| Item | Detail |
|---|---|
| Hosting | Viettel (Vietnam) - cannot migrate (regulation) |
| Protocol | TCP only (no UDP) |
| Game Server Port | 3001 |
| Networking | Custom raw TCP sockets (System.Net.Sockets) |
| Architecture | Unity Client <-> TCP/IP <-> GameServer (C# .NET) |
- DDoS protection for custom TCP traffic on port 3001
- Server must remain on Viettel (regulatory requirement)
- Solution must work as a proxy/shield in front of Viettel server
- Low latency for Vietnamese players (primary audience)
How it works: Cloudflare proxies TCP traffic through their global network (405 Tbps), filtering DDoS before forwarding clean traffic to origin server.
Why Enterprise is required:
| Plan | TCP (custom port) | UDP | Price |
|---|---|---|---|
| Free | No | No | $0 |
| Pro ($20/mo) | No (SSH/Minecraft only, fixed ports) | No | $20/mo + $1/GB |
| Business ($200/mo) | No (SSH/Minecraft/RDP only) | No | $200/mo |
| Enterprise | Yes (any port) | Yes | Negotiated (~$2,500+/mo) |
Pro/Business plans only support specific protocols on fixed ports:
- SSH: port 22
- Minecraft: port 25565
- RDP: port 3389 (Business+)
None of these can be repurposed for custom game server TCP traffic.
Pros:
- Industry-leading DDoS mitigation (405 Tbps network)
- Global anycast network reduces latency
- No code changes needed
Cons:
- Expensive (Enterprise required for custom TCP)
- Pricing not transparent, requires sales negotiation
Contact: https://www.cloudflare.com/plans/enterprise/contact/
Questions for Cloudflare sales:
- What is the Spectrum TCP pricing for a single origin server in Vietnam?
- Is there a minimum commitment period?
- What is the bandwidth allowance before overage charges?
- Do you have a PoP in Vietnam for low latency?
How it works: Vietnamese DDoS protection provider with game-specific filtering. TCP proxy sits between players and your Viettel server.
Features:
- AI-powered attack detection
- Designed for small-medium game publishers
- L3/L4/L7 protection
- TCP proxy support
Pros:
- Vietnamese company (low latency to Viettel)
- Game-server specific solution
- 7-day free trial available
- Likely cheaper than Cloudflare Enterprise
Cons:
- Smaller network capacity than Cloudflare
- Less proven at massive scale
Contact: https://vnso.vn/en/anti-ddos-game/
Questions for VNSO:
- Pricing for TCP game server protection (single server, port 3001)?
- What is your network capacity (Tbps)?
- Do you have infrastructure peering with Viettel?
- What is the added latency for players in Vietnam?
- Can we do a 7-day trial with our game server?
How it works: Vietnamese cybersecurity company with SOC centers. Provides Anti-DDoS Proxy service filtering at L3/L4/L7.
Features:
- SOC Centers in Vietnam
- Anti-DDoS Proxy for game servers
- Protects against: UDP Flood, TCP SYN Flood, SYN-ACK Reflection, ICMP, DNS Amplification, HTTP attacks
Pros:
- Established Vietnamese company
- Local SOC support
- Game server experience
Cons:
- Pricing not public
- Need to evaluate capacity
Contact:
- Hotline: (028) 7306 8789
- Email: sales@vnetwork.vn
- Website: https://www.vnetwork.vn/en-US/news/cach-chong-ddos-cho-server-game/
Questions for VNETWORK:
- Pricing for TCP game server protection (single server, port 3001)?
- What is your total mitigation capacity?
- Latency overhead for Viettel-hosted origin?
- Do you offer a trial period?
- What SLA do you provide for uptime and mitigation response time?
These services provide a protected IP that proxies clean traffic to your Viettel server. Server stays where it is.
| Service | Starting Price | Website |
|---|---|---|
| Iceline Shield | ~$15/mo | https://iceline-hosting.com/ddos-protection/game-proxy |
| EvoShield | ~$10/mo | https://evolution-host.com/remote-ddos-protection.php |
| X4B | Custom | https://www.x4b.net/kb/Tutorials/ProtectedGameServer |
Pros:
- Cheapest options
- No server migration needed
Cons:
- Servers likely in EU/US (high latency for VN players)
- Smaller companies, less reliable
- May not have Asian PoPs
Questions for international providers:
- Do you have a PoP in Asia (Singapore, Hong Kong)?
- What latency can we expect for Vietnam players?
- What is your mitigation capacity?
Code changes to GameServer to reduce DDoS impact. Should be done regardless of which external provider is chosen.
Improvements to implement:
- Connection rate limiting per IP (partially done in PR #1721)
- Max concurrent connections per IP cap
- TCP handshake validation before allocating server resources
- Idle connection timeout
- Packet size validation at socket layer
- IP blacklist/whitelist (already exists in SocketListener.cs)
Cost: Free (development time only) Limitation: Cannot stop volumetric attacks that saturate the network link
| Criteria | Cloudflare Enterprise | VNSO | VNETWORK | Int'l Proxy | Code Hardening |
|---|---|---|---|---|---|
| Est. Cost | $2,500+/mo | TBD (contact) | TBD (contact) | $10-50/mo | Free |
| Latency (VN) | Low (if VN PoP) | Very Low | Very Low | High | None |
| Capacity | 405 Tbps | TBD | TBD | TBD | N/A |
| Code Changes | None | None | None | None | Yes |
| Server Migration | No | No | No | No | No |
| Trial | No | 7 days free | TBD | TBD | N/A |
| Volumetric Attack | Yes | Yes | Yes | Yes | No |
- Immediate: Request Cloudflare dashboard access (in progress)
- Parallel Track A: Contact Cloudflare sales for Enterprise Spectrum quote
- Parallel Track B: Contact VNSO (free trial) and VNETWORK for quotes
- Parallel Track C: Implement application-level hardening (free)
- Compare: Evaluate quotes on cost, latency, capacity, and reliability
- Decision: Choose provider based on budget and requirements
Document prepared: 2026-03-24 Author: An Vo Purpose: Collect quotes and evaluate DDoS protection options