Medusa

No fun and games: DDoS attacks use game servers

Each day 145 million people play online video games. Many of the servers they use are insecure and misconfigured, making online gaming networks easy targets for exploitation by criminals who launch distributed denial of service (DDoS) attacks. What does this problem have to do with non-gamers? DDoS attackers use gaming servers to enhance their attacks, but their targets aren’t limited to the gaming industry. Many attackers simply use the gaming servers to make their denial of service attacks more powerful. Regardless of your industry, a malicious actor could use gaming servers to attack your business.

The attacks keep coming and new techniques keep evolving. Using gaming servers to strengthen DDoS attacks is not new. Gamers and those who exploit multiplayer gaming infrastructures have been up to bad ends for a long time – since at least the 1990s.

 

Denial of service attacks involving gaming servers are launched by criminals who are outside of the gaming industry – and by gamers themselves. Criminals and players have different reasons for DDoSing. Criminals use gaming servers to boost their attacks against non-gaming businesses, especially against (but not limited to) the financial industry. Disgruntled gamers, on the other hand, may use a DDoS attack to knock a fellow gamer off a game network as a strategy to gain a temporary in-game advantage. Other gamers may use DDoS attacks to target other gaming systems to damage the playing experience of gamers on rival platforms.

One common type of denial of service attack that often involves the online gaming infrastructure is the amplified distributed reflection denial of service attack, or DrDoS attack. This type of attack has been used for decades. Early DrDoS attacks that involved gaming servers took advantage of misconfigurations within the servers that hosted Counter-Strike, Quake and Half-Life – and they still do.

One of the reasons gaming servers are so popular among criminals is that gaming-server aggregators provide a good source of server IP addresses to employ in DrDoS attacks. Although aggregators exist to provide a legitimate service for players to find a gaming server to play on, criminals use the server addresses maliciously. With the IP addresses, an attacker can identify which of them can be exploited and cause them to produce outsized responses directed at the attacker’s target, overwhelming the target with network traffic and slowing it or shutting it down.
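For a game-server operator, the outsized-response pattern described above is visible in the server's own traffic. The following is an added example, not code from the article or from Prolexic: it flags claimed source addresses that draw many large responses from small requests within a short window. The flow-record layout, thresholds and sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

def find_reflection_abuse(flows, window=10, min_requests=20, min_ratio=5.0):
    """Flag claimed source IPs that, within one time window, sent many small
    requests and drew much larger responses: the pattern a server shows when
    it is being used as a reflector against a spoofed address.

    flows: iterable of (epoch_second, source_ip, request_bytes, response_bytes)
    """
    # (source_ip, window index) -> [request count, bytes in, bytes out]
    buckets = defaultdict(lambda: [0, 0, 0])
    for ts, src, bytes_in, bytes_out in flows:
        b = buckets[(src, ts // window)]
        b[0] += 1
        b[1] += bytes_in
        b[2] += bytes_out

    flagged = []
    for (src, bucket), (reqs, b_in, b_out) in sorted(buckets.items()):
        ratio = b_out / b_in if b_in else float("inf")
        # Both conditions must hold: a real player may get a large reply to
        # an occasional query, and busy gameplay traffic is roughly balanced.
        if reqs >= min_requests and ratio >= min_ratio:
            flagged.append({"src": src, "window_start": bucket * window,
                            "requests": reqs, "ratio": round(ratio, 1)})
    return flagged

# Constructed sample records (documentation address ranges, invented sizes).
SAMPLE_FLOWS = (
    # A player refreshing the server browser a few times: large replies, few requests.
    [(1000 + 3 * i, "198.51.100.7", 25, 200) for i in range(3)]
    # A player in an active match: many packets, balanced sizes.
    + [(1000 + i // 4, "198.51.100.9", 60, 90) for i in range(40)]
    # A spoofed address: many tiny queries, each drawing a large reply.
    + [(1000 + i // 5, "203.0.113.50", 25, 1400) for i in range(30)]
)

if __name__ == "__main__":
    for hit in find_reflection_abuse(SAMPLE_FLOWS):
        print(hit)
```

A flagged address is most likely the victim of the reflection rather than a real client, so the appropriate response on the server side is to rate-limit replies per source address, not to treat that address as hostile.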

Gamers tend to use different attack techniques. They often track down the IP address of an individual rival and use a DDoS method called packeting to slow or stop Internet service at the target. Although packeting attacks are relatively weak, gamers also have more sophisticated attacks at their disposal: For a fee, enterprising developers offer ready-to-use DDoS toolkits that are pre-configured to take advantage of insecure and misconfigured gaming servers.

Even non-gamers are at risk from DDoS attacks that abuse gaming servers. You can learn more about attacks and tools that exploit the multiplayer gaming infrastructure in Prolexic’s white paper, DrDoS and DDoS Attacks Involving the Multiplayer Video Gaming Community.