Online game servers reflecting DDoS attacks at conventional targets: Prolexic

DrDoS attacks feed malformed packets to an online service designed as a relay between gamers, creating delays that can interrupt the flow of a game and make it less responsive to a gamer’s commands

Online multiplayer gaming servers are being gamed by hackers to launch aggressive attacks against financial and other organisations using DNS reflection denial of service (DrDoS) techniques that have been honed to a fine art by online gamers, who regularly use them to cripple online opponents.

DrDoS attacks feed malformed packets to an online service designed as a relay between gamers, creating delays that can interrupt the flow of a game and make it less responsive to a gamer’s commands – giving the perpetrator a strategic advantage. They can also flood a target gamer or organisation’s network with ‘amplified’ data streams produced when gaming servers freely provide large data streams as responses to short queries.

The broad availability of freely available toolkits such as the Perl-based is helping hackers borrow the technique to launch attacks on more conventional targets. enables reflected TCP SYN attacks or UDP attacks that leverage Quake 3, Valve Source, Half Life, Gamespy and Gamespy 2 servers, and supports a range of DDoS payloads.

“Malicious actors have historically used gaming communities as sources of servers upon which to reflect and amplify denial of service attacks,” the report’s authors warn. “Gaming-server aggregators provide a good source of server IP addresses that are likely to be vulnerable.”

One financial institution, Prolexic reported in its recent Multiplayer Video Gaming Attacks report (register to download), suffered a sustained DDoS attack that saw 5Gbps of traffic, sent from 605 different IP addresses, pummelling the target after being diverted through multiplayer game servers for Call of Duty 2, Quake, and Quake 3.

Prolexic, which specialises in DDoS mitigation, picked up and stopped the attack, which saw more than 975,000 packets per second flung at the victim organisation from servers in nearly 30 countries. The toolkit allowed the attacker to spoof their identity by replacing their own address with that of the target.

Australian organisations would be even more susceptible to such interruption given the limits on trans-Pacific bandwidth and the ability for inherently chatty game servers to generate massive volumes of traffic. A single 60-byte status query to a Call of Duty server – set up in Prolexic’s PLXsert research lab to test the DrDoS technique – generated a 339-byte response that could easily be redirected to a DDoS target by spoofing the enquiring system’s IP address.
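A victim-side view of the reflection described above, as an added example that is not from the article or Prolexic's report: it flags inbound UDP responses from game-server ports that match no outbound query, and computes the amplification ratio for the 60-byte query and 339-byte response. The port numbers (assumed common defaults), the flow-record layout and the sample flows are constructed for illustration.

```python
from collections import defaultdict

# Assumed default UDP ports for game-server families named in the article;
# operators can change them, so treat this map as a starting point.
GAME_PORTS = {27960: "Quake 3", 28960: "Call of Duty", 27015: "Valve Source / Half-Life"}

# Constructed flow records using documentation address ranges:
# (direction, proto, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    ("out", "udp", "192.0.2.10", 50000, "198.51.100.5", 27960, 60),
    ("in", "udp", "198.51.100.5", 27960, "192.0.2.10", 50000, 339),  # solicited
    ("in", "udp", "203.0.113.7", 28960, "192.0.2.10", 41000, 339),
    ("in", "udp", "203.0.113.8", 28960, "192.0.2.10", 41001, 339),
    ("in", "udp", "203.0.113.9", 27960, "192.0.2.10", 41002, 339),
    ("in", "tcp", "203.0.113.20", 443, "192.0.2.10", 52000, 1500),
]


def find_reflected(flows, min_sources=3):
    """Summarise unsolicited UDP responses from game-server ports, per local host."""
    # Pass 1: remember every UDP query our own hosts really sent.
    asked = {(sip, sport, dip, dport)
             for d, proto, sip, sport, dip, dport, _ in flows
             if d == "out" and proto == "udp"}
    hits = defaultdict(lambda: {"sources": set(), "bytes": 0, "games": set()})
    # Pass 2: inbound game-port responses with no matching query are suspect.
    for d, proto, sip, sport, dip, dport, size in flows:
        if d != "in" or proto != "udp" or sport not in GAME_PORTS:
            continue
        if (dip, dport, sip, sport) in asked:
            continue  # legitimate reply to a local player's query
        entry = hits[dip]
        entry["sources"].add(sip)
        entry["bytes"] += size
        entry["games"].add(GAME_PORTS[sport])
    # Many distinct reflectors hitting one host is the pattern of interest.
    return {host: e for host, e in hits.items() if len(e["sources"]) >= min_sources}


def amplification(query_bytes, response_bytes):
    """Bandwidth amplification factor: response size over query size."""
    return response_bytes / query_bytes


if __name__ == "__main__":
    for host, e in find_reflected(FLOWS).items():
        print(host, len(e["sources"]), "reflectors,", e["bytes"], "bytes", sorted(e["games"]))
    print("amplification: %.2fx" % amplification(60, 339))
```
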

Additional techniques use widely available toolkits like Wickd’s Booter and Hippo Stresser to launch ‘stresser’ attacks on services such as Microsoft’s Xbox Live gaming network. Others are using phishing techniques or automated password-checking tools to brute-force a way into better network access to online gaming services.

While the proliferation of DDoS techniques, toolkits and even cloud-based DDoS services confirms the issue will remain a problem for some time, Prolexic advises anti-DDoS precautions including third-party DDoS monitoring and mitigation services; endpoint security techniques to enforce client authentication policies; proactive protection of potentially vulnerable protocols like ICMP and DNS; implementing and enforcing policies for software updates, patches and change management; and using geolocation and other techniques to limit the opportunity for brute-force attacks.
