Why Lizard Squad and others target game servers with DDoS attacks

Recently, we’ve seen everyone from hacktivist collectives to lone wolves use distributed denial of service (DDoS) attacks to take down PlayStation, Xbox, Nintendo, League of Legends, and Blizzard networks.

As an avid gamer, and as someone who works to protect companies from DDoS attacks, these were especially interesting to witness—allowing me to experience them from two very different perspectives.

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":1703273,"post_type":"guest","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"games,security,","session":"C"}']

On one hand, I was right there in the Reddit trenches, commiserating with my fellow gamers who were also robbed of their favorite pastime. On the other, I had access to the “command tower” from which I could see how these attacks—like the NTP amplification attack on League of Legends last year—were reshaping the entire DDoS landscape.

From both perspectives, I gained insight into why gamers are being singled out by DDoS attackers, including the technical vulnerabilities that affect gaming platforms.

Why target game servers?

Over the past two decades, gaming has shifted toward an online model. We see it everywhere; from the rapid growth of the MMO scene to the emergence of DRM, conditioning us to expect constant connectivity—even as a part of our single-player experience.

Like anything else in life, the notion of constant connectivity has its up and down sides. From a security perspective, one such downside is the introduction of a new single-point-of-failure (SPOF) in the form of the always-available centralized gaming platform.

The existence of this SPOF is what keeps DDoSers gravitating toward gaming servers, where they can use narrowly targeted attacks to wreak havoc on a massive scale—mostly in an attempt to achieve instant Internet notoriety.

These mass-scale trolling attempts are successful due to the fact that the majority of gamers are under 30—the demographic most likely to take its collective frustration to social media.

Take Lizard Squad’s attack this past Christmas on the PlayStation and Xbox networks: In that 24-hour period, the group was mentioned more than 100,000 times on Twitter alone. As viral impact goes, these attacks reach the level of “Gangnam Style” notoriety—the best return on investment any attention-seeking perpetrator can hope for with a single DDoS burst.

The frustration factor

Looking beyond the demographics, emotional factors are a huge driver of those hundreds of thousands of conversations around game server DDoS attacks.

[aditude-amp id="medium1" targeting='{"env":"staging","page_type":"article","post_id":1703273,"post_type":"guest","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"games,security,","session":"C"}']

Perpetrators are exploiting the emotional investment gamers feel toward their games—be their connection to a character, the worlds, or their scores and competitive statuses. One way or another, gaming is a strong emotional experience for many of us; any interruption of it invokes an equally strong emotional response.

Expectations also play an important role in feeding our frustrations. We expect all online gaming platforms—even free ones—to provide a consistent and stable user experience. Looking into the amount of complaints about high pings and maintenance windows in any free MOBA forum illustrates customers’ expectation that gaming networks are always available and immediately responsive.

Part of this conditioning is the idea that all downtime must be stripped to a minimum and communicated ahead of time. Interestingly, we are now seeing DDoS attackers who announce their intentions and targets in advance. Such early warnings create preattack buzz and amplify gamers’ frustration, leaving them to question why sufficient defenses weren’t deployed rather than rally behind the target.

3 factors that make game networks vulnerable to DDoS

Gaming platforms have specific vulnerabilities that perpetrators exploit to their advantage. These include:

[aditude-amp id="medium2" targeting='{"env":"staging","page_type":"article","post_id":1703273,"post_type":"guest","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"games,security,","session":"C"}']

Predictable rush hours

DDoS attacks are meant to exhaust existing server and network resources. They are most effective when these resources are scarce, like when a network under use by a large number of people.

On days like this past Christmas—after Sony and Microsoft sold a combined 11 million consoles—it would be easy to predict that their networks would be pushed to their respective limits. During a time like that, when users already report a degradation of service due to the sheer volume of regular traffic, it’s much easier for an attacker to disrupt a service by causing saturation of an already-struggling network infrastructure.

Don’t even need to take it offline

[aditude-amp id="medium3" targeting='{"env":"staging","page_type":"article","post_id":1703273,"post_type":"guest","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"games,security,","session":"C"}']

Any gamer can tell you that you don’t need to shut down a server to bring it to a halt. Games, especially those featuring multiplayer competitive action, are all about instant user feedback; every additional millisecond between “order given” and “action taken” can severely disrupt the gaming experience.

Whereas an assault on an e-commerce website resulting in a half-second latency might go unnoticed, an attack on a Call of Duty server causing the same delay would completely stop all activity — not because the server is unavailable, but because it becomes unusable.

Custom protocols

DDoS mitigation is all about filtering out malicious traffic without impacting regular visitors. Achieving this is easier when dealing with a commonly used communication protocol such as HTTP, where network staff and mitigation service providers typically know what to expect and what “good guys” and “bad guys” look like.

[aditude-amp id="medium4" targeting='{"env":"staging","page_type":"article","post_id":1703273,"post_type":"guest","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"games,security,","session":"C"}']

Gaming platforms, however, rely on unique custom communication protocols, making mitigation much harder and more resource-intensive. Dealing with them requires security brains, not just network brawn.

What we can do

Of course, there are other reasons why gaming servers are vulnerable and other factors that make their takedown so frustrating. It all boils down to this: Attackers understand the innate vulnerabilities of gaming platforms and the emotional triggers of users. In both cases, they know how to push just the right buttons.

Even as you read this, someone is already scoping the next target. While there is no way to prevent that attack from happening, we can all do some things to make it less damaging.

Gaming companies should invest in mitigation solutions that provide on-demand scalability, increasing their resource pool when it’s needed the most. They should also be constantly aware of their relative weaknesses and, consequently, be proactive in their response to potential DDoS threats and predictable traffic peaks.

[aditude-amp id="medium5" targeting='{"env":"staging","page_type":"article","post_id":1703273,"post_type":"guest","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"games,security,","session":"C"}']

That said, it is up to gamers themselves to promote a significant paradigm shift in this new trend of DDoS attacks. One way to achieve that is to stop showering perpetrators with the attention they crave—their sole motivation for launching an attack in the first place. Attackers shouldn’t be criticized or glorified — just ignore them. Otherwise they’ll keep coming back as long as we collectively continue to “feed the trolls.”

Igal Zeifman is a product evangelist for Incapsula, a CDN and DDoS protection provider making the Web safer, faster, and more reliable. Igal is also an award-winning author, and — most recently — a level ​10 Aumaua Druid in the Eastern Reach of Eora.