Skip to main content

Protecting a Game Server with the Application Firewall

Stephanie R.
Updated

Learn about our Game DDoS Protection (also known as Game firewall) and how to configure effective protection for servers that support it.

Find more information on our Game DDoS Protection on our website.
NOTE: If you are using a Game server for purposes other than gaming, you may want to disable the Game Firewall, which is automatically enabled.

Our dedicated Bare Metal gaming servers include an additional network attack protection specifically designed to secure gaming applications against targeted attacks, ensuring stability and accessibility for gamers. This dedicated protection solution is both robust and easy to use, allowing you to focus on developing your business without the distraction of defending against cybercrime.

DS_network_GameFirewall01.png

OVHcloud Anti-DDoS infrastructure and game protection services diagram.

 

Requirements

NOTE: This feature might be unavailable or limited on servers of the Eco product line.
Please visit our comparison page for more information.

 

Instructions

Introduction

The Anti-DDoS Infrastructure and the Edge Network firewall keep the network safe from common threats (mostly focused on ISO OSI layers 3 and 4). Hosting gaming applications can be a challenging experience in terms of network security. Game DDoS Protection is here to help - this is a Layer 7 (application) firewall focused on protecting specific gaming protocols. Its main advantages are:

  • Very low latency: We know that latency and its stability are crucial for online gaming. These solutions are put as close as possible to the servers and work together with high-performance hardware.
  • 2-way: The platform analyzes incoming and outgoing traffic to best understand every player's situation.
  • Instant: It can distinguish real players from harmful attacks on a server from the very first network packets.
  • Always-on: The ability to detect and stop attacks ensures a smooth experience for sensitive gaming applications without any disruptions and latency changes.

 

Enabling and configuring Game DDoS Protection

The Game firewall protects the IP associated with a server. As a result, if you have a server with multiple IP addresses (i.e., Additional IP addresses), you need to configure each of them separately.

To configure game protection rules for your Bare Metal Game server, log in to the OVHcloud Control Panel and follow these steps:

  1. Click the Bare Metal Cloud tab.
  2. In the left-hand sidebar, under Network, click on IP.
    You can filter IP addresses by using the All services drop-down menu. Enter the name or category of your server.
  1. Click on the more options ... button next to the IP address of your Game server.
  1. Click on Configure the GAME firewall.

DS_network_GameFirewall02***.png

Now, you can configure game protection rules for the selected IP address.

It is important to note that Game DDoS Protection will not take any action unless game rules are configured.

To enable Game DDoS Protection, simply define the game applications and their associated network port range (or single port).

On the following screen, click the Add a rule button to add a rule to the GAME firewall.

DS_network_GameFirewall03**.png

GAME DDoS Protection allows you to configure up to 100 rules per IP address that points to a 3rd generation Bare Metal Game server (servers released in 2024 or later) or up to 30 rules per IP address for the older Bare Metal game ranges (usually listed as RISE-GAME or SYS-GAME).

Please note that supported gaming protocols (game titles and versions that can be protected) may change over time and that there may be differences between those used on the newer versus older Bare Metal game server ranges. The most recent list of supported game profiles can be found here.

Configure game protections by selecting a specific Protocol from the list and defining the port-range on which your gaming application is receiving connections (please refer to the game's setup documentation). Then click the Validate button to save your changes. You have now successfully configured Game firewall rules.

DS_network_GameFirewall04*.png

Game firewall protection rules must not overlap in terms of the ports defined.

The Game Protocol "Other" may be selected for applications hosted on specific ports (for which there is no available protection) to let the client traffic pass through. Please note that there is not much added security for the traffic matching the rule Other and it should be used with caution.

We also strongly recommend that you set the rule "Default policy = DROP" on every IP pointing to your Game server. That option will allow Game DDoS Protection to drop any traffic not matching the defined rules, i.e., all listed game applications will be protected and no other connections will be able to reach out to your server.
NOTE: Game DDoS protection takes effect after rules are defined in the Edge Network firewall. For both to work properly, the Edge Network protection cannot be too strict and needs to pass traffic to the GAME DDoS protection.

 

Game-specific notices

Ark Survival Evolved

  • Ark Survival Evolved: Basic protection engine
  • Ark Survival Evolved v.311.78: Updated protection engine, added in the 3rd generation of Bare Metal Game servers (2024 release)

 

Counter Strike 2

  • Counter Strike 2: New protection engine added in the 3rd generation of Bare Metal Game servers (2024)

 

FiveM

  • FiveM is a Grand Theft Auto V multiplayer mod by Cfx.re, which is now recognized by the game publisher Rockstar. We added FiveM support in the 3rd generation of Bare Metal Game servers (2024 release).

 

Rust

  • Rust is supported with a dedicated protection profile on all generations of Bare Metal Game servers. Please note that we updated this protection profile (i.e., added PakNet cookies support) for the 3rd generation of Bare Metal Game servers (2024 release). You can read more about hosting Rust on OVHcloud servers here.

 

Minecraft

Minecraft is well-supported in the following versions:

  • Minecraft Java: Should be the best fit for all Minecraft Java versions. It protects the Minecraft Query protocol and is tuned for TCP traffic. It was added in 2024 but is also available for previous generations of Bare Metal Game servers. Use with caution if other UDP games are hosted on the same UP.
  • Minecraft Query: General Minecraft Query protocol protection.
  • Minecraft Bedrock: Minecraft Bedrock protection (with RakNet cookies support), added in the 3rd generation of Bare Metal Game servers (2024 release).
  • Minecraft Pocket Edition: Minecraft PE/Bedrock protection.

 

Valheim

  • Valheim: New protection engine, added in the 3rd generation of Bare Metal Game servers (2024 release).

 

If you host a bigger service with one of the supported games but still observe false positives from the Anti-DDoS Infrastructure systems, please reach out to our support team with all the details to tune up the application profile.

 

Using Additional IPs with Game dedicated servers

Additional IPs offer a flexible way to manage your applications across multiple servers or hosted services. They provide value to your game-hosting infrastructure by allowing you to manage scalability or failover actions without an impact on public IP addresses. With Additional IPs, you can also define different geographical IP locations or even leverage your own IP block (using the BYOIP service) for OVHcloud Game servers.

While Additional IPs are enabling flexibility, some situations require some additional attention.

 

Per-IP configuration specific to a Game server generation

To provide the most flexibility of configuration, different gaming protection rules can be set on different Additional IPs pointing to the same Bare Metal Game server. The maximum number of rules and available protection settings are defined on a per-IP-address basis but are specific to the particular Bare Metal Game server generation behind the firewall.

There may be noticeable differences between the newer (Game Gen 3, released in 2024) and older (usually identified as RISE-GAME or SYS-GAME) Bare Metal Game server ranges.

 

Verifying supported game protections

All supported Game DDoS Protection protocols for a specific server are visible on the Configure GAME firewall page for any IP address pointing to that server in the Game protocols drop-down menu:

DS_network_GameFirewall05.png

If you prefer automation, protocol details can be retrieved using the OVHcloud APIv6:

GET /ip/{ip}/game/{ipOnGame}

Example response:

{
    ipOnGame: "1.2.3.4"
    maxRules: 30
    state: "ok"
    firewallModeEnabled: true
  - supportedProtocols: [
        "arkSurvivalEvolved"
        "arma"
        "gtaMultiTheftAutoSanAndreas"
        "gtaSanAndreasMultiplayerMod"
        "hl2Source"
        "minecraftPocketEdition"
        "minecraftQuery"
        "mumble"
        "other"
        "rust"
        "teamspeak2"
        "teamspeak3"
        "trackmaniaShootmania"
    ]
}

 

Moving an Additional IP between servers

While static configuration may be self-explanatory, Additional IP moving actions may require a few comments.

  • Moving an IP from an older to a newer generation of Bare Metal Game server:

    • The process is transparent and all protection rules and IP settings will be kept.

  • Moving an IP from a newer to an older generation of Bare Metal Game server:

    • If the destination server supports fewer protection rules than the origin server, an error will be displayed and the action will be stopped.
    • Otherwise:
      • Backward compatible rules are kept (protection profile name must be the same).
      • Rules that are not supported on the destination server will be removed.

  • Moving an IP from a Bare Metal Game server to other servers or services:

    • All Game DDoS Protection rules applied to the IP will be deleted, as they are not supported outside Bare Metal Game servers.

 

FAQ

Can I use Game DDoS Protection on other ranges than Bare Metal Game servers?

No, Game DDoS Protection is only available for our Bare Metal Game dedicated servers.

 

How can I ensure automation will work for an Additional IP between a new and an old generation of Bare Metal Game servers?

You can either limit your protection rules to 30 per IP or configure your automation scripts so they can remove and add rules before and after moving an IP to another server. We recommend using the latest generation of Bare Metal Game servers as they come with many improvements.

 

Can I disable Game DDoS Protection?

This is possible but not recommended. You can do it by removing all game protocol rules from the configuration and disabling the entry Default policy: DROP.

 

My game is not on the supported protocol list, what can I do?

You can propose your need on our infrastructure solutions roadmap on GitHub. This will help us to decide on prioritization of the next features to be developed.

 

While having configured my game with appropriate ports and default policy to drop, I still receive attacks that are impacting my Game server. What to do?

You will need to share relevant network traffic dumps as examples for such attacks (.pcap file) to request protection tuning of your profile. This can be done by contacting our support team.

 

Go further

For more information and tutorials, please see our other Dedicated Servers support guides or explore the guides for other OVHcloud products and services.

If you need training or technical assistance to implement our solutions, contact your sales representative or click on this link to get a quote and ask our Professional Services experts for a custom analysis of your project.

Related articles