Attacks/Breaches
9/17/2013
11:54 PM
Lori MacVittie
Lori MacVittie
Commentary
50%
50%

Grand Theft Oh No: When Online Gamers Attack

A new report says the tactics players use to slow down the competition may be trained on your site. Here's how to protect yourself.

The volume of distributed denial-of-service attacks is holding steady, with vendors and researchers pointing to statistic after chilling statistic about how many, how often and how successfully such exploits occur. Most blame the ability of attackers to leverage vast networks of compromised PCs, often procured at volume-discount prices on the resource black market. But are zombie armies getting the blame for attacks originating from dark, seedy online gaming networks?

Maybe, says a recent white paper with the deceptively tame title "An Analysis of DrDoS and DDoS Attacks Involving the Multiplayer Video Gaming Community." In it, DDoS mitigation service provider Prolexic tells a tale of revenge, exploitation and extreme competition among gamers.

The report explains how vulnerable game servers become launch points for DDoS attacks against both third-party and in-game targets. It's become so common that the gaming community has its own term for the practice: "packeting." These attacks are most often reflection-based, using compromised servers to take down a target by spoofing requests to public services that return responses, flooding the target's network connection or overwhelming available resources. Gamers initiate attacks for a variety of reasons, including inducing enough lag to achieve a strategic advantage over rivals.

[ DDoS attacks can cost serious money and are nearly impossible to repel with standard defenses. Should you buy protection? ]

What's disconcerting, however, is the potential use of these often-vulnerable servers to carry out DDoS attacks against enterprise networks. Downtime and disruption caused by DDoS attacks is expensive, costing victims an average of $172,238, according to the Ponemon Institute, and you don't even get to blow up any virtual cities for your trouble.

Both IT organizations and game platform providers can take action to minimize the impact of such attacks, as well as prevent their servers from being used as an attack platform. Above all, remain vigilant and have monitoring and alerting systems and processes in place to rapidly detect and respond to an attack in progress. Specifically:

-- Close open resolvers: A significant number of DDoS attacks are carried out against DNS due to the public nature of the servers they provide. It's a rare organization that needs to act as an open resolver -- in most cases, these systems are misconfigured. Turning off open recursion is a good first step toward mitigating the effects of a DNS DDoS attack.

-- Mind your bandwidth: Reflective attacks work because the response, which is sent to the victim, is many orders of magnitude larger than the request itself. The sheer volume and size of responses can consume every bit of available bandwidth and cause network outages and service disruptions. Ensuring that you have spare network capacity -- both available bandwidth and packets-per-second processing power -- will buy you time to take action in the face of an attack. 


-- Consider rate limiting on perimeter network elements: Response-rate limiting as well as inbound packet filtering, particularly when network-layer anomalies indicative of an attack can be identified, will help reduce the impact of a DDoS attack on other services.

Gaming platform providers can -- and should -- do more to monitor and guard against abuse of their resources. Packet-filtering, rate limiting and, of course, addressing server vulnerabilities will go a long way toward eliminating the ability of gamers to exploit systems for their own gain.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
9/19/2013 | 12:28:24 AM
re: Grand Theft Oh No: When Online Gamers Attack
What evidence does the report provide that gaming community behavior spills over to affect businesses outside that sector?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.