GH GambleHub

DDoS protection and packet filtering

Brief Summary

DDoS attacks come in three classes: L3/L4 volumetric (clog channel/equipment), state-exhaustion (exhaust state tables/CPUs on balancers/firewalls) and L7 (generate "plausible" requests to the application). Effective defense is built in several layers: network measures on the perimeter, filtering/scrubbing outside your network, protection on balancers/proxies and the application, plus operational procedures with measurable SLOs.

Threat Landscape

Volumetric (UDP/ICMP flood, DNS/NTP/SSDP/CLDAP/Memcached amplification): the goal is to clog the channel and ports.
TCP state-exhaustion (SYN/ACK flood, TCP fragmentation, half-cone connections): exhaust conntrack/listener.
L7 HTTP (S )/WebSocket/GraphQL flood, cache-busting, "slow" requests: eat CPU/IO applications and cache layer.
Reflection/Amplification: use of open reflectors/amplifiers with IP source substitution.
Carpet bombing: distribution of traffic across multiple IP/prefixes, complicating point filtering.

Basic network measures (before attacks)

1. Anti-spoofing: uRPF/BCP38 at the border; drop outgoing packets with other people's sources.
2. ACL on edge/PE: deny unwanted protocols/ports; separate lists for the mgmt segment.
3. CoPP (Control Plane Policing): polishing to the router (BGP, OSPF, SSH, SNMP).
4. Rate-limits/polishing on ports: bps/PPS for "noisy" classes, burst settings.
5. Load sharing: Anycast for public IPs, georesources; CDN/WAAP for static and cached.
6. RPKI/ROA + strict BGP import: reduces the risk of traffic hijack/redirection.
7. Surface reduction: minimize published services, close the "raw" origin behind the proxy.

Quick reaction when attacking: network levers

RTBH (Remote Triggered Blackhole): BGP community for route zero/32 (or/128) victim.
BGP Flowspec: fast propagation of L3/L4 rules (src/dst/port/TCP flags) to PE/edge.
Scrubbing centers/anti-DDoS providers: GRE/VRF tunnel or direct upstream; filtering, then "pure" traffic to you.
Anycast-antiDDoS: flow splitting by presence points, damage localization.
CDN/edge cache: screens origin, gives L7 limits and "challenge" mechanisms.

Host and L4 protection

SYN cookies/SYNPROXY: Do not hold status until client confirmation.

Linux: `sysctl net. ipv4. tcp_syncookies=1' or'SYNPROXY 'on the input balancer.

Tuning conntrack (if used):
  • Temper 'nf _ conntrack _ max' sensibly by raising hashsize;
  • Reduce timeouts for "half-open" and inactive states.
  • eBPF/XDP: early drop on NIC (PPS protection), signature/speed filtering to core.
  • nftables/iptables: PPS limits, discarding "suspicious" flags, connlimit.
  • UDP hardening: if the service does not use UDP, a drop at the border; if using, restrict sources/ports.
Example 'nftables' (simplified): 
nft table inet filter {
sets {
bad_ports { type inet_service; elements = { 19, 1900, 11211 } } # chargen/SSDP/memcached
}
chains {
input {
type filter hook input priority 0; policy drop;
ct state established,related accept ip saddr 127. 0. 0. 0/8 drop ip6 saddr::1/128 drop

limit new TCP tcp flags & (syn    ack) == syn limit rate 200/second burst 400 accept tcp flags & (syn    ack) == syn drop

deny bad UDP ports udp dport @ bad _ ports drop

ICMP rate-limit icmp type echo-request limit rate 50/second burst 100 accept icmpv6 type echo-request limit rate 50/second burst 100 accept
}
}
}
SYNPROXY on input balancer (example 'iptables'): 
bash iptables -t raw -A PREROUTING -p tcp --syn -j CT --notrack iptables -A INPUT -p tcp -m tcp --syn -m hashlimit --hashlimit 100/second --hashlimit-burst 200 --hashlimit-mode srcip --hashlimit-name syns -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 iptables -A INPUT -m state --state INVALID -j DROP

L7 protection (short)

WAAP/WAF: positive model on critical pathways, rate-limits, challenge/JS, behavioral scoring.
Caching/static offload: reduce requests to origin; cache-busting protection (normalization/parameter blacklists).
GraphQL limiters: 'maxDepth', 'maxCost', introspection prohibition in sales.
BFF pattern: thin client tokens, heavy logic/limits on the server.
Idempotence and queues: prevent avalanche-like repetitions during degradation.

Telemetry and Discovery

Network flows: NetFlow/sFlow/IPFIX (pps, top talkers, protocols/ports/ASN).
Passive L7 sensors: balancer/proxy logs (nginx/envoy), p95/99 metrics, error-rate.

Basic thresholds: "unexpected PPS/CPU growth on edge," "SYN-RECV surge," "UDP unrequited."

Signatures/behavior: IP/ASN/JA3 frequencies, 4xx/5xx spikes, user-agent anomalies.
Visualization: individual dashboards L3/L4/L7; Geo/ASN traffic map time to RTBH/Flowspec.

SLO/SLI and alerting

SLO examples:
  • "MTTD of DDoS anomalies ≤ 60 sec, MTTM (RTBH/Flowspec activation) ≤ 3 min."
  • "p95 latency via edge ≤ 50 ms outside attacks; when attacking ≤ 200 ms under mitigation."
  • "The share of discarded malicious traffic ≥ 99% while maintaining ≥ 98% of legitimate traffic."
Alarms:
  • PPS/CPU/IRQ of network nodes> threshold;
  • SYN-RECV/half-open > X;
  • 5xx/latency growth on public endpoints;
  • percentage challenge/deny at WAF> threshold (FP risk).

Defense architectural patterns

1. Tiered Defense: Edge (ACL/CoPP) → Scrubbing/Anycast → L7 Proxy/WAAP → Application.
2. Traffic Diversion: BGP community to move to scrubbing, GRE beckhol for dive time.
3. Stateless Edge: maximum stateless filtering to conntrack; stateful - closer to the application.
4. eBPF/XDP First: early drops (by JA3/ports/speed) to the core.
5. Golden Paths: separate IP/domains for critical APIs so as not to "demolish" everything entirely.

Operational procedures and incidents

Runbooks: who and under what metrics turns on RTBH/Flowspec/scrubbing, how to switch Anycast/pools.
Blacklists and TTL: short-term block so as not to "overshoot"; automatic re-test sources.
Communications: message templates for providers/partners/vendors; communication channel outside the attacked domain.
Post-Incident: report with a timeline (T0... Tn), "what worked/not," updating the test catalog.
Exercises: regular game-days: RTBH dry-run, loss of Anycast region, link saturation, "slow" attacks.

Linux/Balancer Tuning (Sample)

bash
TCP sysctl -w net. ipv4. tcp_max_syn_backlog=4096 sysctl -w net. ipv4. tcp_syncookies=1 sysctl -w net. ipv4. tcp_fin_timeout=15 sysctl -w net. ipv4. tcp_tw_reuse=1

Conntrack (if enabled)
sysctl -w net. netfilter. nf_conntrack_max=1048576 sysctl -w net. netfilter. nf_conntrack_tcp_timeout_syn_recv=30 sysctl -w net. netfilter. nf_conntrack_udp_timeout=15

NIC/IRQ ethtool -G eth0 rx 4096 tx 4096

Common errors

Keep all traffic through stateful firewall on edge → exhaustion of conntrack. Do stateless where you can.
Late RTBH/Flowspec → channel is already "to zero." Automate thresholds and enabling.
One IP/one edge for "all" → no blast radius isolation. Divide domains/IP and quotas.
Zero cache → each L7 call beats origin; Enable caching and parameter normalization.
Blind blocking of countries/ASN without legite analysis - cuts conversion; use nuanced rules/challenges.
Too aggressive limits → massive FP at the peak of business.

Implementation Roadmap

1. Surface assessment: IP/prefix/port/protocol inventory, critical path map.
2. Network hygiene: anti-spoofing, ACL, CoPP, RPKI/ROA, refusal of unnecessary UDP services.
3. Traffic diversion: contract with scrubbing provider, Anycast/CDN, BGP communities.
4. Edge tuning: stateless filtering, SYNPROXY/eBPF, reasonable conntrack timeouts.
5. L7/WAAP: positive model, limits/challenges, cache.
6. Observability: NetFlow/sFlow, dashboards L3/L4/L7, alerts, SLO.
7. Automation: RTBH/Flowspec buttons, IaC for rules, canary layout of configs.
8. Drills and RCAs: regular tests, playbook updates.

Features for iGaming/fintech

Peak events (tournaments, promotions, matches): plan capacity/limits, warm up caches, pre-warming CDN.
Payment integrations: dedicated IP/domains, priority channels via anti-DDoS provider, mTLS to PSP, strict limits on critical endpoints.
Anti-fraud/bot control: behavioral scoring and human challenges at registration/login/promo codes.
UX and conversion: with aggressive protection, use grace lists for VIP/partners, soft degradation (cache/readonly).
Legal requirements: log transparency, telemetry storage, debugging the impact of measures on Time-to-Wallet and turnover metrics.

Examples: Flowspec and RTBH (conceptually)

RTBH via community (example): 

route 203. 0. 113. 10/32 blackhole set community 65535:666 announce to upstream
Flowspec (UDP unit> 1 Mbit/interface per port 19/1900): 

match destination 203. 0. 113. 0/24 protocol = udp destination-port {19,1900}
then rate-limit 1000

FAQ

WAF solves DDoS?
Partly for L7. Against L3/L4 and volumetric, scrubbing/Anycast/network measures are needed.

SYN cookies enough?
This is basic protection against SYN-flood, but without network limits and scrubbing, the channel can still be clogged.

Do I need to disable ICMP?
No, it isn't. Better rate-limit and only dangerous types, ICMP is useful for diagnostics/PMTU.

GRE tunnel with scrubbing will not add latency?
Yes, but usually acceptable. Compensate with cache and exact route to the nearest PoP.

Total

Reliable DDoS protection is a multi-level architecture: network hygiene (anti-spoofing/ACL/CoPP), fast traffic diversion (RTBH/Flowspec/scrubbing/Anycast), host and L7 mechanisms (SYNPROXY, eBPF/XDP, WAAP), plus telemetry, SLO, and debugged playbooks. This approach minimizes downtime, keeps channels alive, and keeps business metrics even under pressure from distributed attacks.

Contact

Get in Touch

Reach out with any questions or support needs.We are always ready to help!

Telegram
@Gamble_GC
Start Integration

Email is required. Telegram or WhatsApp — optional.

Your Name optional
Email optional
Subject optional
Message optional
Telegram optional
@
If you include Telegram — we will reply there as well, in addition to Email.
WhatsApp optional
Format: +country code and number (e.g., +380XXXXXXXXX).

By clicking this button, you agree to data processing.