Six years of DDoS in the game industry: What kind of architecture can be immune to DDoS?

Abstract: I have been in contact with DDoS related technologies and products for 8 years, of which 6 years have been exploring the DDoS attack problems in the game industry. In my opinion, the game industry has always been one of the most complex "areas" to compete and attack. When many game companies develop their businesses, there are many blind spots for their own systems and business security; they have no real understanding of what DDoS attacks are and how to fight them.

I have seen enthusiastic entrepreneurial teams and products with unique gameplay stifled in the cradle by this Internet attack problem; I have also seen a well-operated product collapse because of DDoS attacks.

This is why I want to share my 6 years of DDoS experience in the game industry with everyone: to help companies advancing at full speed in the game field understand the security situation of the industry, and to give some useful suggestions.

In my dealings with the security teams of game companies, I have seen two big misunderstandings about security in the game industry.

The first misunderstanding: "if I have suffered no direct losses, I am safe."

In fact, compared to other industries, the game industry faces a higher volume and complexity of attacks. Every game company and every application has in fact been attacked. Yet many game security leaders remain unaware of the attacks going on around them, or simply turn a blind eye, and thereby bury security risks.

The second misunderstanding: many game industry security leaders think that as long as a firewall is installed, most attacks can be blocked.

However, what a firewall can do is actually very limited. This also points to the root cause of weak security in much of the game industry: doing one point well without seeing the whole picture.

Attackers, however, will always find an unexpected weak point from which to compromise a game company's internal systems.

Taking DDoS attacks as an example: in 2016 the recorded global DDoS peak was nearly 600 Gbps, and DDoS attacks above 300 Gbps were not uncommon in the game industry.

Why are games the hardest hit by DDoS attacks? Here are a few main reasons.

First, the attack cost in the game industry is low, on the order of 1/N of the protection cost, so attack and defence are extremely unbalanced. As the attacking side's tactics become more and more complex and the attack points multiply, a basic static protection strategy cannot achieve good results, which aggravates this imbalance.

Second, games have a short life cycle: it takes about half a year for a game to go from birth to demise. If a game cannot withstand a big attack, it is likely to die halfway. Attackers have also taken aim at this point, reckoning that once an attack is launched, the game company will surely pay a "protection fee".

Third, the game industry has high continuity requirements and needs to be online 24/7. If a game's service is hit by DDoS, it loses a large number of players. I have seen game companies drop from tens of thousands of players to hundreds within 2-3 days of being attacked.

Finally, vicious competition among game companies has also intensified DDoS attacks against the industry.

The types of DDoS attacks against the gaming industry are also complex and diverse. Broadly, they fall into the following categories:

The first is the empty connection: the attacker frequently establishes TCP connections with the server, occupying its connection resources; some are disconnected and some are kept open. By analogy, when a noodle restaurant opens, a "gang" keeps queuing at the door but never orders, so normal guests cannot get in and eat.

The second is the traffic (volumetric) attack: the attacker sends UDP packets at the server's game port, degrading the speed of normal players. In the analogy, the traffic attack is the bad guy directly blocking the door of the noodle shop.

Third, the CC attack: the attacker targets the server's authentication page, login page, game forum and so on. This is a relatively advanced type of attack. In the analogy, the bad guy occupies the cashier's checkout and keeps the waiter busy taking orders, so normal guests cannot be served.

Fourth, the dummy (fake player) attack: the attacker simulates the game login and character creation process, overcrowding the server and affecting normal players.

There are also DDoS attacks on players: in competitive games, the attacker floods the opponent player's network so that they drop from the game or lag. And there are DDoS attacks on the gateway: the gateway of the game server is attacked, and the whole game runs slowly.

Finally, the connection attack: the attacker repeatedly hits the server with junk packets, keeping it busy decoding garbage data.
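The empty-connection and junk-packet categories above share one observable: connections that stay established while never carrying a valid game message. The following detector is an added example (not code from the original article or from any game company) that models a server's connection table and flags source addresses holding more such connections than a per-address cap. The connection records, the `IDLE_AFTER` and `MAX_IDLE_PER_IP` thresholds and the addresses are all constructed for the example.

```python
"""Idle-connection ("empty connection") detector.

Added example, not part of the original article and not any game company's
code. It models a server's connection table and flags source addresses that
hold many established TCP connections while never sending a valid game
message, which is the pattern of the "empty connection" and junk-packet
connection attacks described above. All records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src_ip: str
    established_at: float  # seconds since epoch (constructed value)
    bytes_in: int          # application bytes received from the client
    valid_msgs: int        # frames that parsed as real game protocol messages


# Tunables chosen for the example; a real server would derive them from the
# measured behaviour of legitimate players (time to first message, etc.).
IDLE_AFTER = 30.0        # seconds without a valid message before "idle"
MAX_IDLE_PER_IP = 20     # idle connections tolerated from one address


def classify(conns, now):
    """Return per-source counters: total, idle and junk connections."""
    stats = defaultdict(lambda: {"total": 0, "idle": 0, "junk": 0})
    for c in conns:
        s = stats[c.src_ip]
        s["total"] += 1
        if now - c.established_at >= IDLE_AFTER and c.valid_msgs == 0:
            # Long-lived connection that never spoke the game protocol:
            # the "queue up but never order" pattern from the noodle-shop analogy.
            s["idle"] += 1
            if c.bytes_in > 0:
                # Bytes arrived but none parsed: the junk-packet variant,
                # which also burns CPU on failed decoding.
                s["junk"] += 1
    return dict(stats)


def suspicious_sources(conns, now):
    """Addresses holding more idle connections than MAX_IDLE_PER_IP."""
    stats = classify(conns, now)
    return sorted(ip for ip, s in stats.items() if s["idle"] > MAX_IDLE_PER_IP)


def sample_table():
    """Constructed connection table: two players, two attacking sources."""
    now = 1_000.0
    conns = []
    # Legitimate players: one connection each, real messages flowing.
    conns.append(Conn("192.0.2.10", now - 600, bytes_in=48_000, valid_msgs=900))
    conns.append(Conn("192.0.2.11", now - 5, bytes_in=120, valid_msgs=2))  # just joined
    # Attacking source A: 50 connections opened 2 minutes ago, never sent a byte.
    conns += [Conn("198.51.100.7", now - 120, 0, 0) for _ in range(50)]
    # Attacking source B: 30 connections sending only unparseable junk.
    conns += [Conn("203.0.113.9", now - 90, 200, 0) for _ in range(30)]
    # A scanner that opened 3 empty connections: stays below the per-IP cap.
    conns += [Conn("203.0.113.50", now - 60, 0, 0) for _ in range(3)]
    return conns, now


if __name__ == "__main__":
    conns, now = sample_table()
    for ip, s in classify(conns, now).items():
        print(ip, s)
    print("suspicious:", suspicious_sources(conns, now))
```

The decision key is "established for a while and never produced a parseable message", not bytes received, because the junk-packet variant does send data; counting parsed frames instead of bytes catches both. A per-address cap like this is a first filter only: a distributed attack spreads connections across many sources, so the same counters should also be watched in aggregate.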

Taking common DDoS and CC attacks as examples, here is how they work.

The main DDoS methods are traffic-based attacks such as SYN flood, ACK flood and UDP flood. The method itself is very simple: whichever is used, the premise is that the traffic is large. If the defender has sufficient bandwidth resources, defending with current technical means is not difficult. As for UDP flood, many games today do not need the UDP protocol at all, so UDP traffic can simply be discarded.

There are two kinds of CC attack. Strictly, an attack on a web site is called a CC attack, but many people also call attacks on the game server CC attacks.

The CC attack on a website works like this: after the connection is established, the attacker forges a browser and issues a large number of HTTP GET requests, exhausting the server's resources.

For the CC attack on the game server, after the connection is established the attacker sends forged game communication messages to keep the connection from being broken. Some attack programs do not even read the game's normal messages; they directly forge junk messages to hold the connection open.
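Because the website form of CC consists of an ordinary-looking client issuing far more GET requests than a person would, the practical detection signal is request rate per source over a short window. The following detector is an added example (not code from the original article) that parses combined-format access-log lines and reports sources exceeding a GET-rate limit inside a sliding window. The log lines, addresses, paths and the `WINDOW` and `LIMIT` values are constructed; the User-Agent is captured but deliberately not used for the decision, since the article notes the browser is forged.

```python
"""Sliding-window detector for HTTP GET floods (the website form of CC).

Added example, not from the original article. It reads combined-format
access-log lines, counts GET requests per source address inside a sliding
time window, and reports sources that exceed the limit. The User-Agent is
parsed but not trusted, because attack tools forge it. All log lines here
are constructed sample data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format; the User-Agent group exists only for reporting.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = 10.0  # seconds (constructed tunable)
LIMIT = 50     # GET requests per source inside one window before flagging


def parse_line(line):
    """Return (ip, unix_ts, method, path), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).timestamp()
    return m["ip"], ts, m["method"], m["path"]


def find_cc_sources(lines):
    """Map source IP -> timestamp at which it first exceeded LIMIT."""
    windows = defaultdict(deque)  # per-IP timestamps of recent GETs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != "GET":
            continue
        ip, ts, _, _ = rec
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:  # evict requests older than the window
            q.popleft()
        if len(q) > LIMIT and ip not in flagged:
            flagged[ip] = ts
    return flagged


def sample_log():
    """Constructed access log: one real player and one flooding source."""
    t0 = datetime(2016, 10, 10, 13, 55, 36, tzinfo=timezone.utc)

    def stamp(t):
        return t.strftime(TS_FMT)

    lines = []
    # Real player: five requests spread over a minute.
    for i in range(5):
        lines.append(f'192.0.2.10 - - [{stamp(t0 + timedelta(seconds=12 * i))}] '
                     f'"GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    # Flooding source: 120 GETs to the login page in six seconds, same forged UA.
    for i in range(120):
        lines.append(f'203.0.113.9 - - [{stamp(t0 + timedelta(milliseconds=50 * i))}] '
                     f'"GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    print(find_cc_sources(sample_log()))
```

The same structure applies to the game-server form of CC if the per-source counter is fed with "messages that failed to parse" instead of GET requests; the key design point in both cases is that the server decides on observed behaviour it can measure itself, not on anything the client claims about itself.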
