Online game servers reflecting DDoS attacks at conventional targets: Prolexic
- 12 September, 2013 10:47
Online multiplayer gaming servers are being gamed by hackers to launch aggressive attacks against financial and other organisations using DNS reflection denial of service (DrDOS) techniques that have been honed to a fine art by online gamers that regularly use them to cripple online opponents.
DrDoS attacks feed malformed packets to an online service designed as a relay between gamers, creating delays that can interrupt the flow of a game and make it less responsive to a gamer’s commands – giving the perpetrator a strategic advantage. They can also flood a target gamer or organisation’s network with ‘amplified’ data streams produced when gaming servers freely provide large data streams as responses to short queries.
The broad availability of freely available toolkits such as the Perl-based DrDoS.pl is helping hackers borrow the technique to launch attacks on more conventional targets. DrDoS.pl enables reflected TCP SYN attacks or UDP attacks that leverage Quake 3, Valve Source, Half Life, Gamespy and Gamespy 2 servers, and supports a range of DDoS payloads.
“Malicious actors have historically used gaming communities as sources of servers upon which to reflect and amplify denial of service attacks,” the report’s authors warn. “Gaming-server aggregators provide a good source of server IP addresses that are likely to be vulnerable.”
One financial institution, Prolexic reported in its recent Multiplayer Video Gaming Attacks report (register to download), suffered a sustained DDoS attack that saw 5Gbps of traffic, sent from 605 different IP addresses, pummelling the target after being diverted through multiplayer game servers for Call of Duty 2, Quake, and Quake 3.
Prolexic, which specialises in DDoS mitigation, picked up and stopped the attack, which saw more than 975,000 packets per second flung at the victim organisation from servers in nearly 30 countries. The toolkit allowed the spoofing of the attacker’s identity by replacing it with the same address as the target.
Australian organisations would be even more susceptible to such interruption given the limits on trans-Pacific bandwidth and the ability for inherently chatty game servers to generate massive volumes of traffic. A single 60-byte status query to a Call of Duty server – set up in Prolexic’s PLXsert research lab to test the DrDoS technique – generated a 339-byte response that could easily be redirected to a DDoS target by spoofing the enquiring system’s IP address.
Additional techniques use widely available toolkits like Wickd’s Booter and Hippo Stresser to launch ‘stresser’ attacks on services such as Microsoft’s Xbox Live gaming network. Others are using phishing techniques or automated password-checking tools to brute-force a way into better network access to online gaming services.
While the proliferation of DDoS techniques, toolkits and even cloud-based DDoS services confirms the issue will remain a problem for some time, Prolexic advises anti-DDoS precautions including third-party DDoS monitoring and mitigation services; endpoint security techniques to enforce client authentication policies; proactively protect potentially vulnerable protocols like ICMP and DNS; implement and enforce policies for software updates, patches and change management; and to use geolocation and other techniques to limit the opportunity for brute-force attacks.