DDoS Protection

flowShield is our self-developed, highly flexible and performant Anti-DDoS solution that filters attacks on the network level (and partly on the application level). DDoS attacks are filtered automatically; most customers don't even notice an ongoing mitigation. To mitigate attacks on HTTP, we provide an inline reverse proxy called flowProxy, which acts as a transparent validation proxy and forces the client to interact. flowProxy needs to be activated manually by the customer, either via our customer area or the API.

Technical overview

flowShield DDoS filters are based on x86 commodity hardware using Intel Xeon and AMD EPYC CPUs to process the defined application logic. Network connectivity is provided by Intel 10G/40G network cards. Traffic is processed in userspace using the netmap framework, which gives us very high packet I/O rates. Several POSIX threads have been implemented to handle incoming and outgoing traffic, statistics, export of flow information, dynamic management of flexible filter rules (flexrules), garbage collection, the game-query-cache and CLI commands. Some parts of flowShield have been written in inline assembler to work around glibc performance limits.

TTD (Time-To-Detect)

DDoS attacks are usually detected within 2-10 seconds, depending on the size of the attack. This also applies to carpet bombing attacks, which might target whole subnets instead of single hosts.

UDP Game-Query-Cache

Game-Query-Cache (GQC) is our solution against complex UDP floods targeting game and voice servers (such as Teamspeak). The idea behind the Game-Query-Cache is to offload as much traffic as possible onto the DDoS filters (basically the edge), so that specific sets of traffic can always be answered there. Game-Query-Cache has been implemented for several port ranges and helps to keep game servers online even under very complex attacks. In order to operate correctly, the customer must not apply any rate limits on the protected server. Otherwise GQC will not work correctly, which will render the protected service offline. All GQC activity is logged and can be reviewed by our customer support staff.

UDP Application

The following UDP port ranges have been implemented specifically for these game servers:

  • 2300-2400: Arma3 and DayZ

  • 5761-5794: Atlas

  • 7000-8999: Generic Games

  • 9000-9999: Teamspeak3

  • 12800-13100: Hurtworld

  • 19132: Minecraft Pocket Edition

  • 22000-22020: Rage-MP / MTA

  • 22126: Rage-MP / MTA

  • 23000-23200: Battlefield

  • 27000-28000: All Source Engine / Query Games such as Counter Strike 1.6, Counter Strike Source, Counter Strike GO, The Ship, Garry's Mod, Nuclear Dawn, Call of Duty Modern Warfare 3, Starbound, Space Engineers, 7 Days to Die, Rust, Quake Live, ARK: Survival Evolved

  • 30000-32000: FiveM GTA-MP

  • 36123-36128: Stormworks
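The following is an added, simplified model of the query-cache idea described above (it is not flowShield's code): query packets to a GQC port range are answered from a reply cache at the edge, and only a cold or expired cache lets a query through to the origin. It also shows why the rate-limit requirement matters: if the server never answers, the cache stays empty and every flood packet reaches the origin. The A2S_INFO request bytes are the real Source Engine query; the server address, TTL, cache key and reply contents are constructed assumptions.

```python
import time

# Port ranges copied from the GQC list above (a subset is enough for the demo).
GQC_PORT_RANGES = [
    ((2300, 2400), "Arma3/DayZ"),
    ((9000, 9999), "Teamspeak3"),
    ((27000, 28000), "Source Engine"),
    ((30000, 32000), "FiveM"),
]
# Real Source Engine A2S_INFO query; the cache model around it is assumed.
A2S_INFO = b"\xff\xff\xff\xffTSource Engine Query\x00"

def gqc_group(dst_port):
    """Map a destination port to its GQC group, or None if GQC does not apply."""
    for (lo, hi), name in GQC_PORT_RANGES:
        if lo <= dst_port <= hi:
            return name
    return None

class QueryCache:
    """Edge-side reply cache keyed by (server, port, exact request bytes)."""
    def __init__(self, ttl=5.0, clock=time.monotonic):
        self.ttl, self.clock, self.entries = ttl, clock, {}

    def handle(self, server, dst_port, payload):
        """Return ('cached', reply) if answerable at the edge, else ('forward', None)."""
        if gqc_group(dst_port) is None or not payload.startswith(b"\xff\xff\xff\xff"):
            return "forward", None          # not query traffic: leave it to the server
        hit = self.entries.get((server, dst_port, payload))
        if hit and self.clock() - hit[1] < self.ttl:
            return "cached", hit[0]
        return "forward", None              # cache cold or stale: let one query through

    def learn(self, server, src_port, request, reply):
        """Record the server's reply so later identical queries are served at the edge."""
        self.entries[(server, src_port, request)] = (reply, self.clock())

def simulate_flood(n, server_answers):
    """Replay n identical A2S_INFO queries; return how many reach the origin server."""
    cache, server, port, forwarded = QueryCache(), "198.51.100.10", 27015, 0  # constructed
    for _ in range(n):
        action, _reply = cache.handle(server, port, A2S_INFO)
        if action == "forward":
            forwarded += 1
            if server_answers:  # a rate-limited server never answers, so the cache stays cold
                cache.learn(server, port, A2S_INFO, b"\xff\xff\xff\xffI" + b"constructed reply")
    return forwarded
```

With a responsive origin, a 1000-packet flood costs the server a single query; with a rate-limited origin that drops the first query, all 1000 packets are forwarded.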

Layer 7 DDoS Protection

flowProxy is a modified, well-known reverse proxy, extended with our own program code to validate visitors based on whether they can interact with the page. Coupled with L7-Captcha, our self-written high performance captcha generator, we provide a full-stack Layer 7 DDoS protection solution. flowProxy runs on commodity x86 hardware and uses Intel 10G network cards, which provides enough headroom even for pretty large POST floods. Incoming traffic is prefiltered by a netmap application, which blocks repeatedly abusive clients on the network level (IP ban). Typical Layer 7 floods range between 500 and 50,000 requests per second. We have several technical implementations in place to filter even larger attacks.