Learn about our Game DDoS Protection (also known as Game firewall) and how to configure effective protection for your servers.
Find more information on our Game DDoS Protection on our website.
NOTE: If you are using a Game server for purposes other than gaming, you may want to disable the Game Firewall, which is automatically enabled.
Our dedicated Bare Metal gaming servers include an additional network attack protection specifically designed to secure gaming applications against targeted attacks, ensuring stability and accessibility for gamers. This dedicated protection solution is both robust and easy to use, allowing you to focus on developing your business without the distraction of defending against cybercrime.
OVHcloud Anti-DDoS infrastructure and game protection services diagram.
Requirements
OVHcloud Control Panel Access
- Direct link: Public IP
- Navigation path: Bare Metal > Network > IP
NOTE: This feature may be unavailable or limited on Eco servers.
Please visit our comparison page for more information.
Instructions
Introduction
The Anti-DDoS Infrastructure and the Edge Network firewall keep the network safe from common threats (mostly focused on ISO OSI layers 3 and 4). Hosting gaming applications can be challenging from a network security perspective. Game DDoS Protection is here to help - this is a Layer 7 (application) firewall focused on protecting specific gaming protocols. Its main advantages are:
- Very low latency: We know that latency and its stability are crucial for online gaming. These solutions are put as close as possible to the servers and work together with high-performance hardware.
- 2-way: The platform analyzes incoming and outgoing traffic to best understand every player's situation.
- Instant: It can distinguish real players from harmful attacks on a server from the very first network packets.
- Always-on: The ability to detect and stop attacks ensures a smooth experience for sensitive gaming applications without any disruptions and latency changes.
Enabling and configuring Game DDoS Protection
NOTE: The Game firewall protects the IP associated with a server. As a result, if you have a server with multiple IP addresses (i.e., Additional IP addresses), you need to configure each of them separately.
Each of the addresses you wish to protect with the Game Firewall must have its Game Firewall status set as Configured for the rules to apply.
To configure game protection rules for your Bare Metal Game server:
- Open the Network menu in the left-hand sidebar.
- Click Public IP Addresses.
You can filter IP addresses by using the All services drop-down menu, or directly enter the desired IP address in the search bar. Enter the name or category of your server.
List the IP addresses attached to your Game Server
- Open the Bare Metal Cloud section in the left-hand sidebar.
- Select Dedicated servers.
- Click on the Game server you wish to configure.
- In the Network section of the General information tab, find the "Game DDoS protection" section.
- Click the more options ... button and select Configure Game Protection. You will be taken to the list of IP addresses assigned to your server.

- Open the Network section in the left-hand sidebar.
- Select IP.
- In the All service types drop-down menu, find and select the Bare Metal Game server you wish to configure.
- A list of IP addresses assigned to your server will appear.
Enable and configure the Game Firewall rules
For each address attached to your server that requires protection, verify that the Game Firewall status is set to Available. You will have to configure the Game Firewall rules separately for each.
- Click the more options ... button next to the IP address of your Game server and select Configure Game firewall.
- Add rules specifying the protocol and port range for each gaming application that will be accessible on the selected IP address. Please refer to the Game-specific notices section for additional information.
- For security reasons, we strongly recommend you enable the Default policy: DROP option at the top right of the rule table. This option blocks all traffic that does not match the rules you set up for the Game Firewall, i.e., all listed game applications will be protected, and no other connections will be able to reach your server. This option significantly reduces the attack surface exposed to potential malicious actors.
GAME DDoS Protection allows you to configure up to 100 rules per IP address that points to the recent GAME-1 and GAME-2 Bare Metal Game servers (2024 or later), or up to 30 rules per IP address for the older Bare Metal game ranges (usually listed as RISE-GAME or SYS-GAME).
Please note that supported gaming protocols (game titles and versions that can be protected) may change over time, and there may be differences between those used on the newer versus the older Bare Metal game server ranges. The most recent list of supported game profiles can be found here.
Game firewall protection rules must not overlap in terms of the ports defined.
The Game Protocol "Other" may be selected for applications hosted on specific ports (for which there is no available protection) to let the client traffic pass through. Please note that there is not much added security for the traffic matching the rule Other, and it should be used with caution.
A few minutes after you are done configuring the Game Firewall for an IP address, all the newly created rules will apply, and the Game Firewall status of that IP address will switch from Available to Configured.
NOTE: Game DDoS protection takes effect after rules are defined in the Edge Network firewall. For both to work properly, the Edge Network protection cannot be too strict and needs to pass traffic to the GAME DDoS protection.
Verify your configuration
Once configured, verify that your server is protected by the Game Firewall by checking:
- On the IP page, each IP address that is attached to your Bare Metal Game server and requires protection must have its Game Firewall status as Configured.
- On the management page of your Bare Metal Game server, in the Network section of the General information tab, the Game Anti-DDoS Protection status must be either All IP addresses are protected or Some IP addresses are protected. If it is the latter, please ensure that you have configured all the relevant IP addresses.
Game-specific notices
Ark Survival Evolved
- Ark Survival Evolved: Basic protection engine
- Ark Survival Evolved v.311.78: Updated protection engine, added to the recent GAME-1 and GAME-2 Bare Metal Game servers (2024 and later).
Counter Strike 2
- Counter Strike 2: New protection engine added to the recent GAME-1 and GAME-2 Bare Metal Game servers (2024 and later).
FiveM
- FiveM is a Grand Theft Auto V multiplayer mod by Cfx.re, which is now recognized by the game publisher Rockstar. We added FiveM support in the recent GAME-1 and GAME-2 Bare Metal Game servers (2024 and later).
Rust
- Rust is supported with a dedicated protection profile on all generations of Bare Metal Game servers. Please note that we updated this protection profile (i.e., added RakNet cookies support) for the 3rd generation of Bare Metal Game servers (2024, EPYC based). You can read more about hosting Rust on OVHcloud servers here.
Minecraft
Minecraft is well-supported in the following versions:
- Minecraft Java: Should be the best fit for all Minecraft Java versions. It protects the Minecraft Query protocol and is tuned for TCP traffic. It was added in 2024 but is also available for previous generations of Bare Metal Game servers. Use with caution if other UDP games are hosted on the same IP.
- Minecraft Query: General Minecraft Query protocol protection.
- Minecraft Bedrock: Minecraft Bedrock protection (with RakNet cookies support), added in the recent GAME-1 and GAME-2 Bare Metal Game servers (2024 and later).
- Minecraft Pocket Edition: Minecraft PE/Bedrock protection.
Valheim
- Valheim: New protection engine, added in the recent GAME-1 and GAME-2 Bare Metal Game servers (2024 and later).
If you host a bigger service with one of the supported games but still observe false positives from the Anti-DDoS Infrastructure systems, please reach out to our support team with all the details to tune up the application profile.
Using Additional IPs with Game dedicated servers
Additional IPs offer a flexible way to manage your applications across multiple servers or hosted services. They provide value to your game-hosting infrastructure by allowing you to manage scalability or failover actions without an impact on public IP addresses. With Additional IPs, you can also define different geographical IP locations or even leverage your own IP block (using the BYOIP service) for OVHcloud Game servers.
While Additional IPs enable flexibility, some situations require additional attention.
Per-IP configuration specific to a Game server generation
To provide the most flexibility of configuration, different gaming protection rules can be set on different Additional IPs pointing to the same Bare Metal Game server. The maximum number of rules and available protection settings are defined on a per-IP-address basis but are specific to the particular Bare Metal Game server generation behind the firewall.
There may be noticeable differences between the newer (Game Gen 3, released in 2024) and older (usually identified as RISE-GAME or SYS-GAME) Bare Metal Game server ranges.
Verifying supported game protections
All supported Game DDoS Protection protocols for a specific server are visible on the Configure GAME firewall page for any IP address pointing to that server in the Game protocols drop-down menu.
If you prefer automation, protocol details can be retrieved using the OVHcloud APIv6:
Example response:
{
  "ipOnGame": "1.2.3.4",
  "maxRules": 30,
  "state": "ok",
  "firewallModeEnabled": true,
  "supportedProtocols": [
    "arkSurvivalEvolved",
    "arma",
    "gtaMultiTheftAutoSanAndreas",
    "gtaSanAndreasMultiplayerMod",
    "hl2Source",
    "minecraftPocketEdition",
    "minecraftQuery",
    "mumble",
    "other",
    "rust",
    "teamspeak2",
    "teamspeak3",
    "trackmaniaShootmania"
  ]
}
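The following added example (not part of the OVHcloud guide) audits a planned rule set against a response of this shape before anything is submitted: rule count against maxRules, protocols against supportedProtocols, overlapping port ranges, and use of the "other" profile. The rule tuples and sample values are constructed, and reading firewallModeEnabled as the Default policy: DROP option is an assumption.

```python
import json

# Constructed sample, shaped like the example response on this page.
SAMPLE_RESPONSE = json.loads("""
{"ipOnGame": "1.2.3.4", "maxRules": 30, "state": "ok",
 "firewallModeEnabled": false,
 "supportedProtocols": ["minecraftQuery", "rust", "teamspeak3", "other"]}
""")

# Constructed rule plan. The (protocol, first_port, last_port) tuples are a
# local planning format chosen for this example, not the API's rule schema.
PLANNED_RULES = [
    ("rust", 28015, 28016),
    ("minecraftQuery", 25565, 25565),
    ("teamspeak3", 9987, 9987),
    ("other", 28016, 28020),   # overlaps the rust rule on port 28016
    ("mumble", 64738, 64738),  # not offered in the sample response
]

def audit_rules(response, rules):
    """Return findings for a rule plan; an empty list means no objections."""
    findings = []
    supported = set(response["supportedProtocols"])
    if len(rules) > response["maxRules"]:
        findings.append(f"{len(rules)} rules exceed maxRules={response['maxRules']}")
    if not response["firewallModeEnabled"]:  # assumed: Default policy: DROP
        findings.append("default DROP is off: unmatched traffic is not blocked")
    for proto, first, last in rules:
        if not 1 <= first <= last <= 65535:
            findings.append(f"{proto}: invalid port range {first}-{last}")
        if proto not in supported:
            findings.append(f"{proto}: not in supportedProtocols for this server")
        elif proto == "other":
            findings.append(f"other {first}-{last}: little added security")
    # Walk ranges in port order, tracking the rule that reaches furthest, so
    # an overlap with a wide earlier range is caught, not only adjacent ones.
    reach = None
    for rule in sorted(rules, key=lambda r: (r[1], r[2])):
        if reach is not None and rule[1] <= reach[2]:
            findings.append(f"ports overlap: {reach[0]} {reach[1]}-{reach[2]} "
                            f"and {rule[0]} {rule[1]}-{rule[2]}")
        if reach is None or rule[2] > reach[2]:
            reach = rule
    return findings

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RESPONSE, PLANNED_RULES):
        print("-", finding)
```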
Moving an Additional IP between servers
While static configuration may be self-explanatory, Additional IP moving actions may require a few comments.
- Moving an IP from an older to a newer generation of Bare Metal Game server:
  - The process is transparent, and all protection rules and IP settings will be kept.
- Moving an IP from a newer to an older generation of Bare Metal Game server:
  - If the destination server supports fewer protection rules than the origin server, an error will be displayed, and the action will be stopped.
  - Otherwise:
    - Backward compatible rules are kept (protection profile name must be the same).
    - Rules that are not supported on the destination server will be removed.
- Moving an IP from a Bare Metal Game server to other servers or services:
  - All Game DDoS Protection rules applied to the IP will be deleted, as they are not supported outside Bare Metal Game servers.
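As an added example (not code from the OVHcloud guide), the move behaviour listed above can be predicted before a failover script runs, so that rules which would be dropped are known in advance. The capability records and rule format are constructed, and treating the move as refused when the IP carries more rules than the destination's maxRules is an assumption based on the FAQ's 30-rule advice.

```python
# Constructed capability records, shaped like the maxRules and
# supportedProtocols fields of the example response on this page.
OLDER_GEN = {"maxRules": 30,
             "supportedProtocols": ["minecraftQuery", "rust", "other"]}
NEWER_GEN = {"maxRules": 100,
             "supportedProtocols": ["arkSurvivalEvolved", "minecraftQuery",
                                    "rust", "other"]}

# Constructed rules on the Additional IP (local format for this example).
IP_RULES = [
    {"protocol": "rust", "ports": (28015, 28016)},
    {"protocol": "minecraftQuery", "ports": (25565, 25565)},
    {"protocol": "arkSurvivalEvolved", "ports": (7777, 7778)},
]

def plan_move(ip_rules, destination, default_drop=True):
    """Predict what moving an Additional IP does to its game rules.

    destination is a capability record, or None for a server or service
    that is not a Bare Metal Game server. default_drop is the caller's
    statement of whether Default policy: DROP will be active afterwards.
    """
    if destination is None:
        kept, removed = [], list(ip_rules)   # all game rules are deleted
    elif len(ip_rules) > destination["maxRules"]:
        # Assumption: refused when the IP carries more rules than allowed.
        return {"allowed": False, "kept": list(ip_rules),
                "removed": [], "exposure": []}
    else:
        supported = set(destination["supportedProtocols"])
        kept = [r for r in ip_rules if r["protocol"] in supported]
        removed = [r for r in ip_rules if r["protocol"] not in supported]
    # A port that loses its rule is either cut off by the default DROP
    # policy or left without any game-specific filtering.
    if default_drop and destination is not None:
        effect = "blocked by Default policy: DROP"
    else:
        effect = "no game rule applies to this port"
    exposure = [(r["ports"], effect) for r in removed]
    return {"allowed": True, "kept": kept, "removed": removed,
            "exposure": exposure}

if __name__ == "__main__":
    print(plan_move(IP_RULES, OLDER_GEN))
```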
FAQ
Can I use Game DDoS Protection on other ranges than Bare Metal Game servers?
No, Game DDoS Protection is only available for our Bare Metal Game dedicated servers.
How can I ensure automation will work for an Additional IP between a new and an old generation of Bare Metal Game servers?
You can either limit your protection rules to 30 per IP or configure your automation scripts so they can remove and add rules before and after moving an IP to another server. We recommend using the latest generation of Bare Metal Game servers as they come with many improvements.
Can I disable Game DDoS Protection?
This is possible but not recommended. You can do it by removing all game protocol rules from the configuration and disabling the entry Default policy: DROP.
My game is not on the supported protocol list. What can I do?
You can propose your need to our infrastructure solutions roadmap on GitHub. This will help us to decide on the prioritization of the next features to be developed.
Although I have configured my game with the appropriate ports and a default policy to drop, I still receive attacks that impact my Game server. What should I do?
You will need to share relevant network traffic dumps as examples for such attacks (.pcap file) to request protection tuning of your profile. This can be done by contacting our support team.
Go further
For more information and tutorials, please see our other Dedicated Servers support guides or explore the guides for other OVHcloud products and services.
If you need training or technical assistance to implement our solutions, contact your sales representative or click on this link to get a quote and ask our Professional Services experts for a custom analysis of your project.