Proxy system, ddos protection (free version)
#1
Hey,

A lot of you ask me for help with DDoS attacks. 
For big servers I have a solution - proxy system - for $1500, the problem is - many small servers can't afford it. 
So today I release free version of proxy system with some limitations.

Download: http://otclient.ovh/proxy_free.zip

Limitations:
- There's no source code, only precompiled files
- Has limit of 200 connections
- Doesn't show real player ip
- Doesn't support packet compression

How to use it:
First of all, in your tfs (tutorial for 1.3) disable limit for connections/bans from local ip address.
Edit ban.cpp, change
Code:
bool Ban::acceptConnection(uint32_t clientIP)
{
    std::lock_guard<std::recursive_mutex> lockClass(lock);

to
Code:
bool Ban::acceptConnection(uint32_t clientIP)
{
    // 127.0.0.1 in both byte orders: 16777343 = 0x0100007F, 2130706433 = 0x7F000001
    if (clientIP == 16777343 || clientIP == 2130706433) { // localhost
        return true;
    }
    std::lock_guard<std::recursive_mutex> lockClass(lock);


and

Code:
bool IOBan::isIpBanned(uint32_t clientIP, BanInfo& banInfo)
{
    if (clientIP == 0) {
        return false;
    }

to
Code:
bool IOBan::isIpBanned(uint32_t clientIP, BanInfo& banInfo)
{
    // 16777343 and 2130706433 are both 127.0.0.1 (little-endian and big-endian reading)
    if (clientIP == 0 || clientIP == 16777343 || clientIP == 2130706433) {
        return false;
    }


Proxy vps configuration
Now you need to buy some vpses to work as proxy. I recommend to buy cheapest vps available, for less than $10. OVH vpses are good to use. On each vps you need to install haproxy and configure it, here's how:
Code:
PROXY VPS CONFIGURATION
1. install latest debian/ubuntu
2. apt-get update
3. apt-get install haproxy
4. edit /etc/haproxy/haproxy.cfg, add on bottom (change 11.22.33.44 to ip of your game server):
listen l1
    bind 0.0.0.0:7162
    mode tcp
    timeout connect  4000
    timeout client  180000
    timeout server  180000
    server srv1 11.22.33.44:7162 send-proxy-v2
5. if you want to redirect traffic also for login port/server add
listen l2
    bind 0.0.0.0:7171
    mode tcp
    timeout connect  4000
    timeout client  180000
    timeout server  180000
    server srv1 11.22.33.44:7171
6. /etc/init.d/haproxy restart
7. that's all


Game server configuration
Upload proxy_server_free to your game server, run
Code:
chmod +x proxy_server_free
And then just keep it running on screen
Code:
screen -S proxy
./proxy_server_free
 
On iptables or your firewall, unblock only port 7162 (and eventually 7171 for status) for your proxy vps, block every other port (80, 433, 7171, 7172). Move website to vps, don't keep it on game server. If you don't want to use port 7162 you can change it by adding argument to proxy server, like this: ./proxy_server_free 7170

Important: you also need to change your server ip to 127.0.0.1 in config.lua and login.php for tibia 12

Client configuration
For client you need 2 files, launcher.exe and proxy.config, upload them to dir with tibia.exe or client.exe. Now configure your proxy.config
Code:
.\client.exe
7172 7173
proxy1.otclient.ovh 11.22.33.44 7162
proxy2.otclient.ovh 11.22.33.55 7162
proxy3.otclient.ovh 11.22.33.66 7162
proxy4.otclient.ovh 11.22.33.77 7162 200
proxy4.otclient.ovh 11.22.33.88 7162 200


In 1st line (.\client.exe) enter name of tibia binary (so .\client.exe or .\Tibia.exe or .\otclient.exe)
In 2nd line enter ports to redirect separated by space (so for example: 7171 7172 7173)
In next lines add proxy servers: domain backup_ip port priority
So for example: proxy1.otclient.ovh 11.22.33.44  7162
If you don't have domain just enter: 11.22.33.44 11.22.33.44 7162

If you have some expensive vpses, like google cloud, you can also lower proxy priority by adding some number at the end, for example 200
Then such server will be used only in case of ddos attack, so you can save some money on traffic

There's also proxy_debug.exe, keep it only for yourself, it can be used to check if everything works fine. When you open it, you'll see your proxy connections.
Code:
proxy1sv2.skelot.com P: 259 RP: 259 In: 4 (56)  Out: 5 (90) Conns: 1 Sess: 0 R: 191.252.204.54
proxy2sv2.skelot.com P: 251 RP: 251 In: 4 (56)  Out: 5 (90) Conns: 1 Sess: 0 R: 34.95.219.116
proxy3sv2.skelot.com P: 234 RP: 234 In: 4 (56)  Out: 5 (90) Conns: 1 Sess: 0 R: 45.231.132.164
proxy4sv2.skelot.com P: 251 RP: 251 In: 4 (56)  Out: 5 (90) Conns: 1 Sess: 0 R: 177.67.81.81

Here you can see your ping through proxy, number of input/output packets (bytes), total number of connections and active sessions.

If you have some problems with setup, ask someone for help from http://otclient.net/forumdisplay.php?fid=29
Please don't ask me for help, I don't have time for that.
Thanks
[-] The following 3 users Like Kondra's post:
  • Andersen, jabroni, Trevor
Reply
#2
So, all players will have the same ip address right?
Reply
#3
(10-07-2020, 02:31 AM)Rudy Wrote: So, all players will have the same ip address right?

Yes, 127.0.0.1.
There's a way to bypass it, here's how:
1. Don't use proxy for login server
2. Save player ip in database when he's getting character list (in login server/login.php)
3. When player logs in, load last ip of player from database

There's special feature for that in paid version, I didn't add it in free version because it requires more changes in source code
[-] The following 2 users Like Kondra's post:
  • Rudy, Trevor
Reply
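The `send-proxy-v2` option in the HAProxy config from post #1 makes HAProxy prepend a PROXY protocol v2 header carrying the original client address, which is exactly what is lost when every player shows up as 127.0.0.1. As an added example (not part of the thread and not code from the closed-source proxy_server_free), this C++ parser reads that header for TCP over IPv4 and only honours it when the TCP peer is one of your own proxy VPSes; the function names, the trusted-proxy list and the sample addresses are hypothetical.

```cpp
// Added example, not code from proxy_server_free: PROXY protocol v2, TCP over IPv4 only.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

struct ProxiedClient {
    std::string srcIp;   // client address as HAProxy saw it
    uint16_t srcPort;
    size_t headerLen;    // bytes to skip before the game protocol begins
};

// Returns false unless buf starts with a well-formed "PROXY, TCP over IPv4" v2 header.
bool parseProxyV2(const std::vector<uint8_t>& buf, ProxiedClient& out) {
    static const uint8_t sig[12] = {0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A};
    if (buf.size() < 16 || std::memcmp(buf.data(), sig, 12) != 0) return false;
    if (buf[12] != 0x21) return false;   // version 2, command PROXY (0x20 = LOCAL, no client address)
    if (buf[13] != 0x11) return false;   // AF_INET + STREAM
    const size_t len = (size_t(buf[14]) << 8) | buf[15];   // big-endian payload length
    if (len < 12 || buf.size() < 16 + len) return false;   // never read past the buffer
    const uint8_t* a = buf.data() + 16;  // src addr(4) dst addr(4) src port(2) dst port(2)
    out.srcIp = std::to_string(a[0]) + "." + std::to_string(a[1]) + "." +
                std::to_string(a[2]) + "." + std::to_string(a[3]);
    out.srcPort = uint16_t((a[8] << 8) | a[9]);
    out.headerLen = 16 + len;
    return true;
}

// Address to use for bans and connection limits, or "" to drop the connection.
// The header is trusted only when the TCP peer is one of your proxy VPSes.
std::string clientIpFor(const std::string& peerIp, const std::vector<std::string>& proxies,
                        const std::vector<uint8_t>& firstBytes) {
    ProxiedClient c;
    if (std::find(proxies.begin(), proxies.end(), peerIp) == proxies.end()) return "";
    return parseProxyV2(firstBytes, c) ? c.srcIp : "";
}

// Constructed sample: client 203.0.113.7:51000 connecting to 11.22.33.44:7162.
std::vector<uint8_t> sampleHeader() {
    return {0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A, 0x21,0x11,0x00,0x0C,
            203,0,113,7, 11,22,33,44, 0xC7,0x38, 0x1B,0xFA};
}
int main() {
    const std::vector<std::string> proxies = {"11.22.33.55", "11.22.33.66"};  // placeholder VPS IPs
    std::printf("via proxy: %s\n", clientIpFor("11.22.33.55", proxies, sampleHeader()).c_str());
    std::printf("direct:    '%s'\n", clientIpFor("198.51.100.9", proxies, sampleHeader()).c_str());
    return 0;
}
```

A PROXY header is attacker-controlled data if anyone other than your proxies can reach the port, which is why the firewall rule in post #1 (port 7162 open only to the proxy VPSes) and the peer check here belong together.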
#4
Does it work only on linux?
Can't run on windows?
Reply
#5
Great attitude, thanks for sharing.
I am starting now with the otserver.
I have already installed it and it is working perfectly.
I hope to be able to buy your proxy in the future.
God bless you!!! Kondra.
Reply
#6
Why the OT server just doesn't work with the haproxy normally? Why it doesn't redirect traffic to the server as expected? I'm trying here but can't connect through haproxy, it says the port is not open.

You said free version on the title. Do you have a paid one with no limitations?
Reply
#7
From my personal experience I went thru various ddos attacks on my server, but finally I found a good and relatively cheap decision for this. Cloud4u and their disaster recovery system helped me a lot to overcome my problems: https://www.cloud4u.com/cloud-hosting/di...-recovery/
Reply
#8
Proxy system and DDOS protection is an important part of a website. The proxy system will protect you in situations which you have exceeded your bandwidth limit or when you have shared your bandwidth with others for free, which is against the terms of service. Proxy server protects your website by using third-party servers as intermediate agents, so your IP will be hidden. The DDOS protection keeps your website online. It is a common way to get some reputation points.
Reply

