From d59b295eeef835026caf1faf299705349e02a4b6 Mon Sep 17 00:00:00 2001 From: jester Date: Sat, 28 Mar 2026 19:00:49 +0000 Subject: [PATCH] =?UTF-8?q?docs:=20update=20DDoS=20section=20=E2=80=94=20V?= =?UTF-8?q?elocity=20proxy=20means=20minimal=20attack=20surface?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- OPEN_THREADS.md | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/OPEN_THREADS.md b/OPEN_THREADS.md index 42d4e1d..e75c4f0 100644 --- a/OPEN_THREADS.md +++ b/OPEN_THREADS.md 
@@ -182,18 +182,19 @@ GTHost Detroit is the primary host. Decision made to stay on GTHost long-term: - OVH: more expensive, overkill for current scale - Hetzner: Proxmox install was painful historically -### DDoS Protection (Resolved — Accepted Risk at Launch) +### DDoS Protection (Resolved — Minimal Attack Surface, Accepted Risk) -Investigation complete: -- GTHost Detroit page: no DDoS mention -- GTHost Chicago page: vague mention, no specs -- Cloudflare Spectrum: ~$30k/year, not viable -- Path.net: enterprise-focused, requires consult, not on our radar yet -- OPNsense provides basic rate limiting and firewall protection -- Cloudflare DNS (non-proxied) hides real IP from casual attackers +Investigation complete. Attack surface is actually very small: + +- All infrastructure is internal to Proxmox — not publicly exposed +- Portal, API, admin access all internal or behind Twingate +- Minecraft player traffic is proxied through Velocity VM — individual game containers never directly exposed +- Only the Velocity VM TCP port is public-facing - Minecraft Java uses TCP — harder to volumetric flood than UDP games +- OPNsense rate limiting on Velocity-facing port is sufficient for launch +- Cloudflare DNS (non-proxied) hides real IP from casual attackers -**Decision:** Accept DDoS risk at launch. Low threat profile for Minecraft-only soft launch with small user base. Revisit when revenue supports it or if an attack occurs. +**Decision:** Architecture is well-designed — attack surface is minimal. Accept remaining risk at launch. Revisit if attack occurs or revenue supports additional mitigation. --- 
@@ -253,5 +254,5 @@ Future work: - ✅ Browser IDE fully loading at dev-.zerolaghub.dev - ✅ CF Tunnel created and connected to bastion VM - ✅ Portal copy rewrite — landing, features, FAQ, about, pricing -- ✅ DDoS investigation — accepted risk at launch, revisit post-launch +- ✅ DDoS investigation — minimal attack surface, Velocity proxy + internal architecture, accepted risk - ✅ Hosting provider decision — GTHost Detroit, most cost-effective option
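Review bot: in the first hunk (the rewritten `### DDoS Protection` section) the argument conflates a small attack surface with low DDoS exposure, and two bullets do not hold up. Funnelling all player traffic through a single public port on the Velocity VM does not reduce volumetric exposure; it concentrates it, so a flood on that one port takes every game container offline at once, and `OPNsense rate limiting on Velocity-facing port is sufficient for launch` cannot help once the upstream link is saturated, because the packets are dropped before they reach the firewall. `Cloudflare DNS (non-proxied) hides real IP from casual attackers` is also wrong: an unproxied record publishes the origin IP directly in the A record, so it hides nothing. Suggest rewording the section to say the proxy limits which hosts are reachable rather than claiming it mitigates DDoS, and restoring the deleted evaluation bullets (`Cloudflare Spectrum: ~$30k/year, not viable`, `Path.net: enterprise-focused, requires consult`) so the rejected options stay on record for the promised revisit.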
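Review bot: the second hunk drops the revisit trigger from the checklist line. The old entry read `accepted risk at launch, revisit post-launch`, and the decision text in the first hunk still says `Revisit if attack occurs or revenue supports additional mitigation`, but the new checklist line ends at `accepted risk`. Keep the revisit condition in the summary line so the two places agree, for example `... accepted risk, revisit on attack or when revenue allows`.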