Protecting SFU servers' IP

Is there any way to protect the IP addresses of the SFU servers? We’ve been having some issues with DDoS attacks, and we’re trying to find a way to protect the SFU server’s IP address from clients.

I would say adding rate limiting and authentication is a good first step.
There are more sophisticated approaches, but they are normally used when you are being directly targeted with custom tools, botnets…
Is there a point on your media servers that you notice is being abused? Like WebSockets, HTTP ports…?

Well, it’s a UDP flood, but my provider tells me that the only way to protect the server is by ensuring that the IP is not leaked. They haven’t told me what port, but I’m not sure that it matters. I think they detect a flood targeting one of their IPs in their network and block it quickly?

This is a very interesting approach on the provider’s side, to hide the IP of a publicly available service on the Internet :joy:

This was their exact message:

In this case, ufw rules won’t stop this type of traffic from reaching the infrastructure level, which our Operations team monitors. Traffic for your Droplet is null-routed or “blackholed” at the infrastructure level to prevent the large flood of traffic heading your way from impacting other users on the infrastructure. Cloudflare and new Droplet IP addresses should help but just be careful that your IP addresses aren’t exposed anywhere else. Bad actors will often change their attack patterns and their origin IP addresses if they are intent on disrupting your traffic.

That makes sense, but I don’t think CloudFlare supports arbitrary TCP/UDP forwarding (at least they didn’t last time I checked), so in this case you are on your own.

You can actually hide your app by forcing all of the traffic to go through a TURN server, which may be a separate VM/machine, and which you may have several of.
But in the end you need to handle an attack somewhere.

Can you apply a firewall rule in Digital Ocean to the IP range being used for the attack, or is it a sophisticated botnet attack where many unpredictable IPs are used?

It was a DDoS attack, so it’s probably not possible to protect against it with firewall rules?

Are there any examples of how to use TURN servers? I tried specifying iceServers as part of TransportOptions and I see that the RTCPeerConnection received it, but the SFU IP (modified in screenshot) is still being leaked as part of RTCIceCandidate's IP. I’m probably doing something wrong…

The SFU would need to have a private IP address that only the TURN server can reach (like an internal network in the DC).
In which case the IP will be visible, but not publicly reachable except through the TURN server.
The HTTP/WS endpoint can then be protected by CloudFlare and not disclosed publicly either.
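Two checks that go with the layout described in the reply above, written as an added example (this is not code from the thread, from any poster, or from any SFU project). It assumes the standard SDP `candidate:` attribute syntax that a browser exposes in `RTCIceCandidate.candidate`, and that the client library passes `iceServers` and `iceTransportPolicy` through to the `RTCPeerConnection` unchanged. The first function audits the candidates the SFU advertises and flags any address that is publicly routable, which is the leak the question is about; the second builds the client-side configuration that forces the browser's own candidates through TURN. The candidate lines and the TURN URL below are constructed sample data.

```javascript
// Added example, not from the thread. Audits SFU-advertised ICE candidates
// for publicly routable addresses and builds a relay-only client config.

// RFC 1918 ranges plus loopback; an SFU that must only be reachable
// through the TURN server should advertise addresses inside these.
const PRIVATE_RANGES = [
  ['10.0.0.0', 8],
  ['172.16.0.0', 12],
  ['192.168.0.0', 16],
  ['127.0.0.0', 8],
];

function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

function isPrivateIPv4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return PRIVATE_RANGES.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Parse "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ..."
// (optionally prefixed with "a=" when copied out of an SDP).
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line);
  if (!m) return null;
  return {
    foundation: m[1],
    component: Number(m[2]),
    protocol: m[3].toLowerCase(),
    priority: Number(m[4]),
    address: m[5],
    port: Number(m[6]),
    type: m[7],
  };
}

// Return the candidates whose address is publicly routable. Browser mDNS
// host candidates (".local") carry no IP at all and are not counted. For the
// SFU's own candidates the expected result is an empty array.
function publicCandidates(lines) {
  return lines
    .map(parseCandidate)
    .filter((c) => c && !c.address.endsWith('.local') && !isPrivateIPv4(c.address));
}

// Client side: 'relay' makes the browser skip host/srflx gathering, so only
// the TURN relay address shows up in the client's own candidates. This does
// not hide the remote addresses the SFU advertises; those must be private.
function relayOnlyConfig(turnUrls, username, credential) {
  return {
    iceServers: [{ urls: turnUrls, username, credential }],
    iceTransportPolicy: 'relay',
  };
}

// Constructed sample: one private UDP candidate (fine) and one public TCP
// candidate (a leak). 203.0.113.0/24 is a documentation range.
const SAMPLE_SFU_CANDIDATES = [
  'candidate:udpcandidate 1 udp 1076558079 10.20.0.5 40000 typ host',
  'candidate:tcpcandidate 1 tcp 1076302079 203.0.113.10 40001 typ host tcptype passive',
];

const leaked = publicCandidates(SAMPLE_SFU_CANDIDATES);
console.log('publicly routable SFU candidates:', leaked.map((c) => `${c.address}:${c.port}/${c.protocol}`));
console.log(relayOnlyConfig(['turn:turn.example.net:3478?transport=udp'], 'user', 'secret'));
```

Running the audit against the transport options your signalling layer hands to the browser tells you immediately whether the SFU is still advertising its public address; the relay-only config only fixes the client half of the problem, as the comment notes.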

It’s a bit of a naff response from DigitalOcean; these IPs are designed to be public, and as the network provider they should be able to provide mitigation!

Normally, to “hide” the server’s IP you’d put a load balancer in there, allowing for better shaping of network traffic before it hits your instance.

Does DO allow exposing a range of UDP ports on their load balancer solution?