Game designers spend a lot of time going over the ins and outs of different types of attacks and defenses and weapons and so on. Unfortunately for the companies behind those games as well as their users, so too do the IT and security people tasked with keeping those games up and running at a high level.
Online gaming platforms have always been a major target for DDoS attacks, and they probably always will be. It’s possible that this is because some online gamers are so loyal to their games of choice they enjoy making a game inaccessible for fans of another franchise. The big stink gamers tend to make on social media when their games don’t work is also appealing for DDoS attackers of a certain type. Overall, there’s one big reason online gaming platforms keep getting rocked by DDoS attacks: other than the small-time websites that don’t have DDoS protection, online gaming platforms are some of the easiest targets currently on the internet. That’s right, there is no honor among the thieves stealing your gaming experience from you.
The Odyssey-style overload
For a perfect example of just how distributed denial of service (DDoS) attackers can get big results with some pretty lazy efforts, look at the recent attack that blighted the Assassin’s Creed Odyssey launch. Just as the new and hotly anticipated entry in the Assassin’s Creed franchise became available to the public, its servers became unavailable, with what was referred to as a crippling DDoS attack taking them down.
Regardless of the tricks or techniques an attacker uses to make it happen, a distributed denial of service attack at its core is a blast of malicious traffic that consumes so many server resources or so much bandwidth that legitimate users are unable to connect to the target website or platform.
You know what helps a dose of malicious traffic take down a gaming platform? A big ol’ influx of legitimate traffic, like the one that would accompany the release of a brand new game. Forget being a cybercriminal mastermind: all it really takes is one last push of traffic to take an already stressed gaming server over the edge.
The Cyclops-style vulnerability
In the same week that Assassin’s Creed Odyssey suffered its launch-day DDoSing, Final Fantasy XIV went down to a distributed denial of service attack as well. Unlike Assassin’s Creed, there was no launch involved in the Final Fantasy outage, nor was there a release of an expansion pack or anything else that would cause a significant natural uptick in traffic.
Due to the nature of online games and their platforms, that legitimate uptick in traffic isn’t strictly necessary for making life easy for attackers. In order to serve gamers at any minute of the day, gaming companies need to have a centralized, always-available platform that provides a high enough level of connectivity that there is absolutely no lag for anyone gaming at any given time. This is what’s referred to as a single point of failure. Think of it like Cyclops’ eye in Assassin’s Creed Odyssey: in order to take down an entire game, all an attacker needs to do is keep aiming malicious traffic at this centralized platform. With a narrow attack, widespread havoc can be wreaked.
Not that it needs to be made any easier for the type of attacker that aims a distributed denial of service assault at an online gaming platform, but it’s also worth keeping in mind that in order to be successful, an attack can merely slow the server enough that the game lags for its users. There doesn’t even have to be any actual outage time.
Game over
When a target like, say, the website of investigative reporter Brian Krebs goes down to a DDoS attack, there’s at least some solace in knowing that the attackers had to launch what was then a record-setting attack with one of the biggest botnets of all time in order to succeed. Online gaming companies and their users get no such solace.
Until online gaming companies are equipped with professional cloud-based DDoS protection with an SLA-guaranteed time to mitigation of less than 10 seconds, the processing capability necessary to handle the malicious output of IoT botnets, and next-gen filtering that keeps legitimate users seamlessly connected while slamming the door on attack traffic, lazy DDoS attackers are going to keep getting their kicks at the expense of gamers. Not much of a quest there.