Can Rathena be compatible with HTTP? (because of anti-DDoS)


bluesky

Hello, I've come from https://github.com/rathena/rathena/issues/2654

I really hope Rathena can be compatible with HTTP.

Maybe like this image?

[Image: n22MGpm.png]

Because nowadays, DDoS attacks are very frequent.
In my country, almost 90% of servers have been under DDoS attack.
If Rathena could support HTTP forwarding to TCP, that would help us a lot.
Even though Azure has DDoS Protection Standard, in fact I was still disconnected under a DDoS attack.
So the Azure technical service staff suggested I use Application Gateway.
But Rathena uses TCP, and Azure Application Gateway uses HTTP.

And I tried many servers, like:
1. Google Cloud Compute: can only stop a few DDoS attacks
2. OVH: can stop DDoS, but ping is about 120~240ms...
3. Other Asian anti-DDoS servers (about 500~1000 USD/month): can only stop a few DDoS attacks
4. Azure: can stop "most" DDoS attacks, ping is about 35~50ms, and it's cheap (about 350 USD/month).

So Azure may be the best choice for Asia.


Thank you!!!

Edited by bluesky

7 answers to this question

  • 0

Hmm, even if we did, you'd have to modify your client to force it to use HTTP too.

Now that's not impossible, but I feel it's not the good way, as IMO it would be more work than editing the filter. I don't get how that application gateway can protect on HTTP but not TCP.

Now hmm, why do you want all servers to be protected? What's the common way of attack? Do they spam a particular port, which then results in DDoS? Would protecting login only be enough?

Anyway, you could change rA to use HTTP; I would suggest using HTTP/2 and protobuf to do this. This should be done in pair with the client, so whatever you choose is fine as long as the client is happy with it. Just keep in mind that you want a persistent connection, because the default for HTTP is a connection per request.

Now what I would really do in your shoes (besides asking wtf if that protection is only for HTTP) is:
1) Put all your login-serv / char-serv / map-serv on private IPs, say 10.*
2) Host or rent a VPN server that will allow your users to join the private network of your servers (preferably on another device; this way, even if it gets attacked, only the VPN is DDoSed but not the actual game servers).

Now only protect this VPN server and voilà, you're all good. People should be able to DDoS your server because they don't know their addresses (at least not in this way; if they flood once connected, that's another matter...).
Instead of having to modify both client and server, you modify none. And just ask your users to launch their VPN client first.


 

Edited by Lighta

  • 0

For DDoS attacks, here is my suggestion.

I never tested this, but it can be done.

First, limit the bandwidth per IP; the player does not need more than 10 KB/s (you can put it like 25?).

So this will protect you from the bandwidth overload.

For the ports, you can also limit the access per IP (make it like 10 per IP or even more :P).

If you can do those two things, then you've done a lot of protection without any hard work.

As I said, I never did that (on Linux), but it's possible.

HOWEVER, if you did that you would need to make an exception for your IPs / SQL IPs / website IPs / etc.

Also, as Lighta said, you can rent a VPN and make the connection to the server via that VPN, so the players won't really see the VPS IP, they will see the VPN IP, and you can get more than one VPN.

By doing that, the DDoS attack will go to the VPN, not the server itself << (also didn't test that before, but it's possible too).
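
A sketch of the per-IP connection and bandwidth limits with exceptions suggested in the post above, as an added example that is not from the thread or from rAthena; it only prints iptables commands for review. The ports are assumed to be rAthena's default login/char/map ports, and the trusted addresses are constructed placeholders (the VPN subnet stands in for the setup Lighta describes).

```shell
#!/bin/sh
# Added example: prints iptables commands (dry run). Review the output,
# then pipe it to `sh` as root to apply.
# Assumptions (not from the thread): default rAthena ports, placeholder IPs.

GAME_PORTS="6900,6121,5121"   # login, char, map (adjust to your conf)
MAX_CONN_PER_IP=10            # concurrent TCP connections per source IP
MAX_RATE_PER_IP="25kb/s"      # inbound kilobytes per second per source IP
BURST_PER_IP="50kb"           # constructed value: bytes tolerated above the rate
# Constructed placeholders: SQL host, website host, VPN client subnet.
TRUSTED="203.0.113.10 203.0.113.20 10.8.0.0/24"
CHAIN="RATHENA_GUARD"

emit_rules() {
  echo "iptables -N $CHAIN"
  # Exceptions first: trusted sources leave the chain before any limit applies.
  for src in $TRUSTED; do
    echo "iptables -A $CHAIN -s $src -j RETURN"
  done
  # Connection cap: reset new SYNs from a source that exceeds the maximum.
  echo "iptables -A $CHAIN -p tcp --syn -m connlimit" \
       "--connlimit-above $MAX_CONN_PER_IP --connlimit-mask 32" \
       "-j REJECT --reject-with tcp-reset"
  # Bandwidth cap: drop packets from a source that exceeds the byte rate.
  echo "iptables -A $CHAIN -m hashlimit --hashlimit-name rathena_bw" \
       "--hashlimit-mode srcip --hashlimit-above $MAX_RATE_PER_IP" \
       "--hashlimit-burst $BURST_PER_IP -j DROP"
  # Only traffic to the game ports is sent through the guard chain.
  echo "iptables -I INPUT -p tcp -m multiport --dports $GAME_PORTS -j $CHAIN"
}

emit_rules
```

These rules only shed load that actually reaches the host; a flood that fills the uplink has to be absorbed upstream by the hosting provider.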


  • 0

I'm still testing OVH, but the ping I get is around 50-60ms (Asia). @bluesky

Edited by Hurtsky

  • 0

7 hours ago, Hurtsky said:

I'm still testing OVH, but the ping I get is around 50-60ms (Asia). @bluesky

 

I rented OVH two months ago.

But in my country, the ping is about 120~240ms.

And now I'm testing ping to OVH and still get 130ms.


  • 0

10 hours ago, sader1992 said:

For DDoS attacks, here is my suggestion.

I never tested this, but it can be done.

First, limit the bandwidth per IP; the player does not need more than 10 KB/s (you can put it like 25?).

So this will protect you from the bandwidth overload.

For the ports, you can also limit the access per IP (make it like 10 per IP or even more :P).

If you can do those two things, then you've done a lot of protection without any hard work.

As I said, I never did that (on Linux), but it's possible.

HOWEVER, if you did that you would need to make an exception for your IPs / SQL IPs / website IPs / etc.

Also, as Lighta said, you can rent a VPN and make the connection to the server via that VPN, so the players won't really see the VPS IP, they will see the VPN IP, and you can get more than one VPN.

By doing that, the DDoS attack will go to the VPN, not the server itself << (also didn't test that before, but it's possible too).

 

When I used Google Cloud, I tried to use the Google Cloud network to limit the bandwidth per IP and limit the access per IP.

But it still disconnected.

 

Maybe using many VPNs is a good idea.

Thank you!


  • 0

19 hours ago, Lighta said:

Hmm, even if we did, you'd have to modify your client to force it to use HTTP too.

Now that's not impossible, but I feel it's not the good way, as IMO it would be more work than editing the filter. I don't get how that application gateway can protect on HTTP but not TCP.

Now hmm, why do you want all servers to be protected? What's the common way of attack? Do they spam a particular port, which then results in DDoS? Would protecting login only be enough?

Anyway, you could change rA to use HTTP; I would suggest using HTTP/2 and protobuf to do this. This should be done in pair with the client, so whatever you choose is fine as long as the client is happy with it. Just keep in mind that you want a persistent connection, because the default for HTTP is a connection per request.

Now what I would really do in your shoes (besides asking wtf if that protection is only for HTTP) is:
1) Put all your login-serv / char-serv / map-serv on private IPs, say 10.*
2) Host or rent a VPN server that will allow your users to join the private network of your servers (preferably on another device; this way, even if it gets attacked, only the VPN is DDoSed but not the actual game servers).

Now only protect this VPN server and voilà, you're all good. People should be able to DDoS your server because they don't know their addresses (at least not in this way; if they flood once connected, that's another matter...).
Instead of having to modify both client and server, you modify none. And just ask your users to launch their VPN client first.
 

Because I used Wireshark and found that after logging in to the game, the map server will connect directly to the user.

So if an attacker attacks my map server port & IP, online players will disconnect.

Maybe I was wrong?

 

 

Using a VPN and putting everything in private is a good idea, thank you.

Edited by bluesky

  • 0

RO’s protocol is stateful while HTTP is not. Consider other options instead.
