All geek questions in one place

UDP Socket Security Management

I am considering developing my first multi-player RTS game, and I will naturally use UDP sockets to receive / send data.

One thing I was trying to figure out was to protect these ports from being flooded with fake packets in a DoS attack. Typically, the firewall protects against floods, but I will need to allow packets on the ports that I use, and I will have to rely on my own software to reject the dummy packets. What is stopping people from sniffing my packets by watching any authentication or special structure that I use and spamming me with similar packets? The source addresses can be easily changed to make it impossible to detect and prohibit criminals. Are there generally accepted methods of protection against such attacks?

I know all about the differences between UDP and TCP and therefore, please do not include this in the lecture on this.

====================== EDIT ============================= ===============================================

I must add that I am also trying to decide how to protect the game from “hacking” and cheating by sending packages that I think come from my game. Sequencing / sync numbers or identifier can be easily faked. I could use encryption, but it bothers me how much this will slow down my server, and it will not provide protection against DoS.

I know that these are the main problems that every programmer who uses the UDP socket should face, but for the rest of my life I can’t find the appropriate documentation about the methods of their work!

Any direction will be appreciated!

+4
source share
2 answers

The required methods will not be specific to UDP: you are looking for general message authentication to handle spoofing, throttle throttling for DoS processing, and server-side state heuristics ("does this packet make sense?") To process hacks for the client.

For effective DoS processing, you need detection levels. Transfer the wrong source addresses without even looking at the contents. Put the session identifier at the beginning of each packet with an identifier that is not assigned or does not match the correct source. Then monitor the arrival rate per session. Start dropping from addresses that arrive too fast. These methods block everything except those who are able to trick legitimate packets in real time.

But a DoS attack based on real-time sniffing will be very rare, and the attack speed will be limited by the speed of one source network. The only way to block packet sniffing is to use encryption and checksums, which will be a lot of work. Since this is your “first multi-user RTS,” I suggest doing everything that’s not enough for encryption.

If you decide to use encryption, AES-128 is relatively fast and very secure. Brian Gladman's Rijndael recommendation is a good starting point if you really want to optimize, or there are many AES libraries. Checksumming clear data can be done with a simple CRC-16. But this is probably too large for your likely attacks.

+4
source

Most important: never trust a customer! Always keep an eye on the entire server. If a packet arrives that seems fictitious (for example, a unit moving Y units per second, while it should only be able to move X units per second), simply drop the packet.

Also, if the number of packets per second grows to large, start dropping packets as well.

And do not use UDP packets for "non-essential" things ... In the game, chat and similar things can go, although normal TCP streams.

+4
source

Source: https://habr.com/ru/post/1394584/

More articles:


All Articles