Tips On Defending Your HTML5 Game Against Malicious Attacks

2019.8.8 Uncategorized by COCOS

With so many games being released in HTML5, some gamers are trying to attack these online games to abuse other players, troll developers, or harm their competitors. DDoS was a question many people on our Chinese forum were asking about a few months ago.

 To avoid this happening to your online game, a developer in the forum shared a few tips to help you fight these types of attacks. But note, because some tips involve additional confidential information, the complete solutions might not be disclosed in this article.

DDoS attacks

DDoS is just a general term for traffic attacks. Generally, an individual attacker can initiate a traffic attack from 50GB to 100GB. Some teams can launch 200GB+ traffic attacks, and of course some can do 400GB+, 600GB+, 800GB+, 1TB+ and so on.

The first thing to note here is that, in theory, DDoS attacks are unpredictable. You can defend 1TB attack today, and another will hit you with a 2TB attack tomorrow.

The only solution: A hard defense (aka a hardware defense.)

The basic principle is to identify DDoS by analyzing the class and source address characteristics of the packages on its entrance device, such as a router. Once the source address is identified as having DDoS behavior, the packet address is changed and directed to the traffic cleaning system.

The traffic then flows into a cleaning system, who can help you with your “maximum defense.”

There are two types of cleaning systems:

One is using a BGP center, which will mitigate the traffic to a scrubbing center to make sure the DDoS doesn’t hit your servers. The defense is generally limited to 200GB of a load. If you need a better defense, talk to your DDoS mitigation vendor for more capacity, or they can help you re-route your host.

 The other is an ordinary hosting company. This kind of defense can achieve about 300GB with the help of purchased software and hardware. However, in the same way as BGP centers, if you want better support, you will have to deal with purchasing more from a server provider and service providers.

 How to fight an attack using multiple IPs to the client? The best strategy is intelligent DNS domain name resolution, which will help you resolve the IP to the current user.

If we want to defend against the attack on your game, and you have to consult a third-party company, be prepared to spend more than $10,000 a month. For some games with lots of money coming in, this number does not matter. However, for a game in the initial stages, the price might be way too much. So, is there any way we can spend less? Not really. These services are expensive and a requirement if your game becomes a big hit. So plan out what you need to do to scale your services in case of attacks.

One tip we recommend is using four 300G high defense parallel servers, that is, 1.2T defense. Four sets protection there are four IP addresses. How do you operate this? This will be handed over to the client. If the client is offline, they can choose another one that can be used.

These four units do not necessarily have to be load balanced. Because we want to ensure that when the player is attacked, there are servers available, rather than to load the load through load balancing. What if I have tens of thousands of people online on your platform? That’s easy; you can do it with ten 1TB defenses as well.

CC (Challenge Collapsar)

There are several common routines for DDoS.

  1. Initiate super long links (for long-link servers), encroach on server IO resources
  2. Initiate super-multiple packets (long and short links are available)
  3. Challenge Collapsar (CC)

The first two have better defenses because most high-defense servers can automatically recognize it. In fact, the most harmful are CC attacks.

There are several main routines for CC attacks.

Capture packet replay

Through software, the legitimate traffic packet sent by the client to the server is captured and then sent directly.

If history is being used in real-time from the database, then the query and traffic of the database server will overflow. It’s common to get the database process on MYSQL to go over 100%.

Second, if the history is cached into memory, then they can amplify the attack and magnify the return packet size/request packet size by replaying the defense of the attack.

SQL injection

 The SQL injection is very simple; I will demonstrate. SELECT * FROM history WHERE userid = $userid. If the client passes this $userid, then the problem we face is that the $userid may not be the integer you expect.

 For example, the following may occur (the bold part is the value of $userid)

This SQL statement calls a concat_ws, cast, ifnull, and other SQL functions. Trying to consume the CPU of the MYSQL database process and returning a large number of query results.

 The defense of SQL injection requires everyone to do a good job when passing the value to the client, especially when splicing SQL statements, pay special attention to possible problems.


Cracked means that the attacker has cracked open your code and knows all your tricks, which is the most difficult to defend. However, everyone should assume that such a possibility may arise because it can happen.

In order to defend this step, only thoughtful planning of your code, making each request strictly valid.


We hope that from our friend in our community, you will take advantage of our information. You need to pay attention to security protection as your game continues to grow. Don’t let the money you should have earned, disappear from many attacks!



Pin It on Pinterest

Share on Social Media