docs: update DDoS section — Velocity proxy means minimal attack surface

jester 2026-03-28 19:00:49 +00:00
parent 91f3b15992
commit d59b295eee


@ -182,18 +182,19 @@ GTHost Detroit is the primary host. Decision made to stay on GTHost long-term:
- OVH: more expensive, overkill for current scale
- Hetzner: Proxmox install was painful historically
### DDoS Protection (Resolved — Accepted Risk at Launch)
### DDoS Protection (Resolved — Minimal Attack Surface, Accepted Risk)
Investigation complete:
- GTHost Detroit page: no DDoS mention
- GTHost Chicago page: vague mention, no specs
- Cloudflare Spectrum: ~$30k/year, not viable
- Path.net: enterprise-focused, requires consult, not on our radar yet
- OPNsense provides basic rate limiting and firewall protection
- Cloudflare DNS (non-proxied) hides real IP from casual attackers
Investigation complete. Attack surface is actually very small:
- All infrastructure is internal to Proxmox — not publicly exposed
- Portal, API, admin access all internal or behind Twingate
- Minecraft player traffic is proxied through Velocity VM — individual game containers never directly exposed
- Only the Velocity VM TCP port is public-facing
- Minecraft Java uses TCP — harder to volumetric flood than UDP games
- OPNsense rate limiting on Velocity-facing port is sufficient for launch
- Cloudflare DNS (non-proxied) hides real IP from casual attackers
**Decision:** Accept DDoS risk at launch. Low threat profile for Minecraft-only soft launch with small user base. Revisit when revenue supports it or if an attack occurs.
**Decision:** Architecture is well-designed — attack surface is minimal. Accept remaining risk at launch. Revisit if attack occurs or revenue supports additional mitigation.
---
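Review bot: the line `Cloudflare DNS (non-proxied) hides real IP from casual attackers` is incorrect and should be reworded or dropped: a non-proxied (grey-cloud) record answers with the origin address, so anyone who resolves the hostname gets the real IP; only proxied records hide it, and Cloudflare does not proxy raw Minecraft TCP without Spectrum, which the removed lines priced at ~$30k/year. In the same hunk, `Minecraft Java uses TCP — harder to volumetric flood than UDP games` conflates the application protocol with link saturation: a UDP reflection flood aimed at the Velocity VM's public IP fills the upstream link whether or not anything listens on UDP, and `OPNsense rate limiting on Velocity-facing port` sits downstream of that link, so it cannot help once the link is full. "Attack surface is minimal" is true for the internal services behind Proxmox and Twingate, but the decision text should say plainly that the single public Velocity endpoint remains exposed to volumetric attack and that this is the risk being accepted. Suggest also keeping the removed Spectrum and Path.net lines so the evaluated alternatives stay on record for the "revisit" step.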
@ -253,5 +254,5 @@ Future work:
- ✅ Browser IDE fully loading at dev-<vmid>.zerolaghub.dev
- ✅ CF Tunnel created and connected to bastion VM
- ✅ Portal copy rewrite — landing, features, FAQ, about, pricing
- ✅ DDoS investigation — accepted risk at launch, revisit post-launch
- ✅ DDoS investigation — minimal attack surface, Velocity proxy + internal architecture, accepted risk
- ✅ Hosting provider decision — GTHost Detroit, most cost-effective option
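Review bot: the replacement checklist line drops the `revisit post-launch` wording even though the section body still carries it (`Revisit if attack occurs or revenue supports additional mitigation`), so the open follow-up is no longer visible in the summary; suggest appending `revisit post-launch or on first attack` to the new line so the accepted risk keeps a visible trigger.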