What are your opinions on TCPShield?

Status
This thread has been locked.

I_Luv_Cowz

Feedback score
5
Posts
292
Reactions
120
Resources
4
Hey MC-Market, I'd love to hear all of your guy's opinions on DDoS protection/Proxy services.
The options I've heard are: TCPShield, ProxyPipe, Cloudflare Spectrum, OVH's in-house DDoS protection for game servers.

My analyses of above options:

TCPShield - Good for OVH (since they're hosted in the same datacenter which makes latency lower), however it has recently been making connections unstable & increased latency ever since they revamped their whole system and added all the paid plans.

ProxyPipe - Never used, never really heard of until recently - and the last time it was mentioned on mc-market was in January 2020

Cloudflare Spectrum - Would be amazing and low latency, but bandwidth costs $1/GB + $20/Month for pro plan which is a pretty high rate.

OVH's in-house DDoS protection - This would mean exposing the backend IP and hoping people don't use a botnet. OVH's DDoS filtering is good for 1-50 source IPs, but when someone uses a larger botnet, its essentially useless.

My current setup:
OVH Game server using TCPShield free plan.

Issue with current setup:
Connections are unstable and player's ping often spikes (This doesn't happen without TCPShield).

Would love to hear any suggestions or opinions.
 
PebbleHost
High performance, consistent uptime and fast support. Minecraft hosting that just works.

Stefatorus

Experienced Java Developer & SysAdmin
Premium
Feedback score
7
Posts
0
Reactions
99
Resources
0
No OVH filters or mitigates internal traffic within the OVH network... Which is the issue we've been talking about for the past few responses, your response isn't very helpful.
First post addresses your issue with a workaround.
 

I_Luv_Cowz

Feedback score
5
Posts
292
Reactions
120
Resources
4
I don't know if you read what I said, but I recommend reading it again. I told you that OVH provides hardware firewalls that you can achieve this with.
Ah, so traffic that is blocked by that firewall wouldn't effect your bandwidth? Could you possibly link me an article explaining the hardware firewall provided by OVH?
 

I_Luv_Cowz

Feedback score
5
Posts
292
Reactions
120
Resources
4
Seems like OVH doesn't offer this anymore sadly. That's alright. Here's a pretty good alternative instead, at least in terms of blocking other OVH IP Addresses:

https://docs.ovh.com/gb/en/dedicated/firewall-network/ <-- This is their firewall with a neat little network diagram that shows how it stands behind your server. This is part of OVH's VAC system with 80Gb
em96e5CBa6bd1f9c3C.png



It seems OVH's network firewall won't be of much use...

To explain a little more - you can add OVH's failover IP addresses as a virtual network interface. For an example, you may configure a singular IP as eth0:0 on CentOS. You can effectively null route this address by simply doing ifdown eth0:0. Your primary IP address is never known, and by removing it from your system - the IP is essentially a black hole - which is what the purpose of a null route is. You could do this indefinitely and cycle through a few addresses. If you use OVH's vlan feature, you can accommodate this with something similar to a heart-beat monitor or load balancer, because this additional server can act as a vrouter/vswitch. I don't see why this wouldn't work with OVH's infrastructure and the level of control they give you with their vlan's. It does come at an additional cost however.
I understand that the primary address would not be known but if they take the proxy offline, that would interrupt the connections of all online players (because its proxying the connection). If you cycle through a few IPs, there is still enough time to take the proxy offline before it switches to another IP (and null routes the old IP) - and you can always attack the new IP as well. It would be a temporary null route, however it wouldn't be very effective since the new IP isn't hidden at all.
 

I_Luv_Cowz

Feedback score
5
Posts
292
Reactions
120
Resources
4
You can't just get rid of the traffic. It has to go somewhere, and something has to deal with it. Period. It cannot just be vanished, because if it were that easy, mitigation could be as simple as a google search. That's why it would be beneficial to get a vrack though, because the transition between IP addresses would be seamless. It doesn't affect the end user.
Yes, this is true, but if you disconnect the IP address, traffic to that IP is no longer routed to your server and is now handled by OVH. If the proxy server's bandwidth gets saturated at any point - no matter how long or short, it will effect the end user and increase latecy.
My question stands: If the proxy server is attacked, then you switch the IP, and they attack the new IP - how would switching the IP be helpful?
 

I_Luv_Cowz

Feedback score
5
Posts
292
Reactions
120
Resources
4
Most people who are going to hit off a Minecraft server is likely using a booter, not anything sophisticated. Usually, for a monthly fee, you can hit off one address for a specific period of time. Longest I've seen is an hour. Ok. Lets say that they have a special plan, or the booter provides multiple addresses to hit at once time.

If that booter hits at 10Gbps; and you have 8 addresses (for a one time fee), that suddenly becomes 1.25Gbps to each address. The point is eventually the traffic isn't going to saturate the uplink anymore. This works under the assumption that the booter doesn't allow the user to cancel the attacks though.

If you have someone with a massive scale botnet that is gonna hit your server at 100Gbps, you're not going to have a good time mitigating that.
Most booters allow a user to cancel an attack. If its even a 1GBPS attack from within the OVH network, they can keep cancelling and re-booting after you switch the IP - this would saturate all of your bandwidth.
 

I_Luv_Cowz

Feedback score
5
Posts
292
Reactions
120
Resources
4
so? the other addresses wouldn't be under attack, but you don't really have much of an option. the same could be said if you went with any other provider. they have their capacity, and once that's reached it's game.

Not trying to be a dick, but the only thing I could reasonably think of that would be decent to do is to try to cycle through those addresses and hopefully they'll get tired of doing that since it wouldn't bring the server offline. It automatically changes, and if they cancel it on 1.1.1.1, 1.1.1.2 is attacked, just swap to 1.1.1.1 or 1.1.1.3. once the other address is brought offline, it isn't reaching your server and not saturating bandwidth.

It's not a elegant solution or by any means efficient, but can and has proven effective.
Hm, I see how this could work, but as you stated, it seems cost inefficient (since a 10GB port with OVH would cost a lot), complicated to setup, and only effective to a certain capacity.

I appreciate your responses and insight into my initial question. It seems the only 3 real options I have are using TCPShield, trying to get OVH to filter internal traffic for me, or getting a high capacity port and only committing to a lower amount (IE: getting a 10GB port but only committing to 1G:cool: and hoping that there are no DDoS attacks with more than 10GB of traffic.
 

I_Luv_Cowz

Feedback score
5
Posts
292
Reactions
120
Resources
4
You are not understanding what I’m saying, at least in regards to how this works. Either way, yes. You must come to understand though, you HAVE to make compremises - either pay what a proper setup is, or cut corners and take the risks for a cheaper setup. Nothing is bullet proof if it gets shot enough
I see, thank you.
 
Status
This thread has been locked.
Top