When launching a new game, ensuring uninterrupted access for your players is paramount. This is why protecting your game from Distributed Denial of Service (DDoS) attacks is essential. If you’re developing your game on AWS, you’re already shielded against many common DDoS threats. This article delves into architectural strategies to maximize these protective features.
This is part two of a two-part series about distributing and safeguarding your game on AWS. Be sure to read the first part here, where we cover acceleration techniques using Amazon CloudFront.
Understanding DDoS Attacks
So, what is a DDoS attack? A DDoS attack disrupts your game’s availability or performance by sending it more traffic than it can handle, typically from a large number of compromised or spoofed internet-connected devices. The traffic may be junk packets that exhaust network and host capacity before they ever reach your game logic (infrastructure-layer floods such as UDP reflection or SYN floods), or well-formed requests from non-players that consume application capacity (application-layer floods). Either way the result is lag, disconnects or outright downtime, so defending against these attacks is essential both to the player experience and to your brand’s reputation.
AWS Shield Standard
When you use AWS, your application is automatically protected by AWS Shield Standard. It is available to all AWS customers, on all services and in all regions, at no extra charge. Shield Standard detects and mitigates the common network- and transport-layer (layer 3 and 4) attacks, such as UDP reflection and SYN floods, using proprietary systems built for large-scale inline defense at every AWS edge location and region. Because mitigation happens inline rather than by rerouting traffic through a separate “scrubbing center”, it adds no detour latency. Shield Standard does not inspect application-layer requests; that is the job of AWS WAF, covered below. To get the most from these protections, follow the architecture guidance in the AWS Best Practices for DDoS Resiliency whitepaper: applications built that way withstand more attack traffic and are better placed to benefit from AWS’s mitigation capabilities.
Strategies for Game Developers
A widely adopted strategy among game developers is to use a matchmaking service to spread players across many Amazon EC2 instances, so that an attack on one server affects only the fraction of players on that server rather than the whole player base. You can also make each instance more resilient by choosing larger, compute-optimized instance types with enhanced networking. With these instances, AWS’s DDoS mitigation systems engage at higher traffic thresholds, so the instance absorbs more traffic before mitigation begins; that reduces false positives and keeps legitimate players connected. On the host itself, firewall software such as iptables lets you restrict access by port and protocol, rate-limit traffic per source IP, and drop packets that do not match the shapes your client actually sends. This best practice is covered in more detail in a separate blog post.
AWS Shield Advanced
If you have Business Support or Enterprise Support and want AWS engineers to help you mitigate an attack, subscribe to AWS Shield Advanced. It builds on the mitigation capabilities of Shield Standard and adds: access to the AWS DDoS Response Team (DRT), since renamed the Shield Response Team (SRT), during an incident; visibility into attacks on your protected resources through Amazon CloudWatch metrics (for example DDoSDetected in the AWS/DDoSProtection namespace); and cost protection, which issues service credits for the scaling-related charges a protected resource incurs because of a DDoS attack. Note that Shield Advanced covers only resources you explicitly associate with it, so enroll your Elastic IPs, load balancers, CloudFront distributions and Route 53 hosted zones as you create them. The AWS Shield Advanced documentation lists the full feature set.
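As an added example (not from the original article), here is the enrollment and alerting side of Shield Advanced driven from the AWS CLI: associate a resource with the subscription, then alarm on its DDoSDetected metric so the on-call team hears about an attack before players do. The resource ARN, protection name and SNS topic are hypothetical placeholders; the commands are printed for review by default and executed only with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original article: put a resource under AWS Shield Advanced
# and alarm on its DDoSDetected metric. The resource ARN, protection name and the SNS
# topic below are hypothetical; DRY_RUN=1 (default) prints the commands, DRY_RUN=0 runs them.

ALERT_TOPIC="${ALERT_TOPIC:-arn:aws:sns:us-east-1:123456789012:game-oncall}"  # hypothetical

# Print the command (dry run) or execute it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Fails (non-zero exit) if the account has no active Shield Advanced subscription.
shield_check() {
  run aws shield describe-subscription
}

# Shield Advanced only covers resources explicitly associated with it.
# $1 = resource ARN (Elastic IP allocation, ALB, CloudFront distribution, ...), $2 = protection name
shield_protect() {
  run aws shield create-protection --name "$2" --resource-arn "$1"
}

# DDoSDetected is published per protected resource in the AWS/DDoSProtection namespace and
# reads 1 while Shield considers the resource under attack. Page the on-call on any 1;
# treat missing data as OK because the metric is absent while nothing is happening.
ddos_alarm() {
  run aws cloudwatch put-metric-alarm \
    --alarm-name "$2-ddos-detected" \
    --namespace AWS/DDoSProtection \
    --metric-name DDoSDetected \
    --dimensions "Name=ResourceArn,Value=$1" \
    --statistic Maximum --period 60 --evaluation-periods 1 \
    --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
    --treat-missing-data notBreaching \
    --alarm-actions "$ALERT_TOPIC"
}

# All three steps for one resource.
protect_and_alarm() {
  shield_check
  shield_protect "$1" "$2"
  ddos_alarm "$1" "$2"
}

# Hypothetical Elastic IP in front of the game's ingress (replace with your own).
protect_and_alarm "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0123456789abcdef0" "game-ingress"
```

Run it once per ingress resource, or let AWS Firewall Manager (mentioned below) apply the Shield protection automatically as resources appear; the alarm is the piece Firewall Manager does not create for you.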
Custom Defenses and AWS WAF
Beyond responding to severe events, the DRT can help protect your game’s availability with tailored mitigations. Most gaming traffic is produced by client software you wrote, so it follows predictable patterns (packet sizes, rates, headers). The DRT can build custom mitigations around those patterns so that traffic which looks like your real clients is preferred and everything else is dropped.
Subscribing to AWS Shield Advanced also gives you AWS WAF and AWS Firewall Manager at no additional cost for your protected resources. AWS WAF protects the web components of your game, such as landing pages, login endpoints and HTTP APIs, against application-layer attacks and web request floods. You define match conditions, combine them into AWS WAF rules, and give each rule an action: allow, block, or count (count records matches without affecting traffic, which is the safe way to trial a new rule before enforcing it). Rate-based rules temporarily block source IPs that exceed a request limit over a rolling five-minute window. Match conditions include string matches, regex matches, geographic matches, size constraints, cross-site scripting matches and SQL injection matches. Use AWS Firewall Manager to manage your AWS WAF rules and Shield Advanced protections centrally, so that new resources automatically pick up the standard policies as they are created.
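The following, added here and not taken from the original article, is an AWS WAF (wafv2) web ACL for a game’s HTTP API that combines three of the rule types the paragraph lists: a rate-based rule keyed on source IP, a SQL injection match on the query string and a size constraint on the request body. The ACL name, the 2000-requests-per-five-minutes limit, the 4 KB body cap and the REGIONAL scope are hypothetical; the rules are generated with Count actions so you can watch the CloudWatch match metrics before switching to Block.

```shell
#!/bin/sh
# Added example, not from the original article: an AWS WAF (wafv2) web ACL for a game's
# HTTP API. The name, limits and the REGIONAL scope (ALB / API Gateway) are hypothetical.
# Rules default to Count so they can be observed before enforcement.

RATE_LIMIT="${RATE_LIMIT:-2000}"  # requests per rolling 5-minute window from one IP (WAF minimum is 100)
MAX_BODY="${MAX_BODY:-4096}"      # bytes; larger than anything the game client sends (hypothetical)

# Print the rules as the JSON array `aws wafv2 create-web-acl --rules file://...` expects.
# $1 = action for every rule: Count (default) or Block.
web_acl_rules() {
  action="${1:-Count}"
  cat <<EOF
[
  {
    "Name": "rate-limit-per-ip",
    "Priority": 0,
    "Statement": { "RateBasedStatement": { "Limit": $RATE_LIMIT, "AggregateKeyType": "IP" } },
    "Action": { "$action": {} },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "RateLimitPerIP" }
  },
  {
    "Name": "sqli-in-query-string",
    "Priority": 1,
    "Statement": {
      "SqliMatchStatement": {
        "FieldToMatch": { "QueryString": {} },
        "TextTransformations": [ { "Priority": 0, "Type": "URL_DECODE" } ]
      }
    },
    "Action": { "$action": {} },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "SqliQueryString" }
  },
  {
    "Name": "oversized-body",
    "Priority": 2,
    "Statement": {
      "SizeConstraintStatement": {
        "FieldToMatch": { "Body": { "OversizeHandling": "MATCH" } },
        "ComparisonOperator": "GT",
        "Size": $MAX_BODY,
        "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
      }
    },
    "Action": { "$action": {} },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "OversizedBody" }
  }
]
EOF
}

# Create the web ACL; attach it to the ALB or API afterwards with `aws wafv2 associate-web-acl`.
# $1 = ACL name, $2 = action (Count or Block).
create_web_acl() {
  rules_file="$(mktemp)"
  web_acl_rules "$2" > "$rules_file"
  aws wafv2 create-web-acl --name "$1" --scope REGIONAL \
    --default-action Allow={} \
    --rules "file://$rules_file" \
    --visibility-config "SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=$1"
  rm -f "$rules_file"
}
```

Typical use is `create_web_acl game-api-acl Count`, a few days of watching the per-rule CountedRequests metrics and sampled requests, then an `aws wafv2 update-web-acl` with the `Block` rule set (update-web-acl needs the lock token returned by get-web-acl). Two details worth knowing: WAF only inspects the first part of a request body, so the size rule sets OversizeHandling to MATCH so that bodies too large to inspect are treated as matches rather than silently passed; and a web ACL for a CloudFront distribution uses `--scope CLOUDFRONT` and must be created in us-east-1.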
For further insights on DDoS mitigation, this video resource provides excellent information.