This article is published by Tencent Game Cloud in the Tencent Cloud + community column.
This article shares the security risk scenarios faced by game businesses and how to protect against them based on the characteristics of those scenarios.
[I. Background: DDoS attacks on the game industry are becoming more and more serious]
According to the 2017 Game Industry DDoS Situation Report, China has become the region most affected by DDoS attacks in the world, accounting for 84.79% of attacks.
The second characteristic is that large-traffic attacks keep increasing: the proportion of attacks over 100 Gbps grows year by year.
The third characteristic is that the game industry is the most heavily attacked industry. Within it, chess and card games are attacked especially severely, accounting for 57% of the game attacks above 100 Gbps.
In addition, very large attacks have started to appear in China. On April 8 this year, Tencent Cloud defended against 1.23 Tbps of attack traffic, and DDoS attacks are getting fiercer. Faced with increasingly severe attacks, how to build a defense for the business is a problem that every game developer and publisher has to face.
[II. Common game risk scenarios]
Given the increasingly severe attack risk facing the game business, it is worth analyzing that risk further to lay the foundation for the corresponding protection. A game security scenario consists of two parts: business attributes, and technology and deployment architecture. Business attributes include the game type, attack trends and latency requirements; they determine the probability of being attacked by DDoS, the volume of attack traffic and the type of defense resources required, for example BGP lines or single-carrier lines from the three carriers. The technology and deployment architecture, including the communication protocol used and the deployment topology, determine which protection products need to be used.
Business attributes
Business attributes can be broken down along the aspects shown in the following diagram:
1. Game type
In recent years, with the continued popularity of mobile games, more and more types of mobile games have appeared, such as MOBA, MMO, and the chess and card games that began to emerge in 2016. MOBA, MMO and similar games are launched nationwide and have weak regional attributes; competition is fierce but mostly benign. Chess and card games, however, are mainly distributed regionally within China. Because of differing local rules they have strong regional attributes and clearly identifiable competitors, which easily leads to improper competitive behavior. The typical case is using DDoS attacks against competitors.
2. Life cycle
Different services face different attacks at different stages of their life cycle. Take chess and card games, especially local ones: in the early stage after a new game goes online, it may be knocked offline by attacks, because at this stage an attack has the most impact for its cost. If a new game is attacked continuously for several days during launch, its reputation deteriorates, the advertising conversion rate and retention rate from the launch investment drop sharply, and the publisher suffers large economic losses.
3. Latency requirements
Two things must be considered when defending a business: preventing attacks, and minimizing the impact on the player experience. The ability to resist attacks depends on the technology, architecture and resources of the high-defense products, which are described in more detail later. To avoid affecting the player experience, it is recommended that the added network latency not exceed the latency limits given above. Because network latency depends mainly on the quality of the network line, BGP protection resources are recommended for MOBA and MMO games. Chess and card games can combine BGP resources (normal service access plus basic defense) with three-carrier defense resources (defense under heavy attack traffic).
4. Attack type
In recent years, attacks have mainly been reflective UDP attacks with huge traffic. In early 2008, Memcached was used to amplify traffic 50,000 times, an alarming situation that made an effective UDP protection policy urgent. The attack duration and frequency allow the attacker's intent and subsequent attacks to be predicted to some extent, which helps defense preparation. For example, if attacks last long and come frequently, with a new peak every ten minutes or so, the attacker is determined to take the target down, and the developer should work with the cloud provider on targeted protection.
5. Attack size
The 2017 attack statistics above show that attacks were concentrated in February to April, with low attack volume and frequency during the other three quarters of the year. In terms of attack size, 87.1 percent of attacks were below 50 Gbps and 51.2 percent were below 10 Gbps. So is it reasonable to reserve 20 or 50 Gbps of guaranteed protection and still be protected when an attack exceeds that baseline? In other words, can a "guaranteed baseline + elastic" protection mode balance protection effect and cost?
Technology and deployment architecture
1. General game architecture
In the general game architecture, players download updated resource packs through a CDN, log in through a domain name, and then connect to the assigned game server to start playing. The rest of the game's peripheral services sit on the intranet. A malicious attacker posing as a normal player obtains all the domain names and public IP addresses exposed to players directly from the public network, and then attacks the game with the large amount of Internet traffic under their control. In this architecture the possible targets are the CDN, DNS, login entrance, game server entrance and other services exposed to the public network. CDN and DNS are generally platform services and rarely attacked; the main targets are the login service and the game service.
2. Different latency requirements
In protection, services such as login and payment tolerate higher latency than the game service, so their protection differs from that of the game servers: large-bandwidth high-defense resources such as single-carrier China Telecom or China Unicom lines can be considered. The latency requirement of the game server is closely tied to the game type, as described above.
3. Whether the IP address can be changed
From the perspective of the service's technical architecture, whether the IP address can be changed determines the flexibility of protection. If it can, multiple IP addresses can be scheduled flexibly to achieve "guerrilla-style" flexible defense. If it cannot, the attack traffic must be absorbed with bandwidth and then scrubbed; in that case, once the attack volume exceeds the bandwidth limit, the server's public network entrance is congested and almost paralyzed, and almost no service requests can be processed normally.
4. Whether it can be deployed in multiple regions
In addition, if the business can be deployed in multiple regions, it can make better use of high-defense resources in those regions, and the player experience is better.
[III. Summary of protection thinking]
Architecture design stage
With security protection in mind, design so that the public IP address can be changed or the server is accessed through a domain name, and so that the architecture can be deployed in multiple regions.
Service deployment stage
Keep the number of services exposed to the public network (that is, the targets to be protected) within a reasonable range, so that an attack on a single point does not affect all players; at the same time, weigh the cost and effect of protection.
Based on the game type and whether the competitive environment is healthy, decide whether the game needs independent protection resources, and whether different player groups and business modules need separate protection; otherwise multiple services can share defense resources.
Based on latency requirements, select the region and line of the protection resources. Different services within a game may have different latency requirements; for example, lobby servers usually have looser latency requirements than game servers.
Based on industry attack statistics and the game's own competitive situation, decide whether a "guaranteed baseline + elastic" protection mode is needed to balance protection effect and cost.
When services are under attack
Adjust the baseline and elastic protection according to the attack situation, and adjust the defense policy according to the attack frequency. If the attack is high-traffic but still within the defense bandwidth, continue with high-bandwidth defense or upgrade the bandwidth appropriately to ensure the defense effect. If attacks are frequent, exceed the available bandwidth, or make defense too expensive, consider the high-defense IP scheduling mode.
Frequent and complex attack scenarios require multiple layers of defense. For example, multi-IP flexible scheduling can be the first layer, and large-bandwidth three-carrier protection the fallback second layer. Effective protection can be achieved against CC (HTTP flood) attacks, and customized protection can be done to some extent in complex scenarios.
Help from Tencent Cloud experts
In all of the above stages, you can contact the Tencent Cloud team to work through multiple rounds of attack and defense together.
[IV. Tencent Cloud new-generation high-defense solution]
Faced with increasingly severe security threats, Tencent Cloud's new-generation high-defense solution can be used to ensure service security. It provides a comprehensive, multi-level DDoS defense that fully matches the defense ideas above. You can select a high-defense IP address or a high-defense package according to the service deployment characteristics, and configure advanced security policies, CC protection policies and watermark protection policies according to defense requirements, to respond flexibly to various DDoS and CC attacks.
Protected domain name
A protected domain name provides intelligent resolution and automatic switching. If multiple lines of defense resources, including BGP, are available at the same time, resolution prefers BGP. If the BGP line is blocked due to an attack, the system automatically switches to the three-carrier defense resources and, based on the visitor's source IP address, resolves each visitor to the line of the visitor's own carrier to keep latency optimal.
High-defense IP
With a BGP high-defense IP, the client connects to the high-defense IP, which forwards the traffic to the game server. It can forward to servers inside or outside Tencent Cloud.
High-defense package
For services deployed on Tencent Cloud, the high-defense package is like a layer of armor. It takes effect directly on the existing service IP addresses, so the service gains high-defense protection quickly without any changes. There are two kinds of high-defense package:
- Single-IP high-defense package: protects one Tencent Cloud server or load balancer;
- Multi-IP high-defense package, also called the shared high-defense package: protects multiple Tencent Cloud servers or load balancers.
Advanced security policy
If the DDoS attack packets have identifiable characteristics, specific security policies can be configured to filter them out.
CC protection policy
CC protection has always been a difficult point. By setting custom detection and handling policies at the CC detection and cleaning level, certain CC attacks can be blocked effectively. If unusual CC traffic still reaches the server, the emergency defense mode can be enabled to tighten the defense policy.
Empty connection protection
Empty connections are a common CC technique. The Tencent Cloud backend first establishes the connection with the requester itself, and only when a non-empty request arrives is a real connection established between the requester and the server, so that empty-connection attacks do not affect the service.
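To illustrate the empty-connection protection described above, here is an added example (not Tencent Cloud's code) of a small asyncio TCP front-end that completes the handshake itself and opens the backend connection only after the client has actually sent data, so idle empty connections never reach the game server. The backend address, the timeout value and the local echo server used by the demo are assumptions.

```python
import asyncio
EMPTY_TIMEOUT = 2.0  # seconds a client may stay connected without sending data (assumed value)

async def pump(reader, writer):
    # Copy bytes until EOF, then close the writer (also serves as the demo's echo backend).
    try:
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def handle_client(client_reader, client_writer, backend_host, backend_port, timeout=EMPTY_TIMEOUT):
    # We complete the TCP handshake ourselves; the backend is contacted only after real data arrives.
    try:
        first = await asyncio.wait_for(client_reader.read(4096), timeout)
    except asyncio.TimeoutError:
        first = b""
    if not first:
        client_writer.close()  # empty connection: dropped without ever touching the game server
        return False
    backend_reader, backend_writer = await asyncio.open_connection(backend_host, backend_port)
    backend_writer.write(first)
    await backend_writer.drain()
    await asyncio.gather(pump(client_reader, backend_writer), pump(backend_reader, client_writer))
    return True

async def run_demo(timeout=0.3):
    # Stand-alone check: a local echo server stands in for the game server (constructed test setup).
    backend = await asyncio.start_server(pump, "127.0.0.1", 0)
    backend_port = backend.sockets[0].getsockname()[1]
    outcomes = []
    async def on_client(reader, writer):
        outcomes.append(await handle_client(reader, writer, "127.0.0.1", backend_port, timeout))
    proxy = await asyncio.start_server(on_client, "127.0.0.1", 0)
    proxy_port = proxy.sockets[0].getsockname()[1]
    _, empty = await asyncio.open_connection("127.0.0.1", proxy_port)  # handshake only, no payload
    await asyncio.sleep(timeout * 2)
    empty.close()
    reader, writer = await asyncio.open_connection("127.0.0.1", proxy_port)
    writer.write(b"login:player1")  # constructed payload from a real client
    await writer.drain()
    echoed = await reader.read(4096)
    writer.close()
    backend.close(); proxy.close()
    return outcomes[0] is False, echoed  # (was the empty connection dropped?, what the real client got back)

def demo():
    return asyncio.run(run_demo())
```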
Watermark protection
If CC attacks are frequent and large and must be defended thoroughly, watermark protection can be used. Tencent Cloud's new-generation high-defense solution adds a dynamic label, the watermark, to service packets to identify whether they are normal game traffic. A potential attacker cannot attack by capturing packets and replaying them, so attack traffic is filtered effectively, 100%.
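As an added illustration of the watermark idea (not Tencent Cloud's actual algorithm, which this page does not describe), the following Python assumes a per-session secret shared between the client SDK and the scrubbing side and tags each packet with a sequence number plus an HMAC, so that unwatermarked, tampered and replayed packets are rejected while reordered genuine packets inside a window are still accepted.

```python
import hmac
import hashlib
import struct

SESSION_KEY = b"constructed-per-session-key"  # assumption: negotiated per client session and rotated by the provider

def tag_packet(key, seq, payload):
    # Client side: prefix the payload with a sequence number and an 8-byte HMAC tag over (seq || payload).
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:8]
    return header + tag + payload

class WatermarkVerifier:
    # Scrubbing side: accept a packet only if the tag verifies and the sequence number is fresh.
    def __init__(self, key, window=64):
        self.key, self.window = key, window
        self.highest = -1   # highest sequence number accepted so far
        self.seen = set()   # accepted sequence numbers still inside the replay window

    def verify(self, packet):
        if len(packet) < 16:
            return False    # no watermark at all (e.g. raw flood traffic)
        header, tag, payload = packet[:8], packet[8:16], packet[16:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False    # forged or tampered packet
        seq = struct.unpack(">Q", header)[0]
        if seq in self.seen or seq + self.window <= self.highest:
            return False    # replay of a captured packet, or too old to be trusted
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + self.window > self.highest}  # forget expired entries
        return True

def simulate():
    # Constructed traffic: genuine packets, a replay, a tampered copy, a flood packet, reordering and a stale packet.
    v = WatermarkVerifier(SESSION_KEY)
    genuine = [tag_packet(SESSION_KEY, seq, b"move:%d" % seq) for seq in range(3)]
    results = {}
    results["genuine_accepted"] = all(v.verify(p) for p in genuine)
    results["replay_rejected"] = not v.verify(genuine[1])
    results["tampered_rejected"] = not v.verify(genuine[2][:-1] + b"X")
    results["unwatermarked_rejected"] = not v.verify(b"move:99")
    results["reordered_accepted"] = v.verify(tag_packet(SESSION_KEY, 100, b"late")) and v.verify(tag_packet(SESSION_KEY, 90, b"late"))
    results["stale_rejected"] = not v.verify(tag_packet(SESSION_KEY, 30, b"old"))
    return results
```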
[V. Protection schemes for common game types]
MOBA/MMO
For MOBA and MMO projects, BGP high-defense packages can cover all public network services.
A new game can use a BGP high-defense IP address or a BGP high-defense package to cover all public network services. When an attack triggers a blackhole, the defense package can be upgraded to quickly lift the blackhole state and restore service access.
Chess and card games
For chess and card games the attack situation is more complex: attack traffic is large, attack types are diverse and change quickly, attackers are more professional, and the attack cycle can be very long, in a few cases months or more than a year. A plan for handling complex situations is therefore needed. Based on experience, we have established a multi-level protection system that escalates step by step and adjusts the protection strategy in a targeted way to achieve effective protection.
The defense scheme can combine a protected domain name, a BGP high-defense IP, a three-carrier high-defense IP and a high-defense IP flexible scheduling policy. Layer 1: the BGP high-defense IP handles small and medium attack traffic and serves as the entrance for normal external service. Layer 2: three-carrier high-defense or BGP high-defense IP flexible scheduling provides protection, with three-carrier high-defense as the fallback. Layer 3: if attack packets have length or content characteristics, a custom defense policy can filter them. Layer 4: if there are obvious CC attacks, the default empty connection protection and emergency protection mode (a stricter filtering policy) help the business keep serving normally, and watermark protection can be added gradually during development or after launch, which protects effectively against CC attacks.
[VI. Conclusion]
The above is a brief analysis of common game scenarios and anti-DDoS solutions. If you have anti-DDoS requirements, contact Tencent Cloud sales or industry architects to discuss detailed requirements and the new-generation anti-DDoS solution.
This article has been authorized by the author for release in the Tencent Cloud + community. Original link: cloud.tencent.com/developer/a…