Radar has landed - discover the latest DDoS attack trends. Get ahead, stay protected.Get the report
Under attack?

Products

Solutions

Pricing

Resources

Partners

Why Gcore

Under attack?
Contact us
Contact us Sign up for free
  1. Home
  2. Blog
  3. How We Manage XDP/eBPF Effectively for Superior DDoS Protection

How We Manage XDP/eBPF Effectively for Superior DDoS Protection

  • By Gcore
  • May 13, 2024
  • 7 min read
How We Manage XDP/eBPF Effectively for Superior DDoS Protection

Table of contents

Try Gcore Security

Try for free

This article originally appeared on The New Stack, where Gcore developers are regular expert contributors.

At Gcore, we’re continuously enhancing our packet processing core to strengthen Gcore DDoS Protection. This involves integrating key features like the regular expression engine and adapting to the dynamic requirements of online traffic. Our customers frequently update their security policies, and we consider it crucial to adapt our protection suite to those changes as part of our commitment to evolving and improving cybersecurity. In this article, we’ll explain the techniques we use to manage eBPF/XDP effectively and discuss the importance of flexibility and adaptability in DDoS protection to accommodate our customers’ changing security policy settings.

How Gcore Innovates With eBPF for Enhanced DDoS Protection Configuration

The development team at Gcore has faced the unusual challenge of creating systems to serve a broad customer base, setting us apart from the usual practice of developing for internal use. Recognizing the need for rapid and frequent updates to Gcore DDoS Protection, we have moved beyond the standard one or two daily updates for self-hosted solutions to the almost constant updates required by service providers. This need, often overlooked in Linux applications, prompted us to embrace eBPF technology, enabling quick, uninterrupted updates.

Our progress towards this solution was deliberate, involving a thorough exploration of various approaches to ensure optimal management of our eBPF configurations. We share our insights and strategies, encouraging careful planning and execution of eBPF programs for peak efficiency. We’ll explore these strategies and their benefits in the following sections of this article, providing insights into maximizing eBPF’s full potential.

Configuration Management of XDP

eBPF maps serve as a sophisticated interface for the atomic update of shared memory segments, functioning as shared memory and providing a robust configuration interface for eBPF programs. The Read-Copy-Update mechanism minimizes performance footprint in the hot path. Additionally, eBPF maps allow exclusive access to shared memory fragments. A combination of map types, including arrays, hash tables, bloom filters, queues, and ring buffers, accommodates any complex configuration.

As configuration complexity grows, so does the need for more connections between different maps’ entries. Eventually, if the number of connections between map entries becomes excessive, the ability to perform atomic configuration updates diminishes. Furthermore, updating a single map entry might necessitate simultaneous updates in other maps, risking inconsistency during the update period.

Consider a simple XDP (eXpress Data Path) program that classifies and filters traffic based on a prioritized 5-tuple ruleset. The program processes the next packet based on a combination of the rule’s priority, and the packet’s source IP address, destination IP address, protocol, and source and destination port.

Here are examples of rules for a network configuration:

  1. Always allow ANY traffic from subnet A.
  2. Restrict access to web servers in subnet B for clients from subnet C.
  3. Restrict access to web servers in subnet B.
  4. Deny all other access.

These rules require storing both traffic classification rules and restrictions in the configuration, which can be achieved by using eBPF maps.

Understanding Configuration in eBPF Programs as a Tree Structure

We can visualize configurations as a hierarchical tree, with a “configuration root” at its base serving as the foundation. This root, which may be virtual, primarily organizes various configuration entities to form the active configuration. Entities either connect directly to the root for immediate global access or nest within other entities for structured organization. Accessing a specific entity begins at the root, progressing sequentially or “dereferencing” level by level to the desired entity. For example, to retrieve a Boolean flag from an “options” structure within a collection, one navigates to the collection, locates the structure, and then retrieves the flag.

This tree-like structure offers flexibility in configuration management, including atomic swaps of any subtree, ensuring smooth transitions without disruption. However, increased complexity brings challenges; as configurations become more intricate, the interconnections among entries intensify. It’s common for several parent entries to point to a single child entry, and for an entry to play dual roles, acting as a property of one entity while also being part of a collection.

Modern programming languages have developed mechanisms to manage complex configurations safely. Developers use reference counters, mutable and immutable references, and garbage collectors to ensure safe updates. However, it’s critical to understand that safety in managing these configurations doesn’t guarantee atomicity when switching between configuration versions.

The limitations of eBPF maps have led our team at Gcore to rethink our configuration storage strategies. The inability of eBPF map entries to store direct pointers to arbitrary memory segments, due to kernel safety verifications, requires us to use search keys for map entry access, slowing down the lookup process. However, this drawback offers a benefit: it allows for dividing complex configuration trees into smaller, more manageable segments, linked directly to the configuration root, ensuring consistency even during non-atomic updates.

Next, we’ll look into specific configuration update strategies employed in eBPF environments, highlighting their suitability for the system’s unique requirements and limitations.

Strategies for Safe Configuration Updates

Optimizing configuration management is essential in XDP/eBPF programming. This section outlines strategies to enhance program updates, ensuring high performance and flexibility. We discuss incremental updates and map/program replacement techniques to improve configuration management, enabling developers to manage updates in XDP/eBPF programs effectively while maintaining system integrity and performance.

Update Strategy #1: A Step-by-Step Transition

This strategy allows incremental configuration updates across several maps, useful when processing data in one map provides a lookup key for another. In such cases, where multiple map entries need to be updated, atomic transitions are not feasible. However, through precise and sequential update operations, it’s possible to update the configuration methodically, keeping it valid at each step.

With this approach, some operations on referenced configuration subtrees become safe if executed in the correct order. For example, in the context of classification and processing, the classification layer provides a lookup key for a matching security policy, suggesting that update operations should follow a specific sequence:

  • Inserting a new security policy is safe since new policies are not yet referenced.
  • Updating an existing security policy is also safe, as updating them individually generally presents no issues. Although an atomic update would be desirable, it does not offer significant advantages.
  • Updating classification layer maps to reference new security policies and remove references to obsolete ones is safe.
  • Purging unused security policies from the configuration is safe once they are no longer referenced.

Even without atomic updates, it is possible to perform a safe update by correctly ordering the update procedure. This approach works best for independent maps that are not closely linked with other maps. Incremental updates, as opposed to updating the entire map at once, are recommended. For instance, incremental updates to hashmaps and arrays are perfectly safe. However, that is not the case with incremental updates to LPM maps, because the lookup depends on the elements already present in the map. This also arises when creating the lookup key for another table requires manipulating elements from multiple maps. The classification layer, often implemented using several LPM and hash tables, is a perfect example of this.

Update Strategy #2: Map Replace

For maps that cannot be updated incrementally without inconsistencies, such as LPM maps, replacing the entire map is the solution. To replace a map for an eBPF program, a map of maps must be used. A user-space application can create a new map, populate it with the necessary entries, and then atomically replace the old one.

Dividing the configuration into separate maps, each describing the settings for a single entity, offers an added benefit of resource isolation and avoids the need to recreate a full configuration during minor updates. The configuration for each of the multiple entities can be stored in a replaceable map.

Although this approach has advantages, it also has drawbacks. The userspace needs to unpin the previous map to maintain the previous pin path, since the replacement map cannot be pinned to the same location as the previous one. This is particularly important to consider for long-lived programs that frequently update configurations and rely on map pinning for stability.

Update Strategy #3: Program Replace

When linking multiple maps together, the map replace method may fail to work. Updating them individually can result in an inconsistent or invalid state—neither reflecting the old nor the new intended configuration. This can be remedied once all map updates are completed.

To address this issue, atomic updates should take place at a higher level. Although eBPF lacks a mechanism to replace a set of maps atomically, maps are usually linked to a specific eBPF program. Dividing the interconnected maps and corresponding code into separate eBPF programs, linked by tail calls, can address this.

Implementing this requires loading a new eBPF program, creating and filling maps for it, pinning both, and then updating the ProgMap from user space. This process is more labor-intensive than a simple map replacement but allows for simultaneous updates of maps and associated code, facilitating runtime code adjustments. However, this strategy may not always be efficient, especially when updating a single map entry in a complex program with multiple maps and sub-programs.

What You Should Know about Error Handling

This guide emphasizes the importance of updating configurations to prevent inconsistencies, while highlighting the complexities involved in error handling. When errors occur during an update, they can lead to ambiguous configurations, making automated recovery mechanisms essential to minimize manual corrections. Organizing errors into categories of recoverable and unrecoverable, with explicit recovery protocols for each, allows for efficient error management and ensures issues are resolved promptly and clearly:

  • Recoverable: If a recoverable error occurs during an update, the entire process is halted without committing any changes to the configuration. Recovery can be initiated without risk.
  • Unrecoverable: These require cautious recovery strategies as they impact specific configuration entities, aiming to prevent broader system disruption.

Organizing updates by configuration entity rather than update type is crucial. This approach ensures that errors affect only the targeted configuration entity, rather than all of them simultaneously. For instance, in our example with classification and processing, where different network segments have defined classification rules and security policies, it’s more effective to update them in separate cycles based on network segments rather than by update type. That simplifies the implementation of automatic recovery procedures, and provides clarity on which segment was impacted if an unrecoverable error occurs. Only one network segment will have an inconsistent configuration, while others will remain unaffected or can be easily switched to a new configuration.

Managing eBPF Program Lifecycles for Updates

The lifecycle management of an eBPF program is crucial, especially for programs requiring persistence, frequent updates, and state retention across different code instances. For example, if an XDP program requires frequent code updates while maintaining existing client sessions, it is essential to manage its lifetime effectively.

Developers focusing on maximizing flexibility while minimizing constraints should aim to retain only indispensable information between reloads, information that cannot be sourced from non-volatile storage. This approach allows for dynamic configuration adjustments within eBPF maps.

Simplifying the hot code reload process involves distinguishing state maps from configuration maps, reusing state maps during reloads, and repopulating configuration maps from non-volatile storage. Transitioning processing from an old to a new program and informing all eBPF map users about the change poses a significant challenge.

Two main approaches are commonly used:

  • Atomic Program Replacement. Directly attaching the XDP program to a network interface and atomically swapping it during updates. This approach may be less suitable for large, complex eBPF programs that interact with multiple user-space programs and maps.
  • libxdp-like Approach. A dispatcher program, once linked to the network interface, uses tail-calls for processing in the next program from the ProgMap for actual processing. The dispatcher program, besides managing map usage and pinning, coordinates multiple processing programs, enabling quick transitions between them.

The hot reload process ensures prompt detection and correction of configuration issues, quickly reverting to a previous stable version when necessary. For advanced scenarios like A/B testing, the dispatcher can augment itself with a classification table to direct specific traffic flows to a new version of an XDP program.

Conclusion

We’re constantly pushing the boundaries of network security and performance optimization to combat emerging threats—including by using advanced eBPF/XDP features. As we continue to evolve our packet processing core, we remain committed to delivering cutting-edge solutions that ensure our customers’ networks are both robust and agile.

For proven DDoS mitigation, try Gcore DDoS Protection. Our all-in-one service provides real-time DDoS protection for websites, apps, and servers, with a 99.99% SLA for your peace of mind.

Discover Gcore DDoS Protection

Table of contents

Try Gcore Security

Try for free

Related articles

How to comply with NIS2: practical tips and key requirements

The European Union is boosting cybersecurity legislation with the introduction of the NIS2 Directive. The new rules represent a significant expansion in how organizations across the continent approach digital security. NIS2 establishes specific and clear expectations that impact not just technology departments but also legal teams and top decision-makers. It refines old protocols while introducing additional obligations that companies must meet to operate within the EU.In this article, we explain the role and scope of the NIS2 Directive, break down its key security requirements, analyze the anticipated business impact, and provide a checklist of actions that businesses can take to remain in compliance with continually evolving regulatory demands.Who needs to comply with NIS2?The NIS2 Directive applies to essential and important organizations operating within the European Union in sectors deemed critical to society and the economy. NIS2 also applies to non-EU companies offering services within the EU, requiring non-EU companies that offer covered services in the EU without a local establishment to appoint a representative in one of the member states where they operate.In general, organizations with 50 or more employees and an annual turnover above €10M fall under NIS2. Smaller entities can also be included if they provide key services, including energy, transport, banking, healthcare, water supply, digital infrastructure, and public administration.4 key security requirements of NIS2Under the NIS2 Directive, organizations are required to have an integrated approach to cybersecurity. There are 10 basic measures that companies subject to this legislation must follow: risk policies, incident handling, supply-chain security, MFA, cryptography, backups, BCP/DRP, vulnerability management, security awareness, crypto-control, and “informational hygiene”. In this article, we will cover the four most important of them.These four are necessary steps for limiting disruptions and achieving full compliance with stringent regulatory demands. They include incident response, risk management, corporate accountability, and reporting obligations.#1 Incident responseUnder NIS2, a solid incident response is required. Companies must document processes for the detection, analysis, and management of cyber incidents. Additionally, organizations must have a trained team ready to respond quickly when there's a breach, reducing damage and downtime. Having the right plan in place can make the difference between a minor issue and a major disruption.#2 Risk managementContinuous risk evaluation is paramount within NIS2. Businesses should constantly be scouting out internal vulnerabilities and external dangers while following a clear, defined risk management protocol. Regular audits and monitoring help businesses stay a step ahead of future threats.#3 Corporate accountabilityNIS2 emphasizes corporate accountability by requiring clear cybersecurity responsibilities across all management levels, placing direct oversight on executive leadership. Additionally, due to the dependency of most organizations on third-party suppliers, supply chain security is paramount. Executives need to check the security measures of their partners. One weak link in the chain can destroy the entire system, making stringent security measures a prerequisite for all partners to reduce risks.#4 Reporting obligationsTransparency lies at the heart of NIS2. Serious incidents need to be reported promptly to maintain the culture of accountability the directive encourages. Good reporting mechanisms ensure that vital information is delivered to the concerned authorities in a timely manner, akin to formal channels in data protection legislation such as the GDPR.What NIS2 means for applicable organizationsSome of the potential implications of NIS2 include an increased regulatory burden, financial and reputational risks, and operational challenges. These apply to all businesses that are already established in the European Union. With compliance now becoming mandatory in all member states, businesses that have lagged behind in implementing effective cybersecurity measures will be put under increased pressure to improve their processes and systems.Increased regulatory burdenFor most firms, the new directive means a huge increase in their regulatory burden. The broadened scope of the directive applies to more industries, and this may lead to additional administrative tasks. Legal personnel and compliance officers will need to sift through current cybersecurity policies and ensure all parts of the organization are in line with the new requirements. This exercise can entail considerable coordination between different departments, including IT, risk management, and supply chain management.Financial and reputational risksThe penalty for non-compliance is steep. The fines for failure to comply with the NIS2 Directive are comparable to the GDPR fines for non-compliance, up to €10 million or 2% of a company's worldwide annual turnover for critical entities, while important organizations face a fine of up to €7M or 1.4% of their global annual turnover. Financial fines and reputational damage are significant risks that organizations must take into account. A single cybersecurity incident can lead to costly investigations, legal battles, and a loss of trust among customers and partners. For companies that depend on digital infrastructure for their day-to-day operations, the cost of non-compliance can be crippling.Operational challengesNIS2 compliance requires more than administrative change. Firms may have to make investments into new technology when trying to meet the directive's requirements, such as expanded monitoring, expanded protection of data, and sophisticated incident response protocols. Legacy system firms can be put at a disadvantage with the need for rapid cybersecurity improvements.NIS2 compliance checklistDue to the comprehensive nature of the NIS2 Directive, organizations will need to adopt a systematic compliance strategy. Here are 5 practical steps organizations can take to comply:Start with a thorough audit. Organizations must review their current cybersecurity infrastructure and identify areas of vulnerability. This kind of audit helps reveal areas of weakness and makes it easier to decide where to invest funds in new tools and training employees.Develop a realistic incident response plan. It is essential to have a short, actionable plan in place when things inevitably go wrong. Organizations need to develop step-by-step procedures for handling breaches and rehearse them through regular training exercises. The plan needs to be constantly updated as new lessons are learned and industry practices evolve.Sustain continued risk management. Risk management is not a static activity. Organizations need to keep their systems safe at all times and update risk analyses from time to time to combat new issues. This allows for timely adjustments to their approach.Check supply chain security. Organizations need to find out how secure their third-party vendors are. They need to have clear-cut security standards and check periodically to help ensure that all members of the supply chain adhere to those standards.Establish clear reporting channels. Organizations must have easy ways of communicating with regulators. They must establish proper reporting schedules and maintain good records. Training reporting groups to report issues early can avoid delays and penalties.Partner with Gcore for NIS2 successGcore’s integrated platform helps organizations address key security concerns relevant to NIS2 and reduce cybersecurity risk:WAAP: Real-time bot mitigation, API protection, and DDoS defense support incident response and ongoing threat monitoring.Edge Cloud: Hosted in ISO 27001 and PCI DSS-compliant EU data centers, offering scalable, resilient infrastructure that aligns with NIS2’s focus on operational resilience and data protection.CDN: Provides fast, secure content delivery while improving redundancy and reducing exposure to availability-related disruptions.Integrated ecosystem: Offers unified visibility across services to strengthen risk management and simplify compliance.Our infrastructure emphasizes data and infrastructure sovereignty, critical for EU-based companies subject to local and cross-border data regulation. With fully-owned data centers across Europe and no reliance on third-party hyperscalers, Gcore enables businesses to maintain full control over where and how their data is processed.Explore our secure infrastructure overview to learn how Gcore’s ecosystem can support your NIS2 compliance journey with continuous monitoring and threat mitigation.Please note that while Gcore’s services support many of the directive’s core pillars, they do not in themselves guarantee full compliance.Ready to get compliant?NIS2 compliance doesn’t have to be overwhelming. We offer tailored solutions to help businesses strengthen their security posture, align with key requirements, and prepare for audits.Interested in expert guidance? Get in touch for a free consultation on compliance planning and implementation. We’ll help you build a roadmap based on your current security posture, business needs, and regulatory deadlines.Get a free NIS2 consultation

Securing vibe coding: balancing speed with cybersecurity

Vibe coding has emerged as a cultural phenomenon in 2025 software development. It’s a style defined by coding on instinct and moving fast, often with the help of AI, rather than following rigid plans. It lets developers skip exhaustive design phases and dive straight into building, writing code (or prompting an AI to write it) in a rapid, conversational loop. It has caught on fast and boasts a dedicated following of developers hosting vibe coding game jams.So why all the buzz? For one, vibe coding delivers speed and spontaneity. Enthusiasts say it frees them to prototype at the speed of thought, without overthinking architecture. A working feature can be blinked into existence after a few AI-assisted prompts, which is intoxicating for startups chasing product-market fit. But as with any trend that favors speed over process, there’s a flip side.This article explores the benefits of vibe coding and the cybersecurity risks it introduces, examines real incidents where "just ship it" coding backfired, and outlines how security leaders can keep up without slowing innovation.The upside: innovation at breakneck speedVibe coding addresses real development needs and has major benefits:Allows lightning-fast prototyping with AI assistance. Speed is a major advantage, especially for startups, and allows faster validation of ideas and product-market fit.Prioritizes creativity over perfection, rewarding flow and iteration over perfection.Lowers barriers to entry for non-experts. AI tooling lowers the skill floor, letting more people code.Produces real success stories, like a game built via vibe coding hitting $1M ARR in 17 days.Vibe coding aligns well with lean, agile, and continuous delivery environments by removing overhead and empowering rapid iteration.When speed bites backVibe coding isn’t inherently insecure, but the culture of speed it promotes can lead to critical oversights, especially when paired with AI tooling and lax process discipline. The following real-world incidents aren’t all examples of vibe coding per se, but they illustrate the kinds of risks that arise when developers prioritize velocity over security, skip reviews, or lean too heavily on AI without safeguards. These three cases show how fast-moving or under-documented development practices can open serious vulnerabilities.xAI API key leak (2025)A developer at Elon Musk’s AI company, xAI, accidentally committed internal API keys to a public GitHub repo. These keys provided access to proprietary LLMs trained on Tesla and SpaceX data. The leak went undetected for two months, exposing critical intellectual property until a researcher reported it. The error likely stemmed from fast-moving development where secrets were hardcoded for convenience.Malicious NPM packages (2024)In January 2024, attackers uploaded npm packages like warbeast2000 and kodiak2k, which exfiltrated SSH keys from developer machines. These were downloaded over 1,600 times before detection. Developers, trusting AI suggestions or searching hastily for functionality, unknowingly included these malicious libraries.OpenAI API key abuse via Replit (2024)Hackers scraped thousands of OpenAI API keys from public Replit projects, which developers had left in plaintext. These keys were abused to access GPT-4 for free, racking up massive bills for unsuspecting users. This incident shows how projects with weak secret hygiene, which is a risk of vibe coding, become easy targets.Securing the vibe: smart risk mitigationCybersecurity teams can enable innovation without compromising safety by following a few simple cybersecurity best practices. While these don’t offer 100% security, they do mitigate many of the major vulnerabilities of vibe coding.Integrate scanning tools: Use SAST, SCA, and secret scanners in CI/CD. Supplement with AI-based code analyzers to assess LLM-generated code.Shift security left: Embed secure-by-default templates and dev-friendly checklists. Make secure SDKs and CLI wrappers easily available.Use guardrails, not gates: Enable runtime protections like WAF, bot filtering, DDoS defense, and rate limiting. Leverage progressive delivery to limit blast radius.Educate, don’t block: Provide lightweight, modular security learning paths for developers. Encourage experimentation in secure sandboxes with audit trails.Consult security experts: Consider outsourcing your cybersecurity to an expert like Gcore to keep your app or AI safe.Secure innovation sustainably with GcoreVibe coding is here to stay, and for good reason. It unlocks creativity and accelerates delivery. But it also invites mistakes that attackers can exploit. Rather than fight the vibe, cybersecurity leaders must adapt: automating protections, partnering with devs, and building a culture where shipping fast doesn't mean shipping insecure.Want to secure your edge-built AI or fast-moving app infrastructure? Gcore’s Edge Security platform offers robust, low-latency protection with next-gen WAAP and DDoS mitigation to help you innovate confidently, even at speed. As AI and security experts, we understand the risks and rewards of vibe coding, and we’re ideally positioned to help you secure your workloads without slowing down development.Into vibe coding? Talk to us about how to keep it secure.

How AI is improving L7 DDoS protection solutions

How AI is improving L7 DDoS protection solutionsDDoS attacks have always been a concern for organizations, but with the recent rise of AI and machine learning, the threat has grown. Layer 7 attacks are particularly damaging, as they focus on the application layer that users utilize to interact with your system. Unlike traditional DDoS attacks, which aim to overwhelm the servers with sheer traffic, these advanced threats imitate real user behavior, making it incredibly difficult for defenses to identify and block malicious traffic.While this challenge is complex, it is far from insurmountable. In this situation, the mantra "fight fire with fire" really applies. By using machine learning and AI against AI-based attacks, organizations can then retaliate with equally advanced Layer 7 protection. These newer technologies can offer something beyond what more traditional techniques could hope to achieve, including significantly faster response times, smarter threat detection, and precision. Here’s how AI and ML are redefining how businesses stay online and secure.Why L7 DDoS attacks are dangerous and hard to stopL7 DDoS attacks are sneaky. Unlike network-based attacks that flood your bandwidth, these attacks go after your application logic. Picture thousands of fake users trying to log in, search for products, or complete transactions all at once. Your systems become overwhelmed, not because they’re receiving a massive amount of data, but because they’re handling what looks like genuine traffic.The big challenge is filtering out the bad traffic while letting legitimate users through. After all, if you accidentally block real customers, you’re essentially doing the attackers’ job for them.Manual defenses used in the past, such as rate limiting with static thresholds, can result in a lose-lose situation. When the threshold is set too high, attackers can enter, often in place of traditional users. If the threshold is set too low, legitimate users are left unable to access the application. This acts as a collective punishment, blocking users out of fear of a few malicious actors rather than an accurate solution that can identify the malicious activity and block it without compromising users’ experience. Traditional defenses, based on static rules or human intervention, simply cannot scale at the speed and intricacy of a modern attack. They’re reactive when they need to be proactive.Filtering traffic without blocking customersAI and ML avoid the pitfalls of traditional security systems by continuously analyzing traffic and identifying anomalies dynamically. One of the biggest pain points in DDoS defense is false positives, which block legitimate users because their behavior looks suspicious.Traditional solutions relying on static rules simply block any IPs displaying suspicious behavior, while AI and ML track the activity of IPs over time, building a detailed profile of legitimate traffic. Sometimes referred to as IP profiling, this process groups together the IP addresses that interact predictably and legitimately with your systems. By analyzing both current and historical data, these systems can differentiate suspicious IPs from legitimate users. In the event of an attack, “safe” IPs are automatically allowed through, while suspicious ones are challenged or blocked.These AI systems learn over time from previous attacks they’ve encountered, adapting for greater accuracy without any manual updating or intervention to counter-changing tactics. This allows the systems to correlate current traffic with historical profiles and continuously reassess the safety of certain profiles. This ensures that legitimate accounts can continue to access services unimpeded while malicious traffic is contained.Traditional systems cannot achieve this level of precision, and instead tend to shut down applications during attacks, essentially allowing the attackers to win. With advanced AI and ML based defenses, businesses can maintain their service undisturbed for real users, even during an attack.Fighting AI attacks with AI defensesDDoS attacks are becoming increasingly adaptive, using AI to mimic real users, leaving the static rules in traditional solutions unable to identify the subtle signs of attack traffic. Attackers constantly change their methods to avoid fixed security rules. Manually updating defenses each time a new attack method pops up is time-consuming and inefficient.AI-powered solutions overcome this limitation by using the same strategy as attackers, continuously learning from data input to adapt to increasingly convincing DDoS traffic in real time. This can stop even zero-day and self-evolving AI cyberattacks.Staying Ahead of Attackers With Smarter DefensesOur AI-driven WAAP solution delivers intelligent, interconnected protection, enabling businesses to stay ahead of even the most advanced and evolving threats, including L7 DDoS attacks. By leveraging deep traffic analysis, heuristic tagging, and adaptive learning, it provides a proactive defense strategy. With cross-domain capabilities and actionable security insights, Gcore WAAP is an essential asset for security architects and key decision-makers, seamlessly blending innovation with practicality to meet the demands of today’s digital landscape.Interested in exploring WAAP further? Download our ebook to discover cybersecurity best practices, the most prevalent threats, and how WAAP can protect your business’s digital infrastructure. Or, reach out to our team to learn more about Gcore WAAP.Discover why WAAP is a must-have for modern businesses—get your free ebook

Introducing Super Transit for outstanding DDoS protection performance

We understand that security and performance for your online services are non-negotiables. That’s why we’re introducing Super Transit, a cutting-edge DDoS protection and acceleration feature designed to safeguard your infrastructure while delivering lightning-fast connectivity. Read on to discover the benefits of Super Transit, who can benefit from the feature, and how it works.DDoS mitigation meets exceptional network performanceSuper Transit intelligently routes your traffic via Gcore’s 180 point-of-presence global network, proactively detecting, mitigating, and filtering DDoS attacks. When an attack occurs, your customers don’t notice any difference: Their connection remains stable and secure. Plus, they get an enhanced end-user experience, as the delay between the end user and the server is significantly reduced, cutting down latency.“Super Transit allows for fast, worldwide access to our DDoS protection services,” explains Andrey Slastenov, Head of Security at Gcore. “This is particularly important for real-time services such as online gaming and video streaming, where delay can significantly impact user experience.”Who needs Super Transit?Super Transit is designed for enterprises that require both high-performance connectivity and strong DDoS protection. Here’s how it helps different roles in your organization:CISOs and security teams: Reduce risks and help ensure compliance by integrating seamless DDoS protection into your network.CTOs and IT leaders: Optimize traffic performance and maintain uninterrupted business operations.Network engineers and security architects: Simplify security management with API, automated attack mitigation, and secure GRE tunneling.How Super Transit worksSuper Transit optimizes performance and security by performing four steps.Traffic diversion: Incoming traffic is automatically routed through Gcore’s global anycast network, where it undergoes real-time analysis. Malicious traffic is blocked before it can reach your infrastructure.Threat detection and mitigation: Using advanced filtering, Super Transit identifies and neutralizes DDoS attacks.Performance optimization: Legitimate requests are routed through the optimal path within Gcore’s high-performance backbone, minimizing latency and maximizing speed.Secure tunneling to your network: Traffic is securely forwarded to your origin via stable tunneling protocols, providing a smooth, uninterrupted, and secure connection.Get Super Transit today for high-performance securitySuper Transit is available now to all Gcore customers. To get started, get in touch with our security experts who’ll guide you through how to get Super Transit up and running. You can also explore our product documentation, which provides a clear and simple guide to configuring the feature.Our innovations are driven by cutting-edge research, enabling us to stay one step ahead of attackers. We release the latest DDoS attack trends twice yearly, so you can make informed decisions about your security needs. Get the H1 2024 report free.Discover the latest DDoS attack trends with Gcore Radar

How gaming studios can use technology to safeguard players

Online gaming can be an enjoyable and rewarding pastime, providing a sense of community and even improving cognitive skills. During the pandemic, for example, online gaming was proven to boost many players’ mental health and provided a vital social outlet at a time of great isolation. However, despite the overall benefits of gaming, there are two factors that can seriously spoil the gaming experience for players: toxic behavior and cyber attacks.Both toxic behavior and cyberattacks can lead to players abandoning games in order to protect themselves. While it’s impossible to eradicate harmful behaviors completely, robust technology can swiftly detect and ban bullies as well as defend against targeted cyberattacks that can ruin the gaming experience.This article explores how gaming studios can leverage technology to detect toxic behavior, defend against cyber threats, and deliver a safer, more engaging experience for players.Moderating toxic behavior with AI-driven technologyToxic behavior—including harassment, abusive messages, and cheating—has long been a problem in the world of gaming. Toxic behavior not only affects players emotionally but can also damage a studio’s reputation, drive churn, and generate negative reviews.The online disinhibition effect leads some players to behave in ways they may not in real life. But even when it takes place in a virtual world, this negative behavior has real long-term detrimental effects on its targets.While you can’t control how players behave, you can control how quickly you respond.Gaming studios can implement technology that makes dealing with toxic incidents easier and makes gaming a safer environment for everyone. While in the past it may have taken days to verify a complaint about a player’s behavior, today, with AI-driven security and content moderation, toxic behavior can be detected in real time, and automated bans can be enforced. The tool can detect inappropriate images and content and includes speech recognition to detect derogatory or hateful language.In gaming, AI content moderation analyzes player interactions in real time to detect toxic behavior, harmful content, and policy violations. Machine learning models assess chat, voice, and in-game media against predefined rules, flagging or blocking inappropriate content. For example, let’s say a player is struggling with in-game harassment and cheating. With AI-powered moderation tools, chat logs and gameplay behavior are analyzed in real time, identifying toxic players for automated bans. This results in healthier in-game communities, improved player retention, and a more pleasant user experience.Stopping cybercriminals from ruining the gaming experienceAnother factor negatively impacting the gaming experience on a larger scale is cyberattacks. Our recent Radar Report showed that the gaming industry experienced the highest number of DDoS attacks in the last quarter of 2024. The sector is also vulnerable to bot abuse, API attacks, data theft, and account hijacking.Prolonged downtime damages a studio’s reputation—something hackers know all too well. As a result, gaming platforms are prime targets for ransomware, extortion, and data breaches. Cybercriminals target both servers and individual players’ personal information. This naturally leads to a drop in player engagement and widespread frustration.Luckily, security solutions can be put in place to protect gamers from this kind of intrusion:DDoS protection shields game servers from volumetric and targeted attacks, guaranteeing uptime even during high-profile launches. In the event of an attack, malicious traffic is mitigated in real-time, preventing zero downtime and guaranteeing seamless player experiences.WAAP secures game APIs and web services from bot abuse, credential stuffing, and data breaches. It protects against in-game fraud, exploits, and API vulnerabilities.Edge security solutions reduce latency, protecting players without affecting game performance. The Gcore security stack helps ensure fair play, protecting revenue and player retention.Take the first steps to protecting your customersGaming should be a positive and fun experience, not fraught with harassment, bullying, and the threat of cybercrime. Harmful and disruptive behaviors can make it feel unsafe for everyone to play as they wish. That’s why gaming studios should consider how to implement the right technology to help players feel protected.Gcore was founded in 2014 with a focus on the gaming industry. Over the years, we have thwarted many large DDoS attacks and continue to offer robust protection for companies such as Nitrado, Saber, and Wargaming. Our gaming specialization has also led us to develop game-specific countermeasures. If you’d like to learn more about how our cybersecurity solutions for gaming can help you, get in touch.Speak to our gaming solutions experts today

The rise of DDoS attacks on Minecraft and gaming

The gaming industry is a prime target for distributed denial-of-service (DDoS) attacks, which flood servers with malicious traffic to disrupt gameplay. These attacks can cause server outages, leading to player frustration, and financial losses.Minecraft, one of the world’s most popular games with 166 million monthly players, is no exception. But this isn’t just a Minecraft problem. From Call of Duty to GTA, gaming servers worldwide face relentless DDoS attacks as the most-targeted industry, costing game publishers and server operators millions in lost revenue.This article explores what’s driving this surge in gaming-related DDoS attacks, and what lessons can be learned from Minecraft’s experience.How DDoS attacks have disrupted MinecraftMinecraft’s open-ended nature makes it a prime testing ground for cyberattacks. Over the years, major Minecraft servers have been taken down by large-scale DDoS incidents:MCCrash botnet attack: A cross-platform botnet targeted private Minecraft servers, crashing thousands of them in minutes.Wynncraft MC DDoS attack: A Mirai botnet variant launched a multi-terabit DDoS attack on a large Minecraft server. Players could not connect, disrupting gameplay and forcing the server operators to deploy emergency mitigation efforts to restore service.SquidCraft Game attack: DDoS attackers disrupted a Twitch Rivals tournament, cutting off an entire competing team.Why are Minecraft servers frequent DDoS targets?DDoS attacks are widespread in the gaming industry, but certain factors make gaming servers especially vulnerable. Unlike other online services, where brief slowdowns might go unnoticed, even a few milliseconds of lag in a competitive game can ruin the experience. Attackers take advantage of this reliance on stability, using DDoS attacks to create chaos, gain an unfair edge, or even extort victims.Gaming communities rely on always-on availabilityUnlike traditional online services, multiplayer games require real-time responsiveness. A few seconds of lag can ruin a match, and server downtime can send frustrated players to competitors. Attackers exploit this pressure, launching DDoS attacks to disrupt gameplay, extort payments, or damage reputations.How competitive gaming fuels DDoS attacksUnlike other industries where cybercriminals seek financial gain, many gaming DDoS attacks are fueled by rivalry. Attackers might:Sabotage online tournaments by forcing competitors offline.Target popular streamers, making their live games unplayable.Attack rival servers to drive players elsewhere.Minecraft has seen all of these scenarios play out.The rise of DDoS-for-hire servicesDDoS attacks used to require technical expertise. Now, DDoS-as-a-service platforms offer attacks for as little as $10 per hour, making it easier than ever to disrupt gaming servers. The increasing accessibility of these attacks is a growing concern, especially as large-scale incidents continue to emerge.How gaming companies can defend against DDoS attacksWhile attacks are becoming more sophisticated, effective defenses do exist. By implementing proactive security measures, gaming companies can minimize risks and maintain uninterrupted gameplay for customers. Here are four key strategies to protect gaming servers from DDoS attacks.#1 Deploy always-on DDoS protectionGame publishers and server operators need real-time, automated DDoS mitigation. Gcore DDoS Protection analyzes traffic patterns, filters malicious requests, and keeps gaming servers online, even during an attack. In July 2024, Gcore mitigated a massive 1 Tbps DDoS attack on Minecraft servers, highlighting how gaming platforms remain prime targets. While the exact source of such attacks isn’t always straightforward, their frequency and intensity reinforce the need for robust security measures to protect gaming communities from service disruptions.#2 Strengthen network securityGaming companies can reduce attack surfaces in the following ways:Using rate limiting to block excessive requestsImplementing firewalls and intrusion detection systemsObfuscating server IPs to prevent attackers from finding them#3 Educate players and moderatorsSince many DDoS attacks come from within gaming communities, education is key. Server admins, tournament organizers, and players should be trained to recognize and report suspicious behavior.#4 Monitor for early attack indicatorsDDoS attacks often start with warning signs: sudden traffic spikes, frequent disconnections, or network slowdowns. Proactive monitoring can help stop attacks before they escalate.Securing the future of online gamingDDoS attacks against Minecraft servers are part of a broader trend affecting the gaming industry. Whether driven by competition, extortion, or sheer disruption, these attacks compromise gameplay, frustrate players, and cause financial losses. Learning from Minecraft’s challenges can help server operators and game developers build stronger defenses and prevent similar attacks across all gaming platforms.While proactive measures like traffic monitoring and server hardening are essential, investing in purpose-built DDoS protection is the most effective way to guarantee uninterrupted gameplay and protect gaming communities. Gcore provides advanced, multi-layered DDoS protection specifically designed for gaming servers, including countermeasures tailored to Minecraft and other gaming servers. With a deep understanding of the industry’s security challenges, we help server owners keep their platforms secure, responsive, and resilient—no matter the type of attack.Want to take the next step in securing your gaming servers?Download our ultimate guide to preventing Minecraft DDoS

Subscribe to our newsletter

Get the latest industry trends, exclusive insights, and Gcore updates delivered straight to your inbox.

Subscribe