
Beware of the DDoS
Roland Dobbins, principal engineer at NETSCOUT ASERT, details the importance of preparing for DDoS attacks in the modern era

Over the last few months, we in the NETSCOUT ASERT team have briefed multiple enterprises and ISPs alike on the activities and characteristics of the high-profile, high-cadence DDoS extortionist dubbed LBA.
In several of these discussions, the conversation turned to the evolution of DDoS extortion attacks over the years; and that story isn’t complete without exploring the impact of DDoS attacks in general, and DDoS extortion in particular, on the online gaming industry.
Early days
In the late 1990s, the confusing (and sometimes contradictory) patchwork of local, state, and US Federal regulations related to the gaming industry spurred many gaming houses intent on entering the brave new world of internet gaming to site their online presences outside the United States. Caribbean and Latin American nations became known in gaming circles for their relatively high-speed internet connectivity and welcoming business environments.
In short order, many of the first and most prominent online gaming operators of the era set up shop in these jurisdictions and enjoyed widespread popularity, alongside the benefits of low taxation and minimal regulation.
Sensing a new opportunity for illicit profits, and confident that these new gaming start-ups would be reluctant to engage with law enforcement (and that the relevant agencies in many of these locales would prove largely incapable of, and uninterested in, the then-new practice of internet criminal investigation), criminal elements proceeded to engage in the first monetary-oriented DDoS extortion attacks of the internet era.
Some of the first perpetrators were individuals or small groups who wanted to make a quick score and then move on to other pursuits with their ill-gotten gains; but inevitably, organised crime stepped in and ‘professionalised’ the DDoS extortion racket. Payments in the tens of thousands of US dollars were demanded, and ISPs who attempted to defend their online gaming customers were themselves targeted and threatened with ruinous DDoS attacks if they didn’t allow events to take their course. Indeed, some of these ISPs threw in with the attackers, selling out their customers and encouraging DDoS extortionists to target them, in exchange for a portion of any proceeds received.
For those organisations who gave in and paid the extortionists, more attacks followed; these threat actors would exchange tips and leads on which online gaming operators had already paid and were thus deemed likely to pay again. Payment was arranged via Western Union by proxies, and when the first online currency, eGold, became widely available, DDoS extortionists were among its largest beneficiaries.
Season’s greetings
While the Texas Hold’Em revolution brought in millions of new internet gamers and led to the mainstreaming of online gaming, traditional betting houses that focused on horseracing, motor sports, soccer and more also took the plunge into online gaming. As a result, we typically observe waves of DDoS extortion attacks that are seasonally aligned with major sporting events; the extortionists attempt to use the threat of service disruption during these times of key revenue opportunity to coerce betting houses into paying.
These same tactics are used to try to extort payments during high-stakes online poker tournaments; the celebrity factor which draws many casual gamers to the online tables during these events is inverted by the attackers and leveraged both as an immediate threat to revenues and as a way of raising the incalculable reputational risk if the targeted organisation’s systems are successfully disrupted by DDoS attacks while many eyes are upon them.
On the defensive
Fortunately, just as the DDoS extortionists have upped their game over the years, with newer, more sophisticated, and higher-volume attacks at their disposal due to the weaponisation of these attack methods in the form of so-called ‘booter/stresser’ services — DDoS-for-hire sites open to all who can pay small amounts of money in order to launch attacks, and requiring little or no technical skill to operate — DDoS defences have also evolved and are more than capable of meeting the challenge posed by online criminals targeting the gaming industry.
The key to successful DDoS defence is preparedness; the majority of DDoS attacks which successfully disrupt the operations of targeted organisations do so due to the unpreparedness of the defenders. Implementing best current practices for network infrastructure; ensuring that application delivery chains are scalable, resilient, and capable of being defended; verifying that critical supporting services such as authoritative DNS servers are implemented in a secure and defensible manner; and engaging DDoS mitigation providers are all key to withstanding these attacks.
But creating a DDoS defence plan and keeping it up-to-date as the inevitable moves, adds, and changes take place isn’t enough. Rehearsing that plan on a regular basis, and ensuring that all critical elements in the service delivery chain are adequately protected against attack, is the surest way to maximise success in mitigating DDoS attacks, no matter the motivation of the attacker.
Finally, situational awareness and engagement with others in the online gaming community are key. Be aware of both seasonal and ad hoc DDoS attack campaigns; share information, including online threats and useful mitigation techniques, with colleagues across the industry. By working together as well as with their DDoS mitigation providers, gaming operators can raise the table stakes high enough to discourage even the most persistent attackers; and will catch perfect every time.
Roland Dobbins is a principal engineer on NETSCOUT’s ASERT team. He has more than 30 years of operational experience in the service provider (SP) and large enterprise arenas, designing, deploying, operating, securing, maintaining, troubleshooting and defending many of the highest-visibility networks in the world.