That Time I Banned Hetzner From Discord

I recently read a news post from the tor project and a related blog post from Pierre Bourdon which reminded me of an interesting anecdote from my experiences at Discord. Both talk about the issue of SYN spoofing on the modern internet, which can often be used as a social engineering attack to get cheap hosts to null-route or otherwise block customer services. While it's not a widely known or exploited attack vector, it should have been solved many years ago, and it's annoying that community-based services are the most subjected to this issue.

In the early days, one of Discord's main selling points for adoption was its ability to mask and protect your IP. At the time, DDoS (and, in most cases, just simple DoS) attacks against individuals (usually via Skype) or dedicated TS3/mumble servers were very common. To implement this, we had to ensure that 100% of user traffic was proxied through infrastructure managed by Discord. This included anything an end-user would interact with, from voice and video data to the images shared in chat.

The largest amount of end-user traffic that needed to be proxied and masked was via our real-time infrastructure. These servers managed all the data transmitted during a voice or video call. Data sent by users is encrypted (today, this is E2EE via DAVE, but at the time, it was purely via symmetric encryption), and thus, these servers had to decrypt and re-encrypt traffic as they proxied it.

Leave a Comment