For the past two years, the constraints of the COVID-19 pandemic have spawned an unprecedented surge in the online gaming industry, which is emerging as a major platform for entertainment, social interaction, and competition. By 2024, this media category could surpass $200 billion in revenue, making it one of the fastest-growing industry segments in the world, with an estimated 2 billion unique gamers worldwide.
As online gaming booms and gains a higher profile, game publishers and gaming networks are attracting unwelcome attention: a growing wave of cyberattacks that carry major costs. According to our recent threat research, gaming was one of the industries most heavily targeted by distributed denial-of-service (DDoS) attackers in 2021.
DDoS Attacks in Gaming on the Rise
As it would be for any major business, data loss is a high priority for gaming companies whose servers are tempting targets for thieves seeking access to high-value databases that hold payment information, player statistics, intellectual property, and more. More recently, DDoS attacks intended to disrupt game play and bring massively multiplayer online (MMO) games to their knees have been more commonplace. Here, data is not at risk. Instead, DDoS is preventing legitimate players from accessing games, leading to user frustration, revenue loss, and reputational risk. Impact is not limited to the game itself, but also impacts businesses that rely on the game such as e-sports professionals and Twitch streamers.
DDoS Halts Squidcraft Games Tournament
A recent major security incident underscores the point. In January, Twitch Rivals hosted a six-day Squid Game-themed competition — a Minecraft tournament called Squidcraft Games for Spanish-speaking gamers. About 150 contestants, including some of the platform's most famous Spanish-speaking creators (including Ibai, Rubius, and Auronplay), competed for a $100,000 purse in front of a record-setting 2 million viewers.
But what really grabbed the headlines wasn't just the high-profile competition — it was the intensive (and peculiarly timed) DDoS attacks that eventually shut down Internet access in Andorra, the small principality located between France and Spain in the Pyrenees mountains where some tournament participants live. On the fourth day of the tournament, Jan. 22, 2022, a DDoS attack reaching 100 Gbps in several short bursts impacted the Andorran competitors.
News reports indicate this attack, the work of an unknown DDoS-for-hire service, knocked out about a dozen Andorran players from the competition (including E1Rubis, Biyin, TheGregfg, TaeSchnee, VioletaG, Aroyitt, 8cho, TinenQa, and Auron), and paved the way for OllieGamerz to take the top spot and $100,000. It doesn't take a lot of imagination to see how a DDoS attack — one of the simplest, cheapest, and most effective attacks — can be timed to gain a decisive advantage on high-stakes competitors and disrupt matches in a win-at-all-costs culture.
Multifaceted Threats to Gaming's Unique Architecture
Online games typically employ a distinct architecture to optimally serve their customers. When a player wants to join an online game, they must first enter a "lobby" where they wait for other players to join. When enough players have gathered in the lobby, the game starts — only then can these users play the game. As a result of this architecture and their multiplayer design, online games are vulnerable to DDoS attacks through multiple dimensions: the game server itself, the game lobby, and, for some peer-to-peer multiplayer games, the individual player.
The real-time nature of gaming presents major issues because it emphasizes team scalability, which can create challenges when addressing security concerns. Of course, gaming platforms are highly sensitive to performance and outage issues. Their passionate users are vocal about outages of any kind at any time. Failing to meet user expectations can doom the reputation of a game.
The other element in play here is that the gaming sector covers a huge variety of companies, from international giants to smaller firms that address niche markets. Each eventually encounters the same issues (e.g., keeping customer data and intellectual property secure and ensuring high availability and performance). However, smaller firms may find it harder to get the right skills in place.
With the increasing shift to online gaming and the growth of e-sports, gaming companies must redouble their efforts to protect themselves and their users from cyberattacks. This means developing a good security strategy that covers all the bases. This includes design and architecture, coding and deployment, up to the hosting of the online service. These proactive measures can prevent attacks from affecting the gaming experience and protect the gamers while building trust in the integrity of their platforms and the competitions they host.