When I was younger, I used to play with LEGOs with my cousins all the time. We’d spend time creating huge houses and vehicles that could fly and have big battles. It was so much fun… most of the time. Every once in a while, one cousin would get angry with what we were building and playing. It would always start the same: He’d say, “Oh, we should do it this way…” and escalate up to full-on temper-tantrum, destroying everything we’d built, because he wasn’t happy with how we were playing. If we weren’t doing what he thought we should do, he didn’t want us to play at all.
I once thought we’d all outgrow that mentality, but some online gamers have never really matured beyond the “my way or the highway” mentality. And our tools to carry out our temper tantrums have changed in scope.
It seems like every other day we are hearing about this game or that game getting DDoSed by someone who is upset with the game or because they are so upset they think no one else should be able to play the game. In this edition of Lawful Neutral, we’re going to explain the concept of DDoS, digging into how it works, how it affects gaming, and how current law deals with it.
OK, so what exactly is a DDoS?
DDoS is an awkward acronym for “Distributed Denial of Service attack,” which is a malicious attempt to disrupt normal traffic of a server or service – in our case, a game. A Distributed Denial of Service attack requires access to a large number of internet-connected devices that are infected with malware. This malware can sit on your computer, your internet-connected doorbell, your DVR, your wifi toaster. Almost anything connected to the internet can be infected. In fact, the more “out there” the internet-connected device is, the shoddier the security tends to be, and therefore the easier it is to exploit. This network of infected devices is called a botnet.
The DDoS attack works by flooding the game with bogus requests, making legitimate requests — like a player trying to log in — unable to make it through the traffic jam the botnet created. Attackers do this by exploiting network connections at different layers of the Open Systems Interconnection model, or OSI Model. The OSI model is a seven-layer visualization for how computers talk to each other. I won’t go into the nitty-gritty of the details here; I mention it only because DDoS attacks function by exploiting legitimate networking.
The end result of a DDoS attack for a player is that you can’t play the game: Either you are prevented from playing, or degradation of the service is so bad that you are effectively unable to play.
Why do people DDoS?
In short, to hurt the target game, company, or community. DDoSing doesn’t provide any direct enrichment for attackers. It can create opportunities for other breaches, which could theoretically result in enrichment for the attacker (the DDoS blackmail scheme that afflicted Albion Online years ago is one such example). But generally, the attackers don’t really get anything other than the satisfaction of having “hurt” the game when DDoSing. In MMOs, we often see DDoS attacks as attacks of revenge for an individual not agreeing with a company decision… and little else.
Of course, some people also just do it for the lulz. We see this type of troll behavior frequently around the holidays; when people have a lot of time to game, there’s typically an uptick in the number of attacks.
How does it work?
Let’s take a hypothetical walk-through of how this works. Imagine your smart toaster has malware running on it. The malware is designed to be silent, so the toaster keeps on toasting just as the user expects. If it caused the toaster to stop working and the user replaced it, the attacker would lose that endpoint of the botnet, which he definitely does not want. So the malware is installed, and you’d never know because everything works just as it always has.
Every few minutes or so, your toaster is reaching out to an IP address – let’s call it the Botmaster – asking for any instructions. Most of the time, your toaster doesn’t get a response, so it keeps happily toasting your English muffins. However, one time it reaches out and does get a response. This response contains a new IP address for the authentication servers for an MMO – let’s go with Final Fantasy XIV – to talk to, and specific instructions on how to talk to them. Your toaster, despite being a smart wifi toaster, is actually pretty dumb. It happily reaches out to the auth servers in just the way it was told to. And while it’s reaching out to this new IP, it’s going to continue to check in with the Botmaster.
One wifi toaster hitting the IP address for the Final Fantasy XIV authentication servers isn’t a big deal. The auth servers look at the request from Toasty McSmartToaster and respond accordingly. The request from the toaster was structured in such a way that the response from the auth servers is as big as possible — not because it’s trying to phish for information but because big requests use more bandwidth. So Toasty continues to spam the same request over and over and over again.
Just one toaster isn’t a big deal. The auth servers shrug and move on. But then, as the botnet ramps up, the game starts getting requests from 10 toasters, then 100 toasters, then 10,000 toasters. Now the auth servers are struggling. Each request comes in, and the servers respond with a big block of data, using up all available resources to respond to these fake requests. Legitimate players trying to log in are now getting error messages because all the resources are being used by these fake requests. And the DDoS attack is underway.
It will continue until our toaster botnet checks in with the Botmaster, who sends back a response to stop the attack. All the toasters will stop spamming the auth servers, and service goes back to normal.
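As an added example (not part of the original column), here is how the toaster's owner could spot both phases of this walk-through in a home router's connection log: the regular check-ins and the later burst at a new address. The flow records, device names, thresholds and the `classify_flows` helper are constructed assumptions, and the IP addresses are documentation ranges rather than real hosts.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_sample_flows():
    """Constructed log: (epoch_seconds, device, destination_ip)."""
    flows = []
    # Toaster checks in with one fixed IP roughly every 5 minutes.
    for i, jitter in enumerate([0, 3, -2, 4, -1, 2, 0, -3]):
        flows.append((i * 300 + jitter, "toaster", "203.0.113.7"))
    # Laptop visits the same site at irregular, human-driven times.
    for t in [12, 40, 55, 700, 2100, 2130]:
        flows.append((t, "laptop", "198.51.100.20"))
    # Later the toaster repeats one request to a new IP 20 times a second.
    for i in range(600):
        flows.append((2400 + i * 0.05, "toaster", "192.0.2.50"))
    return flows

def classify_flows(flows, min_events=6, max_cv=0.1, min_period=60, flood_rate=10):
    """Label each (device, destination) pair 'beacon', 'flood' or 'normal'."""
    times = defaultdict(list)
    for ts, device, dst in flows:
        times[(device, dst)].append(ts)
    labels = {}
    for pair, ts in times.items():
        ts.sort()
        label = "normal"
        if len(ts) >= min_events:
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            avg = mean(gaps)
            # Coefficient of variation: near 0 means machine-like regularity.
            cv = pstdev(gaps) / avg if avg else 0.0
            rate = len(ts) / max(ts[-1] - ts[0], 1.0)  # connections per second
            if rate >= flood_rate:
                label = "flood"      # sustained burst no appliance should produce
            elif avg >= min_period and cv <= max_cv:
                label = "beacon"     # evenly spaced check-ins to one address
        labels[pair] = label
    return labels

if __name__ == "__main__":
    for pair, label in sorted(classify_flows(build_sample_flows()).items()):
        print(pair, label)
```

The thresholds are starting points only; legitimate devices also poll on timers (update checks, NTP), so a "beacon" label is a prompt to look at the destination, not proof of infection.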
How do people get away with this? Is it legal?
This is Lawful Neutral, right? So let’s take a look at the legality of DDoSing. We have the unique opportunity here to discuss the international legality when it comes to DDoSing. Article 2(4) of the UN Charter governs the use of force between nation states, and the application for cybersecurity actions is… murky and vague, from what constitutes “force” to what constitutes critical infrastructure. But the takeaway here is that based on the current interpretation, DDoSing is probably a violation of the UN Charter. It doesn’t really apply to games as it’s mostly concerned with actions of nation states against each other, but I thought it was a fun tidbit.
In the US, for once things are a little more clear: It’s actually a federal crime under the Computer Fraud and Abuse Act to coordinate a DDoS attack, punishable by up to 10 years in prison and pretty hefty fines. The UK, Sweden, and Australia also have laws on the books criminalizing DDoS attacks. In fact, we’ve actually seen people arrested in conjunction with DDoS attacks against MMOs.
But it’s actually a depressingly small number of people arrested when we compare that with the number of actual attacks we see in the genre. A big part of the reason is how much the company cares and is willing to invest in finding the attackers. It’s difficult and therefore expensive to track down who is actually instigating an attack. Outside of the big attacks, the actual cost of the attack most often doesn’t equal the cost it would take to track down and identify the attacker to bring him to justice.
Here’s just a small sampling of the more interesting DDoS scenarios we’ve covered in MMOs over the last few years: