DDoS Mitigation Tactics for Gaming Enterprises

Top game developer and publisher Blizzard Entertainment Inc. was hit by another distributed denial-of-service (DDoS) attack on September 20, bringing their gaming platform to a standstill. This attack came only two days after they were hit with a DDoS attack that affected latency and connections to their global gaming platform. DDoS attacks are a common tactic used to make a service unavailable to legitimate users. The attacks typically involve malicious actors sending huge amounts of traffic to overwhelm and disable a targeted system.

These past few months have seen Blizzard managing continuous DDoS attacks—the company seems to have suffered at least one in April, two in August, and two this September. The attacks ranged in severity and targeted the game servers of Battle.net, the online platform that hosts Blizzard games. On August 2, Battle.net went down for a few hours, preventing players of popular games Overwatch and Hearthstone from connecting to the game servers. The attack on August 31 was less severe, affecting the latency of the games and frustrating active players who intermittently lost connection. This latest attack kept players off Battle.net for less than an hour, though latency issues continued for a period. The groups claiming responsibility for these attacks were seemingly keen on getting publicity from hitting such a high profile target. They took to social media to stake their claim and asked for retweets to stop the assault. The attacks seem to be timed with new content releases from the company, just when the volume of players is at its peak, media attention is on the games, and excitement is high.     

The Continuing Rise of DDoS

According to a new Q2 2016 security report from content delivery network and cloud services provider Akamai Technologies Inc., there has been a 129% increase in total DDoS attacks since Q2 2015. But while the number of attacks increased, there has been a definitive decrease in severity—the median attack bandwidth dropped 36% from the previous quarter. In contrast, the number of “mega-attacks” (above 100 Gbps) rose, counting a 363Gbps attack—the largest Akamai recorded, within the same period.

The gaming industry has long been the top target for DDoS attacks, and the report confirms that the trend is continuing. The research determined that a majority of their documented DDoS attacks were spread between two industries—online gaming with 57% of the attacks, software and technology had 26%.

There are varying reasons why cybercrime groups frequently target the gaming industry. The notoriety that comes from successfully disrupting a popular target is a motivating factor, as is the increasing ease of executing a DDoS attack. The trend can also be attributed to the following factors:

• How easy it is to mount an attack—in some cases, hitting a single server or finding an unnoticed vulnerability is enough for cybercriminals. In 2014, criminals exploited the legacy Network Time Protocol for an easy yet effective attack. And the gaming industry is particularly vulnerable because companies often use a central platform (like Blizzard's Battle.net) for all their games, giving cybercriminals a vital and exposed target.
• The readily available options to help even casual cybercriminals organize a DDoS attack, such as easy-to-use tools, are available online.
• The levels of attack severity that can be inflicted on targets—there are low-budget options for more cautions cybercriminals, but there are many avenues of attack. These open avenues allow creators to create sophisticated, multi-pronged campaigns.
• There are many routes to take advantage of—gaming companies, in particular, have custom protocols that are security “soft spots” because they can’t differentiate the bad traffic from the good traffic.  
• There are many methods that a well-equipped DDoS attacker can use to disrupt the operations. Some are more favored than others—the Q2 2016 report noted a 276% increase in NTP reflection attacks, which is when an attacker sends network traffic to a “booster site” impersonating a potential target. The booster site sends its replies to the target, amplifying the DDoS attack and overpowering the target.  
• Cybercriminals are going beyond using self-supplied PCs and devices compromised by malware. Instead, they’re turning to Web servers, which can send 100 times as much data per second as a PC.

Defending against DDoS

There are a number of possible attack vectors that can be exploited by DDoS attackers. The best strategy is to implement layered solutions that protect infrastructure and applications from danger.

• Have a tiered plan of action for dealing with a DDoS attack, starting with detection and monitoring the network for unusual activity.
• Establish access control lists on border routers to protect infrastructure and reduce traffic handled by firewalls.
• Mask the IP or add a multilayered firewall.
• Be proactive and limit internet-facing services and protocols.
• Have backup servers and a dynamic system that deploys additional servers in case of a DDoS attack. These can keep services running even during an ongoing attack.
• Draw up an action plan based on enterprise risk assessment. Establish a communication chain, especially with your Internet Service Provider (ISP), to determine what to do in a DDoS scenario. For more detailed instructions to minimize DDoS and other cybersecurity measures, read this step-by-step guide.

DDoS mitigation requires a mix of strategic internal policies and technical solutions to be adequately managed. Trend Micro™ Deep Security™ can help enterprises secure physical, virtual, and cloud servers from a single integrated platform.