DDos or how we lost our games to a Lizard

-tkf-

So last night I was playing around with the thought of buying Diablo 3 for my PS4 online; I decided to burn the money on my US/PS4 account.

I was trying to log in on the PSN website on my PC; it was slow and didn't work. Not a new thing for that website, it is often slow and unresponsive. So I figured I might as well power up the PS4 and let it download overnight. Turned out that the PS Store was down, and a quick Google told me that someone named after a reptile decided to DDoS the hell out of PSN and other gaming services*

Afaik PSN was down for a long time, Bnet suffered, Steam as well, and Xbox Live got a shot in the dying moments of the DDoS attack. Which got me thinking about how fragile our online gaming is turning out to be.
Sure, MP games would always be affected by DDoS attacks on servers etc., but as we see gaming services getting concentrated on fewer and bigger players, the attackers are having an easier job shooting those services down. And with more and more games relying on some kind of internet connection, DDoS attacks like last night's will influence more and more people. Microsoft wants to use cloud computing, Sony wants to sell us PS Now, Destiny is a game where SP parts run online; there are plenty of examples.

What are the options? How do the big providers of games and services avoid stuff like this in the future, where the damage can only increase? Maybe they are already working on a solution; last night didn't seem promising :)

*Shacknews has the story:
http://www.shacknews.com/article/85...wide-ddos-attack-update-fbi-now-investigating
 
How many DDoS attacks are there a year of significant magnitude? One? Two? For the loss of two days' gaming, I'm not sure it's a big enough problem to address. In every aspect of life there's some douche who'll turn up and ruin it for a spell. Trying to control every single tiny element to stop them is probably not practical nor desirable.

The only strategy that makes any reasonable sense to me is general internet infrastructure improvements for general benefit, whatever that might be. Considering how primitive the DDoS attack is, and how it's dependent on bots, it's a bit bizarre that it remains so effective. Couldn't a client-based security measure (i.e. a Windows security feature) detect if a machine was a DDoS bot and do something about it?

Not sure this is totally console related...
 
How many DDoS attacks are there a year of significant magnitude? One? Two? For the loss of two days' gaming, I'm not sure it's a big enough problem to address. In every aspect of life there's some douche who'll turn up and ruin it for a spell. Trying to control every single tiny element to stop them is probably not practical nor desirable.

The only strategy that makes any reasonable sense to me is general internet infrastructure improvements for general benefit, whatever that might be. Considering how primitive the DDoS attack is, and how it's dependent on bots, it's a bit bizarre that it remains so effective. Couldn't a client-based security measure (i.e. a Windows security feature) detect if a machine was a DDoS bot and do something about it?

Not sure this is totally console related...

Well, we didn't lose 2 days of gaming because none of our consoles require always-on to game; we lost some online gaming time, that is it. But as more and more games require some kind of internet connection to work, and consoles as well, it's a given that these issues will not go away; they will only grow. I can't remember the last DDoS on a gaming service, but I am pretty sure that it will only grow in strength as the target grows.

Nope, not really console related, I guess. In this case PSN was the major target, but in general it's a problem for every game service.
 
Well, they are not totally sure who is responsible for the DDoS attack. There are 2 groups claiming responsibility, Lizard Squad and Famedgod. Lizard claims ties to a terrorist group and even tweeted a bomb threat to the plane with a Sony rep. The other guy claims he was trying to prove that Sony's network was still extremely vulnerable. Who knows? In my opinion the people responsible for the DDoS attack are really pathetic! Oh, and a bomb threat to an airplane is just sick! I hope the FBI finds the culprits! There is no network that is completely invulnerable to attacks from hackers, but gaming companies charging for online services should be taking every step possible to protect the users of said networks. Thankfully no one's personal info has been taken.
 
From what I understand, DDoS takes a lot of time to plan. They need a lot of zombie PCs that have been infected over the course of many months. Once they activate the zombies and start the DDoS, most of these PC owners receive an email from their ISP, or literally get disconnected by their ISP, so these machines are lost forever (now that they know, they will reinstall or use an anti-virus). It's not something that can happen often because it's too much effort for too little gain. Later attacks will be much milder than the first ones; they lost their machines.

For large networks, they have nice mitigations against DDoS, but every new attack tries to go around the detection mechanisms. The goal is to successfully look like legitimate traffic, so it can be hard to detect. The attackers can't just try again every day; they lost their million bots, and the mechanism they used is now known, so the admins can add an effective filter upstream after some forensic analysis. Some of the bots are usually kept online by law enforcement so that they can monitor and reverse engineer their protocol.... then some kids in Canada go to jail... all in the name of the opportunity to express their teenage angst. I think it's sad; they're not fully aware of what they're doing.

The bomb threats are much more serious though... this is way beyond teenage angst.
 
The weird thing is, Microsoft also got the DDoS attack but the Xbox Live login system works completely fine. Only the gaming side is affected.

But why is Sony all down? (I can't even log in)

I asked this in the Eurogamer comment section and nobody replied to me, but lots of them gave me + and - with a net result of -3. Weird. So many votes, zero replies.
 
MS had enough time to prepare since the attackers literally warned them hours in advance. OTOH, Sony was attacked first without warning... the active bot number would go down over time; ISPs get notified, the bot IPs get blocked upstream. So their botnet was probably already gimped.

If they are clever they would have reserved multiple blocks of zombies for a second and third wave. But it's doubtful they are clever.
 
I'm surprised DDoS is still a problem; seems to me like most server companies already have countermeasures for these sorts of things. Maybe MS/Sony just never expected to be targets of such intense attacks?
 
From what I understand, DDoS takes a lot of time to plan. They need a lot of zombie PCs that have been infected over the course of many months. Once they activate the zombies and start the DDoS, most of these PC owners receive an email from their ISP, or literally get disconnected by their ISP, so these machines are lost forever (now that they know, they will reinstall or use an anti-virus). It's not something that can happen often because it's too much effort for too little gain. Later attacks will be much milder than the first ones; they lost their machines.

That's not how modern day DDoS attacks work. They use some zombie nodes, but not as many as was required in the old days.

They mostly rely on amplification flaws. It's not untypical for the amplification to be 50x or higher. Last year there was another attack which increased the amplification by another factor of 50x.

I can't find the writeup on last year's attack, but here's a general one: http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack
 
Found an article talking about a DDoS DNS Amplification attack hitting a factor of 100x. http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho

In the Spamhaus case, the attacker was sending requests for the DNS zone file for ripe.net to open DNS resolvers. The attacker spoofed the CloudFlare IPs we'd issued for Spamhaus as the source in their DNS requests. The open resolvers responded with DNS zone file, generating collectively approximately 75Gbps of attack traffic. The requests were likely approximately 36 bytes long (e.g. dig ANY ripe.net @X.X.X.X +edns=0 +bufsize=4096, where X.X.X.X is replaced with the IP address of an open DNS resolver) and the response was approximately 3,000 bytes, translating to a 100x amplification factor.

We recorded over 30,000 unique DNS resolvers involved in the attack. This translates to each open DNS resolver sending an average of 2.5Mbps, which is small enough to fly under the radar of most DNS resolvers. Because the attacker used a DNS amplification, the attacker only needed to control a botnet or cluster of servers to generate 750Mbps -- which is possible with a small sized botnet or a handful of AWS instances. It is worth repeating: open DNS resolvers are the scourge of the Internet and these attacks will become more common and large until service providers take serious efforts to close them.
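The quoted Cloudflare write-up describes the attack from the victim's side; from an open resolver operator's side, the same pattern (many small ANY queries from a few source addresses, each answered with a response dozens of times larger) is what a log review should surface. Below is an added example, not code from the thread or from Cloudflare, that scans constructed resolver log lines (hypothetical field layout: client, query type, name, request bytes, response bytes) and flags sources whose traffic has that amplification signature.

```python
"""Flag DNS clients whose traffic looks like amplification abuse.

Added example (not from the thread or from Cloudflare). The log layout
below is hypothetical; real resolver logs need their own parser.
"""
from collections import defaultdict

# Constructed sample log: "client qtype qname req_bytes resp_bytes".
# 203.0.113.7 mirrors the ANY ripe.net pattern quoted above; the
# 198.51.100.2 lines are ordinary A/AAAA lookups for contrast.
SAMPLE_LOG = """\
203.0.113.7 ANY ripe.net 36 3000
203.0.113.7 ANY ripe.net 36 3000
203.0.113.7 ANY ripe.net 36 3000
198.51.100.2 A www.example.com 45 61
198.51.100.2 AAAA www.example.com 45 73
192.0.2.9 ANY ripe.net 36 3000
192.0.2.9 A example.org 40 56
"""


def parse_log(text):
    """Yield (client, qtype, qname, req_bytes, resp_bytes) per line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qtype, qname, req, resp = line.split()
        yield client, qtype, qname, int(req), int(resp)


def amplification_factor(req_bytes, resp_bytes):
    """Bytes sent back per byte received (36 -> 3000 is ~83x)."""
    return resp_bytes / req_bytes


def suspicious_clients(text, min_factor=20.0, min_any_share=0.5):
    """Return {client: (factor, any_share)} for sources whose aggregate
    response/request ratio is at least min_factor and whose queries are
    mostly ANY, the record type that maximises the response size."""
    req, resp = defaultdict(int), defaultdict(int)
    total, any_count = defaultdict(int), defaultdict(int)
    for client, qtype, _qname, rb, sb in parse_log(text):
        req[client] += rb
        resp[client] += sb
        total[client] += 1
        if qtype == "ANY":
            any_count[client] += 1
    flagged = {}
    for client in req:
        factor = amplification_factor(req[client], resp[client])
        any_share = any_count[client] / total[client]
        if factor >= min_factor and any_share >= min_any_share:
            flagged[client] = (round(factor, 1), any_share)
    return flagged
```

Because the source addresses in such an attack are spoofed, a flagged "client" is the victim, not the attacker; the useful response is to rate-limit or refuse recursion for unauthorised sources rather than to block the address.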
 
From what I understand, DDoS takes a lot of time to plan. They need a lot of zombie PCs that have been infected over the course of many months. Once they activate the zombies and start the DDoS, most of these PC owners receive an email from their ISP, or literally get disconnected by their ISP, so these machines are lost forever (now that they know, they will reinstall or use an anti-virus). It's not something that can happen often because it's too much effort for too little gain. Later attacks will be much milder than the first ones; they lost their machines.

For large networks, they have nice mitigations against DDoS, but every new attack tries to go around the detection mechanisms. The goal is to successfully look like legitimate traffic, so it can be hard to detect. The attackers can't just try again every day; they lost their million bots, and the mechanism they used is now known, so the admins can add an effective filter upstream after some forensic analysis. Some of the bots are usually kept online by law enforcement so that they can monitor and reverse engineer their protocol.... then some kids in Canada go to jail... all in the name of the opportunity to express their teenage angst. I think it's sad; they're not fully aware of what they're doing.

The bomb threats are much more serious though... this is way beyond teenage angst.

Wow!! If that's the background of all of it, that's quite fascinating stuff if you ask me. At least for those whose PCs didn't get infected, of course... I only noticed a couple of minutes where the connection dropped on my Xbox One because a message appeared in Diablo 3, although I could play just fine, and the connection began to fully work again in no time.
 
You don't need your PC to be infected to be a DDoS drone. Your internet modem can also get infected.

But from my experience, using custom firmware and changing the default password is already enough to secure an internet modem.
 
You don't need your PC to be infected to be a DDoS drone. Your internet modem can also get infected.

But from my experience, using custom firmware and changing the default password is already enough to secure an internet modem.

Not really, custom firmware does not equal no security issues. And most of the exploits do not involve having the password.
 
Not really, custom firmware does not equal no security issues. And most of the exploits do not involve having the password.

There likely are a bunch of different exploits, but the prolific ones are exploiting remote root access, and for most SOHO routers, root will mirror the admin password used for setup, which too many people don't change.

It's becoming more common that the setup process for routers will force you to change the admin/root password, and some will not even accept the usual dumbass passwords like "password", "admin", "root", "1234" etc.
 
They should provide a phone-based app that uses Bluetooth pairing or something to access the router and guides you through a securing process. That's something everyone could do. It just needs some random numbers for the IP address and a password which can be written on the back of the router.

They really should take security more seriously/proactively.
 
They should provide a phone-based app that uses Bluetooth pairing or something to access the router and guides you through a securing process. That's something everyone could do. It just needs some random numbers for the IP address and a password which can be written on the back of the router.

They really should take security more seriously/proactively.

I think Netgear has something like this. There is an install wizard when you first boot up your router on a blank config. There is desktop software, and I think an app as well. The router comes configured with a non-advertised wireless connection, and it has a unique name and password that is written on the bottom of the router. That way you can configure it from wireless devices, instead of having to plug it into a computer. I always do manual config, so I'm not really sure what the app gets you to do. Pretty sure it at least makes you change the default password of your router and the name and password of the wireless connection.
 
I'm still a little skeptical of Sony as a software and services company, but I think overall even the biggest companies are going to face a battle as more and more things transition to online services rather than client-side software. Overall, it's the right way to go, so it'll just be the nature of online gaming for a while. I don't expect there to be too many interruptions like this. Last gen had its share of network attacks and compromised user data.
 
Don't use WPS; it is insecure. Last time I read about it on Ars Technica and tried it myself in a shopping mall.

But that was in 2013; don't know if they've patched it now. But there's also the problem that most people never update their WiFi router or internet modem :(

EDIT:
found the article, sorry it was 2012 (not 2013 as i remembered)
http://arstechnica.com/business/2012/01/hands-on-hacking-wifi-protected-setup-with-reaver/

@JPT
Changing the password at least makes the internet modem a bit harder to hack for the most basic script kiddie.

For example, I use a HAME Ethernet-to-WiFi device; if I left it with the default password, I would always get DNS resolver amplification attack warnings from campus. But it is fine after I changed the password.

Then about custom firmware, there are articles on Ars Technica that found the default firmware for internet modems to be horrible. They have default backdoors, etc. I think, if I remember correctly, it was ASUS and TP-Link.

My ADSL modem unfortunately uses a modified TP-Link firmware from the ISP. So I can't update the firmware with anything, and it has always been hacked since a few weeks before the article went up on Ars Technica. The symptoms are similar, where I no longer have access to the admin panel. A hard reboot will fix it (the malware only stays in the modem's RAM).
 