Rivet Game Guard

Rivet Game Guard provides a layer of protection between the public internet and your game without impacting performance. You can think of it like Cloudflare, but for game traffic.

Game Guard serves two main purposes:

  • DDoS mitigation
  • SSL/TLS termination

Supported protocols

Protocol | Rivet Game Guard (requires single port) | Host Network (requires port range)
HTTPS / Secure WebSocket
HTTP / WebSocket
TCP + TLS
TCP
UDP

DDoS mitigation

Game Guard helps mitigate DDoS attacks by

What Game Guard protects your game from

Game Guard protects your game from the following (and more):

  • Whitelist IPs for players in the lobby
  • Max connections open per IP
  • OSI layer 3 malicious traffic
  • OSI layer 4 and layer 7 rate limiting

Read more about the OSI model here.

Where Game Guard cannot help

While Game Guard can help mitigate serious DDoS attacks, your game server may still be vulnerable to some attacks.

Make sure you are doing the following:

Disconnect invalid players

The Rivet Matchmaker has systems in place to ensure players are valid and have optionally completed a captcha before it issues a player token. Ensure this player token is valid before letting a player connect to your game.

Disconnect sockets immediately if matchmaker.players.connected returns an error. Specifically, MATCHMAKER_PLAYER_NOT_IN_LOBBY, MATCHMAKER_PLAYER_ALREADY_CONNECTED, and TOKEN_INVALID indicate the player may be malicious.

Additionally, don’t accept any packets from the client until matchmaker.players.connected has succeeded.

Limit packet size & frequency

Game Guard mitigates attacks of high-volume packet spamming, but you will likely want to implement your own packet rate limiting mechanism.
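
One way to implement both server-side checks above (no packets before the player token is validated, then a cap on packet size and rate), as an added example that is not Rivet's code. validatePlayer is a hypothetical async wrapper around matchmaker.players.connected that rejects on any error, and the size and rate limits are assumed values.

```javascript
// Added example, not Rivet's code. Limits below are assumed values; tune per game.
const MAX_PACKET_BYTES = 1024; // largest packet the game protocol should ever send
const BURST = 20;              // token bucket capacity (packets)
const REFILL_PER_SEC = 20;     // sustained packets per second allowed

class ConnectionGate {
  // validatePlayer: hypothetical async wrapper around matchmaker.players.connected
  // that rejects on any error. now: injectable clock in milliseconds.
  constructor(validatePlayer, now = () => Date.now()) {
    this.validatePlayer = validatePlayer;
    this.now = now;
    this.state = "pending"; // pending -> connected | closed
    this.tokens = BURST;
    this.last = now();
  }

  // Call once when the socket opens, with the player token the client sent.
  async authenticate(playerToken) {
    try {
      await this.validatePlayer(playerToken);
      if (this.state === "pending") this.state = "connected";
    } catch (err) {
      // TOKEN_INVALID, MATCHMAKER_PLAYER_NOT_IN_LOBBY,
      // MATCHMAKER_PLAYER_ALREADY_CONNECTED or any other error: disconnect.
      this.state = "closed";
    }
    return this.state;
  }

  // Decide what to do with one inbound packet: "accept", "drop" or "close".
  onPacket(bytes) {
    if (this.state === "closed") return "close";
    if (this.state !== "connected") return "drop"; // nothing accepted before validation
    if (bytes.length > MAX_PACKET_BYTES) {
      this.state = "closed"; // oversized packet: treat the client as hostile
      return "close";
    }
    const t = this.now();
    const refill = ((t - this.last) / 1000) * REFILL_PER_SEC;
    this.tokens = Math.min(BURST, this.tokens + refill);
    this.last = t;
    if (this.tokens < 1) return "drop"; // over the rate limit
    this.tokens -= 1;
    return "accept";
  }
}
```

The caller closes the socket whenever authenticate resolves to "closed" or onPacket returns "close".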

Still having issues?

No game on Rivet should be suffering from DDoS attacks if set up correctly.

If you’re having issues with DDoS attacks on your game, contact us and we’ll make sure your game is up and running.

SSL/TLS termination

You may need to use secure WebSockets or TCP+TLS when connecting to your game servers. For example, HTTPS websites require secure WebSockets, or you may want to prevent man-in-the-middle attacks by encrypting your game traffic.

Supporting this yourself requires you to regularly issue and update your own SSL and TLS certificates. Game Guard automatically manages SSL certificates for your game.

Why shouldn’t I use something like Cloudflare for my game?

Cloudflare is great for protecting traditional web servers but does not work well for game traffic.

  • Cloudflare only supports WebSockets (unless using Cloudflare Spectrum Enterprise)
  • Cloudflare does not respect long-lived WebSockets; players will be disconnected sporadically if connected for a long time
  • Cloudflare proxies game traffic through a different data center than where your game is running
  • Cloudflare adds at least 10 ms latency to your game

Game Guard SSL/TLS termination & game server CPU load reduction

It’s widely known that SSL only causes a negligible performance impact on traditional HTTP traffic.

However, when encrypting many packets per second for a real-time game, that performance impact can be noticeable (especially with poorly optimized libraries). We’ve seen CPU reductions in multiple games that move their SSL termination from the host to Game Guard.

We choose not to advertise this feature since we have not yet published benchmarks to back this up, but we believe it’s worth mentioning.