Layer 7 Protection Modes & support

At X4B we have Layer 7 (Application Layer) DDoS & Security Protection for the following protocols. Most applications and game servers do not require specific Layer 7 protection benifiting instead from our dynamic & layer 4+ mitigation. Some game servers and protocols however are either sufficiently complex (e.g HTTP/HTTPS), commonly attacked (e.g DNS and HTTP/HTTPS) or particularly vulnerable (e.g SAMP) for these protocols we implement specific protection modes. Most games and services do not need special handling.

As needed we will extend this list.

HTTP Layer 7 protection

HTTP Layer 7 protection is implemented via a Reverse Proxy (optionally over Encapsulated or Routed Tunnel). We implement extensive in-house developed algorithms for mitigation including Proof of Work challenge and CAPTCHA validation. Custom user supplied Layer 7 rules can also be provided via the dashboard page. This protection is available on "HTTP" type ports and "HTTPS" type below.

For more information on HTTP protection please see:

HTTPS (TLS) Layer 7 protection

HTTPS layer 7 protection is implemented as per the above HTTP protection. Additional protection is provided for SSL specific attacks such as re-negotiation and handshake attacks. This protection is available on "HTTPS" type ports.

Teamspeak 3 Layer 7 protection

Protection against Teamspeak 3 (UDP) connection floods has been implemented using an application layer cookie and protocol validation. This protects against all know Teamspeak 3 Application Layer attacks. This protection is implemented on "TS3" type ports.

Grand Theft Auto: San Andres Multiplayer (GTA SA-MP or GTA SAMP) protection

Protection against protocol vulnerabilities in the joining process & querying protocol. These mitigations are implemented on port 7777 for "UDP" type ports.

FTP protection

For FTP we implement protocol validation and helper support to enable dynamic port forwarding for file transfers enabling both active and passive transfer support without opening large port ranges to backend servers.

DNS protection (coming soon)

For DNS we implement both query validation and edge caching. By caching DNS queries on our Anycast network you can acheive maximum performance and all the benifits of your own Anycast network without deploying a fleet of servers world-wide.

Valve A2S protection (for Half Life series games)

For Half Life (HL1, HL2, and on) games we implement a query cache protocol to protect against query floods. The A2S port should be used in place of the games UDP port. If tour Half-Life game server includes a TCP service (e.g for content delivery) this should remain forwarded seperately.

Active A2S caching for game server list ranking improvement is also available at additional cost. Contact us for pricing.

This protection mode has been tested with:

  • Left for Dead 2
  • Garrys Mod
  • Counterstrike 1.6 and Source
  • Team Fortress 2

It is expected to work with all Half Life 2 engine games. There are two main attacks specific to Half-Life based game servers, both deal with the A2S query protocol used to list servers in the Valve master server list. These two methods, both of which we mitigate are below:

  1. Query Reflection - Your server is used to attack others: Half-Life servers are queried with the spoofed source address of the target. Your server replies wasting bandwidth and increasing the load on your server. Your servers load is however signficantly less than that of the attack target who is likely receiving hundreds of packets per second from multiple Half Life servers. This attack type is mitigated against all port types and profiles.
  2. Query Flood - Your server is the target: Your server is hit with thousands, tens of thousands or millions of queries per second. These queries may originate from compromised devices, or from a small number of spoofing servers. With the "A2S" port type we perform advanced mitigation to not only stop this traffic from reaching your server but also to continue responding to queries ensuring your server remains listed.

FiveM protection

A firewall profile for protecting FiveM services against attack is provided. This profile is similar to the UDPAuth profile, however it includes additional checks. This profile requires that you have your TCP port and UDP port on the same number (as is the default). This is available on all Anycast services.

You may also wish to define a HTTP port for Layer 7 protection on the TCP port, this is supported however is an advanced configuration.

UDPAuth profile

The UDPAuth profile verifies services that include both a TCP and UDP connection. A completed TCP connection (three way handshake) is required before the UDP "connection" will be accepted. This is available on all Anycast services.