How to defend games against DDoS attacks

When launching a new game, it’s critical to ensure your players can access and enjoy it without interruption. That’s why you need to protect your game against Distributed Denial of Service (DDoS) attacks. Fortunately, if you’re building your game on AWS, you’re already protected against many common DDoS attacks. This post explores the architecture decisions you can make to best utilize these capabilities.

This is part two of a two part series on distributing and protecting your game on AWS. Be sure to check out the first part here on accelerating your games with Amazon CloudFront

So what exactly is a DDoS attack? A DDoS attack impacts the availability or performance of your game by targeting it with more traffic than it can effectively handle (think: mindless zombie horde of internet connected devices constantly attacking your servers). For example, an attacker can send large volumes of traffic that are not valid for the application and attempt to deplete available network or service capacity. It is also common for attackers to send traffic that appears to be valid but is not generated by an actual player. When a game application performs poorly, it has the potential to harm player experience. Defending against these attacks is important to protect the player experience and trust in your brand.

When you build on AWS, your application is automatically protected against DDoS attacks by AWS Shield Standard. This service is provided to all AWS customers on every service and in every AWS Region, at no additional cost. With AWS Shield Standard, common DDoS attacks like UDP reflection or SYN floods are automatically mitigated by proprietary systems that are built by AWS to provide high-capacity mitigation at every point of ingress. This can provide a latency advantage over the traditional “scrubbing center” model. To provide optimal coverage for your game application, you should consider the architecture best practices described in the AWS Best Practices for DDoS Resiliency. Applications that architected according to these best practices are most likely to withstand DDoS attacks and leverage the DDoS mitigation capabilities available on AWS.

One technique that is commonly used by game applications is using a matching service to shard players across many Amazon EC2 instances. This allows you to limit any potential impact to a small fraction of players. You can also improve the resiliency of individual instances by using larger instance types like compute optimized instances with enhanced networking. When using these instances the AWS DDoS mitigation systems will engage at different thresholds which allows the instance to absorb more traffic. This is beneficial for avoiding false positives and ensuring continuity of player experience. On the instance itself you can use firewall software, like iptables, to control access by port and protocol, rate-limit traffic by keys like source IP, or allow only packets that match a known reliable pattern. To learn more about this best practice, see Compute Optimized Instances.

If you are subscribed to Business Support or Enterprise Support and would like assistance from AWS in mitigating these attacks, you can choose to subscribe to AWS Shield Advanced. In addition to the DDoS mitigation capabilities provided by AWS Shield Standard, you receive features like access to the AWS DDoS Response Team (DRT) during high-severity events, visibility into DDoS attacks against your application via Amazon CloudWatch metrics, the AWS Management Console, or API, and Cost Protection which offers a limited refund of AWS charges that may occur from scaling or absorbing traffic during a DDoS attack. To learn more about AWS Shield Advanced and other features that are provided with this service, see AWS Shield Features.

In addition to high-severity event response, the AWS DDoS Response Team (DRT) can also help protect the availability of your game application by providing custom mitigations. Many game applications require client-side software that generates traffic with predictable patterns. DRT can build mitigations that are customized to your game logic and protect traffic that is most likely to have originated from your actual players.

When subscribed to AWS Shield Advanced you also receive AWS WAF and AWS Firewall Manager at no additional cost. With AWS WAF you can protect web application components of your game, like landing pages, in-app purchasing, or APIs against application-layer threats or web request floods. AWS WAF allows you to define match conditions and combine these into an AWS WAF rule with the option to allow, block, or count. You can also use rate-based rules to temporarily block IP addresses that match a specified condition and access the application at an excessive rate. Examples of match conditions include string match, regex match, geographic match, size constraint match, cross-site scripting match, and SQL injection match. You can use AWS Firewall Manager to manage both your AWS WAF rules and your AWS Shield Advanced protected resources. This allows you to ensure that the entire application is covered by a standard set of policies, even as new resources are added.

You can learn more about AWS Shield here

And to learn more about Amazon Game Tech solutions, visit our home page