Introduction
Keywords
A few specific keywords with specific meanings are used throughout this document; here is a quick list of them for easier understanding:
- SteelShield Subsystem - Unreal Engine Subsystem for SteelShield, used for starting and stopping the DDOS protection layer
- SteelShield Token Service - SteelShield backend hosted by Nitrado used for getting SteelShield tokens
- SteelShield Token - Token acquired from the SteelShield Token Service
- Certificate - RSA256 Certificate, acquired from Nitrado staff, or generated by integrators and given to Nitrado staff
- JWT - JSON Web Token, signed by the Certificate and submitted to the SteelShield Token Service
- Game Client - The game which is run on the end users computer
- Game Server - The dedicated game server which is run in Nitrado infrastructure
- Game Backend - The backend system implemented by the game developer, used to authenticate and track players
- Roll Over - The process of receiving a new SteelShield Token before the current one expires
- SteelShield Plugin - This Unreal Engine Plugin, which implements the code required to prefix network packets with the SteelShield Token
Description
SteelShield is a DDOS protection system designed for the specific purpose of protecting game servers from large-scale DDOS attacks. It achieves this by intercepting network traffic on the path to the game server and identifying whether the combination of source address, destination address, port and network packet contents matches the type of packets which would normally be expected for that game server.
The SteelShield Plugin for Unreal Engine enables better and more accurate packet matching by the SteelShield service. This is achieved by having a backend system, typically the game server, authenticate the client via a username/password account system, and then issue the game client a JWT containing the account and game details, and signed with a certificate that is shared between the game author and Nitrado.
This JWT is then submitted to the SteelShield Token Service by the game client, where the certificate and game credentials are validated, and a SteelShield Token is issued to the game client.
This SteelShield Token is then prepended to all network packets sent by the game client, where the SteelShield Service is able to intercept them, and validate that the prepended SteelShield Token matches one that was issued by the SteelShield Token Service.
Should the SteelShield Token be missing, or not match one issued by the SteelShield Token Service, then the network packet is dropped by the SteelShield Service and is never received by the game server.
This ensures that large DDOS attacks from botnets or via reflection attacks are prevented from reaching the game server, as the attacking hosts would not have gone through the authentication process to receive a valid SteelShield Token, which is what allows traffic to pass through the SteelShield Service.
Should an attacker perform the authentication process and then use their received SteelShield Token in an attack, the SteelShield Token can be traced back to that individual's account, and the user banned.
SteelShield Tokens are also set to roll over every 15 minutes (by default) in order to ensure that a token cannot be used in future DDOS attacks.
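The flow described in the paragraphs above, as an added worked example that is not part of the SteelShield Plugin, the SteelShield Token Service or any Nitrado code. It models the four parties (Game Backend, SteelShield Token Service, Game Client, SteelShield Service) in one Python file so the drop, trace-back and roll-over behaviour can be seen end to end. Assumptions made for the illustration: the Game Backend's JWT is signed with HS256 over a shared secret instead of the RS256 certificate the real service uses (so the example needs only the standard library); a SteelShield Token is 16 random bytes prefixed to each UDP payload; the token store is in memory; all names such as `TokenService`, `backend_issue_jwt`, `steelshield_filter` and `demo` are constructed here and do not exist in the plugin.

```python
# Added illustration of the SteelShield token flow; not the plugin's or service's code.
# Assumptions: HS256 shared-secret JWT stands in for the RS256 certificate, tokens are
# 16 random bytes, the token store is in memory, token lifetime is the 15-minute default.
import base64
import hashlib
import hmac
import json
import os

SHARED_SECRET = b"constructed-demo-secret"   # stands in for the shared certificate
TOKEN_TTL_SECONDS = 15 * 60                  # default roll-over interval from the text
TOKEN_LENGTH = 16


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- Game Backend: authenticates the player, then issues a signed JWT -------------
def backend_issue_jwt(account_id, game_id, now):
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": account_id, "game": game_id,
                                  "iat": int(now), "exp": int(now) + 300}).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


# --- SteelShield Token Service: validates the JWT, issues a SteelShield Token ------
class TokenService:
    def __init__(self, game_id):
        self.game_id = game_id
        self.issued = {}  # token bytes -> (account_id, expiry); enables trace-back

    def request_token(self, jwt, now):
        try:
            header, payload, sig = jwt.split(".")
        except ValueError:
            return None
        expected = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # signature does not verify against the shared credential
        claims = json.loads(_b64url_decode(payload))
        if claims.get("game") != self.game_id or claims.get("exp", 0) < now:
            return None  # wrong game, or a JWT that is already stale
        token = os.urandom(TOKEN_LENGTH)
        self.issued[token] = (claims["sub"], now + TOKEN_TTL_SECONDS)
        return token

    def lookup(self, token, now):
        """Owning account if the token was issued by this service and is unexpired."""
        entry = self.issued.get(token)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]


# --- Game Client: prepends its SteelShield Token to every outgoing packet ----------
def client_send(token, payload):
    return token + payload


# --- SteelShield Service: filter in front of the Game Server -----------------------
def steelshield_filter(service, packet, now):
    """Return (accepted, account_id, payload); rejected packets never reach the server."""
    if len(packet) < TOKEN_LENGTH:
        return (False, None, None)
    token, payload = packet[:TOKEN_LENGTH], packet[TOKEN_LENGTH:]
    account = service.lookup(token, now)
    if account is None:
        return (False, None, None)
    return (True, account, payload)


def demo():
    """Walk the flow with constructed data and return each outcome for inspection."""
    now = 1_700_000_000.0
    svc = TokenService("demo-game")
    jwt = backend_issue_jwt("player-42", "demo-game", now)
    token = svc.request_token(jwt, now)
    ok, who, data = steelshield_filter(svc, client_send(token, b"MOVE 1 2"), now + 1)
    # A sender that never authenticated has no issued prefix: the packet is dropped.
    forged = steelshield_filter(svc, client_send(os.urandom(TOKEN_LENGTH), b"MOVE"), now + 1)
    # A JWT whose claims were edited without re-signing is refused by the token service.
    header, _, sig = jwt.split(".")
    edited = _b64url(json.dumps({"sub": "player-99", "game": "demo-game",
                                 "iat": int(now), "exp": int(now) + 300}).encode())
    tampered = svc.request_token(f"{header}.{edited}.{sig}", now)
    # Roll-over: the client fetches a new token before the old one expires ...
    later = now + TOKEN_TTL_SECONDS - 60
    new_token = svc.request_token(backend_issue_jwt("player-42", "demo-game", later), later)
    after = now + TOKEN_TTL_SECONDS + 1
    # ... after which the old token is rejected and only the new one passes.
    stale = steelshield_filter(svc, client_send(token, b"MOVE"), after)
    renewed = steelshield_filter(svc, client_send(new_token, b"MOVE"), after)
    return ok, who, data, forged[0], tampered is None, stale[0], renewed[0]


if __name__ == "__main__":
    print(demo())
```

The filter keeps no per-client state of its own: it only asks the token service whether the prefix was issued and is still live, which is what lets a token found in attack traffic be traced back to the account that requested it.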