Games are a large target for DDoS attacks, and outages can be costly and damaging for a game's reputation and a player’s experience. Traditionally, mitigating DDoS attacks has been an expensive process, requiring many people to manage and support it. In this session, we look at how to design your backend architecture to automatically identify and mitigate DDoS attacks. We explore ways to incorporate services such as AWS Shield to help manage attacks and AWS WAF to deflect unwanted traffic. For game servers, we learn how Amazon GameLift can help minimize the attack surface and blast radius of your multiplayer games.

1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Building a DDoS-Resilient
Architecture for Your Games
Peter Chapman
Specialist Solutions Architect
Amazon GameTech
C h a l k T a l k : G A M 3 0 3
Arni Birgisson
Solutions Architect
Amazon Web Services

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What to expect
• Context setting – The common
sites of attack
• Starting points for handling
attacks
• White boarding
• Conclusion

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
DDoS – Common sites of attack
Backend Services
• Authentication
• Session discovery System
• Matchmaking
• Leaderboard requests
• Teams
• Chat
• Content distribution
Game Servers
• Dedicated Servers
• Realtime Game Sessions
• Voice Chat

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Players Game Clients
Player data access
Matchmaking and
session discovery
Connection to
game server Session requests
Request operations –
Login, game session,
matchmaking etc.
Game session results and player skill updates
Player
database
Back end
services
servers
Datacenter
Session storeSession
discovery/
management
server
Game servers
Attacker Compromised
Devices
Attacker Compromised
Devices
Session data
access
DDoS – Common sites of attack

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Handling attacks – Starting points
Scale to cope with
traffic
Block unwanted
traffic
Do both!

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Shield
AWS Shield Standard
• Layer 3/4 Protection for Everyone
• Layer 7 Protection Available via
AWS WAF
AWS Shield Advanced
• DDoS Response Team (DRT)
• Layer 7 attack detection
• Baselining and Anomaly detection
• Enhanced Layer 3 attack detection
• DDoS Cost Protection for Amazon
CloudFront, ELB, Elastic IP, Amazon
Route 53 and Amazon EC2
A Managed DDoS Protection Service
There are two tiers of AWS Shield:

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lets get started…

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Conclusion
• Gain access to AWS Shield through one of the services it supports
• Aim to scale to meet demand
• Use AWS services that will scale to meet the demand, for game servers consider Amazon
Gamelift and AWS Auto Scaling to help with this.
• Look for ways to avoid the need to scale
• Keep your attack surface as small as possible
• Use Amazon CloudFront for relevant tasks that can be cached, CloudFront can absorb the
attack
• Quickly understand and block the unwanted traffic using AWS Shield and AWS WAF

9. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Please remember to complete your evaluations

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon API
GatewayGame Clients
Client Connects to Dedicated Game Server Dedicated
Game Server
AWS
Lambda
Amazon
DynamoDB
Session management
operations
AWS Cloud
AWS
Lambda
Request
persistence
Session
requests
Amazon
Route 53 –
GeoDNS
Routing
Amazon
CloudFront
AWS WAFAWS Shield
Elastic IP
Solution:
Automatic
WAF rules
VPC
Flow
Logs
Request Logs AWS
Lambda
VPC
Public subnet
VPC Flow
Logs
Modification of rules

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon API
GatewayGame Clients
Client Connects to Dedicated Game Server Dedicated
Game Server
AWS
Lambda
Amazon
DynamoDB
Session management
operations
AWS Cloud
AWS
Lambda
Request
persistence
Session
requests
Amazon
Route 53 –
GeoDNS
Routing
Amazon
CloudFront
AWS WAFAWS Shield
Elastic IP
Solution:
Automatic
Security
Group Rules
VPC
Flow
Logs
Request Logs
AWS
Lambda
Modify SG Rules
/ NACLs
VPC
Public subnet
VPC Flow
Logs
Security Group
Rules/NACLs
Modify SG Rules / NACLs

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Game Clients
Dedicated
Game Server
AWS Cloud
Elastic IP
(5.6.7.8)
Dedicated
Game Server
Elastic IP
(1.2.3.4)
Dedicated
Game Server
Game Clients
Attacker Elastic IP
(1.2.3.4)
Elastic IP
(9.10.11.12)
VPC
AWS
Lambda
VPC Flow
Logs
Amazon
CloudWatch
AWS Shield

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Game Clients
Dedicated
Game Server
(5.6.7.8)
AWS Cloud
Region A
Dedicated
Game Server
(9.10.11.12)
Game Clients
Attacker
Dedicated
Game Server
(1.2.3.4)
Amazon
GameLift
Fleet