If you’ve tried to use Xbox Live or PlayStation Network this month, you’ve probably experienced the effect of a Distributed Denial of Service attack. But what exactly does that mean? And why can such major, (generally) secure services be impacted by these attacks?
Denial-of-service attacks have been around for what amounts to eons in internet time. Online video game services are no strangers to being targets of DDoS attacks; previous generations of gaming experienced them too, but over the past year there has been a frequent spate of successful attacks against multiple gaming networks, including Battle.net and specific games in addition to XBL and PSN.
Why are they so difficult to defend against? We reached out to security experts to shed some light on the issue. (We also contacted several video game publishers, but they declined to comment.)
For a lot of us without a deep understanding of network security, it is easy to think about DDoS attacks as a single “thing” companies can simply solve. But the term DDoS covers a large class of malicious attacks on network or internet infrastructure, so while some defenses may be simple, others are not so easily constructed.
According to Michael McKinnon, security advisor at AVG Technologies, the range of DDoS attacks includes those that flood servers with traffic to bring them down, but also a selection that are known as application denial-of-service attacks. “Most common DDoS attacks work at a network layer, blasting senseless traffic at target systems, hoping to overwhelm them and exhaust all available bandwidth—this is the common understanding of what a DDoS represents for most people,” says McKinnon. “However, other denial-of-service attacks can include locking other users out, [like] through multiple failed password reset attempts and other such actions, or wiping databases and disrupting services in more specific ways.”
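The lockout scenario McKinnon describes is easy to reproduce in code. The following is an added example (not from the article or from AVG) contrasting a naive account-level lockout, which lets anyone who can fail a login a few times deny service to the real account owner, with a throttle keyed on the (account, source) pair that uses exponential backoff instead of a hard lock. The account names, addresses and thresholds are constructed for illustration.

```python
"""Account lockout as an application-layer denial of service, and one mitigation.

Added example; the class names, sample accounts and addresses are constructed.
"""
import time
from collections import defaultdict


class NaiveLockout:
    """Hard-locks the *account* after max_failures failed attempts from anyone.

    Weakness: the counter is shared by all sources, so repeated bad guesses
    against a victim's username lock the victim out as well.
    """

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)  # account -> consecutive failures

    def attempt(self, account, source_ip, password_ok):
        if self.failures[account] >= self.max_failures:
            return "locked"
        if password_ok:
            self.failures[account] = 0
            return "allowed"
        self.failures[account] += 1
        return "denied"


class PerSourceThrottle:
    """Throttles by (account, source) with exponential backoff, never a hard lock.

    A burst of failures from one address only slows down that address; the
    account owner logging in from elsewhere is unaffected. A successful login
    clears the state for that pair.
    """

    def __init__(self, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self.state = {}  # (account, source_ip) -> (failures, not_before_timestamp)

    def attempt(self, account, source_ip, password_ok, now=None):
        now = self.clock() if now is None else now
        key = (account, source_ip)
        fails, not_before = self.state.get(key, (0, 0.0))
        if now < not_before:
            return "throttled"  # still inside the backoff window for this pair
        if password_ok:
            self.state.pop(key, None)
            return "allowed"
        fails += 1
        delay = min(self.base_delay * 2 ** (fails - 1), self.max_delay)
        self.state[key] = (fails, now + delay)
        return "denied"


def simulate():
    """Constructed scenario: five bad guesses at 'alice' from one address, then
    alice's own correct login from a different address. Returns both outcomes."""
    naive, throttle = NaiveLockout(max_failures=5), PerSourceThrottle()
    t = 0.0
    for _ in range(5):
        naive.attempt("alice", "198.51.100.9", password_ok=False)
        throttle.attempt("alice", "198.51.100.9", password_ok=False, now=t)
        t += 1000.0  # spaced out so each guess lands outside the backoff window
    return {
        "naive": naive.attempt("alice", "192.0.2.4", password_ok=True),
        "throttled": throttle.attempt("alice", "192.0.2.4", password_ok=True, now=t),
        # the noisy address itself is now held back for this account
        "noisy_source": throttle.attempt("alice", "198.51.100.9", password_ok=False, now=t),
    }


if __name__ == "__main__":
    print(simulate())
```

Keying on source alone is not a complete answer, since a distributed attacker can spread failures over many addresses; in practice the per-source backoff is combined with an account-level soft limit (step-up verification rather than a lock) so that neither dimension alone can be turned into a denial of service.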
Most of the malicious attacks on the internet, in terms of volume, are reflection and amplification DDoS attacks. “These attacks can range from anywhere from a few tens of gigabits per second—[which is already] quite large—up to the largest attacks that [have] been confirmed so far [at] about 400 gigabits per second,” says Roland Dobbins, senior security engineering and response team (ASERT) analyst at Arbor Networks.
Dobbins adds that when troubleshooting and anticipating how to defend against attacks, there are a couple of considerations to take into account. “The first consideration is that they tend to fill up the last kilometer link between an ISP from whom a gaming provider is buying transit and that gaming provider’s internet data center. Another consideration is that the attacks which get into the dozens or hundreds of gigabits per second can actually fill up the peering and the core links of all the ISPs in the path,” he explains. “And so they absolutely can consume the network capacity in multiple intervening networks between the reflectors, [the] amplifiers used in the attack, and the actual target.”
In other words, companies trying to protect themselves from ongoing or future DDoS attacks have several components of the network to monitor. Traffic can overwhelm the part of the pipeline between the ISP and the gaming service (be it Xbox Live or Battle.net), or it can flood the connections between the various ISPs and some big companies who’ve agreed to use each other’s network to channel traffic. Those waging the attack do so by sending requests to innocent computers while posing as the target; when those “reflectors” send a response, they direct them to the site or service that’s the intended victim.
Combined with amplifiers, protocols whose responses are far larger than the requests that trigger them and which are used in conjunction with reflected attacks, the data being transmitted can be magnified by up to 179 times. The servers used in the amplification attack ultimately flood the target site and the network it’s on with a huge volume of responses, meaning attackers don’t need much network capacity themselves to increase the original amount of traffic by 6,000 to 9,000 times.
The end result: the attacking traffic ends up causing a shutdown of the overloaded target server(s), and/or squeezing out legitimate traffic to and from the target.
The mix of distributed attacking traffic and legitimate traffic during a DDoS attack is precisely why they’re so hard to defend against. “Identifying your attacker against a backdrop of legitimate users to your online service can be quite an art, and when you have only one attacker (i.e. a traditional DoS attack), blocking them is quite easy,” McKinnon says. “But, when you’re being simultaneously bombarded by hundreds or thousands of attackers it takes valuable time that you don’t have—and often battling against dwindling bandwidth and access to stop the attack.”
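The reflection and amplification mechanics described above, and the difficulty of picking attack traffic out of a backdrop of legitimate users, can both be seen in flow data. The following is an added example (not from the article or from Arbor Networks) that walks a set of constructed flow records and flags a destination as the target of a reflected flood when it receives UDP replies from many distinct hosts on a well-known amplifier service port while having sent little or nothing to that service itself; the ratio of bytes received to bytes sent is the observed amplification. The sample records, addresses, thresholds and the game port 27015 are constructed for illustration.

```python
"""Spot reflected/amplified UDP floods in flow records.

Added example with constructed sample data; not the article's or any vendor's code.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors/amplifiers (well-known service ports).
AMPLIFIER_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}

# Constructed flow export: one record per line, "src_ip:port dst_ip:port proto bytes".
# 203.0.113.10 is the game host; 198.51.100.21-25 are reflectors abused against it,
# 198.51.100.7/.53 are the host's own NTP and DNS servers, 192.0.2.x are game clients.
SAMPLE_FLOWS = """
# src                dst                  proto bytes   (constructed)
198.51.100.21:123    203.0.113.10:40000   udp   4400
198.51.100.22:123    203.0.113.10:40000   udp   4400
198.51.100.23:123    203.0.113.10:40000   udp   4400
198.51.100.24:123    203.0.113.10:40000   udp   4400
198.51.100.25:123    203.0.113.10:40000   udp   4400
203.0.113.10:40001   198.51.100.7:123     udp   48
198.51.100.7:123     203.0.113.10:40001   udp   48
203.0.113.10:55001   198.51.100.53:53     udp   60
198.51.100.53:53     203.0.113.10:55001   udp   120
192.0.2.5:50000      203.0.113.10:27015   udp   900
192.0.2.6:50000      203.0.113.10:27015   udp   900
192.0.2.7:50000      203.0.113.10:27015   udp   900
192.0.2.8:50000      203.0.113.10:27015   udp   900
"""


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int


def parse_flows(text):
    """Parse the whitespace-separated record format above; '#' lines are comments."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(sip, int(sport), dip, int(dport), proto.lower(), int(nbytes)))
    return flows


def find_reflection_floods(flows, min_reflectors=3, min_ratio=10.0):
    """Return {(victim_ip, service): report} for every destination that receives UDP
    replies from at least min_reflectors distinct hosts on an amplifier port, with at
    least min_ratio times more bytes coming back than it sent to that service."""
    inbound = defaultdict(lambda: {"bytes": 0, "sources": set()})
    outbound = defaultdict(int)  # bytes the would-be victim itself sent to the service
    for f in flows:
        if f.proto != "udp":
            continue
        if f.src_port in AMPLIFIER_PORTS:  # a reply from an amplifier service
            key = (f.dst_ip, AMPLIFIER_PORTS[f.src_port])
            inbound[key]["bytes"] += f.nbytes
            inbound[key]["sources"].add(f.src_ip)
        if f.dst_port in AMPLIFIER_PORTS:  # a request the host genuinely sent
            outbound[(f.src_ip, AMPLIFIER_PORTS[f.dst_port])] += f.nbytes
    reports = {}
    for key, agg in inbound.items():
        sent = outbound.get(key, 0)
        # A host that never sent a request cannot have solicited the replies.
        ratio = agg["bytes"] / sent if sent else float("inf")
        if len(agg["sources"]) >= min_reflectors and ratio >= min_ratio:
            reports[key] = {
                "reflectors": len(agg["sources"]),
                "bytes_in": agg["bytes"],
                "bytes_out": sent,
                "amplification": ratio,
            }
    return reports


if __name__ == "__main__":
    for (victim, service), report in find_reflection_floods(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{victim} reflected {service} flood: {report}")
```

The game clients on port 27015 and the host's own DNS lookup are never flagged: neither crosses the distinct-source threshold, and the DNS exchange has a byte ratio of only 2. The legitimate NTP exchange with 198.51.100.7 does get counted into the NTP report alongside the five reflectors, which is the point McKinnon makes: at the flow level the real server and the abused ones look alike, and the distinguishing signal is the aggregate (many sources, replies vastly out of proportion to requests), not any single record.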
Defending against a DDoS attack is also difficult because of the cost involved. As McKinnon explains, companies must “over-invest” in bandwidth, applications, or infrastructure to cover a possibility that may only rarely materialise. This leads many companies to treat DDoS attacks as an occasional inconvenience.
“However, the seriousness of DDoS attacks should not be underestimated,” he adds. “Sometimes a DDoS attack can cause unintended consequences that may expose new vulnerabilities under load, or create opportunities for unauthorised access leading to other breaches.”
“When you’re running a publicly accessible service online, you need to allow the public to have access—and that means you’re never sure when you have to close the front doors to your virtual space to stop people coming in,” McKinnon explains. “[Also,] DDoS attacks from a technical perspective are about the simplest and easiest form of online attack available.”
In other words, DDoS attacks are familiar events because companies want everyone to be able to access their service, and executing one requires almost no technical knowledge—just the right tools.
However, Dobbins notes that while the volume of attacks presents some unique challenges for companies, they can be overcome.
He believes many online gaming operators continue to suffer because they opt out of participating in the global operational security community. These are close, vetted communities where operators involved not only marshal their own resources when under attack, but can reach out and ask other operators to assist them.
Others have not implemented the most current defenses to protect their network infrastructure as well as their routers and Layer 3 switches from attack. “In many cases, the attackers will try to attack the routers and switches rather than servers directly because network operators may not have implemented the best current practices required to enable these devices to defend themselves,” Dobbins says.
The architecture of games is also a problem, since online games usually rely on one or two of the models well-known to attackers. “The first model is that shared game sessions and gaming matchmaking are instantiated on servers which are owned by the gaming operator,” he says, explaining that a centralized architecture makes it relatively easy for attackers to identify and attack the architecture directly.
“The second model is a pseudo-decentralized model where the matchmaking and directory servers, where players find one another, are centralized, but the actual games run locally. One of the participants in a particular gaming session, [their] PC or console, hosts the session and the shared game world. Since DDoS attackers have become quite adept at identifying games of this nature, it’s relatively easy for them to attack the IP address of the consumer users who are hosting the session and knock it over.”
While some developers have begun to use a more decentralized directory model, Dobbins believes that changes in the architecture of even more games need to take place. In this way, the directory information and the game sessions would be spread out among a sea of users, and not rely on a particular player’s computer or a specific host. Dobbins explains: “The directory itself is distributed and the game sessions themselves are distributed; one particular player’s PC or console doesn’t host the entire game, but instead the game is sharded even further, so that the composite shared gaming session is shared amongst many different users. No one PC, no one console will be the ‘master,’ so if one is knocked over by an attack, the shared session continues.”
Gaming companies can also take advantage of gaming intelligence gathered from player behaviours within the shared gaming environment, according to Dobbins. Tracking and analysis of player behaviour can help identify player accounts that may be associated with a DDoS attack and allow companies to start building predictive models to see attacks ahead of time.
“There are some game operators who have done these things and they’re the operators who don’t go down,” Dobbins says. “[They’re the ones] who have learned through experience [and] have taken these lessons to heart.”