docs: update DDoS section — Velocity proxy means minimal attack surface
This commit is contained in:
parent
91f3b15992
commit
d59b295eee
@ -182,18 +182,19 @@ GTHost Detroit is the primary host. Decision made to stay on GTHost long-term:
|
|||||||
- OVH: more expensive, overkill for current scale
|
- OVH: more expensive, overkill for current scale
|
||||||
- Hetzner: Proxmox install was painful historically
|
- Hetzner: Proxmox install was painful historically
|
||||||
|
|
||||||
### DDoS Protection (Resolved — Accepted Risk at Launch)
|
### DDoS Protection (Resolved — Minimal Attack Surface, Accepted Risk)
|
||||||
|
|
||||||
Investigation complete:
|
Investigation complete. Attack surface is actually very small:
|
||||||
- GTHost Detroit page: no DDoS mention
|
|
||||||
- GTHost Chicago page: vague mention, no specs
|
- All infrastructure is internal to Proxmox — not publicly exposed
|
||||||
- Cloudflare Spectrum: ~$30k/year, not viable
|
- Portal, API, admin access all internal or behind Twingate
|
||||||
- Path.net: enterprise-focused, requires consult, not on our radar yet
|
- Minecraft player traffic is proxied through Velocity VM — individual game containers never directly exposed
|
||||||
- OPNsense provides basic rate limiting and firewall protection
|
- Only the Velocity VM TCP port is public-facing
|
||||||
- Cloudflare DNS (non-proxied) hides real IP from casual attackers
|
|
||||||
- Minecraft Java uses TCP — harder to volumetric flood than UDP games
|
- Minecraft Java uses TCP — harder to volumetric flood than UDP games
|
||||||
|
- OPNsense rate limiting on Velocity-facing port is sufficient for launch
|
||||||
|
- Cloudflare DNS (non-proxied) hides real IP from casual attackers
|
||||||
|
|
||||||
**Decision:** Accept DDoS risk at launch. Low threat profile for Minecraft-only soft launch with small user base. Revisit when revenue supports it or if an attack occurs.
|
**Decision:** Architecture is well-designed — attack surface is minimal. Accept remaining risk at launch. Revisit if attack occurs or revenue supports additional mitigation.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
@ -253,5 +254,5 @@ Future work:
|
|||||||
- ✅ Browser IDE fully loading at dev-<vmid>.zerolaghub.dev
|
- ✅ Browser IDE fully loading at dev-<vmid>.zerolaghub.dev
|
||||||
- ✅ CF Tunnel created and connected to bastion VM
|
- ✅ CF Tunnel created and connected to bastion VM
|
||||||
- ✅ Portal copy rewrite — landing, features, FAQ, about, pricing
|
- ✅ Portal copy rewrite — landing, features, FAQ, about, pricing
|
||||||
- ✅ DDoS investigation — accepted risk at launch, revisit post-launch
|
- ✅ DDoS investigation — minimal attack surface, Velocity proxy + internal architecture, accepted risk
|
||||||
- ✅ Hosting provider decision — GTHost Detroit, most cost-effective option
|
- ✅ Hosting provider decision — GTHost Detroit, most cost-effective option
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user