Pokemon Go launched recently on July 6 with an overwhelming response from fans and players signing up in unprecedented numbers. By July 12, there were over 21 million active users who had downloaded the game to their phones to catch Pokemon like Pikachu and Charmander.
Of course, with the massive influx of players to the game, there were connectivity issues. Potential players could not create accounts and afterwards, they were only logging into the game intermittently. This is most likely due to the game’s designers not properly predicting the number of people wanting to play and scaling out the appropriate pieces of the infrastructure including the registration servers, authentication servers, and application servers.
Second launch, same results
On Saturday, July 16, the game was made available in 26 new countries, mostly in Europe. This second wave of people downloading and playing the game overloaded the game authentication and application servers again. This time, soon after the European launch, some hacker groups claimed responsibility for launching a DDoS attack on the game’s infrastructure, causing the outages. Both OurMine and PoodleCorp claimed responsibility and achieved some credit in the media that they launched an attack to successfully disable the Pokemon Go game temporarily.
In reality, there is little evidence to conclude that they actually caused the outage or if they even launched a DDoS attack. It is more plausible that they are claiming credit after the fact, latching onto the intense media attention being paid to the game. It was most likely the launch of the game in 26 new countries and the influx of new registrations and players that caused the recent game disruptions. This is not different from terrorist organizations claiming responsibility after the fact for disasters which are often due to other causes that the terrorist group had no influence on (natural disaster, mechanical failure, human error, etc.).
Having said that, the potential for a DDoS attack to succeed against an already stressed infrastructure is much higher than normal. The threshold for the systems to be affected is now much lower because the player registrations and logons are essentially creating a legitimate DDoS attack on their own.
Learn from your mistakes
Businesses need to properly prepare and have contingency plans for scenarios such as this. It is unfortunate, though understandable, that the Pokemon Go developers missed the surge of interest at the initial game launch.
One is less forgiving for the game developer to experience a similar situation 10 days later with the expanded launch. This hurts the credibility of the game, the experience of the players, and directly impacts the potential revenue due to the lost players who either did not download the game or had problems with the game and abandoned it.
They also expose themselves to nefarious groups who want to ride on the coattails of the media attention that the game is getting by claiming responsibility for attacks that may not have happened. This shows how vulnerable the infrastructure is to real DDoS threats in the future and will only continue to provide unwanted negative attention to an otherwise popular and successful game.