NetConnPacketTimeLimitMSPerFrame
NetConnPacketTimeLimitMSPerFrame
#Overview
name: NetConnPacketTimeLimitMSPerFrame
The value of this variable can be defined or overridden in .ini config files. 1 .ini config file referencing this setting variable.
It is referenced in 6 C++ source files.
#Summary
#Usage in the C++ source code
The purpose of NetConnPacketTimeLimitMSPerFrame is to set a time limit for processing NetConnection packets within a single frame for DDoS (Distributed Denial of Service) detection and prevention.
This setting variable is primarily used by the networking subsystem of Unreal Engine, specifically within the DDoS detection module. It’s part of the Net/Core module, which handles core networking functionalities.
The value of this variable is set through the game’s configuration file (GEngineIni). It’s read in the InitConfig function of the FDDoSDetection class.
NetConnPacketTimeLimitMSPerFrame interacts with other DDoS detection variables such as PacketLimitPerFrame and PacketTimeLimitMSPerFrame. Together, these variables form a set of limits to detect and prevent potential DDoS attacks.
Developers must be aware that this variable directly impacts the game’s network performance and security. Setting it too low might cause false positives in DDoS detection, while setting it too high might leave the game vulnerable to actual DDoS attacks.
Best practices when using this variable include:
- Carefully tuning its value based on your game’s specific networking requirements and expected player count.
- Testing thoroughly with various network conditions to ensure it doesn’t negatively impact legitimate players.
- Using it in conjunction with other DDoS prevention measures for a more robust security setup.
- Regularly reviewing and adjusting this value based on real-world performance data and any detected security incidents.
- Considering different values for different game modes or player counts if necessary.
#Setting Variables
#References In INI files
Location: <Workspace>/Engine/Config/BaseEngine.ini:1694, section: [DDoSDetection.DebilitatingDDoS]
- INI Section:
DDoSDetection.DebilitatingDDoS - Raw value:
100 - Is Array:
False
#References in C++ code
#Callsites
This variable is referenced in the following C++ source code:
#Loc: <Workspace>/Engine/Source/Runtime/Net/Core/Private/Net/Core/Misc/DDoSDetection.cpp:139
Scope (from outer to inner):
file
function void FDDoSDetection::InitConfig
Source code excerpt:
GConfig->GetInt(*CurSection, TEXT("PacketLimitPerFrame"), CurState.PacketLimitPerFrame, GEngineIni);
GConfig->GetInt(*CurSection, TEXT("PacketTimeLimitMSPerFrame"), CurState.PacketTimeLimitMSPerFrame, GEngineIni);
GConfig->GetInt(*CurSection, TEXT("NetConnPacketTimeLimitMSPerFrame"), CurState.NetConnPacketTimeLimitMSPerFrame, GEngineIni);
GConfig->GetInt(*CurSection, TEXT("CooloffTime"), CurState.CooloffTime, GEngineIni);
if (GConfig->GetInt(*CurSection, TEXT("EscalateTimeQuotaMSPerFrame"), EscalateTime32, GEngineIni))
{
CurState.EscalateTimeQuotaMSPerFrame = IntCastChecked<int16>(EscalateTime32);
}
#Loc: <Workspace>/Engine/Source/Runtime/Net/Core/Public/Net/Core/Misc/DDoSDetection.h:86
Scope: file
Source code excerpt:
/** The limit for time spent processing NetConnection packets, each frame (counts all packets time, non-NetConn and NetConn) */
int32 NetConnPacketTimeLimitMSPerFrame;
/** The amount of time, in seconds, before the current DDoS severity category cools off and de-escalates */
int32 CooloffTime;
FDDoSState()
#Loc: <Workspace>/Engine/Source/Runtime/Net/Core/Public/Net/Core/Misc/DDoSDetection.h:100
Scope (from outer to inner):
file
function FDDoSState
Source code excerpt:
, PacketLimitPerFrame(-1)
, PacketTimeLimitMSPerFrame(-1)
, NetConnPacketTimeLimitMSPerFrame(-1)
, CooloffTime(-1)
{
}
/**
* Whether or not the specified counters and time passed has hit any of the quota's
#Loc: <Workspace>/Engine/Source/Runtime/Net/Core/Public/Net/Core/Misc/DDoSDetection.h:146
Scope (from outer to inner):
file
function void ApplyState
Source code excerpt:
Target.PacketLimitPerFrame = PacketLimitPerFrame;
Target.PacketTimeLimitMSPerFrame = PacketTimeLimitMSPerFrame;
Target.NetConnPacketTimeLimitMSPerFrame = NetConnPacketTimeLimitMSPerFrame;
Target.CooloffTime = CooloffTime;
}
/**
* Applies only the per-frame adjusted state (based on expected vs actual framerate), to active DDoS protection.
* ApplyState should be called, first.
#Loc: <Workspace>/Engine/Source/Runtime/Net/Core/Public/Net/Core/Misc/DDoSDetection.h:160
Scope (from outer to inner):
file
function void ApplyAdjustedState
Source code excerpt:
Target.PacketLimitPerFrame = (PacketLimitPerFrame == -1 ? -1 : (int32)((float)PacketLimitPerFrame * FrameAdjustment));
Target.PacketTimeLimitMSPerFrame = (PacketTimeLimitMSPerFrame == -1 ? -1 : (int32)((float)PacketTimeLimitMSPerFrame * FrameAdjustment));
Target.NetConnPacketTimeLimitMSPerFrame = (NetConnPacketTimeLimitMSPerFrame == -1 ? -1 : (int32)((float)NetConnPacketTimeLimitMSPerFrame * FrameAdjustment));
}
};
/**
* The main DDoS detection tracking class, for counting packets and applying restrictions.
#Loc: <Workspace>/Engine/Source/Runtime/Net/Core/Public/Net/Core/Misc/DDoSDetection.h:283
Scope (from outer to inner):
file
class class FDDoSDetection : protected FDDoSPacketCounters, protected FDDoSState
function bool CheckNetConnLimits
Source code excerpt:
bool CheckNetConnLimits()
{
return NetConnPacketTimeLimitMSPerFrame > 0 &&
(int32)((FPlatformTime::Seconds() - StartFrameRecvTimestamp) * 1000.0) > NetConnPacketTimeLimitMSPerFrame;
}
protected:
/** Whether or not DDoS detection is presently enabled */