
How to configure Path.net DDoS protection to block attacks


0 - Prologue

Path.net is a network provider that offers DDoS attack mitigation and is integrated within the GINERNET network, so that any server can benefit from this protection.

The main advantage of Path.net’s attack protection is the ability to create specific filters for the following services and games:

TeamSpeak 3 Server:
Layer 7 packet validation for TeamSpeak 3 connections

 

OpenVPN UDP Server:
Layer 7 packet validation for OpenVPN UDP traffic

 

Source Engine Queries:
Layer 7 proxy for Source Engine queries. Can be enabled together with RakNet or HL2/Source filter.

 

RakNet Server (v2):
Layer 7 packet validation for RakNet game packets. Can be enabled together with the Source Engine Query filter.

 

TCP Service:
Stricter packet validation for TCP packets incoming to a listen port.

 

TCP Service (symmetric):
Full packet validation for incoming TCP connections. Requires that the return traffic is routed through Path.

 

Minecraft Java Edition Server (symmetric):
Full packet validation for Minecraft Java Edition traffic. Requires that the return traffic is routed through Path.

 

Half Life 2/Source Server:
Packet validation for Half Life 2/Source UDP traffic.

 

GTA V Multiplayer Server (beta):
Layer 7 packet validation for GTA V multiplayer traffic. Requires symmetric traffic routing.

 

Half-Life Dedicated/GoldSrc Server:
Layer 7 packet validation for HLDS/GoldSrc UDP traffic

 

DNS Server:
Layer 7 packet validation for DNS queries

 

WireGuard Server:
Layer 7 packet validation for WireGuard VPN servers. Note: to avoid packet loss from fragmentation, it is recommended that you adjust your MTU to 1360.

 

Arma 3 Server (beta):
Layer 7 packet validation for Arma 3 game servers. DayZ is currently unsupported.

 

STUN Server:
Layer 7 packet validation for STUN servers

 

SA-MP Server Queries:
Layer 7 proxying for SA-MP (San Andreas Multiplayer) server queries.

 

L4D2/CS:GO Source:
Layer 7 proxying for Source games using L4D2’s Source engine version. Includes Left 4 Dead, Left 4 Dead 2, Counter-Strike: Global Offensive, and Portal 2.

 

RakSAMP Filter:
Layer 7 validation for SA-MP game traffic

 

QUIC Server:
Layer 7 packet validation for QUIC

 

SIP Server:
Layer 7 packet validation for SIP

 

DTLS Server:
Layer 7 packet validation for DTLS

 

RTP Server:
Layer 7 packet validation for RTP

 

Renegade X Server:
Layer 7 packet validation for Renegade X game traffic

 

DayZ Server:
Layer 7 packet validation for DayZ game traffic

 

Squad/Post Scriptum Server:
Layer 7 packet validation for Squad and Post Scriptum game traffic

 

Quake 3 Server:
Layer 7 packet validation for Quake 3 game traffic.

 

ASE/Multi Theft Auto Queries:
Layer 7 proxy for ASE queries.

 

V Rising/ARK Server:
Layer 7 packet validation for V Rising and ARK: Survival Evolved game traffic.

 

LiteNetLib Server:
Layer 7 packet validation for games using LiteNetLib such as 7 Days To Die.

 

Lineage II Server:
Layer 7 packet validation for Lineage II Interlude servers.

 

Steamworks Server:
Layer 7 packet validation for Steamworks game packets. Can be enabled together with the Source Engine Query filter.

 

FiveM Server Queries:
Layer 7 proxying for FiveM server queries.

1 - How to set up Path DDoS protection

To take advantage of Path.net’s DDoS mitigation options you must contract a protected IP with Path.net.

Once you have contracted the IP, you must route it to your VPS. To do this, follow step 7 of this guide.

Once you have your IP assigned, you will be able to manage it from your GridCP control panel: gridcp.ginernet.com


You will see that there is already a default rule that DROPs all traffic entering your IP. At this point, you must add the services running on your server.

For example, we have created 3 rules:

  • Limit ICMP traffic (ping) to 1000 pps (packets per second).
  • Allow access to port 80 (web)
  • Allow access to port 22 (SSH)

Any other traffic will be blocked before reaching your server.

At this point you may be wondering how to prevent attacks on ports 22 and 80, which we have just opened. This is done from the “Filters” option.

This way we are enabling validation of the TCP traffic to the indicated ports. Any traffic that generates invalid frames will be blocked before reaching your server, allowing only legitimate traffic.
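One way to confirm that the rule set above behaves as intended, as an added example that is not part of the original guide or of any GINERNET or Path.net tooling: probe your own protected IP from a machine outside the network and compare what answers with the allow-list (ports 22 and 80). The names `probe`, `audit` and `ALLOWED_TCP`, the address 203.0.113.10 and the sample observations are assumptions made for this example.

```python
import socket

# Assumption: the allow-list from the example rules in this guide (SSH and web).
ALLOWED_TCP = {22, 80}


def probe(host, port, timeout=3.0):
    """Return 'open', 'refused' or 'filtered' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # An RST came back: the SYN reached something that answered.
        return "refused"
    except OSError:
        # Timeout or unreachable: no answer, consistent with an upstream DROP.
        return "filtered"


def audit(host, ports, allowed=ALLOWED_TCP, probe_fn=probe):
    """Compare observed port states with the intended rule set.

    Returns (port, state, finding) for every port that deviates.
    """
    findings = []
    for port in sorted(ports):
        state = probe_fn(host, port)
        if port in allowed and state != "open":
            findings.append((port, state, "allowed by rule but not reachable"))
        elif port not in allowed and state == "open":
            findings.append((port, state, "reachable but no rule allows it"))
        elif port not in allowed and state == "refused":
            # With a default DROP upstream, a blocked port should stay silent.
            findings.append((port, state, "RST seen: SYN was not dropped"))
    return findings


if __name__ == "__main__":
    # Constructed observations (not real scan output), fed through a stub probe
    # so the example runs offline. Drop probe_fn to test your own IP for real.
    sample = {22: "open", 80: "open", 25: "refused", 3306: "open", 8080: "filtered"}
    stub = lambda host, port: sample[port]
    for port, state, finding in audit("203.0.113.10", sample, probe_fn=stub):
        print(f"tcp/{port}: {state} - {finding}")
```

A port that no rule allows should show up as `filtered`; `open` or `refused` there means the traffic is still getting an answer and the rule list should be reviewed.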

2 - Rules for the game "RUST".

These are the rules that Path.net recommends creating to protect the RUST game.

Filters:

  • UDP port 28015

Rules:

  • RakNet Server (v2)
  • Source Engine Queries
  • TCP Service (symmetric)

Additionally you will have to activate other services that you have running such as SSH, RDP, etc… Check the previous step to see how to open and configure any port correctly.