Essential information, game DDoS attack trends and causes analysis, with defense cases

I have seen passionate entrepreneurial teams and products with unique gameplay strangled in the cradle by this kind of Internet attack problem; I have also seen a well-operated product crippled by DDoS attacks.

This is why I want to share my 6 years of experience with DDoS in the gaming industry with everyone, to help companies that are advancing at full speed in the gaming field understand the security situation of the industry and give some usable suggestions.

Overview of the game industry—opportunities and risks coexist

It is very common for games to be attacked. According to statistics, more than half of domestic DDoS attacks are aimed at the gaming industry. At present, the game industry as a whole faces both opportunities and risks. In 2017, the scale of China's online game market exceeded 200 billion, but online games are also the number one disaster area for DDoS attacks. In fact, this is not limited to China: in the global market as well, games always rank first as DDoS targets, and the phenomenon is even more serious in China. Especially in the wave of attacks that lasted from before the Spring Festival this year until March, many game manufacturers were suppressed by DDoS attacks. In addition, the rapid growth of mobile terminals has brought mobile security issues, and fraudulent means or game vulnerabilities are also being used to damage the game environment.

Analysis of DDoS attack trends and causes

For DDoS attacks, the average defense cost follows an accelerating upward curve as DDoS attack traffic grows. According to calculated data, if the DDoS attack traffic reaches 250G, the monthly defense cost will be about US$50,000; if it reaches 300G, it will cost US$60,000 per month; when it reaches 350G, the defense cost will be US$80,000 per month; and if the attack traffic reaches 500G, the defense cost will be US$140,000 per month, which means it costs about one million yuan per month to defend against DDoS attacks. In 2017, attacks above 300G have become normal. As for the loss of business value caused by DDoS attacks per hour, statistics show that 36% of attacked applications lost between US$5,000 and US$20,000 per hour, 34% lost between US$20,000 and US$100,000, and 15% lost more than US$100,000 per hour while under attack.

In addition, certain regularities can be found in the time-of-day data of hacker attacks: basically, between 3 a.m. and 9 a.m. every day, attacks are in a lull. This period is actually the hackers' preparation window: during this time they prepare the list of targets to be attacked and the scripts to be used for the next day. At 9 o'clock in the morning, the hackers' scripts run automatically and launch a new wave of attacks. Therefore, attacks are more frequent between 9 a.m. and 3 a.m.

In addition, there are currently two major underground ("black") organizations in China. These two organizations are also spread throughout Southeast Asia; their top-level organizations are outside China, and the attack traffic they control has exceeded 1 T. You can imagine that attack traffic of this kind is fatal to any game company or application. The larger organization has 800G of attack traffic and the smaller one about 600G, so they basically have the ability to attack any game company until it dies.

Today, the cost for hackers to launch attacks is actually very low. For example, for overseas UDP packet floods, one gigabit costs only 50 yuan a day, and even the most expensive DNS reflection attack costs only 350 yuan a day per gigabit. But hackers obviously do not quote prices like this. For example, if a hacker targets a certain game, he will sell an attack package on a daily or monthly basis, or charge according to results: he will be certain to beat the game's service to death, and there is even a "no charge unless it is beaten to death" service. Some time ago, you may have seen that Wu Hanqing of Alibaba Cloud posted an article on his official account about the 29 months since he returned to Alibaba. That article also mentioned that in 2016, Alibaba Cloud cracked down on one of the two illegal organizations just mentioned. Within a few months after the crackdown, the entire illegal organization inside China actually disappeared. The volume of domestic DDoS attacks dropped by 56%, and at the same time the volume of global DDoS attacks dropped by 8%. However, because the core members of the organization are outside China, the organization reappeared half a year later.

As for the actual attack techniques, the attack sources have been increasing year by year. In the past there were only attacks against PCs; later, attacks targeting servers appeared, and statistics once showed that more than about 50% of IDC servers had been successfully compromised by hackers and turned into bots ("broilers"). Now there are also attacks targeting mobile phones, and many people's phones are in fact under the control of underground organizations. Moreover, many IoT devices have now joined the wave of DDoS attacks, pushing DDoS attack traffic higher year by year. In 2014, DDoS attacks were mainly at 50 Gbps, and the main technique was spoofed-source-IP attacks from IDCs. In 2015, attacks of 100 Gbps+ had already become normal, and the techniques were upgrading too, shifting from spoofed IPs to reflection floods. In 2016, 200 Gbps+ attacks became the norm, and the rise of IoT and mobile terminals led to an endless stream of attacks based on real devices. In the most recent two or three months of 2017, the trend everyone has seen is that 300 Gbps+ attacks have become normal, and attack incidents based on private protocols and real sources are rising exponentially, making attacks even harder to defend against.

So why do hackers attack the gaming industry? First, it may be to vent dissatisfaction: some people become unhappy with a game and may take it down simply to vent. Then there is the underground industry taking paid orders: for example, of two game companies competing in the same market, one may hire the underground industry to hit the other's business. There is also extortion: Xiaoyi Network (小蚁网络) has met many customers who said they received extortion messages from hackers on WeChat or QQ demanding money, or else their game business would be attacked. There is also "business support": the underground industry cooperates with certain companies in an industry, propping one company up to become the industry leader while all of its competitors are beaten to death. Finally, there is data-center collusion: hackers demand that some game vendors move into a particular data center (IDC), or else they will be attacked. It is for all of these reasons that the underground industry has formed today's pattern of attacks on game customers.

Moreover, the hackers' specific attack techniques are very diverse. Take "spike hitting" (打尖峰) as an example. Everyone knows that Alibaba Cloud and the other clouds have a 5 G blackhole threshold. A hacker therefore does not keep attacking with very high traffic; because they know how the blackhole mechanism works, they attack with 5.01 G of traffic, and the game company's IP goes into the blackhole. The hacker actively probes where the upper limit of the game company's defense lies, and then uses spike attacks against the game until the service goes down. Another approach is suppressing a time window: for instance, a certain game may have a large number of players flooding in between 9:00 and 9:30 every morning; if the game's login service is suppressed during that half hour, the game cannot provide service and players move to other games. The most frightening technique is the sustained suppression that has appeared recently, where the game is under 300 G of attack traffic from morning to night. The above is divided mainly by the attack time window; if divided by finer-grained attack technique, there are the following two kinds of attack:

  • Large-traffic suppression, that is, flooding the target with massive traffic so that the entire data center is blocked.

  • Fine-grained suppression, implemented with CC attacks; at present it is usually combined with large-traffic suppression, either simultaneously or one after the other.
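As an added, defender-side illustration (not from the original article), the following Python sketch classifies one day of per-minute ingress samples for a single IP into the three time-based patterns described above: spike hitting just over the 5 G blackhole threshold, suppression of the 9:00 to 9:30 login window, and all-day sustained suppression. The sample days, the 0.5 Gbps baseline and the "up to 10% above threshold" band are constructed assumptions.

```python
from datetime import datetime, time

# Per-IP blackhole threshold the article cites for the major clouds (Gbps).
BLACKHOLE_GBPS = 5.0
# Peak-login window from the article's example (assumed for this demo).
LOGIN_WINDOW = (time(9, 0), time(9, 30))

def classify_day(samples, baseline_gbps=0.5):
    """samples: list of (datetime, ingress_gbps), one per minute, one IP, one day.
    Returns the set of attack patterns from the article that the day matches."""
    patterns = set()
    hot = [(t, g) for t, g in samples if g > 4 * baseline_gbps]  # clearly above baseline
    if not hot:
        return patterns
    # 1. Spike hitting: a few bursts landing just above the blackhole threshold,
    #    enough to trigger blackholing but not a sustained flood.
    near = [g for _, g in hot if BLACKHOLE_GBPS < g <= BLACKHOLE_GBPS * 1.1]
    if near and len(hot) <= 5:
        patterns.add("spike_near_blackhole")
    # 2. Window suppression: elevated traffic confined to the peak-login window.
    in_window = [t for t, _ in hot if LOGIN_WINDOW[0] <= t.time() <= LOGIN_WINDOW[1]]
    if in_window and len(in_window) == len(hot) and len(hot) >= 10:
        patterns.add("login_window_suppression")
    # 3. Sustained suppression: most minutes of the day are under attack.
    if len(hot) >= 0.8 * len(samples):
        patterns.add("sustained_suppression")
    return patterns

def build_day(day, gbps_at):
    """Construct 1440 per-minute samples; gbps_at(minute_of_day) gives the Gbps value."""
    return [(datetime.combine(day, time(m // 60, m % 60)), gbps_at(m)) for m in range(1440)]

def demo():
    """Constructed sample days (not real measurements), one per attack pattern."""
    day = datetime(2017, 3, 1).date()
    quiet = build_day(day, lambda m: 0.4)
    spike = build_day(day, lambda m: 5.01 if m in (600, 601, 602) else 0.4)   # three bursts at 10:00
    window = build_day(day, lambda m: 40.0 if 540 <= m <= 570 else 0.4)      # 09:00-09:30 only
    sustained = build_day(day, lambda m: 300.0 if m >= 60 else 0.4)          # 01:00 to midnight
    return {name: sorted(classify_day(s)) for name, s in
            [("quiet", quiet), ("spike", spike), ("window", window), ("sustained", sustained)]}

if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name:10s} -> {found or ['no attack pattern']}")
```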

Trend one: large traffic has become the norm

At present, two very obvious trends have appeared in DDoS attacks.

The first trend is that large-traffic attacks have become normal. Hackers can now gather huge amounts of attack traffic in a very short time. This kind of large-traffic suppression attack may once have been only a legend, but judging by this year's situation, large-traffic attacks have become reality. As bandwidth costs fall year by year and bot resources grow richer year by year, large-traffic suppression attacks are no longer the industry's "urban legend", high ingress bandwidth is no longer a safe box for defense, and an "arms race" against attack traffic can no longer be won. It is therefore time to consider some changes in how large-traffic attacks are handled.

Trend two: CC attacks are shifting toward fine-grained attacks


Origin blog.csdn.net/xiaoyiandun/article/details/128677394