I was wondering if something like this built as a plugin (more likely) or built into a forge mod (most likely) would be possible. I have not dealt with major DDoS issues so I do not know the nature of them but do you think it would be possible to have an effectove anti-DDoS mod? Many servers, especially the larger ones get hit often and this would be a nice feature to have. You would have to do some serious packet analyzing afaik.
That’s not a job for Sponge, that’s an OS feature.
Everyone above me in this thread is wrong!
Software (Sponge nor OS) can not do much against a true DDOS, it’s something that needs to be done on a network-level - AKA by the Datacenter (or having an additional layer above your servers ip)
There is some software DDOS protection solutions, but, if the server isn’t receiving packets - you cannot expect software to scrub them properly.
5 Likes
You would need software at a higher level than Sponge to detect DDoS attacks.
Beating a dead horse a bit, but handling DDoS packets wouldn’t do much for Sponge. It could just dispose the packets at best, but proper DDoS attacks are designed to occupy ports on the host machine, which is done outside the Minecraft server software. There may be another sort of DDoS that concerns itself with sending connect packets to the server, but I’m not familiar with that.
1 Like
Just going to say that I was asking not trying to state anything… I was just asking if it was a possibility as there are some software DDoS solutions out there, it seems though that there would be no benefit for sponge to have software level protection. Thanks for the responses, I have never really had to deal with DDoS attacks and I was just curious.
In what saying that DDOS protecting is on a OS level am I wrong, that’s level 3/4 on OSI if I remember correctly.
If you need DDoS protection, go with a service provider who provides native DDoS mitigation at their network level for best results on your game server.
Alternatively, fine a host that has DDoS protection through a third party provider. Heck, most do now days.
No that’s not true at all. Some server hosts (including OVH and PhoenixNAP Secured Servers) offer free DDOS-mitigation, but a lot of hosts will actually end your service when they’re experiencing DDOS-attacks. Most of the time the user himself is responsible for any DDOS-attacks that could be received. If they’re experiencing high volume attacks, they’ll need to contact a professional mitigation company like Black Lotus of Intreppid.
If you’re sending a ton of water through a tiny pipe, nothing at the end of the pipe will fix your problem.
13 Likes
One thing to factor is that DDoS does not consist of just one type of attack, it varies greatly. ICMP ping floods, SYN flooding are things that can’t be controlled at the sponge/server level. However detecting someone sending hundreds or thousands of MC query/join/ping packets (which would appear legitimate to a firewall because you are hosting a Minecraft server after all) could be tracked at the server level, but blocking the user at server alone wouldn’t be enough, the server would have to be able to tell a firewall to drop all incoming packets from that host, however this only frees up the server from having to waste resources and responding to this bogus packets and it would merely remove only a small portion of the bandwidth that is being consumed by the DDoS as a whole. sk89q’s comment was a perfect analogy, you can try and add more but if you’re already at the point were the pipe is too full to accept anymore there’s not much that can be done, especially when that traffic looks legitimate to begin with
This is a reply to post 11 (DDoS protection - #11 by sk89q).
I’m sorry for the poor quoting and editing.
However at the end of the pipe you can have a filter to filter all of the dirty* water.
In this case this “dirty water” is certain packets in the Minecraft protocol that take more time for the server to process than for the client to send, and sending these packets in large numbers can cause smaller (and sometimes event bigger) servers to lag and even crash.
And I think Sponge should probably have something to prevent this.
Any software-side DDoS protection would be next to useless. A Sponge Plugin would be just as useless.
All real DDoS mitigation is done via hardware for good reason.
genius xD hahah
Nothing wrong with watching packets to detect the difference between spam and legit, but calling this DDoS protection wouldn’t be correct.
I didn’t mean to make it sound like that. I quoted (or failed to) sk89q’s previous post.
I still don’t feel like it’d be very effective at all, probably not enough to be worth implementing. It would seemingly only target packets that would be targeting the Minecraft server, although the server can just turn down various packets from other types of DDoS attacks. Guess I’m beating a dead horse though.
It’s true that some filtering at the end point will help in certain cases and in small volumes, but if you need proper DDoS protection, then you will have already handled that elsewhere.
It might help if you pissed of your ex and s/he found some random flood program to perform a DoS, but at that point, any effort on our part to implement effective filtering would likely outweigh the benefit.
1 Like
It currently impossible to detect and stop DDoS attacks with a mod like Sponge or any other plugin running on Sponge/Forge. My apologies.
~ xxmarijnw
People on here don’t appear very knowledgeable when it comes to the topic of networking and DDoS. If you are being hit with SYN or ICMP 1. The guy attacking you is an idiot. and 2. Using an IP table you can simply mitigate the attack. More experienced users would use the most effective 4 layer attack, the DRDoS-DNS because when it is applied to port 80, nothing can stop it (except good mitigation) because it doesn’t allow any traffic in or out. Also kids bragging about how they are going to hit down your server with a 7 layer DDoS attack are idiots also, because 7 layer attacks are used to overload web servers with essentially by opening a million web tabs. And since minecraft isn’t a website, good freaking luck.
1 Like