From popular multiplayer games to esports tournaments, the online/mobile gaming sector has become one of the biggest and most lucrative online businesses. Because of the industry’s hypercompetitive nature, strong profitability and players’ zero-tolerance towards downtime, game hosting servers are, unfortunately, very attractive to DDoS attackers. The bad news is, a small, targeted attack causing small but noticeable lags, jitters or packet loss is enough to drive players away to other competitors’ games.
It is estimated that the traffic share of online gaming traffic has now reached over 5 percent of total network traffic of communications service providers (CSPs); and accounts for a much higher percentage on specialized hosting platforms. Different game genres have different latency requirements, depending on the game dynamics and player interactions. While, needless to say, latency is the most important parameter, other factors such as packet loss and delay variation (jitter) are also the criteria that gamers don’t compromise on.
Increasingly popular MMOGs give rise to new attack signatures
In Asia, Massively Multiplayer Online Games (MMOGs), called battle royal games by some, have gained a lot of popularity in recent years. An MMOG creates an immersive battleground or environment in which thousands of players form small teams against other teams, or battle as individuals. The stringent demand for synchronization in addition to heavy traffic loading has shaped a new traffic pattern for MMOGs versus other network services and applications.
For MMOGs, gamers play one continuous session and are encouraged to interact with others online as many times as they can. This usage has prompted a new type of service, i.e. real-time interactive service over TCP. Typical real-time systems use UDP because retransmitted packets will cause long delays and will be discarded anyway. But in many MMOGs, TCP serves better as the transport protocol, thanks to the reliable connection it guarantees.
The growing popularity of MMOGs is in line with our latest findings on the evolving techniques of DDoS attacks against mobile game servers. In Nov 2019 we mitigated an advanced attack on certain mobile games. Rather than firing off a large volume of junk traffic, attackers sent more targeted malicious traffic on purpose that was barely enough to cause network crashes and session interruptions on a daily basis. Our records show that there were 64 such attacks that targeted the servers of mobile game apps’ IPs between Nov and Dec last year. In Nov alone, attackers mainly employed ~20Gbps DNS amplification and ICMP flood attacks to crash the targeted networks.
DNS amplification, which floods the target with large quantities of UDP packets, and ICMP flood are relatively straightforward strategies to slow down the network and cause packet loss. Once successful they will cause a service outage to the victim game. DNS amplification is one of the most popular attack vectors, which is easy to generate, and has a sheer quantity of open DNS resolvers to abuse. Yet, it is also relatively easy to be detected and mitigated.
Attackers abuse TCP keepalive to disrupt supposedly persistent connections
But since Dec 6 attackers began to spoof the keepalive packets to crash target servers. TCP keepalive is an important transmission feature to determine the validity of the connection between two hosts over a network via TCP/IP. If proven invalid, the connection will be terminated. Most hosts that support TCP also support TCP keepalive.
Here’s an explanation from Wikipedia on how keepalive works to secure the continuity of a connection: Each host (or peer) periodically sends a TCP packet to its peer which solicits a response. If a certain number of keepalives are sent and no response (ACK) is received then the sending host will terminate the connection from its end. If a connection has been terminated due to a TCP Keepalive time-out and the other host eventually sends a packet for the old connection, the host that terminated the connection will send a packet with the RST flag set to signal the other host that the old connection is no longer active. This will force the other host to terminate its end of the connection so a new connection can be established.
For those in the know, this is where the vulnerability lies. Our researchers found that attackers inserted a Gbps-sized TCP ACK flood during an attack campaign, which could cause a severe impact to mobile game apps. We identified two types of attack patterns based on our analysis of the most popular mobile games, with the first type already being employed; and the second type that we believe will soon be employed to target games that run on TCP and UDP.
Players logged out of the game worse than being knocked out in the game
In the first type, which is the most classic and common type of game application via XML, the game runs one or a few TCP sessions only. To our surprise, even for the highest grossing game, it runs on one session only, according to our findings. Once the session is broken, the player has to login again.
For TCP-based mobile games, they use TCP ACK as a keepalive packet to make sure that the client app is up and running. During an TCP ACK attack, if the attack traffic hits the server, it will have to handle an extra yet useless TCP ACK packet. Once the amount of spoofed TCP ACK pockets disguised as keepalive packets is overwhelmingly large, the app will be crashed and the existing session will be reset. To put it simply, the player will be suddenly logged out of the gameplay, which is anything but a pleasant experience.
The second type of attacks target those MMOGs that both use TCP and UDP as transport protocol. This pool of games use TCP to carry out user authentication and registration, followed by UDP for gameplay communications. The good news is that no attack that uses this hybrid approach has been observed; but it’s only a matter of time that it will emerge. Compared with TCP, UDP traffic is easier to be spoofed and easier to cause a significant outage.
As a rapidly growing yet fiercely competitive industry, mobile gaming has proven to be a cash cow for successful developers and their hosting platforms. But due to its nature and complexity it is difficult for a game to get intellectual protection. In other words, it is no surprise that a copycat can beat the original game after it has attracted the critical mass of players.
Winners take all
To be a successful game in today’s time, protecting the gamer’s experience and ultimately the game’s environment from the impacts of DDoS attacks is paramount. Game developers and operators must spare no dollars to put in place the best technologies and services - not just any service, but one that understands the space, and possess the commitment and proven track records to deliver the results.