Real Source SYN Attack Defense in the Game Service
Symptom
The number of connections on the game server exceeds the normal range, and the service port cannot respond to legitimate access requests from clients.
Service Analysis
In normal cases, the game server has a small number of TCP connections for user login. In addition, the number of concurrent connections on each client is small.
Cause Analysis
The real-source SYN flood defense in the default universal defense policy used by the AntiDDoS scrubbing device is far from satisfactory. As a result, a large number of SYN packets are transparently transmitted to the server, exhausting its connection resources.
Procedure
- Create a user-defined Zone and enable customized defense (enable advanced SYN source authentication and rate limiting upon TCP ratio anomaly). Check the defense result: the inbound traffic is 50,000 pps, and 6,000 pps is transparently transmitted after scrubbing, which is a satisfactory scrubbing result.
- Analyze the attack source IP addresses. More than 2,000 source IP addresses constantly initiate connections to the server. Traffic is evenly distributed across the source IP addresses, the addresses are geographically dispersed, and no cloud platform host is found among them. As the number of apps is soaring, it is possible that the 2,000-odd IP addresses are simply normal users.
- Contact the customer's personnel to understand the game service. TCP is used for login only, so the number of concurrent connections per client should be small.
- Enable the abnormal TCP connection check function and check the connection creation rate and connection rate of each source IP address. The device dynamically blacklists abnormal source IP addresses for defense. Check the defense result: 99% of the traffic is scrubbed, and the game service recovers.
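The per-source connection-rate check from the last step, as an added Python example (not device configuration or vendor code): it measures each source's new-connection rate over a sliding window and dynamically blacklists sources that exceed a limit sized for a login-only service, with blacklist entries that expire. The window, limit, hold time and sample events are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0      # sliding window over which the per-source SYN rate is measured
MAX_SYNS_PER_WINDOW = 5   # login-only service: a client needs very few new connections
BLACKLIST_SECONDS = 60.0  # how long a flagged source stays blocked (dynamic, expires)


class AbnormalConnectionDetector:
    """Per-source new-connection-rate check with a self-expiring blacklist."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_SYNS_PER_WINDOW, hold=BLACKLIST_SECONDS):
        self.window, self.limit, self.hold = window, limit, hold
        self.recent = defaultdict(deque)   # src -> timestamps of SYNs inside the window
        self.blacklist = {}                # src -> time at which the entry expires

    def observe(self, ts, src):
        """Return 'pass', 'drop' (already blacklisted) or 'blacklisted' (just flagged)."""
        expiry = self.blacklist.get(src)
        if expiry is not None:
            if ts < expiry:
                return "drop"
            del self.blacklist[src]        # entry aged out; the source gets a fresh chance
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # discard SYNs older than the window
            q.popleft()
        if len(q) > self.limit:
            self.blacklist[src] = ts + self.hold
            q.clear()
            return "blacklisted"
        return "pass"


def scrub(events, detector=None):
    """Run the check over (ts, src) SYN events; return verdict counts and the blacklist."""
    det = detector or AbnormalConnectionDetector()
    counts = {"pass": 0, "drop": 0, "blacklisted": 0}
    for ts, src in sorted(events):
        counts[det.observe(ts, src)] += 1
    return counts, sorted(det.blacklist)


# Constructed sample, not device output: one legitimate client logging in twice,
# and two sources each opening 20 connections within one second.
SAMPLE_SYNS = [(0.0, "203.0.113.10"), (0.8, "203.0.113.10")]
SAMPLE_SYNS += [(i * 0.05, "198.51.100.7") for i in range(20)]
SAMPLE_SYNS += [(i * 0.05, "198.51.100.8") for i in range(20)]

if __name__ == "__main__":
    print(scrub(SAMPLE_SYNS))
```

Each abnormal source gets its first few SYNs through, is flagged on the sixth, and has the rest dropped until its blacklist entry expires, which is the behaviour the traffic percentages above reflect at scale.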
Summary
- If you are not familiar with the specific service traffic features of the Zone, you may configure the universal defense policy in a relatively conservative way.
- The SYN flood attack at the game service port can be really threatening.
Suggestion
Treat this workaround as a mandatory check item in subsequent fault location.