DDoS mitigation for WebRTC media servers

4 April 2023

Managing a global Real-Time Communications (RTC) application, whether you are leveraging the WebRTC protocol or one of many others, is no easy feat. Even if you have your infrastructure strategy in place and have improved your user experience by managing jitter, packet loss and latency, you may still be targeted by a Distributed Denial of Service (DDoS) attack. In this blog we give a quick rundown of what the impact of a (D)DoS attack may be, looking specifically at WebRTC media servers.


What are WebRTC media servers?

A WebRTC media server is the multimedia middleware that sits between communicating peers. In layman's terms, it is the server that lets the participants of a call see each other's faces on their laptops or phones and hear each other's voices.

To do so, a WebRTC media server forwards media traffic from its source to its destination, through stream processing, group communication (for example a Selective Forwarding Unit relaying one participant's stream to all the others) and media mixing, among other functions. Because the media server handles most of the traffic and most of the heavy lifting in general, it is at the core of both your application and your infrastructure strategy.

Why are media servers vulnerable to DDoS?

Media servers are the cornerstone of your infrastructure strategy, but being critical to your application is not the only reason to protect them from DDoS. There are plenty of other reasons, two of which we'd like to highlight:

High bandwidth usage

Because WebRTC involves real-time streaming of audio and video, media servers use a lot of bandwidth. As the servers act as a relay for that data, they are an attractive target for an attacker who wants to create a bottleneck in your network and disrupt communication: a volumetric flood only has to exceed an uplink the server already keeps busy with legitimate media.

Publicly accessible

In some applications we still see media servers being directly reachable from the internet, meaning anyone with an internet connection can send packets to them. To some extent this is inherent to WebRTC: peers have to reach the server's advertised ICE candidates over UDP, so the media port range cannot simply be closed off. That puts an easy target on their backs, and it is why the filtering discussed later in this post matters.

How can DDoS attacks damage your WebRTC application?

Regardless of the reason behind a DDoS attack on your infrastructure, the results may be dire. They can have a devastating impact on real-time communication applications, such as video conferencing platforms that rely on WebRTC technology. These attacks work by overwhelming a server with a flood of traffic, rendering it inaccessible to legitimate users.

DDoS attacks can disrupt users’ communication

For video conferencing applications, a DDoS attack disrupts the real-time communication itself. Video conferencing relies on users being able to transmit audio and video in real time, which requires a consistent and stable network connection. When an attack floods the server with traffic, it causes delays, jitter and packet loss, all of which severely degrade the quality of the audio and video streams; unlike a web page, a late media packet cannot simply be retried. This can make it impossible for users to communicate effectively, resulting in a frustrating and ineffective user experience.

DDoS attacks can increase downtime for WebRTC applications

In addition to disrupting the communication itself, DDoS attacks can also damage the underlying infrastructure of the video conferencing application. Servers that are targeted by DDoS attacks can suffer from performance issues, crashes, and even complete system failures. This can result in extended downtime for the application, leaving users unable to access the service at all.

DDoS attacks can increase business expenses

DDoS attacks can also put a strain on the resources of the organization hosting the video conferencing application. As an attack floods the server with traffic, it can consume a significant amount of bandwidth and processing power, causing additional expenses for the organization. In some cases, the organization may even need to purchase additional resources to handle the increased traffic, further adding to the costs.

DDoS attacks can disrupt communication, damage infrastructure, and cause significant financial losses. As such, it is crucial for organizations to implement robust DDoS mitigation measures to protect their real-time communication applications and ensure that users can continue to communicate effectively and efficiently.

The challenges of securing media servers against DDoS

Protecting WebRTC media servers against DDoS attacks is a challenging task because DDoS attacks are designed to overwhelm and saturate server resources, making them inaccessible to legitimate users.

Can you achieve complete protection from DDoS attacks for media servers?

While it is possible to implement various measures to mitigate the effects of DDoS attacks, it is impossible to completely protect a WebRTC media server from a determined and well-coordinated DDoS attack. We list some reasons for this below.

Battling against botnets

One reason why it is difficult to achieve 100% protection against DDoS attacks is that these attacks can be launched from a vast network of compromised devices or botnets. Botnets are a collection of devices that are infected with malware and attackers can use these botnets to launch massive DDoS attacks on target servers. Botnets are distributed across many different devices and locations, and it can be challenging to identify and block all the sources of the attack.

Constantly evolving attack methods

Another reason why it is difficult to completely protect WebRTC media servers from DDoS attacks is that these attacks keep evolving and becoming more sophisticated. Attackers can use a variety of techniques: amplification and reflection attacks (DNS and similar UDP services whose replies are far larger than the request that triggered them), SYN floods against the TCP-based signalling and TURN endpoints, or plain UDP floods aimed at the media port range the server has to keep open. The last kind is the hardest to distinguish from legitimate media, especially if the packets are crafted to look like RTP, and attacks specifically built to evade detection can be difficult to detect and block.

Cost and resource limitations

Finally, protecting against DDoS attacks requires significant investment in resources, including hardware, software, and personnel. While many organizations may have some level of protection against DDoS attacks, achieving 100% protection can be prohibitively expensive. As a result, organizations may need to balance the cost of protection against the potential damage caused by a successful DDoS attack.

Anti-DDoS in the network stack

There are, thankfully, a variety of tools available on the market today that protect your resources from DDoS attacks. All tools work differently and can be implemented at different layers of the network stack, ranging from Layer 1 (the physical layer) to Layer 7 (the application layer). Each layer provides different protection angles against DDoS attacks, and a combination of multiple layers is often used to provide comprehensive DDoS protection.

Key considerations for selecting an anti-DDoS solution for your media server

Depending on your infrastructure strategy, to what extent you want to protect your network stack from DDoS attacks and whether you have the in-house knowledge and staff to protect your application, you may want to look for external products to protect your real time communication application. Due to the complexity of anti-DDoS measures across the network stack we’d like to provide you with some pointers on what to look out for when selecting an Anti-DDoS product.

Avoid "free DDoS protection"

Nothing in life is free, and neither is your DDoS protection. There is some truth in that statement even when your infrastructure provider (managed hosting, unmanaged hosting, or plain rental of compute resources) includes DDoS protection at no extra cost. If your provider offers this, it usually sits low in the network stack, at Layer 3 or below. Why? It is the provider's own infrastructure, shared with other customers, and when an attack comes in the provider's anti-DDoS measures exist first to protect that shared infrastructure and the service of its other customers. That may filter some unwanted traffic away from your servers, but it will certainly not catch everything, and it will not "really" protect your real-time communication application from DDoS attacks.

An example of how such a service may "protect" your resources is null routing (also called blackholing, or remotely triggered black hole filtering when the provider announces the route upstream over BGP). Null routing is a Layer 3 mitigation that stops all traffic to the targeted IP address by routing it to a "null", non-existent destination. It deals with the DDoS attack from the provider's point of view, since the flood never reaches their network or your infrastructure, but it does so by discarding legitimate traffic to that address as well: your users lose access to the service on that IP for as long as the null route stays in place, which is exactly what the attacker wanted. Either way, you will experience user impact.

Go for Layer 3 – 4 Protection

While Layer 1–3 protection is a good thing, going one layer up the network stack adds real value for the protection of your real-time communication application. Examples of protection at this level are (custom) Access Control List (ACL) filters and edge filters. Both are network security measures that match on network-layer (L3) fields such as source and destination address and protocol, and on transport-layer (L4) fields such as port numbers.

How do ACL filters protect your WebRTC media server?

(Custom) ACL filters limit access to the network by blocking or allowing traffic based on predefined rules. In the context of DDoS protection, an ACL can block traffic from known sources of DDoS attacks or traffic with suspicious characteristics: for example, traffic from IP addresses known to be part of a botnet, or UDP traffic to ports on which your media server never listens. Note that a plain ACL matches on headers rather than on rates; blocking sources with unusually high request rates needs a rate limiter or policer alongside the ACL. The goal of (custom) ACL filters is to prevent malicious traffic from reaching the target network or application: the ACL is the bouncer, and if you are on the blocklist you are not getting into the venue.

How do edge filters protect your WebRTC media server?

Edge filters are similar to ACL filters but are applied at the edge of the network, usually on a border router or firewall. They can block traffic based on source IP address, destination IP address, protocol type and port number. For DDoS protection, edge filters can block traffic from known attack sources, such as blocklisted IP addresses or entire subnets, and filter out whole classes of traffic the media server does not need. A common example is dropping ICMP, since WebRTC media runs over UDP. Be careful with this one: dropping all ICMP also drops "destination unreachable / fragmentation needed" (and ICMPv6 "packet too big") messages, which breaks path MTU discovery and can silently break connectivity for users behind a path with a smaller MTU. Drop or rate-limit echo requests, but keep the ICMP types the server relies on.

For both protection mechanisms, however, a balance must be achieved. If the filters are set to be too restrictive, legitimate users may be unable to access the service. On the other hand, if the filters are too permissive, they may not effectively protect against DDoS attacks. It is thus important to carefully configure the filters and monitor them for any false positives or false negatives.
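As an added example (not i3D.net's code or product), the Python model below shows the rule order such an ACL or edge filter would carry for one media server, with the blanket "drop all ICMP" setting beside the balanced rule set that keeps the ICMP types path MTU discovery needs. The addresses come from the RFC 5737 documentation ranges; the media port range, STUN port and "known botnet" prefix are assumptions, and the traffic sample is constructed.

```python
"""Edge ACL model for a WebRTC media server.

Added example, not i3D.net code. It models the rule order a border router,
nftables ruleset or cloud security group would carry for one media server.
Everything below is constructed for illustration: the addresses come from the
RFC 5737 documentation ranges, the port numbers are assumptions, and the
"known botnet" prefix is made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MEDIA_SERVER = ip_address("203.0.113.10")       # the SFU's public address (assumed)
MEDIA_PORTS = range(10000, 20001)               # UDP range advertised in ICE candidates (assumed)
STUN_PORT = 3478                                # STUN binding, UDP and TCP
BLOCKLIST = [ip_network("198.51.100.0/24")]     # constructed "known botnet" prefix
# ICMP types the server still needs: 3 = destination unreachable, which carries
# "fragmentation needed" for path MTU discovery; 11 = time exceeded (traceroute).
ICMP_ALLOWED_TYPES = {3, 11}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "udp", "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    fragment: bool = False   # non-initial IP fragment: no L4 header to inspect


def edge_acl(pkt: Packet, drop_all_icmp: bool = False) -> tuple[str, str]:
    """Evaluate one packet, first matching rule wins; returns (verdict, reason).

    drop_all_icmp=True models the blanket "filter out all ICMP" rule; it is the
    over-restrictive setting the default (balanced) rule set avoids.
    """
    src = ip_address(pkt.src)
    if any(src in net for net in BLOCKLIST):
        return "drop", "source on blocklist"
    if ip_address(pkt.dst) != MEDIA_SERVER:
        return "drop", "not a media server address"
    if pkt.fragment:
        # Port rules cannot match fragments, so fragment floods would slip past them.
        return "drop", "ip fragment"
    if pkt.proto == "icmp":
        if drop_all_icmp:
            return "drop", "all icmp filtered"
        if pkt.icmp_type in ICMP_ALLOWED_TYPES:
            return "accept", "icmp needed for pmtud"
        return "drop", "icmp type not needed"
    if pkt.proto == "udp" and (pkt.dport in MEDIA_PORTS or pkt.dport == STUN_PORT):
        return "accept", "webrtc media or stun"
    if pkt.proto == "tcp" and pkt.dport == STUN_PORT:
        return "accept", "stun over tcp"
    return "drop", "default deny"


# Constructed traffic sample, one packet per rule we want to exercise.
SAMPLE_PACKETS = [
    Packet("192.0.2.7", "203.0.113.10", "udp", sport=51000, dport=12345),    # caller media
    Packet("192.0.2.7", "203.0.113.10", "udp", sport=51000, dport=3478),     # STUN binding
    Packet("198.51.100.5", "203.0.113.10", "udp", sport=4000, dport=12345),  # blocklisted bot
    Packet("192.0.2.53", "203.0.113.10", "udp", sport=53, dport=40321),      # DNS reflection reply
    Packet("192.0.2.9", "203.0.113.10", "udp", fragment=True),               # fragment flood
    Packet("192.0.2.1", "203.0.113.10", "icmp", icmp_type=3),                # frag-needed from a router
    Packet("192.0.2.1", "203.0.113.10", "icmp", icmp_type=8),                # echo-request flood
    Packet("192.0.2.7", "203.0.113.11", "udp", sport=51000, dport=12345),    # wrong destination
]


def evaluate(packets, drop_all_icmp=False):
    """Return the verdict for each packet, in order."""
    return [edge_acl(p, drop_all_icmp)[0] for p in packets]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, reason = edge_acl(pkt)
        print(f"{verdict:6} {pkt.proto:4} {pkt.src:>13} -> {pkt.dst}:{pkt.dport}  ({reason})")
```

Run it with the `drop_all_icmp=True` flag and the "fragmentation needed" message from the router is dropped along with the echo-request flood, which is the false positive the paragraph above warns about. Note what the ACL cannot do: a reflection reply or UDP flood whose destination port happens to fall inside the open media range passes it, because the headers are indistinguishable from legitimate media. Closing that gap is the job of the authenticated, dynamic filtering discussed in the next section.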

Advantages of authenticating traffic for WebRTC

Authenticating all traffic at the edge can provide several benefits for DDoS protection on WebRTC media servers, especially when the authentication is done by a dynamic black/grey/whitelist.

Early filtering of malicious traffic to your media servers

IP authentication at the edge allows traffic to be filtered before it reaches the WebRTC media server. This reduces the load on the server and improves its performance: by verifying the legitimacy of traffic before it is allowed through, the authentication system blocks malicious traffic and only lets legitimate traffic reach the server. WebRTC offers a natural signal to authenticate on. A peer that has completed an ICE connectivity check (a STUN binding request carrying the session's ice-ufrag and ice-pwd) is a legitimate participant, while a source that keeps sending without ever completing one is not, however much its packets look like RTP. Filtering on that signal also keeps the server from being overwhelmed by a flood of traffic, the most common tactic used in DDoS attacks.

Improved efficiency of filtering malicious traffic

Secondly, using a dynamic black/grey/whitelist can provide a more effective and flexible way to authenticate traffic. These lists can be automatically updated in real-time to add or remove IP addresses based on their behavior, reputation, or other criteria. For example, IP addresses that have been identified as part of a botnet or that are known to be sources of malicious traffic can be automatically added to a blacklist, while IP addresses that have a good reputation can be added to a whitelist. IP addresses that are neither clearly malicious nor trustworthy can be added to a greylist and subjected to more scrutiny before being allowed to pass through.

Dynamic listing is part of the i3D.net Anti-DDoS solution, something most other providers do not offer. By using these dynamic lists, the authentication system can adapt quickly to changing conditions and respond to new threats. This is especially important for DDoS attacks, where attackers use many compromised devices to generate traffic from many IP addresses. By continuously monitoring and updating the lists, the authentication system can block traffic from these sources as they appear and prevent the DDoS attack from succeeding.
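As an added example (not part of i3D.net's Anti-DDoS product), the Python below implements a dynamic allow/grey/block list driven by the WebRTC authentication signal described above: every unknown source starts greylisted with a small packet budget, just enough to complete a STUN binding and DTLS handshake, is promoted to the allow list only once the media server confirms an ICE check from it, and is blocked if it exhausts the budget without ever authenticating. The budgets, TTLs, the ice_succeeded/consent_refreshed hook names and the timeline are assumptions constructed for illustration.

```python
"""Dynamic allow/grey/block list in front of a WebRTC media server.

Added example, not i3D.net product code. It models the "authenticate at the
edge" idea with one WebRTC-specific signal: a source is promoted to the allow
list only after the media server reports that it completed an ICE connectivity
check (a STUN binding request carrying the session's ice-ufrag and ice-pwd).
Budgets, TTLs and the ice_succeeded/consent_refreshed hooks are assumptions.
"""
from collections import defaultdict, deque

GREY_BUDGET = 20      # packets an unknown source may send per GREY_WINDOW (assumed)
GREY_WINDOW = 10.0    # seconds: enough for STUN binding plus DTLS handshake (assumed)
ALLOW_TTL = 30.0      # seconds: ICE consent freshness (RFC 7675) refreshes it (assumed)
BLOCK_TTL = 600.0     # seconds a flooding source stays blocked (assumed)


class EdgeAuthenticator:
    """Per-source state machine: grey (unknown) -> allow or block, with expiry."""

    def __init__(self):
        self.allow_until = {}                  # src -> expiry timestamp
        self.block_until = {}                  # src -> expiry timestamp
        self.grey_hits = defaultdict(deque)    # src -> packet timestamps in window

    def state(self, src, now):
        if self.block_until.get(src, 0.0) > now:
            return "block"
        if self.allow_until.get(src, 0.0) > now:
            return "allow"
        return "grey"                          # unknown or expired sources start here

    def ice_succeeded(self, src, now):
        """Media server confirmed an ICE check from src: promote to allow list."""
        if self.state(src, now) == "block":
            return False                       # a flooding host cannot talk its way out
        self.allow_until[src] = now + ALLOW_TTL
        self.grey_hits.pop(src, None)
        return True

    def consent_refreshed(self, src, now):
        """Periodic consent check succeeded: keep an allowed source allowed."""
        return self.ice_succeeded(src, now)

    def decide(self, src, now):
        """Verdict for one packet from src at time now: "accept" or "drop"."""
        state = self.state(src, now)
        if state == "block":
            return "drop"
        if state == "allow":
            return "accept"
        hits = self.grey_hits[src]
        while hits and hits[0] <= now - GREY_WINDOW:
            hits.popleft()                     # slide the window
        hits.append(now)
        if len(hits) > GREY_BUDGET:
            # More than a handshake needs, without ever authenticating: block.
            self.block_until[src] = now + BLOCK_TTL
            hits.clear()
            return "drop"
        return "accept"                        # greylisted: let the handshake through


def simulate():
    """Constructed timeline: one real caller and one flooding bot."""
    auth = EdgeAuthenticator()
    caller, bot = "192.0.2.7", "198.51.100.5"   # RFC 5737 documentation addresses
    out = {"caller_accepted": 0, "bot_accepted": 0, "bot_dropped": 0}

    # Caller sends a few STUN/DTLS packets, then the media server confirms ICE.
    for t in (0.0, 0.5, 1.0):
        out["caller_accepted"] += int(auth.decide(caller, t) == "accept")
    auth.ice_succeeded(caller, 1.2)
    out["caller_accepted"] += int(auth.decide(caller, 5.0) == "accept")
    out["caller_state"] = auth.state(caller, 5.0)

    # Bot sends 50 packets in half a second and never completes ICE.
    for i in range(50):
        verdict = auth.decide(bot, 1.0 + i * 0.01)
        out["bot_accepted" if verdict == "accept" else "bot_dropped"] += 1
    out["bot_state"] = auth.state(bot, 2.0)
    out["bot_can_authenticate"] = auth.ice_succeeded(bot, 2.0)
    out["bot_state_after_ttl"] = auth.state(bot, 2.0 + BLOCK_TTL)
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Two design points carry the security value. The allow list expires on its own and is only kept alive by the media server's consent checks, so a session that ends or a host that is later compromised does not stay whitelisted forever; and a blocked source cannot unblock itself by completing an ICE check, since the block is a signal that the host was flooding regardless of whether it also holds valid credentials. In a real deployment the same state would live in the edge device's dynamic lists, with the media server pushing the promotion events.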

Securing media servers without compromising on latency

Dynamic lists or not, you want to implement any anti-DDoS mechanism without adding latency. Many DDoS mitigation techniques are executed in "scrubbing centers", and these can add latency. A DDoS scrubbing center is a specialized facility that provides DDoS protection and mitigation services to organizations at risk of attack. These facilities, however, are usually data centers with spare capacity in a few select regions. During mitigation your end users' packets are sent to the nearest scrubbing center, possibly halfway across the world, scrubbed, and then forwarded on, adding that extra round trip to every media packet. For a real-time call the added delay lands directly on top of the latency budget you have already spent on jitter buffering, so ask where a provider's scrubbing capacity actually sits relative to your media servers and your users.

Overall, authenticating all traffic at the edge using dynamic black/grey/whitelists can provide an effective way to prevent DDoS attacks on WebRTC media servers. By filtering traffic before it reaches the server and making real-time updates to the authentication lists, this approach can provide a high level of protection against both known and unknown threats.

There is a vast difference between DDoS mitigation options. Depending on the level of risk you want to assume, and to what extent user impact is crucial for your application, it may pay off to do your due diligence on the Anti-DDoS measures you have in place today. How your providers protect you today and to what extent you are at risk are questions you should have answers for.

Main Take-Aways

A global Real-Time Communications (RTC) application will sooner or later be targeted by a DDoS attack, and the WebRTC media server is the natural target: it carries the most bandwidth and has to stay reachable over UDP. Complete protection is not achievable against botnets, evolving attack methods and finite budgets, so the real questions are how much risk you accept and how much user impact you can tolerate. "Free" provider-level protection at Layer 3 and below typically ends in null routing, which takes your service offline along with the attack. Layer 3–4 ACL and edge filters help, as long as they are tuned to let the media port range and the ICMP types the server needs through. Authenticating traffic at the edge with dynamic black/grey/whitelists goes further and adapts to new sources as an attack evolves, provided the mitigation does not route your media through a distant scrubbing center and add latency. Know how your providers protect you today and to what extent you are at risk.

Get in touch with our experts and discover what our anti-DDoS solution can do for your WebRTC application.