By Daniel Smith, head of security research, Radware's emergency response team
One of the most significant issues facing the online gaming industry is service availability as large-scale Distributed Denial of Service (DDoS) attacks are still an everyday occurrence.
Unfortunately, denial of service attacks have always been and will always be a part of the gaming culture, but not every outage is malicious in nature. For example, when hundreds of thousands of users attempt to log in simultaneously, it creates tremendous stress on some of the largest networks in the world, resulting in a natural flood of users that can cause an outage. For operators defending these networks, identifying and mitigating malicious traffic during these times can be difficult even for the most advanced team.
The good news is most of these attacks can often be forecast, allowing operators time to prepare. In general, what makes gaming companies attractive targets to “DDoSers” is their massive user base and potential impact. Criminals will often strategically launch DDoS attacks during a new release, tournament or special promotion because they know there will be an increase of traffic and stress put on the network, allowing them to cause the greatest amount of damage and impact the most users. For example, in October 2018 Ubisoft’s new release, Assassin’s Creed: Odyssey, was targeted on its release day by a series of DDoS attacks that prevented users from connecting to the game’s servers.
Three Types of DDoS Attackers
There are numerous reasons why someone would launch a denial of service attack against an online gaming platform, but most can be categorized into one of three groups.
The first group is known for their trolling antics and a general desire to disrupt another person’s day. Their assaults typically come at the most crucial moments when gamers are looking to take advantage of particular in-game content or bonuses. These events occur on specific dates and times and attackers will deliberately target their DDoS attacks during these set times. This group gets the reaction they are looking for when gamers voice their frustration at the situation and gaming operators over social media.
The second group are those that attack in retaliation. For example, when Blizzard Entertainment banned a large group of users for using automatic triggering and aimbots, the company experienced a DDoS attack in response. This group attacks their targets immediately following the ban and its only goal is to inflict damage to the company directly.
The third group of attackers are attention seekers or profiteers. Their attacks are focused mainly on tournament disruption and booting specific players for profit or stunt DDoS'ing to advertise their services during major releases or holidays. By launching these attacks, their mission is to generate profit and social clout.
DDoS attacks aimed at the gaming industry have evolved at rapid rates over the last five years, mainly due to the adoption of Internet of Things (IoT) devices by general consumers. Typically, today's DDoS attacks target the game industry through IoT botnets like Mirai. They produce massive volumetric attacks causing severe problems not only to game operators and their users, but to service providers who will have to absorb the high-volume attacks.
These DDoS campaigns are often conducted by attackers that have a basic to advanced understanding of network and application security. If they are unable to flood the gaming servers, they will find another bottleneck or attempt to target upstream providers.
Before the release of Square Enix’s Final Fantasy XIV expansion pack Stormblood in June 2017, the company relocated its servers to provide their users with better service availability and increased optimization. Unfortunately, attackers were still able to identify the locations of the new servers and DDoS attacks occurred in parallel with the release date of the Stormblood expansion. The attacks against the release persisted over several days and eventually escalated from targeting Square Enix’s game servers directly to attacking their upstream providers.
The advanced attackers are also able to consistently change attack vectors in an attempt to defeat modern day mitigation systems. One of the more prominent trends in 2017 was the increase in short-burst attacks, which over time have increased in complexity, frequency and duration. Burst tactics are typically used against gaming websites and service providers due to their sensitivity to service availability among their users. Timely or random bursts of high traffic can leave the targeted organization paralyzed causing a severe service disruption for its users.
Large-scale DDoS attacks and natural floods also have a significant impact on network providers who must deal with pipe saturations as massive volumetric attacks are directed at their clients. This kind of disruption typically leads to high latency and service degradation impacting additional enterprise customers of the ISP as the attack consumes provider resources.
As DDoS attacks increase in volume, they will continue to pose a threat not only to gaming operators, but to network providers as well.
The determination and systematic targeting of these services show how motivated attackers can be. Looking forward, one of the last major releases for the year, Battlefield V, will go live on November 20th. It's expected that due to high demand, the release could experience latency and service degradation due to natural floods of users or, worse, be targeted by a series of DDoS attacks. The last release, Battlefield 1 on October 21, 2016, was severely affected along with other major services that day by a denial of service attack that was launched against Dyn’s managed DNS infrastructure.
Since these attacks generally occur in sync with the launch of significant tournaments, maintaining and inspecting networks is necessary to defend against these types of attacks. For the online gaming industry and service providers, it’s critical to get into a pattern of auditing their systems ahead of major tournaments and releases so that there is plenty of time to review and make the necessary adjustments if needed to prevent service outages. Most attacks targeting the gaming industry can be forecasted and with proper planning you can ensure service availability for both you and your users.
About Daniel Smith
Daniel Smith is Head of Security Research for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network and application based vulnerabilities.