NetConnPacketTimeLimitMSPerFrame

NetConnPacketTimeLimitMSPerFrame

#Overview

name: NetConnPacketTimeLimitMSPerFrame

The value of this variable can be defined or overridden in .ini config files. 1 .ini config file referencing this setting variable.

It is referenced in 6 C++ source files.

#Summary

#Usage in the C++ source code

The purpose of NetConnPacketTimeLimitMSPerFrame is to set a time limit for processing NetConnection packets within a single frame for DDoS (Distributed Denial of Service) detection and prevention.

This setting variable is primarily used by the networking subsystem of Unreal Engine, specifically within the DDoS detection module. It’s part of the Net/Core module, which handles core networking functionalities.

The value of this variable is set through the game’s configuration file (GEngineIni). It’s read in the InitConfig function of the FDDoSDetection class.

NetConnPacketTimeLimitMSPerFrame interacts with other DDoS detection variables such as PacketLimitPerFrame and PacketTimeLimitMSPerFrame. Together, these variables form a set of limits to detect and prevent potential DDoS attacks.

Developers must be aware that this variable directly impacts the game’s network performance and security. Setting it too low might cause false positives in DDoS detection, while setting it too high might leave the game vulnerable to actual DDoS attacks.

Best practices when using this variable include:

  1. Carefully tuning its value based on your game’s specific networking requirements and expected player count.
  2. Testing thoroughly with various network conditions to ensure it doesn’t negatively impact legitimate players.
  3. Using it in conjunction with other DDoS prevention measures for a more robust security setup.
  4. Regularly reviewing and adjusting this value based on real-world performance data and any detected security incidents.
  5. Considering different values for different game modes or player counts if necessary.

#Setting Variables

#References In INI files

Location: <Workspace>/Engine/Config/BaseEngine.ini:1694, section: [DDoSDetection.DebilitatingDDoS]

#References in C++ code

#Callsites

This variable is referenced in the following C++ source code:

#Loc: <Workspace>/Engine/Source/Runtime/Net/Core/Private/Net/Core/Misc/DDoSDetection.cpp:139

Scope (from outer to inner):

file
function     void FDDoSDetection::InitConfig

Source code excerpt:

				GConfig->GetInt(*CurSection, TEXT("PacketLimitPerFrame"), CurState.PacketLimitPerFrame, GEngineIni);
				GConfig->GetInt(*CurSection, TEXT("PacketTimeLimitMSPerFrame"), CurState.PacketTimeLimitMSPerFrame, GEngineIni);
				GConfig->GetInt(*CurSection, TEXT("NetConnPacketTimeLimitMSPerFrame"), CurState.NetConnPacketTimeLimitMSPerFrame, GEngineIni);
				GConfig->GetInt(*CurSection, TEXT("CooloffTime"), CurState.CooloffTime, GEngineIni);

				if (GConfig->GetInt(*CurSection, TEXT("EscalateTimeQuotaMSPerFrame"), EscalateTime32, GEngineIni))
				{
					CurState.EscalateTimeQuotaMSPerFrame = IntCastChecked<int16>(EscalateTime32);
				}

#Loc: <Workspace>/Engine/Source/Runtime/Net/Core/Public/Net/Core/Misc/DDoSDetection.h:86

Scope: file

Source code excerpt:


	/** The limit for time spent processing NetConnection packets, each frame (counts all packets time, non-NetConn and NetConn) */
	int32 NetConnPacketTimeLimitMSPerFrame;

	/** The amount of time, in seconds, before the current DDoS severity category cools off and de-escalates */
	int32 CooloffTime;


	FDDoSState()

#Loc: <Workspace>/Engine/Source/Runtime/Net/Core/Public/Net/Core/Misc/DDoSDetection.h:100

Scope (from outer to inner):

file
function     FDDoSState

Source code excerpt:

		, PacketLimitPerFrame(-1)
		, PacketTimeLimitMSPerFrame(-1)
		, NetConnPacketTimeLimitMSPerFrame(-1)
		, CooloffTime(-1)
	{
	}

	/**
	 * Whether or not the specified counters and time passed has hit any of the quota's

#Loc: <Workspace>/Engine/Source/Runtime/Net/Core/Public/Net/Core/Misc/DDoSDetection.h:146

Scope (from outer to inner):

file
function     void ApplyState

Source code excerpt:

		Target.PacketLimitPerFrame					= PacketLimitPerFrame;
		Target.PacketTimeLimitMSPerFrame			= PacketTimeLimitMSPerFrame;
		Target.NetConnPacketTimeLimitMSPerFrame		= NetConnPacketTimeLimitMSPerFrame;
		Target.CooloffTime							= CooloffTime;
	}

	/**
	 * Applies only the per-frame adjusted state (based on expected vs actual framerate), to active DDoS protection.
	 * ApplyState should be called, first.

#Loc: <Workspace>/Engine/Source/Runtime/Net/Core/Public/Net/Core/Misc/DDoSDetection.h:160

Scope (from outer to inner):

file
function     void ApplyAdjustedState

Source code excerpt:

		Target.PacketLimitPerFrame				= (PacketLimitPerFrame == -1 ? -1 : (int32)((float)PacketLimitPerFrame * FrameAdjustment));
		Target.PacketTimeLimitMSPerFrame		= (PacketTimeLimitMSPerFrame == -1 ? -1 : (int32)((float)PacketTimeLimitMSPerFrame * FrameAdjustment));
		Target.NetConnPacketTimeLimitMSPerFrame	= (NetConnPacketTimeLimitMSPerFrame == -1 ? -1 : (int32)((float)NetConnPacketTimeLimitMSPerFrame * FrameAdjustment));
	}
};


/**
 * The main DDoS detection tracking class, for counting packets and applying restrictions.

#Loc: <Workspace>/Engine/Source/Runtime/Net/Core/Public/Net/Core/Misc/DDoSDetection.h:283

Scope (from outer to inner):

file
class        class FDDoSDetection : protected FDDoSPacketCounters, protected FDDoSState
function     bool CheckNetConnLimits

Source code excerpt:

	bool CheckNetConnLimits()
	{
		return NetConnPacketTimeLimitMSPerFrame > 0 &&
				(int32)((FPlatformTime::Seconds() - StartFrameRecvTimestamp) * 1000.0) > NetConnPacketTimeLimitMSPerFrame;
	}



protected:
	/** Whether or not DDoS detection is presently enabled */