Ray Hosting Ray Hosting Deploy Node →
L7 DDoS Protection — Game Servers

Stop Application-Layer Attacks
Before They Hit Your Server

Ray Hosting deploys per-port nftables chains with eBPF/XDP hardware offloading on every game node. Confirmed attacker IPs are offloaded to the NIC driver in <1ms — before your server allocates a single byte of CPU memory.

Deploy a Protected Node
Always-on. No config required.
Sub-second mitigation Zero false positives Game protocol-aware
MALICIOUS L7 / BOTSYN flood · A2S_INFO · HTTP slowEDGE GAME NODEBaseDDoS → nftables priority -300XDP daemon sync <1ms · SYNPROXY TCP✗ DROP@blacklist 300s✓ CLEANconntrack · QoSDOCKER SWARM CLUSTERYour game server — clean traffic only ipset ban per-port chain

The Protection Stack

Three Layers. Zero Compromise.

XDP Hardware Offload

Confirmed attacker IPs are synced to the NIC's eBPF map by ray-xdp-sync.sh in under 1ms via a journalctl streaming pipeline. Malicious packets are dropped at the driver level — before CPU memory is allocated or kernel network stack is touched.

eBPF/XDP · NIC-level drop

Per-Port nftables Chains

Every game port gets its own named chain in /etc/nftables.d/. TCP uses SYNPROXY to validate handshakes cryptographically before opening server state. UDP uses a dual-threshold strategy: a soft rate limit drops flood packets silently; a hard threshold 10× above it bans the source IP for 5 minutes via an auto-expiring set.

nftables · SYNPROXY · flock concurrency

Game Protocol L7 Inspection

For query and combined port types, nftables reads transport-relative UDP payload offsets (e.g. @th,64,40) and matches known game protocol signatures like 0xffffffff54 (Source Engine). Traffic not matching the expected protocol signature is rate-limited and the source IP is added to the 5-minute ban set.

UDP payload matching · Source Engine aware

The Clean Pipe Promise

Your players never feel it.
Attackers hit a wall.

Blacklisted IPs are dropped at kernel raw hook priority -300 — before any connection tracking, NAT, or Docker networking is involved. The auto-expiring timeout 300s set means no cron job, no manual cleanup, and no growing memory footprint during sustained attacks.

A FirewallGarbageCollectionService runs every 6 hours across all live nodes — reconciling the kernel ruleset against the database using word-boundary grep to prevent prefix collisions between ports (port 80 never touches port 8080). Your protection is always in sync with your deployed servers.

<1ms
XDP offload latency after log event
-300
nftables raw hook priority — before NAT
5 min
Auto-expiring IP ban — no manual cleanup
Protection profiles: Loose · Std · Strict · Under Attack
Under attack right now?

Provision a protected node
in under 60 seconds.

Automated provisioning installs and activates the full nftables + XDP stack before your first player connects. No SSH into your server. No manual firewall configuration. Just click deploy.

Deploy Now — No Config Required

Always-on DDoS mitigation included with every game server plan. No additional fees. No contracts.