GH GambleHub

DDoS Packet Protection and Filtering

1) Why do you need it

DDoS is a "massive degradation" of resources: bandwidth/pps, state tables, CPU cores/IRQ, connection pools, application limits. The goal is layered protection: absorb the volume at the network perimeter, neutralize protocol anomalies before they reach the TCP/IP stack, and cut off unwanted requests at L7, preserving the SLO for legitimate users.

2) Attack classes

2.1 L3/L4 (volumetric/protocol)

Volumetric: UDP flood, UDP-reflection/amplification (DNS/CLDAP/NTP/SSDP/memcached/mDNS), GRE flood.
Protocol/state exhaustion: SYN flood, ACK/RST flood, TCP connection-exhaustion, ICMP flood, TCP fragmentation.
QUIC/UDP specifics: forged Initial/Retry storms, spoofed sources.

2.2 L7 (application)

HTTP/1.1: requests to expensive routes, oversized headers/field smuggling.
HTTP/2: Rapid Reset, stream-flood, HEADERS flood, PRIORITY abuse.
HTTP/3 (QUIC): connections/threads without termination, Initial flood.
Slow attacks: slowloris/slow-read/slow-POST.
gRPC/WebSocket: endless streams, message-flood, large frames.

3) Basic security architecture

1. Anycast + Scrubbing

Spread traffic globally and route it through the provider's scrubbing centers (volumetric and spoofed traffic is cut off at the edge).

2. Multi-CDN / Multi-Edge

Domain separation (web, API, static), aggregation of protection and cache for read load.

3. Low-level filters on your own perimeter

ACLs on border routers (RFC1918, bogons, known-bad ports).
eBPF/XDP for early drop on signatures and rate limits before conntrack.

4. L7 Perimeter (NGINX/Envoy/WAF)

RPS limiting by key, challenges (captcha/PoW), cache, prioritization of "expensive" paths.

5. Internal stability

Connection pools, queues, circuit breakers/timeouts, service isolation (bulkhead), load shedding and autoscaling.

4) Network "valves": what to turn on immediately

4.1 Linux sysctl (kernel/stack)

```bash
# TCP SYN flood
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_synack_retries=3

# Conntrack tables
sysctl -w net.netfilter.nf_conntrack_max=262144
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=300

# ICMP / redirects
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0

# Socket resources
sysctl -w net.core.somaxconn=4096
sysctl -w net.core.netdev_max_backlog=250000
sysctl -w net.core.rmem_max=134217728
sysctl -w net.core.wmem_max=134217728
```

4.2 nftables: basic filters and packet rate limits

```nft
table inet filter {
    set bogon {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8,
                     169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16,
                     198.18.0.0/15, 224.0.0.0/4 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # loopback and already-accepted flows first; add management ports (SSH) here
        iif lo accept
        ip saddr @bogon drop
        ct state established,related accept

        # UDP amplification ports: cap pps
        udp dport { 53, 123, 389, 1900, 5353, 11211 } limit rate over 2000/second drop

        # SYN rate-limit for the public services, then let the remaining SYNs in
        tcp flags syn tcp dport { 80, 443 } limit rate over 2000/second drop
        tcp dport { 80, 443 } ct state new accept

        # ICMP flood
        ip protocol icmp limit rate 100/second accept
    }
}
```

4.3 XDP/eBPF (idea)

Early drop of packets with spoofed sources (uRPF on the router is preferable).
Per-/32 and per-/24 pps hash buckets; dynamic "quarantine" of sources.
UDP reflection: DNS-response-like signatures (filtered without connection context).
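As an added illustration (not the page's code and not any eBPF program), the following Python model implements the per-/32 and per-/24 pps buckets with a dynamic source quarantine sketched above; the thresholds, the quarantine length and the packet stream in `simulate()` are constructed values. In production this logic lives in the XDP program and its maps; the model shows the per-packet decision sequence the program has to make.

```python
# Added example (not the page's or any vendor's code): a userspace Python model
# of per-/32 and per-/24 pps buckets with a dynamic source "quarantine", as
# sketched for XDP/eBPF. Thresholds, quarantine length and the traffic stream
# in simulate() are constructed for illustration.
import ipaddress
from collections import defaultdict


class PpsGuard:
    def __init__(self, limit_host=1000, limit_net=5000, quarantine=60.0):
        self.limit_host = limit_host        # packets/second allowed per /32
        self.limit_net = limit_net          # packets/second allowed per /24
        self.quarantine = quarantine        # seconds a source stays dropped
        self.host_count = defaultdict(int)  # (second, /32) -> packets seen
        self.net_count = defaultdict(int)   # (second, /24) -> packets seen
        self.quarantined = {}               # /32 or /24 -> release timestamp
        self.drops = 0

    @staticmethod
    def net24(ip):
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))

    def packet(self, ts, src_ip):
        """Decide 'pass' or 'drop' for one packet seen at time ts (seconds)."""
        sec = int(ts)
        net = self.net24(src_ip)
        # Quarantined source or network: drop cheaply, without counting.
        for key in (src_ip, net):
            release = self.quarantined.get(key)
            if release is not None:
                if ts < release:
                    self.drops += 1
                    return "drop"
                del self.quarantined[key]       # quarantine expired
        # Count in the current one-second bucket.
        self.host_count[(sec, src_ip)] += 1
        self.net_count[(sec, net)] += 1
        # Exceeding a bucket quarantines the offender (host first, then /24).
        if self.host_count[(sec, src_ip)] > self.limit_host:
            self.quarantined[src_ip] = ts + self.quarantine
            self.drops += 1
            return "drop"
        if self.net_count[(sec, net)] > self.limit_net:
            self.quarantined[net] = ts + self.quarantine
            self.drops += 1
            return "drop"
        return "pass"


def simulate():
    """Constructed stream: one host floods, then many hosts of one /24 flood,
    then a quiet host sends one packet. Returns how much of each got through."""
    g = PpsGuard(limit_host=100, limit_net=300, quarantine=10.0)
    out = {"flooder": 0, "spread": 0, "quiet": 0}
    for i in range(500):                      # single host, 500 pkts in second 0
        out["flooder"] += g.packet(i / 1000, "203.0.113.7") == "pass"
    for i in range(400):                      # 80 hosts of one /24, 400 pkts in second 1
        out["spread"] += g.packet(1 + i / 1000, f"198.51.100.{i % 80 + 1}") == "pass"
    out["quiet"] += g.packet(2.0, "192.0.2.10") == "pass"
    out["flooder_t5"] = g.packet(5.0, "203.0.113.7")    # still quarantined
    out["flooder_t11"] = g.packet(11.0, "203.0.113.7")  # released after 10 s
    out["drops"] = g.drops
    return out


if __name__ == "__main__":
    print(simulate())
```

The quarantine check runs before any counting, which is the point of the XDP placement: once a source is known-bad, every further packet costs one map lookup and no conntrack entry.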

5) UDP amplification: inventory and blocks

Frequent reflectors/amplifiers: DNS (open resolvers), NTP (monlist), CLDAP, SSDP, mDNS, Memcached (UDP), Chargen.

Measures:
  • Close/restrict UDP services, minimize open ports.
  • At the perimeter, limit pps/bitrate for known ports.
  • DNS recommendation: recursion only for your own networks, RRL (Response Rate Limiting), minimizing ANY.
  • NTP: sync only with trusted upstreams, `noquery` for public access.
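The "DNS-response-like signature" idea from 4.3 and the reflector inventory above, as an added Python example that is not part of the original page: it parses the fixed DNS header statelessly and keeps the set of queries this host actually sent, so an inbound UDP/53 payload can be classified as solicited, reflected, or reflected and amplified. `build_dns`, the size/answer-count thresholds and the addresses are constructed for the demo.

```python
# Added example, not the page's own code: stateless parsing of the DNS header
# plus a small "did we ask for this?" tracker, used to classify inbound UDP/53
# payloads as solicited responses, unsolicited (reflected) responses, or
# unsolicited responses that look amplified. Packet contents and the size /
# answer-count thresholds below are constructed for illustration.
import struct


def parse_dns_header(payload):
    """Return the fields of the fixed 12-byte DNS header, or None if too short."""
    if len(payload) < 12:
        return None
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "tc": (flags >> 9) & 1,         # truncated: answer did not fit in UDP
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_dns(ident, response, ancount=0, size=12):
    """Constructed test payload: a DNS header padded to `size` bytes
    (no real question/answer sections; the classifier only reads the header)."""
    flags = 0x8180 if response else 0x0100   # QR|RD|RA vs. RD only
    hdr = struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)
    return hdr + b"\x00" * max(0, size - len(hdr))


class ReflectionDetector:
    """Remembers queries this host sent; judges responses arriving on UDP."""

    def __init__(self, big_bytes=512, big_answers=10):
        self.pending = set()          # (resolver_ip, dns_id) we are waiting for
        self.big_bytes = big_bytes    # assumed "amplified" thresholds
        self.big_answers = big_answers

    def note_query(self, resolver_ip, payload):
        h = parse_dns_header(payload)
        if h is not None and h["qr"] == 0:
            self.pending.add((resolver_ip, h["id"]))

    def classify(self, src_ip, src_port, payload):
        h = parse_dns_header(payload)
        if h is None:
            return "malformed"
        if src_port != 53 or h["qr"] != 1:
            return "not-dns-response"
        key = (src_ip, h["id"])
        if key in self.pending:
            self.pending.discard(key)     # one answer per question
            return "solicited"
        if len(payload) >= self.big_bytes or h["ancount"] >= self.big_answers:
            return "unsolicited-amplified"
        return "unsolicited"


def demo():
    """Constructed exchange: one legitimate lookup, then reflected traffic."""
    d = ReflectionDetector()
    d.note_query("192.0.2.53", build_dns(0x1234, response=False))
    return [
        d.classify("192.0.2.53", 53, build_dns(0x1234, True, ancount=1, size=80)),
        d.classify("192.0.2.53", 53, build_dns(0x1234, True, ancount=1, size=80)),  # replay
        d.classify("198.51.100.9", 53, build_dns(0xBEEF, True, ancount=40, size=3000)),
        d.classify("198.51.100.9", 53, build_dns(0xBEEF, True, ancount=1, size=60)),
        d.classify("198.51.100.9", 4444, build_dns(0xBEEF, True)),
        d.classify("198.51.100.9", 53, b"\x00\x01"),
    ]
```

A host that runs no resolver of its own can skip the pending set entirely: every inbound packet from source port 53 with QR=1 is by definition reflected traffic, which is exactly the stateless signature an XDP filter can match.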

6) TCP state exhaustion

SYN flood: `tcp_syncookies=1`, increased `tcp_max_syn_backlog`, `tcp_synack_retries=3`, drop by pps.
ACK/RST flood: low-level limits, screening of illegitimate sequences (nftables/eBPF).
Conntrack-less at the border: do not spend state-table entries where a stateless signature filter is enough.

7) HTTP/2/3 and smart L7 attacks

HTTP/2 Rapid Reset: limit the frequency of RST frames and the number of open streams; close the connection in case of anomalies.
Stream abuse: limit concurrent streams, header size, max frame size.
QUIC/HTTP/3: limit Initial pps, enable Retry; short handshake timeouts.

NGINX (L7 fragment)

```nginx
# Header/body constraints
client_max_body_size 1m;
large_client_header_buffers 4 8k;

# HTTP/2 limits
http2_max_concurrent_streams 128;
http2_recv_buffer_size 256k;

# Rate limit by IP (example): the zone is declared in the http{} context,
# limit_req is applied in server{} or location{}
limit_req_zone $binary_remote_addr zone=reqs:20m rate=100r/s;
limit_req zone=reqs burst=200 nodelay;
```

Envoy (anti-reset and limits)

```yaml
http2_protocol_options:
  max_concurrent_streams: 128
  initial_stream_window_size: 65536
  max_outbound_frames: 10000
  stream_error_on_invalid_http_messaging: true
```

8) Slow attacks and resource protection

Slowloris/slow-read/slow-POST: enable `proxy_request_buffering on`, a low idle timeout, a minimum acceptable `read_rate`.
Terminate connections with a long inter-packet interval within a request.
In the application: read or discard the body early, limit JSON size/depth.
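The three rules above (idle timeout, minimum read rate, body size/depth limits) as an added Python example that is not part of the original page: a per-request "rate judge" replays the arrival times of body chunks and decides when to abort, and a streaming depth counter rejects deeply nested JSON before it is parsed. Timeouts, rates and the chunk sequences in `demo()` are constructed values.

```python
# Added example (not the page's own code): a per-request body "rate judge"
# that models the slow-POST / slow-read protections described above
# (buffer the request, enforce an idle timeout and a minimum read rate),
# plus a streaming JSON nesting-depth prefilter. Timeouts, rates and the
# chunk sequences in demo() are constructed values.


def judge_body_stream(chunks, content_length, idle_timeout=10.0, min_rate=500.0,
                      grace=5.0, max_body=1_000_000):
    """chunks: list of (arrival_time_seconds, bytes_received) for one request.
    Returns (verdict, reason): reject / abort / complete / incomplete."""
    if content_length > max_body:
        return ("reject", "content-length above max_body")
    received, start, last = 0, None, None
    for ts, n in chunks:
        if start is None:
            start = ts
        elif ts - last > idle_timeout:
            return ("abort", f"idle {ts - last:.1f}s between chunks")
        received += n
        last = ts
        if received > content_length:
            return ("abort", "more bytes than content-length")
        elapsed = ts - start
        # After a grace period the average rate must stay above min_rate.
        if elapsed >= grace and received / elapsed < min_rate:
            return ("abort", f"rate {received / elapsed:.0f} B/s below min_rate")
        if received == content_length:
            return ("complete", f"{received} bytes in {elapsed:.1f}s")
    return ("incomplete", f"{received}/{content_length} bytes")


def json_max_depth(text, limit=32):
    """Nesting depth of a JSON document, counting [ and { outside string
    literals. Stops early and returns limit + 1 once the limit is exceeded."""
    depth = max_depth = 0
    in_str = escaped = False
    for ch in text:
        if in_str:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_str = False
            continue
        if ch == '"':
            in_str = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
            if max_depth > limit:
                return max_depth
        elif ch in "]}":
            depth -= 1
    return max_depth


def demo():
    """Constructed request shapes: a normal upload, a slow-POST drip,
    a stalled sender and an oversized declaration."""
    normal = [(0.0, 4000), (0.5, 4000), (1.0, 2000)]
    drip = [(float(t), 1) for t in range(20)]          # 1 byte per second
    stalled = [(0.0, 100), (30.0, 100)]
    return {
        "normal": judge_body_stream(normal, 10_000),
        "drip": judge_body_stream(drip, 1000),
        "stalled": judge_body_stream(stalled, 200),
        "oversized": judge_body_stream([], 5_000_000),
        "depth_ok": json_max_depth('{"a": [1, {"b": []}], "s": "[[[["}'),
        "depth_bomb": json_max_depth("[" * 100 + "]" * 100),
    }
```

The grace period matters: without it a legitimate client whose first chunk arrives a little late would be cut off by the rate check before it had a chance to send anything.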

9) L7 filtering: who is more important - let it pass

Traffic classification: known good (mTLS/JWT partners), registered users, anonymous.
Priorities: "expensive" write routes (deposits/withdrawals) are protected, but confirmed users are let through; read-only catalogs get cache + throttle.
Challenge layer: captcha/PoW/JS challenges for gray zones at peak.
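The classification and priority rules of this section as an added Python example (not the page's own code): a per-second admission policy in which known-good partners always pass, registered users get the full budget, and anonymous traffic gets a share of it and is challenged on expensive write routes while the edge is under pressure. The class names, budgets, route list and the request sequence in `demo()` are constructed values.

```python
# Added example, not the page's own code: a per-second admission policy that
# applies "who is more important, let it pass": known-good partners always
# pass, registered users get the full budget, anonymous traffic gets a share
# of it and is challenged on expensive write routes under pressure. Class
# names, budgets, routes and the request sequence in demo() are constructed.
from collections import defaultdict

EXPENSIVE_ROUTES = {"/api/deposit", "/api/withdraw", "/api/bet"}   # assumed list


class Admission:
    def __init__(self, capacity_per_sec, anon_share=0.5, expensive=EXPENSIVE_ROUTES):
        self.capacity = capacity_per_sec
        self.anon_budget = int(capacity_per_sec * anon_share)
        self.expensive = expensive
        self.used = defaultdict(int)        # second -> admitted requests
        self.anon_used = defaultdict(int)   # second -> admitted anonymous requests

    def decide(self, ts, traffic_class, route, under_pressure):
        """Return 'admit', 'throttle' (429) or 'challenge' (captcha/PoW/JS)."""
        sec = int(ts)
        if traffic_class == "known_good":            # mTLS/JWT partners
            self.used[sec] += 1
            return "admit"
        if traffic_class == "registered":
            if self.used[sec] < self.capacity:
                self.used[sec] += 1
                return "admit"
            return "throttle"
        # anonymous: the gray zone
        if under_pressure and route in self.expensive:
            return "challenge"
        if self.anon_used[sec] < self.anon_budget and self.used[sec] < self.capacity:
            self.anon_used[sec] += 1
            self.used[sec] += 1
            return "admit"
        return "challenge"


def demo():
    """Constructed sequence: a calm second with 8 anonymous, 6 registered and
    one partner request, then a peak second hitting a write route."""
    a = Admission(capacity_per_sec=10)
    calm = ([("anonymous", "/catalog")] * 8 + [("registered", "/catalog")] * 6
            + [("known_good", "/api/bet")])
    peak = [("anonymous", "/api/deposit"), ("anonymous", "/catalog"),
            ("registered", "/api/deposit"), ("known_good", "/api/deposit")]
    return {
        "calm": [a.decide(0.0, c, r, under_pressure=False) for c, r in calm],
        "peak": [a.decide(1.0, c, r, under_pressure=True) for c, r in peak],
    }
```

Known-good traffic is counted against the budget but never refused, so a burst of partner traffic reduces what is left for the other classes rather than being shed itself; whether that is the right trade-off is a business decision, which is why the share is a parameter.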

10) Cache, coalescing and degradation

Edge cache for static/quasi-static responses, 'stale-while-revalidate'.
Request coalescing: collapse parallel requests to one key - in the proxy and in the application.
Degrade mode: disable secondary features (personalization, heavy reports), issue "light" pages.
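Request coalescing at the application layer, as an added Python example that is not part of the original page: a "single flight" wrapper in which parallel requests for the same key share one backend call and all receive its result (or its exception). The backend function, the key and the client count in `demo()` are constructed.

```python
# Added example, not the page's own code: request coalescing ("single flight")
# at the application layer. Parallel requests for the same key share one
# backend call and all receive its result; the backend, key and client count
# in demo() are constructed.
import threading
import time


class SingleFlight:
    def __init__(self):
        self._lock = threading.Lock()
        self._inflight = {}   # key -> call record shared by leader and followers

    def do(self, key, fn):
        """Run fn() at most once per key at a time; concurrent callers wait
        and share the result (or the exception) of the in-flight call."""
        with self._lock:
            call = self._inflight.get(key)
            leader = call is None
            if leader:
                call = {"done": threading.Event(), "result": None, "error": None}
                self._inflight[key] = call
        if leader:
            try:
                call["result"] = fn()
            except Exception as exc:            # propagate to every waiter
                call["error"] = exc
            finally:
                with self._lock:
                    del self._inflight[key]     # next caller starts a fresh flight
                call["done"].set()
        else:
            call["done"].wait()
        if call["error"] is not None:
            raise call["error"]
        return call["result"]


def demo(n_clients=50):
    """n_clients threads ask for the same cache key simultaneously.
    Returns (backend_calls, results)."""
    sf = SingleFlight()
    calls = {"n": 0}
    calls_lock = threading.Lock()
    ready = threading.Barrier(n_clients)        # release all clients together

    def backend():
        with calls_lock:
            calls["n"] += 1
        time.sleep(0.3)                          # an "expensive" catalog render
        return "catalog-v1"

    results = []
    results_lock = threading.Lock()

    def client():
        ready.wait()
        value = sf.do("GET /catalog", backend)
        with results_lock:
            results.append(value)

    threads = [threading.Thread(target=client) for _ in range(n_clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return calls["n"], results
```

The in-flight entry is removed before the event is set, so a request arriving after completion starts a fresh backend call instead of receiving a stale result; the waiters already holding the record still get the value they waited for.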

11) Observability and telemetry

Metrics (per POP/node/cluster):
  • L3/L4: `pps_in/out`, `bps_in/out`, `drop_pps{reason}`, `syn_recv`, `conntrack_used/limit`, `xdp_drop_pps`.
  • L7: `requests_total{route}`, `429_total`, `challenge_total{type}`, `h2_rst_rate`, `slow_req_total`.
  • Dependencies: CPU IRQ soft/hard, NIC queue drops, run-queue length.

Logs: sampled, aggregated by /24, ASN, ports and signatures; without PII.
Tracing: enabled for allow-listed traffic; during an incident, widen sampling for debugging.
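The log aggregation described here and the detection step of the runbook (thresholds on 429 and `h2_rst_rate`), as an added Python example that is not part of the original page: it reads sampled JSON-lines edge logs, aggregates by /24 and ASN, computes the ratios and raises alert flags. The log lines, the ASN prefix table and the thresholds are constructed; in production the ASN comes from a routing or GeoIP database.

```python
# Added example, not the page's own code: aggregation of sampled L7 access
# logs by /24 and ASN, with the 429 and HTTP/2 reset ratios that the runbook
# triggers on. Log lines, the ASN prefix table and the alert thresholds are
# constructed; in production the ASN comes from a routing/GeoIP database.
import ipaddress
import json
from collections import Counter

ASN_TABLE = {                        # constructed prefix -> ASN mapping
    "198.51.100.0/24": "AS64500",    # "hosting" network in this scenario
    "198.18.0.0/15": "AS64496",      # benchmarking range standing in for eyeballs
}


def net24(ip):
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def lookup_asn(ip, table=ASN_TABLE):
    """Longest-prefix match; 'unknown' when no prefix covers the address."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "unknown", -1
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = asn, net.prefixlen
    return best


def make_sample_log():
    """Constructed JSON-lines edge log: one /24 hammers a write route (half of
    it rejected, some streams reset) over background traffic from other /24s."""
    lines = []
    for i in range(12):
        lines.append(json.dumps({"src": f"198.51.100.{10 + i}", "route": "/api/bet",
                                 "status": 429 if i % 2 else 200, "proto": "h2",
                                 "rst": 1 if i % 3 == 0 else 0}))
    for i in range(8):
        lines.append(json.dumps({"src": f"198.18.{i}.1", "route": "/catalog",
                                 "status": 200, "proto": "h2", "rst": 0}))
    return lines


def analyze(lines, rate_429_alert=0.2, rst_alert=0.1, net_share_alert=0.5):
    total = c429 = h2 = rst = 0
    by_route, by_net, by_asn = Counter(), Counter(), Counter()
    for line in lines:
        rec = json.loads(line)
        total += 1
        by_route[rec["route"]] += 1
        c429 += rec["status"] == 429
        if rec["proto"] == "h2":
            h2 += 1
            rst += rec.get("rst", 0)
        by_net[net24(rec["src"])] += 1        # aggregate only: no per-user PII kept
        by_asn[lookup_asn(rec["src"])] += 1
    if total == 0:
        return {"total": 0, "alerts": []}
    top_net, top_count = by_net.most_common(1)[0]
    report = {
        "total": total,
        "requests_total": dict(by_route),
        "429_total": c429,
        "rate_429": c429 / total,
        "h2_rst_rate": rst / h2 if h2 else 0.0,
        "top_net": top_net,
        "top_net_share": top_count / total,
        "by_asn": dict(by_asn),
        "alerts": [],
    }
    if report["rate_429"] > rate_429_alert:
        report["alerts"].append("429_rate")
    if report["h2_rst_rate"] > rst_alert:
        report["alerts"].append("h2_rst_rate")
    if report["top_net_share"] > net_share_alert:
        report["alerts"].append("top_net_share")
    return report
```

Only the /24 and ASN aggregates leave the function; individual addresses are consumed and dropped, which is what "without PII" means for a sampled log pipeline.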

12) Response plans (runbook)

1. Detection: triggering of pps/bps/429/h2_rst_rate thresholds.
2. Classification: level (L3/4/7), protocol (UDP/TCP/h2/h3), geo/ASN.
3. Valves:
  • enable scrubbing/blackhole profiles at the provider,
  • tighten nftables/eBPF limits,
  • lower L7 limits and increase challenges,
  • enable Retry for QUIC (Initial flood).
4. Communications: status page, partner notification templates.
5. Forensics: PCAP capture for 60-120 seconds, sampling of top-talker ASNs/ports.
6. Retrospective: update signatures, thresholds, reflector lists.

13) Testing and drills

DDoS-drill playbooks quarterly: synthetic UDP/HTTP bursts, slow traffic, HTTP/2 reset.

Game day: Anycast switches/migration between CDNs, degradation to "easy mode."

Provider verification: SLA scrubbing, filter on/off time, max pps/bps.

14) Antipatterns

Relying only on an L7 WAF against a volumetric attack.
No uRPF/ACL at the border and conntrack-heavy filtering head-on.
Unlimited headers/bodies and long keep-alive at peak.
Single region/ROR without Anycast/multi-edge.
No NIC/IRQ/CPU inventory and queue monitoring.
No cache/coalescing - extra RPS for backend.

15) Specifics of iGaming/Finance

Temporary peaks (matches/derbies/lotto draws): expand POP capacity in advance, enable aggressive caching of odds, roll out canary challenges for anonymous users.
Payment/withdrawal routes: a separate edge pool with mTLS, short timeouts, concurrency limits; no 0-RTT.
Geo-policies: regional allow-lists, ASN filtering of "hosting" networks, fast geo-switching.
Intersection with antifraud: velocity limits and the Risk API switch to a "hard" profile during a DDoS incident.

16) Prod Readiness Checklist

  • Anycast or multi-edge/CDN; scrubbing channels checked.
  • Border-ACL/uRPF; nftables/ebpf/XDP profiles, conntrack-less filtering.
  • Sysctl TCP/SYN tuning, limit pps for UDP amplifier ports.
  • HTTP/2/3 limits (streams, frames, headers), slow-protection, body/header-limits.
  • L7 limits and challenge; cache and coalescing on the perimeter.
  • Dashboards pps/bps/conntrack/IRQ + L7 RED; alerts to h2_rst/429 anomalies.
  • Runbook/playbooks, provider contacts, one-click enabling profiles.
  • Drills: bursts, slow, HTTP/2 reset; report and record improvements.
  • Split pools for payment/critical routes, mTLS, and strict limits.

17) TL;DR

Stratify protection: Anycast + scrubbing dampens volume, eBPF/XDP + nftables cut garbage to the stack, L7 limits/challenges/cache retain SLAs. Tune TCP (SYN cookies, backlog), limit UDP amplifiers, set HTTP/2/3 limits and slow protection. Have a runbook and train it; for iGaming - expand edge in advance during peak hours and separate payment paths with mTLS and hard limits.
