Case Study
Game-Breaking for $5: When DDoS Attacks Target Online Gaming
Distributed denial of service attacks are nothing new, but they have seen a resurgence of late, with the online gaming industry rising as a favoured target. Lucy Ingham speaks to Igal Zeifman, director of marketing at Imperva Incapsula, to find out how such attacks work, and what other industries can learn from how online gaming handles DDoS
We tend to associate cybersecurity with the new; fresh attack types pose fresh challenges, which security professionals scramble to come up with a solution to before the challenge changes again. However, some types of attacks are older than the perpetrators behind them, having hung on by morphing and adapting to the ever-changing online world.
Distributed denial of service (DDoS) attacks are one of this group, having advanced from denial of service (DoS) attacks, a familiar part of the early wild west-like web.
“A denial of service attack is exactly as the name implies: it's basically an attack, the intent of which is not to steal information or private data, or any other motivation behind other cyberattacks, but just take a service offline, so basically make a service unavailable or unusable for its users,” explains Igal Zeifman, director of marketing at Imperva Incapsula.
Back in the day, DoS attacks were regularly used by hackers to take websites offline, by simply overwhelming their servers with bot traffic that stopped any real users from getting access. As all this traffic was coming from one source, cybersecurity professionals wised up, and DoS went from a devastating attack type to something that was easy to stop.
But then DDoS emerged, which used the same method of overwhelming a server, but from a multitude of different sources.
“A distributed denial of service attack is an attack that attempts to do that but is coming from multiple sources, hence the distributed nature of it,” says Zeifman.
Typically DDoS attacks use a host of devices that have been unwittingly been co-opted into forming a network of bots – a botnet – often through malware packaged in with other downloaded software.
“A DDoS attack in a very basic form, is somebody taking over connected devices, let’s say just installing a virus or a trojan on 50 home computers, and then remotely telling them to start flooding a target with traffic with the intent of basically sending more traffic than that target can handle,” he adds.
And while even DDoS is relatively old, it has recently seen a resurgence as the number of easy to co-opt online devices has multiplied.
“It's not a new phenomenon by any stretch, but in the last few years, and specifically in the last two years, there was a - I would describe it as a spike in DDoS activity,” he explains.
“It has to do with different macro trends that happen in the internet, in the world around us. The introduction of IoT devices, which are used for DDoS attacks; just a general growth of internet population; increase in internet connectivity, which is used by those offenders.”
But this spike hasn’t affected all online industries equally. Online gaming has been the prime target, with Blizzard’s World of Warcraft, Overwatch and Hearthstone games being among the plethora of targets in recent months.
DDoS on a budget: powerful attack, no skill required
One of the biggest reasons DDoS attacks have seen such a spike is that it has become shockingly easy to perform them.
“In the last few years what's happened is that such platforms, called botnets, they became a service of sorts,” summarises Zeifman. “So people started making money from compromising large clusters of devices, it could be computers, it could be CCTV cameras, it could be routers, maybe monitors, whatever. As long as it’s connected to the Internet and you can install a trojan on it, you can compromise it.
“So there are groups of people right now, a lot of them actually, and that's what they do, they basically compromise those devices in bulk, and then they create a service out of it and rent the use of those devices to large DDoS attacks.”
“If you can launch an attack for $5 you're going to get a lot of non-professionals using those services just out of spite, boredom, vandalism.”
For many professional hackers, the value has shifted from the attack itself to the development of tools that other, more amateurish, users can utilise, bringing the ability to perform these attacks to anyone with only basic computer skills and the willingness to pay a small amount for the privilege. Which essentially means bored kids can now attack companies with their pocket money.
“If you just go to Google and Google stresser or booter, you just find a service that allows you to launch a DDoS attack for a little as $5 or $4 per attack,” explains Zeifman.
“Now that obviously influences the type of perpetrators that are launching those attacks, and if you can launch an attack for $5 you're going to get a lot of non-professionals, and in even simpler terms youngsters, using those services just out of spite, boredom, vandalism.”
Online gaming: a prime target for DDoS
The ability for so many young people to perform attacks goes a long way in explaining why online gaming has been so heavily targeted.
“A lot of those non-professional attackers are also involved in the gaming industry, basically they are gamers. And a lot of times DDoS is for them to lash out, maybe against somebody they just played with, so there is a method where you can basically send somebody a Skype invite and if he accepts you can get his home IP from his Skype, and then you can attack his home IP,” he explains.
“Or you can just go ahead and attack the gaming platform because, I don't know, you are unhappy with some decision they made, either you just had a bad time or you want to - I don't know - get some bragging rights in front of your community.”
“You don't need to take a gaming service offline to make it unusable.”
Annoyed gamers can now use DDoS to vent their rage against a platform, making it a common choice of target. However, this is not the only reason it is so frequently attacked.
“When I described a denial of service attack, I mentioned that the intent was basically to take the service offline. With gaming platforms, the goal actually becomes easier: you don't need to take the service offline, it's enough for you to disturb it,” says Zeifman.
“Let's say I wanted to distract an e-commerce site. I'm using my botnet to send a flood of traffic to it, and the best I can do is not take it down completely but cause a small amount of latency to its users, let's say it takes an additional half a second for a page of that website to load. That's not a big deal for e-commerce sites: you can still use Amazon working on a half-second delay,” he explains.
“Now if I'm doing the same on an online game, especially games that happen in real-time, it's as good as taking that game down because you can't play an online game if you experience a half a second latency.”
In an online shooter, for example, such a delay will prevent players from adequately reacting to other players’ attacks, meaning they cannot engage appropriately. As a result, it becomes near impossible to play the game properly, meaning it might as well be offline.
“You don't need to take a gaming service offline to make it unusable. It's actually enough for you to cause a very minor amount of disturbance to its users to make them quit the game.”
Professionals and promotions: the non-amateurs taking on the giants
Of course, while many contemporary DDoS attacks are perpetrated by amateurs with beef, there are also professional attackers getting involved. But while amateurs will typically attack the games they themselves are familiar with, professionals will go after the industry giants, in a bid to gain notoriety and leverage it for financial gain.
“The bigger gaming platforms – and we're talking about the likes of Microsoft Live – platforms like that draw the attention of the more professional attackers, for a very simple reason: there's a lot of money involved, and they're highly reliant on their online presence,” he says.
“There's a lot of bragging rights in taking somebody as visible as - let's say - the Microsoft network, because you have to have the ability impact the experience of users around the world; very few platforms will allow you to do that.”
For these professional attackers, the overall motives are largely financial. For some, for example, it is a simple matter of extortion.
“It’s usually launching a small attack and sending an email saying 'hey, I just DDoS'd you for five minutes, in two hours I'm going to DDoS you for 48 hours unless you pay me a Bitcoin or two', or whatever the amount is,” says Zeifman.
“The bigger gaming platforms draw the attention of the more professional attackers, for a very simple reason: there's a lot of money involved.”
However, there are those that pursue notoriety in order to make money through services, and it is often these groups that make the headlines.
“Almost two years ago, a group by the name of Lizard Squad made a name for themselves by taking down PSN [PlayStation Network] and Xbox Live services. On Christmas Eve no less: the perfect time to aggravate as many users as possible,” he explains.
“Now that caused a huge splash and basically got them a lot of PR, major recognition, a lot of Twitter followers, and they were able to leverage that to start selling those DDoS-for-rent services that I described earlier. Basically they said, hey, this is the platform to take down Microsoft, pay $15 and you can use it.“
Not just gaming: other industries at risk
While online gaming is unusually vulnerable to DDoS attacks due to its need for very low latency, it is not the only industry that is at risk.
“It's all about real-time: that's the sensitive component of it. So things that rely on real-time responsiveness are as vulnerable,” he says.
“There's not a lot of those industries, but definitely one of those is online trading, the likes of Bitcoin exchanges or exchanges in general. Latencies there can affect trade in a way that becomes uneven for users, and that's a huge problem for those types of services.
“Those are, I would say, almost as vulnerable, but you would need to still cause a significantly high amount of disturbance for them to become unusable, it's going to be more than half a second latency to make it partially inaccessible.”
“It's all about real-time: that's the sensitive component of it.”
It is also important to note that while the attacks on major companies are the ones that grab the headlines, small companies are also frequently targeted by such attacks, and it is these companies that turn to services provided by the likes of Imperva Incapsula.
“We actually have a lot of gaming companies using us, and those are, I would say, second-tier players, not the Microsoft and Sonys of the world who use their own proprietary services, but you know if you're a mobile platform and you have 10, 15 million users across 5 or 6 games, you're not big enough to afford to be doing it on your own, but you still need the service because you're already big enough to be targeted.”
Stopping a DDoS attack
For companies operating within this space, the mitigation of DDoS attacks has become a standard expense, which for large companies with large numbers of servers to spare can be performed in-house, while for small companies is resolved through the use of a third-party company.
“A lot of companies today offer DDoS mitigation services, a lot of infrastructure providers offer DDoS mitigation services, either as a reseller or on their own, and I think a lot of the bigger companies, they have in-house solutions,” explains Zeifman.
“Smaller companies, they use services like ours, and what we do for companies, and what other companies like us do, is basically we deploy our service on the network edge, and we become the first gateway for incoming traffic.
“We have a very powerful network, and its entire purpose is being able to accept a lot of traffic and deflate a DDoS attack in that manner, and also scrub the traffic and basically identify what needs to go through and what doesn't. What goes through are legitimate users, in this case gamers, and what doesn't go through is the DDoS traffic that never reaches its destination. There's a lot of magic to what I just described, of course, but just in broad strokes, this is how DDoS mitigation works, and this is the solution to that problem.”
“We deploy our service on the network edge, and we become the first gateway for incoming traffic.”
As part of this process, companies such as Zeifman’s have to differentiate between real and false traffic, which can be easier said than done.
“For gaming platforms it’s actually quite tricky – it’s never that easy but it’s really more tricky for gaming platforms. Usually what you do is you rely on signatures, so every one of us has some kind of signature attached to the browser that we use, the IP that we come from, the behaviour pattern that we display on the website or inside the service, so we track those and we look at what looks like a legitimate user and what doesn't, and because we have a lot of experience we mitigate roughly 5,000 attacks per quarter, so 20,000 attacks per year, and we do it for 160,000 organisations and millions of sites, so we have a lot of information about what a legitimate user looks like, and also what a bad actor looks like,” he explains.
“IP reputation is major, because if you can map a lot of those botnets, you can attach a risk factor to traffic for an IP that you also used in an attack before, you can look what type of network packages its sending you - what looks normal, what looks abnormal – there are a lot of tell-tale signs inside the communication attempts and inside the session information that we use to filter those out.
“In gaming platforms, though, it becomes trickier because most of gaming platforms use non-regular communication protocols, so when you're trying to connect to a gaming platform, you're not using any type of regular internet protocol, you're using something that is either proprietary or used by a relatively small number of other platforms like it. And then it becomes trickier, and what we do is again we leverage our knowledge of what a bad actor looks like, because that's still relevant, and we also sample traffic from that gaming platform and learn the specifics of its traffic pattern all the time, and then when an attack comes in, we're ready for it.”
Forever changing: the future of DDoS
As with all cybersecurity related issues, the state of DDoS is not static: it is forever changing, and will continue to do so in the future.
“We see two very consistent trends across these four last quarters, and one of those is attacks become more frequent, and the other is attacks become shorter. So that's the ecosystem right now: shorter attacks that are the result of people using those DDoS-for-rent services, because they only allow you to attack a target for a few minutes, half an hour, per month, and on the other hand because it’s so easy to attack someone, we see the frequency of attacks increasing,” he says.
For companies such as Imperva Incapsula, the changing nature of attacks means a continuous adjusting of responses to effectively maintain the success of mitigation attempts. However, while change is a constant in cybersecurity, Zeifman does not anticipate DDoS being replaced with something completely new and different any time soon.
“It’s going be DDoS for at least a few more years.”
“It works too well, it’s too easy. What I'm actually seeing is more attacks, price drops in the cost of DDoS-for-rent services, more powerful botnets, so all the signs point the other way,” he explains.
“The only reason something like that would happen is there needs to be a coalition of ISPs who are the only ones in a position to just block those attacks on a higher network level, to not allow them to reach the targets. This is a highly unlikely scenario. The ISP market is very diverse, and I don't think it’s motivated enough to just go after this problem, so no, it’s going be DDoS for at least a few more years.”
Image courtesy of Blizzard