Amazon Web Services is launching a feature aimed at a very old enemy of online games: the distributed denial-of-service attack.
As games grow in popularity, they also become attractive targets for malicious actors seeking to disrupt gameplay through Distributed Denial of Service (DDoS) attacks.
An attack occurring during the initial launch of a game, during a visible esports tournament, or while a notable influencer/streamer is playing can have a significant impact on a game’s success and its developer’s reputation.
“This service is purpose-built as an always-on defense system that’s designed specifically for multiplayer game servers,” said Chris Melissinos, principal evangelist at AWS, in an interview with GamesBeat. “So it differs from the way traditional DDoS threat mitigation is handled. This is really, truly a first-of-a-kind capability.”
To address the specialized needs of protecting game servers, Amazon Web Services (AWS) is introducing Amazon GameLift Servers DDoS Protection, a new feature that lets game developers protect against malicious attempts to disrupt User Datagram Protocol (UDP)-based traffic to a game server hosted on Amazon GameLift Servers. Industry reports regularly rank gaming among the sectors most frequently targeted by DDoS attacks.
Unlike traditional DoS/DDoS protection methods for session-based multiplayer games, which react to an attack by finding the single instance that is being impacted and then applying a mitigation, Amazon GameLift Servers DDoS Protection provides always-on, UDP-based DDoS protection for game servers, without the need for manual byte matching, and with negligible latency added.
The new feature is available at no additional cost to Amazon GameLift Servers customers, and is initially available in the following regions: US East (N. Virginia), US West (Oregon), Europe (Frankfurt), Europe (Ireland), Asia Pacific (Sydney), Asia Pacific (Tokyo) and Asia Pacific (Seoul).
How it works
Melissinos said it solves a problem that game developers have wrestled with for years. Whether it hits at launch, during a tournament or while someone is streaming a game, a DDoS attack usually arrives as traffic from a large number of sources at once, whether disgruntled players or bots, that saturates the target's network capacity so legitimate players can't get through.
“This layer protection is included at no additional cost for Amazon GameLift Server service customers,” Melissinos said.
One of the key ways AWS can provide this protection is its sheer breadth of server capacity, spread redundantly across data centers around the world. Relay servers are what receive a game's incoming traffic, so the real game server or servers and their IP addresses are never exposed to the public. Traffic that doesn't belong to a genuine game session is dropped at the relay, while real game traffic is passed on to the game servers. AWS calls this a "relay network."
“We’re literally providing a layer between the attack and the game server,” Melissinos said.
This is different from solutions where infrastructure providers wait for an attack to arrive and then throw more capacity at the problem to make sure real game traffic gets through. That process can take several minutes, and players may have dropped out before it completes.
“What we are doing is taking a different approach to that is again focused directly on game specific traffic and traffic patterns,” Melissinos said. “It’s always on and it’s always proactive. It is not reactive. It doesn’t wait for an attack to start. So the protection is active from the moment a game actually launches. If one relay is hit, the rest of the session remains unaffected, and players seamlessly fail over to other relays without dropping out of the game.”
The Challenge: DDoS Attacks in Modern Gaming
DDoS attacks have become one of the most persistent threats facing multiplayer games. Traditional mitigations are typically reactive: they monitor incoming traffic and apply a mitigation once an attack is detected. An attack can take multiple minutes to detect and multiple additional minutes for mitigations to take effect. By the time mitigations are in place, players may have abandoned their game sessions or even been forcibly disconnected because the network interface on the instance has saturated.
Traditional mitigations are not purpose-built to proactively address attacks on game servers at scale, and they are not designed to handle UDP-based traffic and may require more complex integrations such as managing rotating byte match patterns. Additionally, the mitigations used to protect game servers often result in increased latency and may require updates if attackers find new ways to bypass defenses. Finally, some offerings only support a single game platform (such as PC games exclusively), resulting in developers needing multiple implementations to support multi-platform games.
When they're attacked, developers often don't say publicly that it was a DDoS attack, because they don't want attackers to know the attacks work against them. With this feature, authenticated UDP game traffic passes through the relays to the game server, while traffic that doesn't carry a valid access token is dropped before it gets there.
This is important for tournaments where victory or defeat depends on millisecond responses, where players can’t afford to have lag, or interaction delays.
“We’ve engineered this so you won’t feel the difference,” Melissinos said.
The Solution: Purpose-built Protection for Game Servers
Amazon GameLift Servers DDoS Protection provides an advanced layer of protection for games running on Amazon GameLift Servers by co-locating a relay network directly alongside the game servers. The relays authenticate client traffic using access tokens, so only authorized traffic reaches the server. In addition, even if the source of an attack presents itself as legitimate, the DDoS Protection feature applies per-player traffic limits to further contain disruptions.
By connecting players to a relay instead of the game server directly, this feature provides IP obfuscation and DDoS protection while maintaining a negligible increase in latency. To maximize resilience, players receive multiple relay endpoints, and connections are distributed across the infrastructure to prevent targeted disruptions against specific players or the entire game session.
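To make the relay behaviour described above concrete, here is an added, illustrative model of a token-authenticating UDP relay with per-player traffic limits. It is example code written for this article, not AWS's implementation of GameLift Servers DDoS Protection: the wire format (4-byte player id, 16-byte token, then payload), the HMAC-based token scheme, the 50 packets/second limit with a burst of 20, and the constructed traffic mix in `simulate()` are all assumptions.

```python
"""Illustrative model of a token-authenticating UDP relay with per-player limits.

Added example; NOT AWS's implementation. Wire format, token scheme and limits
are assumptions made for the demonstration.
"""
import hashlib
import hmac
import struct
from collections import defaultdict

# Assumed wire format (not AWS's): 4-byte player id | 16-byte access token | game payload.
PLAYER_ID = struct.Struct("!I")
TOKEN_LEN = 16
HEADER_LEN = PLAYER_ID.size + TOKEN_LEN


def issue_token(session_key: bytes, player_id: int) -> bytes:
    """Access token handed to a player when they are placed in a session.
    Assumed scheme: HMAC-SHA256 over the player id, truncated to 16 bytes."""
    mac = hmac.new(session_key, PLAYER_ID.pack(player_id), hashlib.sha256).digest()
    return mac[:TOKEN_LEN]


def build_datagram(player_id: int, token: bytes, payload: bytes) -> bytes:
    """Client side: prepend the id and token to every UDP datagram."""
    return PLAYER_ID.pack(player_id) + token + payload


class TokenBucket:
    """Per-player packet budget: `rate` packets per second, burst of `burst`."""

    def __init__(self, rate: float, burst: int, now: float):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Relay:
    """One relay endpoint: authenticate first, then rate-limit, then forward."""

    def __init__(self, session_key: bytes, rate: float = 50.0, burst: int = 20):
        self.session_key = session_key
        self.rate, self.burst = rate, burst
        self.buckets: dict[int, TokenBucket] = {}
        self.forwarded: list[tuple[int, bytes]] = []  # what reaches the game server

    def handle(self, datagram: bytes, now: float) -> str:
        if len(datagram) < HEADER_LEN:
            return "drop:malformed"
        (player_id,) = PLAYER_ID.unpack_from(datagram)
        token = datagram[PLAYER_ID.size:HEADER_LEN]
        # Authenticate BEFORE touching any per-player state, so a spoofed source
        # can neither exhaust a legitimate player's budget nor create state.
        if not hmac.compare_digest(token, issue_token(self.session_key, player_id)):
            return "drop:bad_token"
        bucket = self.buckets.get(player_id)
        if bucket is None:
            bucket = self.buckets[player_id] = TokenBucket(self.rate, self.burst, now)
        # Even a correctly authenticated player is capped, per the per-player limits.
        if not bucket.allow(now):
            return "drop:rate_limited"
        self.forwarded.append((player_id, datagram[HEADER_LEN:]))
        return "forwarded"


def simulate() -> dict:
    """Constructed traffic mix (not captured data): one normal player, one
    attacker forging tokens, one authenticated player flooding, one runt packet."""
    key = b"per-session-secret-constructed-for-demo"
    relay = Relay(key)
    counts = defaultdict(int)

    good = issue_token(key, 1)
    for i in range(5):  # normal player: 5 packets spread over 0.4 s
        counts[relay.handle(build_datagram(1, good, b"input"), now=0.1 * i)] += 1
    for _ in range(20):  # attacker spoofing player 2 with a forged token
        counts[relay.handle(build_datagram(2, b"\x00" * TOKEN_LEN, b"junk"), now=0.0)] += 1
    flood = issue_token(key, 3)
    for _ in range(200):  # authenticated but abusive player: 200 packets at once
        counts[relay.handle(build_datagram(3, flood, b"spam"), now=0.0)] += 1
    counts[relay.handle(b"\x00\x01", now=0.0)] += 1  # runt datagram, no header
    return dict(counts)


if __name__ == "__main__":
    print(simulate())
```

The ordering inside `handle` is the point worth noting: the token check runs before any per-player state is created or consumed, so forged traffic aimed at a player's id cannot eat into that player's budget, and the rate limit is keyed on the authenticated id rather than the source address, which an attacker can spoof in UDP.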
The feature uses AWS Shield on the backend, but Shield is designed for websites and web apps, while the GameLift Servers protection is purpose-built for the specific dynamics of game sessions, he said.
For developers, the good thing is there is nothing for them to manage. The protection runs on top of their existing Amazon GameLift Servers deployment with no extra charge and no monitoring required.
To learn more about DDoS Protection, visit the Amazon GameLift Servers website and documentation to get started on enhancing your game’s resilience and player protection.
Disclosure: I participate in the Boss Rush podcast on Fridays with Melissinos, Susan Cummings and Mark DeLoura.