel-2.6.32-220.23.2.ali_github.el6.x86_64.rpm
Step2. Installed with the rpm command.
$ sudo rpm -ivh kernel-2.6.32-220.23.2.ali_github.el6.x86_64.rpm
Step3. Reboot as it is
$ sudo reboot
Step4. Confirm uname
$ uname –r 2.6.32-220.23.2.ali_github.el6.x86_64
Confirm that it comes out
Step5. Enable TOA
$ sudo modprobe toa
Note: If you want to disable TOA
$ sudo modprobe -r toa
You can disable it with.
The figure below shows the difference between the results of the nc command when TOA is disabled and when it is enabled. Mysteriously, when TOA is enabled, you can see that the nc command has obtained the IP address of the client.
The actual TOA communication is shown in the figure. The communication itself is normal TCP communication, but the TOA information is hidden in the TCP Option field.
Let's actually use the tcpdump command to see it.
The TOA value is the part surrounded by red and the part surrounded by blue in the above figure. This is explained below.
The structure of the kernel and toa module is illustrated below. You can see that the packet information is rewritten based on the information contained in TOA before it is passed to the system call.
Kernels with TOA enabled will now see statistics in / proc / net / toa_status. The content and meaning are shown in the figure.
I'm not afraid to have trouble with TOA! : laughing:
If you remember this much, DDoS is not scary!
-Alibi Cloud's Anti-DDoS Premium is easy to use and stubbornly protects infrastructure other than Alibaba Cloud from DDoS. It's easy because you can set it up immediately! -Alibi Cloud's Anti-DDoS Premium Non-Website is convenient because you can use the IP address of the client side as it is with the socket api by using the TOA function!