Rivet Game Guard
Rivet Game Guard provides a layer of protection between the public internet and your game without impacting performance. You can think of like Cloudflare but for game traffic.
Game Guard serves two main purposes:
- DDoS mitigation
- SSL/TLS termination
Supported protocols
Protocol | Rivet Game Guard | Host Network (Open Source & Enterprise) |
---|---|---|
Requires single port | Requires port range | |
HTTPS / Secure WebSocket | ✅ | |
HTTP / WebSocket | ✅ | |
TCP + TLS | ✅ | |
TCP | ✅ | ✅ |
UDP / WebRTC / ENet / KCP | ✅ | ✅ |
DDoS mitigation
Game Guard helps mitigate DDoS attacks by:
- Whitelisting IPs for players in the lobby
- Enforcing max open connections per IP
- Preventing OSI layer 3 and layer 4 malicious traffic from reaching your game server
- OSI layer 7 rate limiting
Read more about the OSI model here.
Where Game Guard cannot help
While Game Guard can help mitigate serious DDoS attacks, your game server may still be vulnerable to certain kinds of attacks.
Make sure you are doing the following:
Disconnect invalid players
The Rivet Matchmaker has systems in place to ensure players are valid & optionally completed a captcha befor issuing a player token. Ensure this player token is valid before letting a player connect to your game.
Disconnect sockets immediately if matchmaker.players.connected returns an error. Specifically:
- MATCHMAKER_PLAYER_ALREADY_CONNECTED
- MATCHMAKER_PLAYER_REGISTRATION_EXPIRED
- MATCHMAKER_PLAYER_REMOVED
- MATCHMAKER_PLAYER_IN_DIFFERENT_LOBBY
- TOKEN_INVALID
Additionally, don't accept any packets from the client until matchmaker.players.connected has succeeded.
Limit packet size & frequency
Game Guard mitigates attacks of high-volume packet spamming, but you will likely want to implement your own packet rate limiting mechanism.
Still having issues?
No game on Rivet should be suffering from DDoS attacks if set up correctly.
If you're having issues with DDoS attacks on your game, contact us and we'll make sure your game is up and running.
SSL/TLS termination
You may need to use secure WebSockets or TCP+TLS when connecting to your game servers. For example, HTTPS websites require secure WebSockets or you may want to prevent Man in the Middle exploits by encrypting your game traffic.
Supporting this yourself requires you to regularly issue and update your own SSL and TLS certificates. Game Guard automatically manages SSL certificates for your game.
Why shouldn't I use something like Cloudflare for my game?
Cloudflare is great for protecting traditional web servers but does not work well for game traffic.
- Cloudflare only supports WebSockets (unless using Cloudflare Spectrum Enterprise)
- Cloudflare does not respect long-lived WebSockets; players will be disconnected sporadically if connected for a long time
- Cloudflare proxies game traffic through a different data center than where your game is running
- Cloudflare adds at least 10 ms latency to your game
Game Guard SSL/TLS termination & game server CPU load reduction
It's widely known that SSL only causes a negligible performance impact on traditional HTTP traffic.
However, when encrypting many packets per second for a real-time game, that performance impact can be noticeable (especially with poorly optimized libraries). We've seen CPU reductions in multiple games that move their SSL termination from the host to Game Guard.
We choose not to advertise this feature yet since we have not published benchmarks to back this up yet, but we believe it's worth mentioning.