Video games company hit by 38-day DDoS attack

News by Steve Gold

51,000-plus terabits of data thrown against client, says IP security firm

Incapsula has revealed that one of its clients - a video games company - was recently hit by a 38-day DDoS attack involving a hefty 51,000-plus terabits of data flowing during the attack period.

The DDoS attack remediation and packet-filtering specialist says that, whilst the attackers switched between several targets, they consistently targeted the website of the video games company (which remains unnamed).

Research into the attack revealed that most of the malicious packets were coming from the same IP ranges and, from this, the firm says it has concluded the attack was the result of business feud - with the explicit aim of `taking down' the gaming company's web portal.

The attackers attempted a number of different attack vectors, ranging from major network layer DDoS attacks to focused application layer (HTTP) floods, all followed by dozens of SQLI and XSS attempts.

Typically, the security firm says that the perpetrators were simultaneously using at least two of these attack vectors and it was not uncommon to see them turning up the heat with “all guns blazing” using all five of the attack methodologies.

"At all times, they continued to use extremely large DNS floods, usually comprising several tens of millions requests per second. Often these were accompanied by large SYN floods, also aimed at Incapsula's DNS infrastructure," says the firm, adding that the attacks had continuous access to several very powerful network resources.

These were, notes Incapsula in its analysis, strong and reliable enough to sustain a month-long offensive – whilst also generating 90+ Gbps of unamplified DDoS traffic.

"This is a long way off from what you would expect from an off-the-shelf botnet for hire. The perpetrators weren't script kiddies looking to make a quick buck with a 20 Gbps DDoS attack and a $300 ransom note," the company's analysis concludes.

Commenting on the attack and the analysis, Steve Smith, managing director of security consultancy Pentura, said that DDoS attacks have long been used as a hacktivist weapon, so it is a logical development that the attack vector is now being used as a tool for industrial espionage as well.

"This incident highlights that any organisation – and not just high-profile firms or government bodies – can be targeted. DDoS attacks are difficult to defend against, but companies should consider contingency and remediation plans in the event of such attacks, and appropriate defences such as scrubbing services," he explained.

Steve Armstrong, technical security director with Logically Secure, said that, as a consultant to several gaming companies, he has seen these types of attacks before, and they tend to escalate in both magnitude and frequency.

"Therefore, whilst the ability to manage a huge DDoS attack is an excellent service to have in your defence arsenal, ultimately the cost of remediating these attacks falls at the feet of the customer," he said, adding that DDoS mitigation is an expensive business, as the bandwidth to receive - and the hardware to process - the high volumes of data places it out of the reach of most companies.

Furthermore, he says, while new products are coming out to mitigate the problem, the real fix is to have ISPs detect and block this at its source using IP traffic security analysis at core Internet pinch nodes.

"In my experience this anti-gaming DDoS attack will probably be grudge-based, as it is rare for ransom demands in relation to high volume DDoS attacks," he said, adding that the problem is not likely to go away in the near future.

Because of this, Armstrong - who is also a SANS Institute Instructor and experienced pen tester - says that, whilst the games company may technically be able to handle the DDoS attack, their lack of OpSec capabilities reveals their capability and the industry they are supporting.

"This means that those groups conducting the attack can identify the capabilities of the attack mitigation, and that's a clear OpSec fail in anyone's book," he concluded.

APDoS attacks

Tony Marques, a cyber security consultant with Encode UK, meanwhile, said that simultaneous persistent multi-layer attacks of this nature represent an evolution of DDoS into what he calls Advanced Persistent DoS (APDoS) attacks.

“These attacks possess five key properties: advanced reconnaissance, tactical execution, explicit motivation, large computing capacity, simultaneous multi-threaded ISO layer attacks and persistence over extended periods,” he said.

APDoS attacks, he says, are more likely to be perpetrated by advanced threat actors who are well resourced exceptionally skilled and have access to substantial commercial grade computing resources.

“These types of attacks represent a clear and emerging threat needing specialised monitoring and incident response services and the defensive capabilities of service providers like Incapsula,” he noted.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews