Steam Group
l4d2center.com (l4d2center)
1,554 in-game
4,966 online
Founded: July 25, 2022
Language: English
Recent announcements
L4D2Center is back up
  • Player profiles, stats, game history
  • Paid subscriptions
  • Creating a party now requires a subscription
  • Duos aren't split anymore. Bigger parties can be split, but the first 2 players in a party will always be placed on the same team.
  • Rules were changed a little bit
  • Your MMR doesn't disappear with inactivity
  • New servers, different location, tickrate 128

The History of DDoS Attacks on l4d2center
DoS vs DDoS
There is an important difference between DoS and DDoS attacks. A DoS attack comes from a single source and is usually not a real problem today. A DDoS attack comes from many sources at once and is what actually causes serious issues.

The main challenge of any DDoS protection is separating real players from malicious traffic. In theory, protection can be built using several layers:
  • iptables – default Linux server-level filtering tool, works directly inside the operating system, good for blocking simple patterns and small attacks
  • Custom server firewall – custom application logic running on the server itself, able to analyze traffic behavior and apply game-specific rules, but limited by the server’s network and CPU capacity.
  • L4 protection (hosting level) – protection provided by the hosting company, works at the transport layer and is designed to absorb large volumes of traffic aimed at saturating bandwidth.
  • L7 protection (hosting or CDN level) – application-level protection that understands protocols and request behavior, allowing precise filtering.
DoS attacks can usually be handled at the server level. Wide DDoS attacks require protection higher in the network. For L4D2 servers, L7 protection is extremely rare, and only a handful of hosting providers worldwide can offer that kind of protection, maybe around 3 or 4.

The first attacks
At the very beginning of l4d2center’s existence, the website itself was attacked. These attacks were clearly made by someone who understood how websites work. They targeted the backend API, specifically the player list on the main page, which at the time was the weakest point.

The attacks happened once or twice a day and lasted 5–10 minutes. That was enough to disrupt half of the active games due to lost connections, and the website itself became unavailable during those moments. This continued for about a week.

Eventually, a suitable Cloudflare configuration was found, and the site was adapted to work with it properly. After that, the problem was completely solved. Interestingly, since then, no one has ever attempted a technically competent DDoS attack on the website again.

A long period of calm
For about a year and a half, there were no DDoS attacks at all, neither on the site nor on the game servers. During this time, servers operated normally in Europe, Canada, Virginia, Miami, Los Angeles, and Singapore (hosted by me, Sir, and J.).

The first attacks on game servers
After this quiet period, DDoS attacks began targeting the game servers. At first, they stayed within the bandwidth limits of the server channels. Sir, whose servers were listed on the platform, started improving iptables rules, while I collected logs to understand how the attacks bypassed existing protections.

After a couple of weeks, this paid off: attacks continued, but servers stopped lagging and games were no longer interrupted.

That didn’t last long. Soon the attack bandwidth increased significantly (up to 20-40 Gbps), far beyond the server channels. At that point, staying on unprotected hosting was no longer possible. Sir shut down his Miami servers, I removed mine in Los Angeles, and all J.'s servers (Singapore and LA) were removed from the server pool. Only Virginia, Canada, and Europe remained.

Sir’s servers had L7 protection, while mine did not. I couldn’t migrate immediately because my Canadian server was locked into a one-year contract with about a month remaining. While Sir’s servers continued to operate normally during attacks, I had to further improve iptables rules to handle traffic that OVH’s L4 firewall couldn’t filter. Eventually, this worked, and attacks stopped affecting gameplay.

Later, attack intensity increased again, over 100 Gbps. At this point, even Sir’s L7 firewall began to struggle. The servers themselves stayed online, but some players lost connection and were banned for leaving matches, because OVH incorrectly classified their traffic as malicious. Meanwhile, my less-protected Canadian servers were hit even harder, and games were consistently disrupted.

Dealing With Stronger Attacks
I started developing a new protection concept, but before I could finish, something unexpected happened. The attacker contacted me directly.

He spoke Russian. He used a throwaway account, so I couldn’t identify him. He apologized and explained his motivation. He said he didn’t play Left 4 Dead 2 at all and only watched streams. According to him, he had been paid to attack my servers earlier. Later, he continued attacking because someone told him that l4d2center’s admin behaved badly and refused to open servers in Russia, which he considered unfair. Eventually, he realized the situation was more complex, felt guilty, and contacted me to apologize.

He even offered to help. I accepted and asked him to attack my servers when needed so I could test new defenses. He did this several times over the next few days, but then abruptly stopped cooperating, with clearly untrue explanations. Shortly after that, he blocked me without warning, and we never spoke again.

I finished implementing the new protection system, a strong combination of server firewall rules, client IP whitelisting, and per-gameserver hosting firewall configuration. But by then, the attacks had stopped, so I couldn’t properly test it.

Smaller attacks
After that, there was a relatively calm period that lasted several months. Occasionally, smaller-scale attacks appeared (around 20–30 Gbps), but they were handled by the basic filters, and never affected gameplay. Around the same time, attacks on the website resumed, though in a very primitive form. The attacker attempted to target individual HTML pages, which indicates a lack of basic understanding of how web infrastructure works: such requests are extremely cheap to serve, and when the site is behind Cloudflare, this type of attack is ineffective even in theory.

These incidents had no impact on availability, but they showed that someone was still periodically testing the protection.

Attempt to expand to new locations
After a few quiet months, I decided to bring back Miami servers. On the same day, they were hit by a DDoS attack. It was obvious that the attacker was still around and simply waiting for new targets to appear. Miami was removed again, and we continued operating only in Virginia, Canada, and Europe.

The return of heavy DDoS attacks
Another six months to a year later, strong DDoS attacks returned, reaching 80-130 Gbps. The protection system I had set up earlier worked very well: games ran smoothly despite ongoing attacks.

However, occasionally the attacker managed to degrade gameplay. Players didn’t disconnect, and the ping didn't go higher, but they started teleporting, making the game unplayable. This happened rarely, and I still don’t really know why. Most attacks still had no visible effect, but the attacker persisted, and managed to lag a small portion of games over a few days.

At that point, I activated an automatic IP whitelist system. This is the system that prevents players from reconnecting after changing IPs during a match. (At the time of writing, it is disabled; when active, the site shows a visible warning.) This fully protected the gameplay, and there was no more lagging.
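The trade-off described above, as an added example (not l4d2center's actual code): the addresses seen at match start are frozen into an allow-list and every other source on the game port is dropped, which is also why a player whose IP changes mid-match cannot get back in. Enforcing it with ipset and iptables on UDP port 27015 is an assumption, as are the set name and the constructed roster.

```python
import ipaddress

GAME_PORT = 27015  # assumption: default Source-engine UDP game port

def freeze_roster(roster):
    """Validate the IPs seen when the match starts; return the frozen allow-set."""
    allowed = set()
    for player, ip in roster.items():
        addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
        if addr.version != 4 or addr.is_loopback or addr.is_multicast or addr.is_unspecified:
            raise ValueError(f"refusing to whitelist {ip!r} for {player}")
        allowed.add(str(addr))
    return frozenset(allowed)

def render_rules(set_name, allowed, ttl=3 * 3600, port=GAME_PORT):
    """Commands that load the allow-set and drop every other source on the game port."""
    # The timeout makes entries expire on their own if match cleanup never runs.
    cmds = [f"ipset create {set_name} hash:ip timeout {ttl}"]
    cmds += [f"ipset add {set_name} {ip}" for ip in sorted(allowed)]
    cmds += [
        f"iptables -A INPUT -p udp --dport {port} -m set --match-set {set_name} src -j ACCEPT",
        f"iptables -A INPUT -p udp --dport {port} -j DROP",
    ]
    return cmds

def verdict(allowed, src_ip):
    """What the rules above do to a packet arriving from src_ip."""
    return "ACCEPT" if str(ipaddress.ip_address(src_ip)) in allowed else "DROP"

# Constructed sample roster (documentation address ranges, not real players).
ROSTER = {
    "player_a": "198.51.100.7",
    "player_b": "203.0.113.20",
    "player_c": "198.51.100.7",  # duo behind one NAT: same public IP, one set entry
}
ALLOWED = freeze_roster(ROSTER)
RULES = render_rules("match_1234", ALLOWED)

if __name__ == "__main__":
    print("\n".join(RULES))
    print(verdict(ALLOWED, "203.0.113.20"))  # player_b reconnecting from the same IP
    print(verdict(ALLOWED, "192.0.2.99"))    # player_b after an IP change mid-match
```
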

As the attacks continued anyway, I began investigating who might be behind them. I assumed that the attacker was observing the results of the attacks in real time. During attacks, they never joined the servers, and the server list page does not show whether a server is lagging. That meant the most likely way for him to monitor the effect was through livestreams. I also noticed that only servers with active streams were being attacked.

It took 4 more DDoS attacks to identify a pattern. There was exactly one viewer who was present in all of the streams during those attacks. This person turned out to be a Russian player I didn’t recognize. However, one of my friends knew him and said that he doesn’t play L4D2 at all and only watches her streams.

Of course, this wasn’t enough to accuse anyone. Moreover, DDoS attacks against non-commercial projects are not illegal in Russia, so even with evidence, there would have been no legal consequences. Still, I found his social media and politely asked whether he was responsible for the attacks, and he politely denied it. However, after that conversation, the attacks immediately stopped and have not occurred at that scale since. We never spoke with him again.

The current situation
Today, attacks still happen occasionally, but they are weaker (20-30 Gbps) and easy to mitigate. They always start shortly after new servers appear on the site, either the same day or the next, and they look like a test for vulnerabilities. Even while the site hasn't been in a working state recently, several attacks happened shortly after new servers came online. By the way, this is the main reason why available server locations are currently limited. Locations like Miami, Peru, Novosibirsk, or Japan are frequently requested, but for now, they simply can’t be safely supported.

Today, attacks still happen, and they still affect how the project develops. However, they can no longer disrupt gameplay. Thanks to the protection systems built over time, and the experience gained through all of this, games remain stable even under active attacks.

Now you know what’s been happening behind the scenes all this time, and why certain decisions around the project exist the way they do.

2,489 comments
Cagar en la calle 9 minutes ago
Extreme lag, ping spikes from 120 to 844 ms, it’s unplayable and I’m getting banned because of it :(
enemy el que ayudó a sheo 52 minutes ago
@sheo I like your site, but your servers are terrible, especially for players from Peru. The ping keeps going up to 800, so it's impossible to play, and this is happening to many Peruvians. It's your servers, not the connection, because on the CEDA website servers you can play without problems. Due to the high ping, my character couldn't move and I got banned for being absent :(
Tiktok: Saicaso 1 hour ago
@sheo I like your site, but your servers are terrible, especially for players from Peru. The ping continues to go up to 800, so it cannot be played, and this is happening to many Peruvians. They are your servers, not the connection, because on the CEDA site you can play without problems. x2
dusk 1 hour ago
I was banned twice due to a server error
sheo i just got banned, game id took to another server with no game, i tried again and it happened again, imma protest for my ban, it was not my fault oing oing
sheo 3 hours ago
@ducky, nothing, just an urgent site restart due to a bug