UDocumentation UE5.7 10.02.2026 (Source)
API documentation for Unreal Engine 5.7
#include <DDoSDetection.h>
Inheritance diagram for FDDoSDetection:
Public Member Functions | |
| NETCORE_API | FDDoSDetection () |
| NETCORE_API void | Init (int32 MaxTickRate) |
| NETCORE_API void | InitConfig () |
| NETCORE_API void | SetMaxTickRate (int32 MaxTickRate) |
| NETCORE_API void | UpdateSeverity (bool bEscalate) |
| NETCORE_API void | PreFrameReceive (float DeltaTime) |
| NETCORE_API void | PostFrameReceive () |
| void | CondCheckNonConnQuotasAndLimits () |
| void | CondCheckNetConnLimits () |
| bool | CheckLogRestrictions () |
| bool | IsDDoSDetectionEnabled () const |
| bool | IsDDoSAnalyticsEnabled () const |
| bool | ShouldBlockNonConnPackets () const |
| bool | ShouldBlockNetConnPackets () const |
| void | IncNonConnPacketCounter () |
| int32 | GetNonConnPacketCounter () const |
| void | IncNetConnPacketCounter () |
| int32 | GetNetConnPacketCounter () const |
| void | IncDisconnPacketCounter () |
| int32 | GetDisconnPacketCounter () const |
| void | IncBadPacketCounter () |
| int32 | GetBadPacketCounter () const |
| void | IncErrorPacketCounter () |
| int32 | GetErrorPacketCounter () const |
| void | IncDroppedPacketCounter (int32 Count=1) |
| int32 | GetDroppedPacketCounter () const |
Public Attributes | |
| FDDoSSeverityEscalation | NotifySeverityEscalation |
Protected Member Functions | |
| NETCORE_API bool | CheckNonConnQuotasAndLimits () |
| bool | CheckNetConnLimits () |
Protected Member Functions inherited from FDDoSPacketCounters | |
| FDDoSPacketCounters () | |
Protected Member Functions inherited from FDDoSState | |
| FDDoSState () | |
| bool | HasHitQuota (FDDoSPacketCounters &InCounter, int32 TimePassedMS) const |
The main DDoS detection tracking class, for counting packets and applying restrictions. Implemented separately from the NetDriver, to allow wider use, e.g. potentially at socket level, if useful.
| FDDoSDetection::FDDoSDetection | ( | ) |
Default constructor
DDoS Detection
DDoS (Distributed Denial of Service) attacks typically hinder game servers by flooding them with so many packets that they are unable to process all of the packets without locking up and/or drowning out other players' packets, causing players to time out or to suffer severe packet loss which hinders gameplay.
Typically these attacks use spoofed UDP packets, where the source IP is unverifiable, and so IP banning is usually not an effective or advisable means of blocking such attacks.
This DDoS detection focuses specifically on this situation, detecting/mitigating DDoS attacks based on spoofed UDP packets, which do not originate from an existing NetConnection. Flooding attacks coming from an existing NetConnection are a separate issue, as (due to the stateless handshake required before creating a NetConnection) the IP will be verified, and so such attacks should be dealt with through IP banning - this and other types of DoS attacks are not dealt with by this code.
Implementation:
DDoS attacks are detected by setting configurable thresholds for the number of packets per second, and milliseconds per frame spent processing packets, beyond which the DDoS detection will escalate to a higher severity state.
Each severity state has a different set of thresholds before it will escalate to the next state, and can also place a limit on the number of packets processed per second, and/or milliseconds spent processing.
The stronger the DDoS attack, the higher the severity state will escalate (based on the thresholds), and the stronger the limitations placed on incoming packets will be, in order to try and maintain good server performance.
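A simplified model of the escalation scheme described above, as an added example that is not Unreal Engine code: `SeverityState`, `SpoofFloodModel` and `runSecond` are hypothetical names, the thresholds are constructed, and only per-second packet quotas and per-frame packet limits are modelled (not the milliseconds-per-frame thresholds).

```cpp
#include <utility>
#include <vector>

struct SeverityState {        // hypothetical model, not engine code
    int escalateQuotaPerSec;  // non-connection packets/sec that trigger escalation
    int packetLimitPerFrame;  // packets processed per frame; -1 = no limit
    int cooloffSecs;          // quiet seconds required before de-escalating
};

class SpoofFloodModel {
public:
    explicit SpoofFloodModel(std::vector<SeverityState> s) : states_(std::move(s)) {}
    unsigned severity() const { return active_; }
    // One receive frame; returns packets processed. Dropped packets still count
    // toward the per-second quota, so a dropped flood cannot cool the state off.
    int receiveFrame(int packets) {
        secPackets_ += packets;
        const int limit = states_[active_].packetLimitPerFrame;
        return (limit < 0 || packets < limit) ? packets : limit;
    }
    // Once per second: escalate on a quota hit; de-escalate only after the
    // previous state's quota has stayed unmet for the whole cooloff.
    void endSecond() {
        if (active_ + 1 < states_.size() && secPackets_ >= states_[active_].escalateQuotaPerSec) {
            ++active_; quietSecs_ = 0;
        } else if (active_ > 0 && secPackets_ < states_[active_ - 1].escalateQuotaPerSec) {
            if (++quietSecs_ >= states_[active_].cooloffSecs) { --active_; quietSecs_ = 0; }
        } else { quietSecs_ = 0; }
        secPackets_ = 0;
    }
private:
    std::vector<SeverityState> states_;
    unsigned active_ = 0;
    int secPackets_ = 0, quietSecs_ = 0;
};

// Feeds one second of `frames` frames, `perFrame` packets each; returns packets processed.
int runSecond(SpoofFloodModel& m, int frames, int perFrame) {
    int processed = 0;
    for (int f = 0; f < frames; ++f) processed += m.receiveFrame(perFrame);
    m.endSecond();
    return processed;
}

int main() {  // constructed thresholds; 30 frames/sec with 50 spoofed packets per frame
    SpoofFloodModel m({{100, -1, 0}, {1000, 10, 2}, {0, 0, 3}});
    return (runSecond(m, 30, 50) == 1500 && m.severity() == 1u) ? 0 : 1;
}
```

While the top state's per-frame limit of 0 is active, every non-NetConnection packet is dropped, legitimate connection attempts included, which is the "Blocking new connections" trade-off listed under Limitations.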
Limitations:
Heavy DDoS: While the code can withstand a heavy, locally hosted, multithreaded DDoS, past a certain point network hardware and bandwidth capacity will become a limit, and even with strong enough hardware, the OS kernel calls for receiving packets will become a limit (for Linux, recvmmsg may be used to alleviate this later).
So this code just deals with as much of the DDoS as it can, at an application level - if you're getting hit with a bad enough DDoS, then you're going to have to look at measures at the network infrastructure level - for example, IP filtering at the edge of your network, communicating with the game server to only allow packets from existing NetConnection IPs.
Tuning thresholds per-Game: You will need to manually tune the packet thresholds specifically for your game, even for each different gametype within your game, and maybe even community server admins will need to retune, if hosting a server with mods etc.
Blocking new connections: If a DDoS is expensive enough that you choose to drop non-NetConnection packets after a threshold (a wise move, for performance...), then new players will be blocked from entering the server.
|
inline |
Accessor for bDDoSLogRestrictions - doubles as a per-frame logspam counter, automatically disabling logs after a quota
|
inlineprotected |
Performs periodic checks on NetConnection packet limits
|
protected |
Performs periodic checks on trigger quotas and packet limits, for non-NetConnection packets
|
inline |
Rate limited call to CheckNetConnLimits
|
inline |
Rate limited call to CheckNonConnQuotasAndLimits
Initializes the DDoS detection settings
| MaxTickRate | The maximum tick rate of the server |
| void FDDoSDetection::InitConfig | ( | ) |
Initializes the settings from the .ini file - must support reloading of settings on-the-fly
| void FDDoSDetection::PostFrameReceive | ( | ) |
Triggered after packet receive ends, during the current frame
Triggered before packet receive begins, during the current frame
Updates the current DDoS detection severity state
| bEscalate | Whether or not we are escalating or de-escalating the severity state |
|
protected |
The currently active DDoS severity state settings
|
protected |
Whether or not analytics for DDoS detection is enabled
|
protected |
Whether or not DDoS detection is presently enabled
|
protected |
Whether or not restriction of log messages from non-NetConnection packets is enabled
|
protected |
Whether or not the current frame has reached NetConnection packet limits, and should block ALL further packets
|
protected |
Whether or not the current frame has reached non-NetConnection packet limits, and should block non-NetConnection packets
|
protected |
Limit checking the previous state's escalation conditions to once per frame
|
protected |
Stores enough per-second quota history to allow all DetectionSeverity states to recalculate if their CooloffTime is reached
|
protected |
The maximum number of non-NetConnection triggered log messages per frame, before further logs are dropped this frame
|
protected |
The different DDoS detection states, of escalating severity, depending on the strength of the DDoS
|
protected |
Timestamp for the end of the last frame's receive loop
|
protected |
The expected time between frames (1.0 / MaxTickRate) - used for adjusting limits/quotas based on DeltaTime
|
protected |
The current frame's adjustment/deviation, from ExpectedFrameTime
|
protected |
The number of consecutive frames spent hitching
|
protected |
The number of frames spent hitching, before disabling false positive detection, and treating packet buildup as potential DDoS
|
protected |
The amount of time since the previous frame, for detecting frame hitches, to prevent DDoS detection false positives
|
protected |
The last written index of CounterPerSecHistory
|
protected |
The last time the previous severity state's escalation conditions were met (to prevent bouncing up/down between states)
|
protected |
Timestamp for the last time per-second quota counting began
|
protected |
Counter for log restriction hits, in the current frame
| FDDoSSeverityEscalation FDDoSDetection::NotifySeverityEscalation |
Analytics delegate for notifying of severity state escalations
|
protected |
Counts the packets from the start of the current frame
|
protected |
The timestamp for the start of the current frame's receive
|
protected |
The worst DDoS severity state that has been active - used for limiting analytics events