Christmas time is all about tradition, but there are a few that have emerged over the last several years that the world could probably do without. Singing light displays playing Dominick the Italian Christmas Donkey, 800 consecutive airings of the movie Elf, and the annual catastrophic DDoS attacks on online gaming platforms.
After a 2014 to forget, Sony was able to breathe easier this holiday season, while Valve Corporation and their platform Steam were whacked with a DDoS attack that not only interrupted service of the Steam online store but also ended up exposing the personal information of up to 34,000 users. For as many headlines as this devastating attack has generated, it’s just the latest in a long string of attacks on online gaming platforms.
Where there’s smoke, there’s Steam
On Christmas morning, the Steam online store was targeted by a DDoS attack. Valve Corporation, along with several partner companies, attempted to deal with this attack while keeping the Steam store active for legitimate users. Unfortunately, one of these partner companies was a web caching service that deployed caching rules designed to minimize attack impact on the servers while also routing legitimate traffic.
One of the caching configurations deployed malfunctioned, returning pages to authenticated users that contained personal information of other authenticated users, including billing addresses, purchase histories, the last four digits of a Steam Guard phone number, the last two digits of a credit card number, and email addresses. According to Valve Corporation, none of these erroneously returned pages included passwords, full credit card numbers, or enough information for fraudulent purchases to be made. Nevertheless, user trust and loyalty have understandably been majorly impacted.
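The failure mode described above, as an added example that is not Valve's or its caching partner's actual configuration (the page does not describe it). It assumes an emergency "cache everything" rule keyed on the URL alone, set beside a rule that never stores or serves personalized responses; the paths, class and function names are hypothetical.

```python
# Toy shared cache in front of a constructed origin (illustration only).
from dataclasses import dataclass, field

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def origin(path, session):
    """Constructed origin: /account is personalized, everything else is public."""
    if path == "/account":
        return Response(f"billing address of {session}",
                        {"Cache-Control": "private, no-store"})
    return Response("store front page", {"Cache-Control": "public, max-age=60"})

class SharedCache:
    def __init__(self, safe):
        self.safe = safe          # False = emergency rule keyed on URL only
        self.store = {}
        self.origin_hits = 0

    def cacheable(self, resp):
        if not self.safe:
            return True           # weak rule: ignores the origin's directives
        cc = resp.headers.get("Cache-Control", "").lower()
        directives = {d.strip().split("=")[0] for d in cc.split(",")}
        if directives & {"private", "no-store", "no-cache"}:
            return False
        return "Set-Cookie" not in resp.headers

    def get(self, path, session=None):
        # Hardened rule: requests carrying a session never touch the shared cache.
        bypass = self.safe and session is not None
        if not bypass and path in self.store:
            return self.store[path].body
        self.origin_hits += 1
        resp = origin(path, session)
        if not bypass and self.cacheable(resp):
            self.store[path] = resp
        return resp.body

def second_user_sees(cache):
    """Alice loads her account page, then Bob requests the same URL."""
    cache.get("/account", session="alice")
    return cache.get("/account", session="bob")

if __name__ == "__main__":
    print("URL-only key:", second_user_sees(SharedCache(safe=False)))
    print("hardened    :", second_user_sees(SharedCache(safe=True)))
```

The hardened rule still absorbs anonymous traffic to public pages, which is the load a cache is meant to take off the origin during an attack.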
It’s not always good to be number one
Last Christmas it was the Sony PlayStation Network and Microsoft’s Xbox Live Network that went down to DDoS attacks, with outages on Christmas Day affecting up to 160 million users – many of whom were trying to use their brand new Christmas presents. This attack was the work of the internet-famous Lizard Squad, a group of hackers always looking for publicity for their DDoS-for-hire services. They’ve also claimed the credit for DDoS attacks on League of Legends servers, Destiny servers, and the Malaysian Airlines website, to name a few.
Though the Lizard Squad may gain the most publicity for their antics, they’re hardly the only ones targeting online gaming platforms and sites. A Q3 State of the Internet report released in December of 2015 found that the online gaming industry is the number one target of DDoS attacks, getting nailed with up to 50% of all attacks.
An unfortunately and obviously tempting target
Some of the reasons online gaming sites are such big targets are easy to see. It’s well within the realm of possibility that angry gamers are taking aim at the servers of either games they don’t like or games they’ve been banned from. This is especially possible thanks to the existence of the aforementioned DDoS-for-hire services, which provide low-price access to botnets.
Online gaming servers also make an appealing target for hacker groups since gamers are so emotionally invested in the games they play. When a game goes down, the world is going to hear about it via social media and sites like Reddit, and thus hacking celebrities such as the Lizard Squad are born. Successful DDoS attacks on gaming sites are made even easier when you consider that the game doesn’t have to be taken offline to disrupt users; it merely has to be slowed down enough to impact play. This is a matter of milliseconds.
With an assist from technological vulnerabilities
According to professional DDoS protection providers Incapsula, online gaming sites are also made tempting targets by their inherent technological vulnerabilities. The first of these is the custom network protocols that gaming platforms require to provide the speed and performance their users demand. Because there is so little information available on how legitimate users interact with these networks, security services can have a difficult time distinguishing between legitimate users and security threats, and will always err on the side of letting traffic through to keep from blocking actual users.
Secondly, because DDoS attacks use large amounts of traffic to take down servers, these attacks are made infinitely easier by the high-traffic days gaming platforms experience. With a ton of legitimate traffic already straining a platform’s servers, it doesn’t take much malicious traffic to tip them over the edge. These important high-traffic dates include new release dates and, yes, holidays.
“It’s very common for DDoS attackers to strike during peak traffic times, especially when going after big targets,” says the Incapsula PR team. “Such attacks maximize the damage potential of the assault by applying additional pressure to the already-strained organizations and network infrastructures. Even when unable to bring the target down completely, they can cause collateral damage as was seen here, with Valve having to roll out a new configuration while being bombarded with large amounts of fake traffic.”
Perhaps the biggest technological vulnerability stems from the online model that has turned gaming into what it is – an always on, always available service that provides a real addictive experience for users. The nature of this particular beast has created a massive vulnerability.
The single point of failure (SPOF)
To provide constant connectivity to their users, gaming companies have to build always-available centralized gaming platforms. From a performance perspective, this is ideal. From a security perspective, this is a single point of failure. A single point of failure, technically speaking, is a part of a system that will stop the entire system from operating if it fails.
The centralized gaming platform acting as a single point of failure allows attackers to launch a narrowly targeted DDoS attack that causes widespread disorder. Major results from minimal input.
Forewarned not necessarily forearmed
None of this is necessarily new information to anyone in the online gaming industry. And yet DDoS attacks on online gaming platforms still succeed. Valve Corporation was undoubtedly wary of a DDoS attack on Christmas, and for all their efforts to deal with that anticipated attack, they ended up exposing the personal information of 34,000 users.
Unless a gaming company is capable of creating custom security to go along with its custom protocols, security that can deal with massive amounts of both legitimate and malicious traffic and effectively guard against the SPOF, it needs to invest in professional DDoS protection like the services offered by Incapsula, which provide an uninterrupted gaming experience for legitimate users while keeping attack traffic from touching the servers.
There are enough irritating Christmas traditions, after all. Put a stop to this one.