Attack-Defense Routing

Generally A/D routing approaches can be split into two categories: those with a root node responsible for traffic shaping and SNAT, and those with multiple routers that handle a fraction of the total network load.

Star/Tree Topology

those where all the traffic eventually passes through a central node which does the SNAT and traffic control, and those where this functionality is distributed to a set of routers

Tree Routing is by far the simpler and more popular variety, which is demonstrated by its use in all of the well-known A/D gameservers, such as MarkusBauer/saarctf-gameserver, enowars/EnoEngine, fausecteam/ctf-gameserver and their derivatives. Having a single traffic shaping node means all game logic can be configured and stored in a single place. Additionally any live changes to the game network (such network open) can take place by applying rules to a single machine without having to worry about synchronization between routers.

Mesh Networking

Mesh networking is generally more complicated, but lends itself to scenarios where per-machine bandwidth and/or compute resources are limited, such that the entire game traffic cannot be processed on a single node.

Another upside of mesh networking is that for cloud-hosted CTFs, a DoS attack can only impact the teams associated with their router, since this is the only public-facing element of the game network that team will be aware of (scoreboard can be accessible through the game network and as such would not be affected by DoS'ing the public IP). If the router-mapping is N-to-N, which is practical for small CTFs, this allows direct attribution of attacks against the infrastructure.