Over the years Radware has followed the evolution of DDoS attacks directed at the gaming industry. For the industry, large-scale DDoS attacks can result in network outages or service degradation and has become an everyday occurrence. In 2016 Lizard Squad and Poodle Corp launched repeated attacks against EA, Blizzard and Riot Games, resulting in service degradation and outages for users around the world.
The main motivation for attackers in most situations is the simple thrill of disrupting game play and tournaments. A secondary motivation is disrupting crucial moments when gamers are trying to take advantage of new expansion packs or in-game specials.
Attackers targeting the gaming industry can range from users who pay for DDoS services to experienced attackers who possess the ability to launch large scale spoofed attacks. Experienced attackers are able to sustain high volumes of attack traffic. The advanced attackers are also able to consistently change attack vectors in an attempt to defeat mitigation systems. These vectors often include SYN floods, ACK floods, TCP reset attacks, UDP floods and fragmented UDP floods. The determination and systematic targeting of these services show how motivated attackers can be to knock a game offline.
Over the last month several gaming companies have been dealing with a series of Denial of Service attacks. Final Fantasy XIV specifically has been dealing with an advanced and persistent denial of service attack that has included changing attack vectors. These attacks that have flooded Square Enix’s networks resulted in intermittent service degradation and disconnection for over a month. Square Enix in a recent statement confirmed that they have experienced a series of attacks from a third party since mid-June. The attacks appear to have started in parallel with the release of the second expansion pack, Stormblood, for Final Fantasy XIV on June 16th. These attacks have now transferred from targeting Square Enix’s game servers to their upstream providers.
DDoS attacks and natural floods on the gaming industry also have an impact on network providers who must deal with potential Internet pipe saturation. As attacks continue to increase in quantity and volume they will not only pose a threat to the gaming operators, but also effect network providers who have to absorb these massive floods of traffic.
One of the biggest challenges for mitigating a DDoS attack against gaming platforms is distinguishing the difference between legitimate and malicious users. Attackers will often launch DDoS attacks during the release of a new title due to an increased load on the network. False positives and false negatives at moments like this can create major problems for gamers and providers. If a gamer’s traffic is falsely identified as malicious, it results in a loss of connectivity for that user. If the traffic is malicious and deemed legitimate, it allows the user to continue carrying out their attack.
Only advanced anti-DDoS solutions can successfully distinguish the difference between malicious traffic and legitimate users. An advanced anti-DDoS solution that includes behavioral analysis and challenge responses allow users to access gaming content during an attack. With a behavioral analysis algorithm, a baseline of application behavior can be established so when an attack is launched the traffic can be compare to the baseline allowing the system to detect and drop suspicious traffic. When looking for a solution, organizations should look for one that can accurately detect attacks in a very short timeframe without denying legitimate users access to network resources.
In addition, a challenge response (C/R) mechanisms can also help prevent malicious traffic from targeting networks. If the source is suspected to be suspicious, a challenge will be presented to the source so it can be determined if the request was legitimate.
Organizations should reevaluate today’s DDoS protection systems, and more specifically, solutions that rely on traditional, rate-based detection methods.
Read the 2016–2017 Global Application & Network Security Report by Radware’s Emergency Response Team.
Daniel Smith is an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network and application based vulnerabilities. Daniel’s research focuses in on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware develop signatures and mitigation attacks proactively for its customers.