DDoS Protection for Minecraft Servers

It was brought to my attention that many people do not know how to do DDoS protection on a budget, or understand how it works. Today, I will share with you my plans for DDoS protection on a budget. Keep in mind that you will already have your server expense set up, so this is on top of your regular expense. As such, we want to squeeze this as low as possible, and avoid the usual brand names such as JavaPipe (starting at $100/mn) and the like. Instead, we'll be looking at ways to press it down to just under $5/mn.

What is the Purpose of this Guide?

No amount of DDoS protection will help when you piss off the wrong people. Look at how Anonymous took down Sony, or took down PayPal, Visa, and MasterCard at the same time. If major corporations with a seemingly endless supply of cash can't stay up against DDoS, nothing we do will protect you from attacks of similar calibre.

As such, it is important to note that this guide is not designed to enable you to slap epeen at griefers and make enemies. Instead, it is intended to help you withstand smaller DDoS attacks from competitors who decide to play dirty, and keep your server online a bit longer, instead of giving them the opportunity to think they're pro-anonymous while screaming "#TANGODOWN" and ranting about how bad or unstable your server is on other sites, in an attempt to shame you out of the competition.

It is also important to note that by setting up a proxy/relay/tunnel/etc. for DDoS mitigation, you are adding additional latency between your server and the players, as all data must be routed through another server. If you are intending to run a sub-100ms ping server for competitive PvP, you will not be able to achieve the desired results with a setup such as this, or even with most DDoS mitigation services.

What is DDoS?

Before we start, it is important to understand what a DDoS is. DDoS stands for Distributed Denial of Service; it is an increasingly common attack which involves a large number of computers requesting the same resource. Imagine your MineCraft world is a nice playground, and all the kids in the neighbourhood want to play there. However, you only have a small fence gate that allows 2 kids to fit through at once. What happens when all 150 kids try to go in at the same time? Well, a lot of the kids will have to wait until the people before them go through the gate.

Now, you may have a 1Gbit/s connection from your hosting provider, but if someone wants to DDoS you, they will use 4Gbit/s, 8Gbit/s, or an even higher amount of bandwidth to keep your connection fully saturated, so legitimate traffic cannot fit through the connection.

There are other forms of attack, such as abusing weaknesses in the underlying communication protocols (TCP SYN/ACK floods, UDP broadcast, etc.), which do not need that much traffic; but the idea is relatively similar in that they occupy your queue so your system cannot keep up with the requests, and ultimately no one else can connect.

How does DDoS Protection Work?

Traditionally, getting DDoS Protection means dropping lots and lots of cash on hardware firewalls. Think thousands of dollars to get good gateways that can handle the large amount of traffic, and then thousands more to get specialized firewall appliances to filter out bad traffic. Before you know it, you are investing in an entire infrastructure, which is not only expensive to upkeep, but also hard to manage.

How does DDoS Protection Work on a Budget?

So how can we prevent other people from filling up your server's queue on a budget? We put one, or better yet, many protected virtual servers in front of your real server, and do not make the real server's information available to anyone. People with malicious intent may still try to attack your server, but since they are connecting to the servers sitting in front of your real server, and those servers have hardware DDoS filters in place, most of the bad traffic will be weeded out before it hits your server.

How to Choose a Provider?

Most importantly, above all else, make sure the provider you are choosing offers DDoS protection. Simply throwing another server in front of your current server just means the server in front of yours will go down during an attack; your end result is still a downed server, and people are still going to be sad that they cannot connect to your server.

Next, we need to think about the distance between your real server and where you can get DDoS protected virtual servers from. This is especially important because if the provider you choose cannot offer you a physically close Point of Presence (PoP), you will experience lag. Typically, you would want less than 30ms of ping between your real server and the virtual server, because higher ping will lead to noticeable delay for the players.

Lastly, you will need to figure out how much bandwidth you would need. On average, each player will need about 4kb/s to 8kb/s. Keep in mind that this is different from the 30kb/s to 50kb/s recommendation we give regularly; that is peak usage, when they are just logging in, or teleporting and loading lots of chunks; this is the average distributed over time. You will need to make sure you have enough bandwidth, multiplied by 2, because the protection service is going to be reading from your server and then sending the information back to the players. Take for example a server with 30 concurrent players: 6kb/s per player × 60 s/min × 60 min/hr × 24 hr/day × 31 days/mn × 30 players × 2 (real server to virtual server, and virtual server to player) / 1024 kb/mb / 1024 mb/gb = ~460GB of bandwidth on your virtual server, assuming your provider does not charge you for usage while receiving a DDoS attack.

If all of the above conditions are met, you are good to go to get started!

Some Budget Providers to Choose From

I have been looking around for different providers for some time now. Here are three that I've seen which advertise DDoS protected VPS. Full disclosure: I make no endorsement of them, I cannot guarantee their services will be good, these are not affiliate links (though I probably should get affiliate links), and your agreement with them is strictly your own responsibility.

  1. BuyVM - $4.25/mn
    • $15/yr for VPS
    • $3/mn for Protected IP
    • 500GB/mn of bandwidth (enough for ~30 players*)
    • Locations: Vegas, NV (They also have servers in New York, NY; but no DDoS protection there)
  2. BurstNET - $4.96/mn**
    • $5.95/mn or $59.50/yr for VPS
    • Protection price included
    • 1000GB/mn of bandwidth (enough for ~60 players*)
    • Locations: Scranton, PA; Los Angeles, CA; Miami, FL; Chicago, IL; Dallas, TX
  3. GigaServers - $20/mn
    • $20/mn for VPS
    • Protection price included
    • 1Gbit/s unmetered bandwidth shared with 5 customers (enough for most busy servers*)
    • Locations: Washington DC (test IP traceroute location)
    • Note: This one is more expensive because they claim to offer 40Gbit/s of protection while others often advertise only 10Gbit/s.
  4. NFOServers - $16.99/mn
    • $20/mn or $203.90/yr for VPS
    • While not advertised as protected, their "knowledge base" (which is really just a forum) has posts suggesting they will help investigate and filter attacks.
    • 1000GB/mn of bandwidth (enough for ~60 players*)
    • Locations: Seattle, WA; San Jose, CA; Los Angeles, CA; Dallas, TX; Denver, CO; Atlanta, GA; Chicago, IL; New York, NY
    • Note: This one is more expensive because they use InterNAP bandwidth, which is known to be very good for gaming and streaming due to its reputation for low latency and few packet drops.

*Refer back to the "How to Choose a Provider?" section
**Several /r/admincraft members from Reddit have pointed out that BurstNET's Cisco Guard is provisioned to null route your VPS on attack, instead of filtering out bad packets to keep your server online. They are struck out for now until I get a chance to investigate further. Use at your own discretion.

How to Setup Filtering?

As noted earlier, you will need to put your VPS in front of your actual server. The simple way to do this is to set up a TCP tunnel from the VPS to your actual server. I have tried tcptunnel, and it works very well. The only downside is that everyone connected to your MineCraft server will appear to come from the IP address of your DDoS protected VPS. This means you lose the ability to IP ban people from within the game, and must handle it with a firewall installed on your VPS. If you want to handle IP bans from your Minecraft Server, you will need to do GRE Tunneling. I have not studied this well enough to document the procedure yet, but you can read more about it on BuyVM's wiki here: GRE Tunnel. If you follow that tutorial, you can skip the rest of this section and move to the bonus section after this.

From the download section, grab the source code (or alternatively a compiled binary, if one is readily available for the OS of your VPS), and follow the build instructions to compile it. You will eventually end up with a tcptunnel executable. You can use the tcptunnel --help command to see all the parameters, or just set it up as follows:

tcptunnel \
--local-port=25565 \
--remote-port=25565 \
--remote-host=123.45.67.89 \
--bind-address=11.22.33.44 \
--fork \
--stay-alive

Be sure to replace 25565 with your actual port, replace remote-host with your real server's IP address, and replace bind-address with your VPS's own address.

Pro-tip: If you are using a game server provider, you can set local-port to 25565 and remote-port to whatever your actual port is. Now people will be able to connect to your server (using the VPS's address) without entering a port number.

Congratulations, you have now set up a filtered VPS in front of your actual server. Give people the IP address (and port, if you're still using a non-standard port) of your VPS, and they can connect to that. Remove all references to your actual server from your DNS, so there's no information for malicious people to sniff for. Repopulate it with the new information, so people can connect using your domain name, too. I would recommend naming this server something such as location-1.minecraft.yourdomain.com, and increasing the number as you get more VPSs as failovers at the same location. So, for example, vegas-1.minecraft.andyhuang.net (note: not an actual server), or westcoast-2.minecraft.andyhuang.net (note: also not an actual server). More on this in the next section.
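The tunnel hides the real server's address, but the real server itself should also refuse game traffic that does not come through a PoP, and the VPS is where IP bans now have to live. The script below is an added example, not part of the original post or of tcptunnel: it emits iptables rules for both sides; the addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): emit iptables rules that
# (1) on the real server, accept the Minecraft port only from the tunnel VPSs
#     (the PoPs), so a leaked back-end IP cannot be connected to directly, and
# (2) on a PoP VPS, drop banned player IPs before tcptunnel ever sees them,
#     since the game server only sees the VPS address and cannot ban them itself.
# All IP addresses used here are constructed placeholders.

MC_PORT=25565

# backend_rules "<pop-ip> <pop-ip> ..." -> iptables commands for the real server
backend_rules() {
    for pop in $1; do
        echo "iptables -A INPUT -p tcp --dport $MC_PORT -s $pop -j ACCEPT"
    done
    # Everything else aimed at the game port is dropped rather than rejected,
    # so a probe for the back end gets no reply at all.
    echo "iptables -A INPUT -p tcp --dport $MC_PORT -j DROP"
}

# vps_ban_rules "<player-ip> ..." -> iptables commands for a PoP VPS
vps_ban_rules() {
    for banned in $1; do
        echo "iptables -A INPUT -p tcp --dport $MC_PORT -s $banned -j DROP"
    done
}

# apply_rules "<rules>" runs each emitted command. It needs root, so nothing
# below calls it automatically; review the printed rules first.
apply_rules() {
    printf '%s\n' "$1" | while IFS= read -r cmd; do
        if [ -n "$cmd" ]; then
            eval "$cmd"
        fi
    done
}

# Constructed sample: two PoPs in front of the real server, and one banned
# player address to be dropped on the PoPs.
POPS="11.22.33.44 11.22.33.45"
BANNED="198.51.100.7"
backend_rules "$POPS"
vps_ban_rules "$BANNED"
```

Run the script and paste the first set of lines into the real server's firewall and the second into each PoP; `apply_rules "$(backend_rules "$POPS")"` does the same from a root shell.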

Bonus: Multi-Point of Presence

A Point of Presence (PoP) is where your service is present to the public. If you get several DDoS protected VPSs pointing to your real server, then you can have multiple PoPs for people to choose from. For example, if you are targeting North American players, it would be nice to have PoPs on the East Coast and West Coast, so people can connect to whichever one is closer to them and get a slightly lower ping. This is also a good idea if one VPS does not provide enough bandwidth for your entire server (e.g.: 150 concurrent players would need around 2.3TB of bandwidth; your VPS only offers 500GB per month), as you can distribute the bandwidth usage across multiple VPSs. Now that you have one PoP set up already, let's add more.

You would repeat the same setup you did for the first PoP. Then, you can set up your DNS with multiple SRV records. SRV records allow people to connect to yourdomain.com without having to manually type a long hostname such as westcoast-1.minecraft.yourdomain.com. If you are not sure how to do this, you can follow the instructions in HostHorde's tutorial for setting up an SRV record. A few tips on doing this:

  1. You don't have to use CloudFlare's CDN if you don't want to (you should, but if you have reasons against it, that's your choice), but you can and should use their DNS service, as it is one of the fastest DNS services available.
  2. You can set up multiple SRV records for the same hostname, so people can connect to the same server and the SRV lookup will determine which one they are directed to.
  3. You can set up multiple SRV records for the same domain, so people can still choose, to some extent, where they will be connected to.

To make it super easy for people, you should set up multiple SRV records for the main hostname: yourdomain.com. Each record should point to a different PoP (i.e.: yourdomain.com points to vegas-1.minecraft.yourdomain.com; yourdomain.com points to vegas-2.minecraft.yourdomain.com; yourdomain.com points to washingtondc-1.minecraft.yourdomain.com; etc.). I would recommend setting the weight proportionally to how much bandwidth you have available at each location.

Next, to allow people to choose the region, you should set up several SRV records for specific regions (us-west.yourdomain.com points to vegas-1.minecraft.yourdomain.com; us-west.yourdomain.com points to vegas-2.minecraft.yourdomain.com; us-east.yourdomain.com points to washingtondc-1.minecraft.yourdomain.com; etc.). Again, set the weights in proportion to the bandwidth available at each location.
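The two paragraphs above describe the record layout in words; here is an added example (not from the original post or HostHorde's tutorial) that generates the actual SRV records for the main hostname and for a region, with each weight scaled from the PoP's monthly bandwidth as recommended. The PoP hostnames, ports and bandwidth figures are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate RFC 2782 SRV records for
# a multi-PoP Minecraft setup. Clients look up _minecraft._tcp.<host>; records
# at equal priority are chosen by the client in proportion to their weight, so
# a PoP with twice the bandwidth gets twice the weight.
# Hostnames and bandwidth figures below are constructed placeholders.

# srv_records <service-host> "<target>:<port>:<gb-per-month> ..."
# Emits one SRV record per PoP, all at priority 10, weights scaled so the
# largest PoP gets 100.
srv_records() {
    host=$1
    pops=$2
    max=0
    for pop in $pops; do
        gb=${pop##*:}
        if [ "$gb" -gt "$max" ]; then
            max=$gb
        fi
    done
    for pop in $pops; do
        target=${pop%%:*}
        rest=${pop#*:}
        port=${rest%%:*}
        gb=${rest#*:}
        weight=$(( gb * 100 / max ))
        echo "_minecraft._tcp.$host. IN SRV 10 $weight $port $target."
    done
}

# Constructed sample: two Vegas PoPs (500 GB/mn each, the BuyVM-style plan
# above) and one larger Washington DC PoP (1000 GB/mn).
WEST="vegas-1.minecraft.yourdomain.com:25565:500 vegas-2.minecraft.yourdomain.com:25565:500"
EAST="washingtondc-1.minecraft.yourdomain.com:25565:1000"

# Main hostname: every PoP, so yourdomain.com spreads players by bandwidth.
srv_records yourdomain.com "$WEST $EAST"
# Regional hostnames: only that region's PoPs.
srv_records us-west.yourdomain.com "$WEST"
srv_records us-east.yourdomain.com "$EAST"
```

The output is in zone-file form; with a web DNS panel, enter the same priority, weight, port and target per record under service `_minecraft`, protocol `_tcp`.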

Congratulations! What you now have set up is:

  • Real server information hidden from the public's and malicious attackers' eyes.
  • Multiple PoPs, so players can connect to a server that is close to them and get slightly lower ping.
  • DDoS filtering, so if someone tries to DDoS you, they will be attacking just one of your many PoPs without affecting your actual server.

Running a server is hard, keeping it online shouldn't be. Now you know how to protect yourself, on a budget :)

What's Next?

"What? I thought you said I'm done?"

Yes, but there are still a few things you want to keep in mind / try to do.

  1. Now that you are done, you want to make sure you NEVER give your real IP address out to ANYONE for ANY reason. Once an attacker gets hold of the real IP address, it is game over, as they'll bypass all your front-line security and go straight for the back-end server.
  2. Extending from the previous point, if you are migrating a live server to this setup, it would be a good idea to get in touch with your provider to see about renumbering your IP address (and update your DNS entries once you are done) so people with the old IP address cannot continue to use (and 'leak' -- "oh, you can't use westcoast.server.com? Use real.address.server.com instead!") it.
  3. The more front-end servers you have, the better your network can avoid going down. If you have only one front-end server, people can take it down just as easily as your real server, if not more easily (since it is on a weaker VPS). Having two PoPs means they will need to take down two servers, three PoPs means three, and so on. Since you will have some extra budget compared to using brand name providers, you can set up a few more, to be on the safe side.
  4. Consider setting up a monitoring tool to look for oddities. I use Zabbix to monitor my server's resources. This enables me to contact the provider right away if I notice a sudden rise in traffic or very high resource usage at one of the PoPs. If you do not want to set up your own thing, Pingdom is well liked by web developers recently.