Torrent Gear

DDoS protection and WAF for iGaming platforms

1) iGaming risk profile: how we differ from regular e-commerce

Traffic spikes on the schedule: tournaments, provider releases, streams; easily disguise L7 floods.

Cash flows: logins/deposits/conclusions - the goal for credential stuffing, carding, L7 floods for payment endpoints.

Real time: live games (WebSocket/WebRTC), quotes for betting; sensitive to p95> 150-250 ms.

Geo/licenses: geofencing; attackers use ASN proxy/rotation to bypass.

Protection KPI: uptime ≥99. 95%, p95 latency ≤ 200ms web/ ≤ 120ms API, FPR WAF <0. 3% on critical flow (login, deposit), MTTD <1 min, MTTR ≤ 15 min until complete stabilization.

2) Multi-level DDoS defense (L3-L7)

Network layer (L3/L4):

Anycast CDN/Edge + scrubbing centers: dispersion of volume attacks (UDP/ICMP, SYN/ACK flood).
BGP announcement via anti-DDoS provider: blackhole/RTBH as a last resort, better - cleaning on the perimeter.
Rate-limit on connections, SYN-cookies, cutoff of non-standard MSS/flags.

Application Layer (L7):

CDN cache and proto-validation (HTTP/2/3): discard abnormal headers, incomplete requests (Slowloris), strange ALPNs.
Request-budget on IP/ASN/session key; token-bucket (leaky bucket) to critical methods.
Dynamic upstream shedding: the perimeter "drops" unimportant roots (media, heavy-reports), leaving auth/payments.

3) WAF as L7-defense brain

Base profiles:

OWASP Top-10 (SQLi/XSS/XXE/RCE), protocol analysis (header tapes, method/content type), anti-evasions.
Positive model for API: strict schemes (JSON-Schema/OpenAPI), whitelisting methods and fields.

The specifics of iGaming:

Login/registration: limits by IP/device/subnet; JS challenge (invisible) instead of captcha on first attempts.
Payment forms: referrer verification, webhook signatures (HMAC with rotation), "cold" responses to frequent AVS/CVV errors.
Promo endpoints: protection against cash basting, frequency of requests for bonuses/freepins, idempotency keys.

Release Policies:

Shadow → simulate → block with FPR/TPR metrics.
Segmentation of rules by market (KYC-rigidity, local payment providers), by traffic (web/app/API).

4) Bots: from credential stuffing to bonus abuse

Signals:

IP/ASN rotation, headless browsers, stable inter-click intervals, lack of WebGL/fonts, ciphersuites are "depersonalized."
Behavior: multiple logins, attempts to select 2FA, high frequencies of promo/jackpot checks, sequences according to the dictionary of emails/numbers.

Measures:

JS/Behavioral Challenge (invisible checks) → captcha only on escalation.
Account protection layers: password + risk-based 2FA, progressive latency, device-bind.
Bot-management provider/module: models at the edge level, labels "probably bot."
Credential stuffing: have-I-been-pwned-like password checks, prohibition of leaked combinations.

5) API and real-time channel protection

API-WAF with positive model: JSON-Schema, depth/size limit, prohibition of unnecessary fields, canonicalization.

mTLS and request signatures (timestamp + nonce, window ≤ 300 s) for partner integrations.

WebSocket/WebRTC (live casino, real-time betting): authentication with a short TTL token, restarting at 401, limiting the frequency of messages, cutting off "empty" pings.

GraphQL (if any): prohibition of introspection in the program, limits on the complexity/depth of the request.

6) Edge/CDN architecture and cache

Anycast PoP closer to the player, static/media cache; bypass cache API with URI and header normalization.

Cache keys: do not include garbage parameters; hash-allowlist protection.

Слои: Edge-WAF → Origin-WAF → App-GW. Each has its own limits and canary rules.

7) Geo, ASN and Compliance

Geo-filters (off-license countries) on edge; soft response 403 with neutral page.

ASN lists: hosting/VPN as a "yellow list" with enhanced challenges; white lists of payment providers and live game studios.

Legal-hold: correct blocking pages (without leaks of technical details), exception logic for auditors/regulator.

8) Observability and early detection

SLO-set: p95/p99 latency, error-rate, saturation edge/origin, share challenges/blocks, success-ratio login/deposit.

Attack signatures: a surge in methods of the same type, an increase in 401/403/429, a "flat" geography, repetitive user-agents.

Synthetics: constant login/deposit/rates samples from different regions.

Threat-intel: subscriptions to botnets/indicators, auto-updates of lists.

9) Incident Management: First Minute to Post-Mortem

Runbook (abbr.):

1. Detect (alert by SLO/signature analysis) → declare the SEV level.

2. Layer identification: network (L3/L4) or application (L7).

3. Mitigate: turn on reinforced WAF profiles, raise rate-limits, turn on JS challenge, temporarily close heavy ruts/exports.

4. Agree on business exceptions: VIP/partners/allow-list payments.

5. Communication: status page, message templates for support (without unnecessary equipment).

6. De-escalation and retro: remove "tough" rules, fix patterns, update playbooks.

10) Defense testing and "combat drills"

Purple-team sessions: imitation of L7 floods (HTTP/2 rapid reset, header abuse, cache-busting), slow attacks (Slowloris/POST).

Load tests: peaks of promo/streams (x5-x10 baseline), profiles of "short explosions" (burst 30-90 s).

Chaos-drills: failure of PoP/CDN regions, withdrawal of one WebSocket channel, expiration of the edge certificate.

Canary rules: roll out new signatures to 5-10% of traffic.

11) Performance and UX with protection enabled

Differentiate friction: invisible JS challenge for everyone; captcha/step-up - only for risky signals.

Session pins: Pin a risk score on a session so as not to "pull" an honest player again.

Cache insensitive checks (AS reputation, geo) on TTL 10-30 min.

12) Integrating WAF with Antifraud/Risk

Event bus: WAF/bot manager tags → anti-fraud features (scoring login/payment).

Both ways solutions: The risk engine can ask WAF to raise the barrier to specific IP/ASN/devices and vice versa.

A single cabinet of cases: tracing "why the player is blocked" (for support and regulator).

13) Special areas: live casino and betting feeds

WebRTC/RTMP: TURN/STUN protection (rate-limit alloc/bind), tokens for 30-60 s, geo-limitation.

Coefficient feeds: read-only endpoints with hard limits and cache on the edge; signed requests for partners.

Content providers: dedicated channels/ASN allow-list, jitter/packet-loss monitoring.

14) Rule/Policy Examples (Simplified)

WAF positive model for POST/api/payments/deposit

Метод: `POST`, `Content-Type: application/json`

JSON-Schema: `amount:number 1..10000`, `currency:[EUR,USD,...]`, `payment_method:[card,crypto]`

Limits: '≤ 5 req/60s' on IP and '≤ 3 req/60s' on account

Actions: > limits → 429 + token challenge; schema-fail → 400 and label "schema_violation"

Bot-policy login

5 unsuccessful logins in 5 minutes → invisible challenge

10 failed captcha → + progressive delay

ASN = hosting + new device → JS challenge at once

Edge-rate-limit для /promo/claim

10 requests/IP/min; 2/min per account; caching the 30s response to edge.

15) Implementation checklist

Anycast CDN + L3/L4 scrubbing, BGP-protect.
WAF with OWASP profile + positive schemes for API.
Bot-management: invisible challenges, escalation to captcha.
Geo/ASN policies, allow-list payments/live game providers.
WebSocket/WebRTC protection: TTL tokens, message limits.
SLO monitoring, synthetics by key flow.
Incident runbook, communication templates, retro procedure.
Regular exercises: L7 floods, cache-busting, PoP failure.
Integration of WAF events ↔ anti-fraud/risk engine.

Resume Summary

Effective protection of the iGaming platform is a layer cake: Anycast + scrubbing on the network, smart WAF with a positive model on the application, bot management for accounting/promo/payments and strict SLO/incident management discipline. Customize the rules for real game flow, escalate friction only at risk, train the team on "combat" scenarios - and you will save uptime, speed and conversion even under a serious attack.