SARD Proxy

The SARD Proxy enforces network protection, traffic control, encryption, and player validation, providing secure, kernel-level traffic routing from public endpoints to private game servers and allowing verification of proper installation and operation.

1. Overview

SARD Proxy is a high-performance kernel-level gateway that provides:

Transparent traffic routing
Game traffic encryption / decryption
Packet integrity enforcement
Player validation
Immediate kick / connection termination
Anti-sniffing and anti-packet manipulation protection

It operates entirely at Layer 4 using Linux Netfilter hooks and does not require application-level proxying.

2. Architecture

Standard Deployment Model

Player
↓
Public IP (EIP)
↓
SARD Proxy
↓
Kernel inspection hook
↓
Encryption / Decryption
↓
Player validation
↓
Game Server (Private IP)

Key properties:

Game server is NOT publicly exposed
All traffic must pass through SARD Proxy
Return traffic is forced back through Proxy
Fully transparent to the game application

3. Core Capabilities

3.1 Transparent Routing

DNAT ingress routing
SNAT return enforcement
Forced gateway model
No direct public exposure of game server

3.2 Encrypted Game Traffic (Anti-Sniff / Anti-Packet Hack)

SARD Proxy supports real-time encryption and decryption of game traffic between client and server.

Purpose:

Prevent packet sniffing
Prevent replay attacks
Prevent packet manipulation tools
Protect against custom packet injection
Protect sensitive gameplay state

Encryption is session-based and transparent to the game server.

3.3 Kernel-Level Packet Inspection

FORWARD path interception
Stateful session tracking
Protocol-aware processing
Packet size validation
Header integrity validation
Timing anomaly detection

4. Player Validation (Built Into Proxy)

SARD Proxy performs player validation directly at the network layer.

No external validation gateway is required.

Validation occurs:

Before traffic reaches the game server
At session establishment
Continuously during gameplay

Validation Capabilities

Active SARD session verification
Client integrity state validation
Handshake completion enforcement
Session binding to connection
Protocol compliance verification
Encryption negotiation validation

If validation fails, traffic never reaches the game server.

5. Kick & Enforcement Mechanism

SARD Proxy supports immediate player disconnection without involvement of the game server.

Enforcement Actions

TCP connection termination
Silent packet drop
Immediate RST injection
Session invalidation
IP-based blocking (optional)

Benefits:

Zero load on game server
Immediate enforcement
Deterministic security model
No race conditions

6. Server Requirements

6.1 Proxy Server

Component	Requirement
Operating System	Ubuntu 22.04 / 24.04
Linux Kernel	Version 5.15+
Kernel Headers	Installed
Netfilter	Enabled
IP Forwarding	Enabled

Recommended Hardware:

Expected CCU	CPU	RAM	Network
Up to 5k	4 vCPU	8 GB	1 Gbps
5k–20k	8 vCPU	16 GB	10 Gbps
20k+	16+ vCPU	32+ GB	10–25 Gbps

Encryption and validation increase CPU usage proportionally to traffic volume.

6.2 Game Server

Private IP only
Default gateway = Proxy
No public exposure
No encryption logic required
No validation gateway required

7. Performance Characteristics

Kernel-level packet processing
No user-space TCP relay
No application-level proxy
Minimal latency overhead
Suitable for FPS/MMO environments

Typical additional latency: < 0.2 ms intra-region.

8. Operational Requirements

Kernel modules must match running kernel version
Kernel updates require module rebuild
Production kernel should be pinned
NAT and FORWARD chain monitoring recommended

9. Summary

SARD Proxy provides:

Network isolation
Traffic encryption
Packet validation
Player validation
Immediate kick enforcement
No external validation gateway required
High-performance kernel-level processing
Transparent integration

For integration planning, partners should provide:

Expected CCU
Game ports used
Hosting provider
Network topology
DDoS mitigation layer (if any)

SARD Proxy ​

1. Overview ​

2. Architecture ​

Standard Deployment Model ​

3. Core Capabilities ​

3.1 Transparent Routing ​

3.2 Encrypted Game Traffic (Anti-Sniff / Anti-Packet Hack) ​

3.3 Kernel-Level Packet Inspection ​

4. Player Validation (Built Into Proxy) ​

Validation Capabilities ​

5. Kick & Enforcement Mechanism ​

Enforcement Actions ​

6. Server Requirements ​

6.1 Proxy Server ​

6.2 Game Server ​

7. Performance Characteristics ​

8. Operational Requirements ​

9. Summary ​