DDoS and announcedIp & ports

Hello! I am faced with the task of broadcasting a video stream using mediasoup; for broadcasting a stream from a server to a client, a WebRTC transport is used. When we create this transport, we indicate the announced IP address and port for the connection, which is not visible, for example, in the network tab, but I am sure that those who want to do DDoS will be able to detect it. What can we do in this case, when we need 0 latency and a closed, secure channel to transfer the stream from the server to the client? How is the community tackling this problem?

I would say you want beefy machines and multiple instances using Pipe transports such that if one instance or the whole machine is overloaded at least not all viewers are impacted. And the source instance should not be publicly reachable, so that it can always feed other routers.

By the source instance, do you mean a server that connects directly to the client (browser) or a server that sends a stream to a proxy server that is already sending a stream to the client?

Second of course

There are no problems with this, I just use the pipe transport to send a stream from one server to another, in order to then send it to the client. And the server "owner" of the stream does not reveal its data in any way; I am more worried about the proxy server.

You cannot avoid DDoS. If your machines are targeted they'll go down if the attack is strong enough. Also if a port were closed/opened it can still be hit, consuming your entire network; closed ports help hide our IP from public scans! :slight_smile:

In my case I generally run 25-200 servers (individual cores) to span my network so if attacks to go down it’s a real task to get all the servers offline at that point.

Just a joke, but with more servers send the DDoS back! (Don't do this!!!)

Oh, thank you. Probably it's the right way to "avoid" DDoS)

Truthfully not something to worry about,

Just focus on stability when it comes to these attacks. Make sure the server attacked can fail, restore and continue (in that order).

Your goal is that when this happens no other server connected currently is affected. So in case of small attacks you can merry-go-round them and in large ones learn to null-route all new connections for a moment of time and determine what’s allowed from there. (Cloud network usually for this level of blocking)

I would though worry most about the code allowing DDoS. So many services fail to queue and handle large query rates and thus fail to ping due to the event loop becoming overwhelmed.
E.g. I send a request to the websocket telling it to let me subscribe to a broadcaster, find there is no rate limit here, and learn I can send this request a thousand times per second. Depending on the network/server that'll destroy the event loop and cause the server to fail at pinging. Forces a freeze till tasks finish.

Good luck!


Hello! The solution in this case can be the setting of TURN servers; all the necessary information is in the documentation for mediasoup-client. I am delighted with what happened in the end!